Is it possible to use same rule in different views, but for different device groups for each view?
Our enVision-solution integrates log sources for several of our customers. I would like to create one view for each customer, and then use the same correlation rules in each view, but they should of course only trigger for events belonging to the particular customer.
View_customer_1: Correlation_rule_1, filter on device group = customer 1
View_customer_2: Correlation_rule_1, filter on device group = customer 2
Is this (or something similar) possible?
Best regards, Anne Siri
But is it possible to use different filters for the same rule - one filter for each view the rule is used within? Or even better - dynamically filter in the rules based on the view the rule is used within?
For view_customer_1 I want to use rule_1 with a filter on device_group = customer_1
For view_customer_2 I want to use rule_1 again, but now with a filter on device_group = customer_2
When I read your answer again, I see that you probably answer yes to the question in my previous reply. Could you give an example on how to refer to the same rule for respective device groups?
You can do this two ways:
1. Create two rules: each applying to a different device group. Put them into a view (or two views, however you want).
2. Create 1 rule covering everything you might encounter, then assign it to different views. This is done by limiting the devices the view covers on the "Select Devices and Correlation Classes" screen. That is the second screen when you create a new view.
Advantages to 1: if you update a device group, your alert is dynamically updated. Disadvantages to 1: if you have a lot of these to do, you have to create multiple rules for each rule you have. Flip them for option #2. For option #2, you also have the ability to control security access to views as a benefit.
#2 is best used if you have several rules that are the same, but need to apply to different groups of devices. For example, if you have 4 different sets of systems (Cisco PIX, ASA, Cisco IDS, and Snort IDS) and 10 alert rules that you want to create, using option #1 you have 40 rules (4 versions of 10 rules) that update dynamically based on device groups/device type; you can have as many views as you want (1 to 10). If you go with option #2, then you have 10 rules (each generic, covering all 4 device types/device groups) and 4 views (one for each sub-set of systems).
So, option 1, if you only have a few rules like this, has the benefit of dynamic updates. If you have a number of these or need to control security, then option 2 is best.