This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-03-11 04:54 AM

Is it possible to use same rule in different views, but for different device groups for each view?

Hi, 

 

Our enVision-solution integrates log sources for several of our customers. I would like to create one view for each customer, and then use the same correlation rules in each view, but they should of course only trigger for events belonging to the particular customer. 

 

For example

View_customer_1: Correlation_rule_1, filter on device group = customer 1

View_customer_2: Correlation_rule_1, filter on device group = customer 2

 

Is this (or something similar) possible? 

 

Best regards, Anne Siri

0 Likes
Reply
5 Replies
RSAAdmin
Beginner
Beginner
‎2010-03-11 07:12 AM

Yes very much. Rule is just a template. When you define the view for each customer, you can refer the same rule for respective customer devices or device groups...

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-03-11 09:00 AM

But is it possible to use different filters for the same rule - one filter for each view the rule is used within? Or even better - dynamically filter in the rules based on the view the rule is used within?

 

For example: 

For view_customer_1 I want to use rule_1 with a filter on device_group = customer_1

For view_customer_2 I want to use rule_1 again, but now with a filter on device on device_group = customer_2

 

Best regards, 

Anne Siri

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-03-11 09:04 AM

When I read your answer again, I see that you probably answer yes to the question in my previous reply. Could you give an example on how to refer to the same rule for respective device groups?

 

Best regards, 

Anne Siri

0 Likes
Reply
AnkushBaveja
Contributor Contributor
Contributor
In response to RSAAdmin
‎2010-03-29 03:22 AM

If you are changing the filter, that is equvalent to a new rule. So its better in ur case to create different rules and then add them to the view. It will be more manageable as well, as any change in rule will require restart of both the views if ur using only one rule.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to AnkushBaveja
‎2010-03-29 12:21 PM

You can do this two ways:

 

1. Create two rules: each applying to a different device group.  Put into a view (or two views, how ever you want.)

 

2.  Create 1 rule covering everything you might encounter, then assign it to different views.  This is done by limiting the devices the view covers on the "Select Devices and Correlation Classes" screen.  That is the second screen when you create a new view. 

 

Advantages to 1: if you update a device group your alert is dynamically updated.  Disadvantages to 1: if you have a lot of these to do, you have to do multiple rules for each rule you have. Flip them for option #2.  For Option#2, also have the ability to control security access to views as a benefit.

 

#2 is best used if you have several rules that are the same, but need to apply to different groups of devices.  For example, if you have 4 different sets of systems (Cisco Pix, ASA, Cisco IDS, and Snort IDS) and 10 alert rules that you want to create, using option #1 you have 40 rules (4 versions of 10 rules) - that update dynamically based on device groups/device type; you can have as many views as you want (1 to 10).  If you go option #2, then you have 10 rules (each generic, covering all 4 device types/device groups), and 4 views (one for each sub-set of systems.) 

 

So, option 1 if you only have a few rules like this has the benefit of doing dynamic updates.  If you have a number of these or need to control security, then option 2 is best.

 

-Clarke

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.