EventExplorer - new features
As probably most envision users, I found EE to be very useful. But there are some features I would like to see in EE or enVision itself, which are requested by my customers! Most of them are implemented in some other products for example Juniper NSM, which I consider the best IPS/IDS console and other SIEMs. Some are new.
1. Drill down capabilities - in EE it would be
- details on correlated events - I want to see all events which produce that correlation
- I want to be able to click on any variable in table and choose (some examles)
- "show all events for %variable% as the same field" with and without applied filters
- "show all events for %variable% in message" with and without applied filters
- "show all events for %variable% as %chosen field%", and new window shows up, when you have to choose filed of interest (of course with and without applied filters)
- show report for %variable%
All such acctions will open new window or better divide existing into two parts, showing requested content. If it is divided into two, content of this new part could change, while you change focus on new row in orginal table.
On graphs I would like to click on let say collumn (as in event viewer) to see what are the events behind this column.
2. Offline correlations - on-line correlation and alerting in enVision is great. But it has some limitations. First is that is now practical way to correlate events from for example Windows with Cisco PIX. When events from Windows are pulled once per 5 minutes you can not say what was the first: windows or pix event. In most cases Windows events will be delivered to alerter service up to 5 minutes after cisco event, but it is not neceseirly true.
Such functionality should, in my opinion be, something similar to QRadar's offenses. Some events (predefined by RSA and/or user) defined as "incident", would allow clicking on details and seeing potentially relaeted events across whole IPDP (in scope of proper domain - see point 3 below).
3. Network topology understanding (the only difficult to implement feature) - for above very useful would be knowing network topology. For simplicity, would be objects, which I call "domain". Each domain will consist of network assets (monitored and unmonitored).
I would also appreciate very much integration of "unmonitored devices" and "assets". And also some autogenerated "watchlists" from assets ie. "all IIS 5.0 servers" will be useful.
4. Confidence level should be applied on each IDS/IPS event always, not only when in correlated rule. It should be also possible on already collected data.
5. 3D logs analysis, similar to Juniper's LogInvestigator.