RSA enVision^® Discussions

RSAAdmin · ‎2011-12-12

I was wondering what people's experience has been with using Event Category instead of MessageID's. (Note: I am using Content 2.0).

Since moving to 2.0 I have found the Category Names to be pretty good for Windows. I have specifically gotten a lot of use out of:

User.Activity.Failed Logins

User.Activity.Successful Logins

User.Management.Groups.Modifications.User Added

User.Management.Groups.Modifications.User Removed

For me its certainly a lot easier for generating alerts and reports using this logic as opposed to having to input a list of Message IDs for each one.

RSAAdmin · ‎2011-12-13

I personally prefer Event Category as well. But if I have a report or query that is taking a long time to run, Message ID's will return the results faster as it is an indexed field.

RSAAdmin · ‎2011-12-13

If you are running content 2.0 devices, you can also check to see if your device uses the Enhanced Categorization Tagging model. It is a relatively new feature used to categorize events in a flat and flexible way instead of the existing hierarchical event category model. For more information, please refer to RSA enVision online help.

RSAAdmin · ‎2011-12-13

ahmed, I have seen issues with the EC tags. For example I ran a Windows report based on User.Activity.Failed Logins and checked out the 4 EC fields. About half of them were blank which means if I had run a report based purely on the EC tags I would have been missing data. I'm not sure its there yet...

RSAAdmin · ‎2011-12-13

In ECT, not all columns (ECSubject, ECActivity, ECTheme and ECOutcome) have to be filled out when you tag an event. You can tag an event by assigning Authentication to ECTheme or by assigning User, Logon, Authentication and Failure to ECSubject,ECActivity,ECTheme and ECOutcome respectively. That's how flexible the model is because in certain events, it is not clear how the four fields could be inferred. As I said before, the ECT model is a relatively new feature and not all events in all devices are tagged but you may consider it for your future reports

RSAAdmin · ‎2012-01-09

We've been trying to use Event Category to build a correlated alert for "User Added" that works across all of our platforms using Event Categories. So far it's been hard due to inconsistencies with the Categorization used from device to device.

For example, on Linux, the 'useradd' command gets categorized into User.Management.Groups.Additions. Except if it fails, when it is placed into User.Management. I haven't been able to find a single event going into UM.Users.Additions, where I'd expect to find most useradd commands.

User.Management.Groups.Additions -- why is the user add event in the Groups category?
useradd[11501]: new user: name=user1, UID=109, GID=109, home=/home/user1, shell=/bin/bash

User.Management -- a failed event goes at the top level, not under 'Additions'
useradd[20490]: failed adding user `user1', data deleted

I also noticed that userdel shows up under UM.Groups.Deletions instead of UM.Users.Deletions.

User.Management.Groups.Deletions -- why is the delete user event in the Groups category?
userdel[3783]: delete user `user1'

Oracle, on the other hand, seems to have no User.Management messages at all...there we have to use MessageID lists.

I probably need to open a case on each platform to request better categorization...

RSAAdmin · ‎2012-01-09

I'll be honest with you, I have been temptped to just rewrite all of the XMLs for the devices we alert / report on to get better event categorization.... the only pain would be the ESU updates.

RSAAdmin · ‎2012-01-17

I created a case for the Linux useradd/userdel/usermod events, we'll see what the response is.

RSA enVision® Discussions

Event Category -vs- Message ID

RSA enVision^® Discussions