RSA enVision^® Discussions

Since we are talking scripting here, the idea would be to edit/modify the entire correlation rule.  Changes would be done externally to envision.

No problem.  If you are modding an existing rule--all you need to do is edit the XML (and make sure the XML follows proper conventions!)

Your best bet is to create a new Correlation Class and a test CRL rule within this class.  Build two Circuits with two statements each.

Now, change directories to the following and open the file (correlation_2000 is actually created for your new Correlation Class.  If you have other folders... check the other correlation_???? folders for your rule.).

%_ENVISION%\etc\devices\correlation_2000\<name of your correlation rule>.xml

I like Notepad++

You'll see tags for each of your Circuits, Statements, etc.  These MUST be separated by operator tags.

Example:

<circuit id="Circuit1" >

<statement  id="Circuit1-Statement1" thp="false">

<!-- contents -->

</statement>

<operator name="OR" within="-1" />

<statement  id="Circuit1-Statement2" thp="false">

<!-- contents -->

</statement>

</circuit>

<operator name="AND" />

<circuit id="Circuit2" >

<statement  id="Circuit2-Statement1" thp="false">

<!-- contents -->

</statement>

</circuit>

If you want to Add a Statement to Circuit2 then you add the proper Operator and Statement tags and any content you need.  So, it would become:

<circuit id="Circuit1" >

<statement  id="Circuit1-Statement1" thp="false">

<!-- contents -->

</statement>

<operator name="OR" within="-1" />

<statement  id="Circuit1-Statement2" thp="false">

<!-- contents -->

</statement>

</circuit>

<operator name="AND" />

<circuit id="Circuit2" >

<statement  id="Circuit2-Statement1" thp="false">

<!-- contents -->

</statement>

<operator name="AND" within="-1" />

<statement id="Circuit2-Statement2" thp="false">

<!-- contents -->

</statement>

</circuit>

Make sense?  

There is no need to restart the NIC web server between edits.  Just click on the rule within the enVision interface to see your changes.  The enVision interface won't load the CRL rule (the page will hang) if you made a mistake.

You will still need to restart services to actually use the rules.

Sorry dbp for not responding.  Wasn't paying attention on this thread.  This is only part of what we'd want to do, since we want to keep folks off the OS, but sounds like we could script the changes to the CR file, using our own scripts to do so.

The goal is to ask for a simple set of information, and then output a modified (appended) version of an existing CR.  Some information is prefab as part of our MSSP so we don't need to ask for it.

So we'd have a chain of scripts to perform this.

1.  Run script requiring basic info as parameters and build a appended CR file.

2.  At the end have that script call a generic CR file update/replace script. (available for other uses)

3.  Run a script to restart the related view (already in place)

 There should have a web interface to be able to perform this stuff.  We'll probably look to make a custom one until RSA realizes how useful this would be.