This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-11-12 03:08 PM

IDS and VAM correlation rule

Does anyone have an example of a correlation rule that 1. An IDS alert fires with an attack against a certain Microsoft patch MSxx-xxx. 2. Cross references the VAM data to see if the asset is vulnerable to the IDS attack

or any other IDS and VAM correlation

0 Likes
Reply
3 Replies
FIRSTNAMELASTNA
Beginner
Beginner
‎2011-11-14 07:51 AM

Hello - I am in same boat - Please someone guide ?
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-11-14 08:58 AM

There is a tutorial for this exact thing in the blogs section of the Intelligence Community. Here is a link to the tutorial: [[page no longer exists]]
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-11-28 12:31 PM

Watch the video that Matt posted, its pretty good. Essentially all you have to do is apply Confidence Level Filtering in your alert. If you have your VAM properly setup (Foundstone broke in 4.1, so if you use that don't upgrade!!) then envision will correlate the Message ID of the IDS alert to the CVE of your vulnerability. It does this using the internal NIC VID.
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.