How to set up an alert for an IP when a defined CVE / VID attack happens?
Hello, I would like to set up an alert: when a specific event is detected in the logs (for example: confirmed vulnerability to 2011-3389, VID 71103 used by the attacker, logged by the server, and the logs sent to Envision), Envision must send an email to an email address. I managed to reach the basics (manage views / add / view name / IP selection), but when I select the "Event / VID" attribute, I can't see this 71103 VID listed in the results field. What am I doing wrong? Thank you!
Maybe it's the wrong device type? In the relevant statement, maybe try selecting the device in different ways, either by device class/type or by device group, and see if either method makes a difference?