‎2012-04-02
10:45 AM
Setting up Alerting- Idiots Guide?
Hello, I'm fairly new to enVision and all of the parts of it. I've managed to get it in and some reports pulled out etc., but I'm really looking to implement some real-time alerting to boot. Looking at the console, it doesn't seem to be too obvious. To start with it would be nice to receive an alert when a user is added to Domain Admins or when a user is deleted in AD, but I have no idea where to start or how to approach it. There is minimal guidance in the help or online, so I'm hoping for some help on here before having to shell out for support. We are running enVision 4.0 on a single box. Any help welcomed.
8 Replies
‎2012-04-02
10:54 AM
Have you looked at this thread? It was a walk-through of building a correlation rule in RSA enVision.
Nathan
‎2012-04-02
11:23 AM
I'd looked through some of the forum posts but not through the blogs. Looks like it will get me started! Thanks.
‎2012-04-04
10:52 AM
Right... I have created an alert according to that guide. How do I get it to use one of my configured Output Actions (i.e. E-Mail)? I don't see any mention of it in the blog and can't for the life of me find the option under Alerts.
‎2012-04-04
12:49 PM
After creating a rule, when you attach it to the view, you will get the option to provide an output action for that rule. So you have to go to Manage Views, create a view, add the rule to it, and then on the next page you will have the option to give an output action. Each page has context-based help at the top for your reference, shown as "?".
‎2012-04-05
06:06 AM
When I go to Manage Views -> Create a View I can't see the rule I set up. I have looked through all the Attributes.
‎2012-08-17
12:46 PM
Hi Peter,
It sounds like you've created the correlated rule. That is typically the first step to creating the "Alert". The next step would be to add that Rule to a View. A view is a container that can hold one or more rules. Adding a rule to a view takes a few steps.
1) Create a View if you don't already have one in place.
2) Find the rule that you are trying to add
* In the filter window, top section of the right hand window, click on the attribute dropdown and select Correlation/Correlation
* Click Apply in the top window
* In the bottom window select the correlation class that you identified for your rule, default is NIC Security Correlated Class
* Click OK
* Click Next
* In the top section of the new window click Apply
* In the bottom section a list of Rules will appear, find and select your Rule from the list
* Click OK
* Click Finish
The third part is the Output action. You will first need to create the output action.
Click on the Output Action section on the left side of the enVision GUI under the Alerts -> Alert Configuration tab.
1) Click Manage Output Actions
2) Click the Add button on the bottom right window
3) Name the new Output action
4) Select an Action Type (SMTP for email)
5) Fill in the required fields
6) Click Apply to save the Output Action
Apply the Output Action to the Alert you've created.
1) Click on Views -> Manage Views
2) Click on the Edit link across from the view that contains the Rule you want to add the output action to
3) A list of all the rules in that view will appear. Under the Output Action column click on the link (initially OFF)
4) A new window will appear displaying all available output actions, select the Output Action(s) you want to apply to the rule.
5) Click Finish
As a warning, I will advise you not to turn on any output actions initially until the view has run for a period of time, to ensure that you do not spam an email box with alerts. It's common to turn on a rule and find out afterwards that you should have applied additional filters or restricted certain events. Good luck, Steve
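The pipeline Steve describes (a correlation rule, a view that holds rules, and an output action that stays OFF until the view has been observed for a while) modelled in Python for the two conditions from the original question. This is an added example, not enVision code or its rule language; the event records are constructed samples in a simplified key=value form, and the rule names and field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not captured data). The event IDs are the
# standard Windows Security ones: 4728 = member added to a security-enabled
# global group, 4726 = user account deleted, 4624 = successful logon (noise).
SAMPLE_EVENTS = [
    "EventID=4728 Subject=CORP\\admin1 Member=jdoe Group=Domain Admins",
    "EventID=4728 Subject=CORP\\admin1 Member=asmith Group=Helpdesk",
    "EventID=4726 Subject=CORP\\admin2 Target=CORP\\oldcontractor",
    "EventID=4624 Subject=CORP\\jdoe LogonType=3",
]

# Values may contain spaces ("Domain Admins"), so a value runs until the
# next " Key=" boundary or the end of the record.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' record into a dict."""
    return dict(KV_RE.findall(line))


# The two "correlation rules" from the question (assumed names).
RULES = {
    "DomainAdminsMemberAdded": lambda e: e.get("EventID") == "4728"
    and e.get("Group") == "Domain Admins",
    "ADUserDeleted": lambda e: e.get("EventID") == "4726",
}


def run_view(lines, rules=RULES, output_action=None):
    """Evaluate every rule in the view against each record.

    Returns the list of (rule_name, event) hits. output_action (e.g. an
    email sender) is only called when one is supplied; leaving it None is
    the "OFF" state used during burn-in, so hits are recorded but nothing
    is sent."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for name, predicate in rules.items():
            if predicate(event):
                hits.append((name, event))
                if output_action is not None:
                    output_action(name, event)
    return hits


def burn_in_summary(lines):
    """Hit count per rule: review this before switching an output action on."""
    return Counter(name for name, _ in run_view(lines))
```

A rule whose burn-in count is far higher than expected is the one that needs extra filters before its output action is turned on.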
‎2012-09-17
07:02 AM
Struggling with setting up a view; what do I select/do in the 'correlation classes' part?
‎2012-09-18
11:05 PM
Hi peterplan,
To get an idea of the correlation classes I would recommend navigating to the Manage Correlation Rules section in the Alert Tab:
The rules that are listed in the right hand window are each in a class. Most are in the Security Correlated Class. When you create a correlation rule in this section you can choose what class it is part of. If the rule that you want is in the Security Correlation Class, you would select this class in the View in the 'correlation classes' part.
