This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2008-09-02 11:25 AM

Correlation Sharing

I figured I'd post some correlation stuff we are doing in order to encourage others to share some more correlation work. I know the contest is done, but hoping more to leverage the userbase to share the knowledge :smileyhappy:

 

 

We're interested in looking at Cisco Failover so we have an alert setup to fire based on 104001*, 103001, 103004. If any of these occur, we use Task Triage to output this to a team for investigation. Eventually a ticket is created for the firewall team. This is helpful because we can tabulate if pairs of ASAs are failing over to pinpoint problems to a cable, switchport problems, bad hardware etc based on trending and metrics.

0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2008-09-02 11:37 AM

Another we have is monitoring for devices not sending data. Since we're the log service, we really need to know if a device stops sending for some reason.

 

We've got it setup for our IPS that if we don't get in any event within 61 minutes, then we fire an alert.

 

We look for event ID 508100 (which is a package error) and variable * , with a filter on Count = 0 and Variable "Local Address laddr"  in the correct Device Group. This is working for us, but we do have problems with certain devices that are less chatty. We're thinking of splitting into groups based on site or average events. Maybe have one group that alerts if no events come in for 3 hours, and one for 30 minutes or something like that, but this is the bulk of the idea....

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2008-09-02 01:23 PM

Marcher,

 

Actually, the summer contest is complete, but we are running a new one now, so please post away! Winner gets $150  and runner-up gets $50 (AmEx gift cards).

 

Thanks for the great content!

 

Debbie

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-09-15 06:50 PM

Marcher,

 

Good stuff as were looking into something along those lines.  Not to hijack this thread, but is there a convienent way to show from all of your monitored devices when the last log was received? ie..timestamp  That might help for monitoring of devices not sending data.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2008-09-16 04:03 PM

Yeah I'm not sure on that, I'll give it some thought. I wonder if you could take the timestamp value and then setup some filter that says if the timestamp is older than 1 hour ago....

 

Right now our way is to look for a message not coming in, which it does the job, but I think grouping devices into different groups based on how chatty they are would be helpful.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-12-21 01:04 AM

HI Team

 

I was trying to create corelation rule for device not sending the log in 24 hours .I have used  CRL 23 rule default one but no luck ....any sugession ?

0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2010-12-21 10:43 AM

Use Device down messages to alert on any devices not logging. Look at enVision SP3 notes and it should outline the device down setup. You need to modifiy the PI.ini file, and then setup parameters for each device. It has a system timer value that keeps track of devices and alerts based on your threshold.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.