Using information in Device Attributes
For a few weeks now we have been enriching our device attributes with information from our CMDB (Configuration Management Database). This information includes, for example, Location and CIA classification.
For me it is quite unclear how to use this information in the processing of alerts and reports.
We want to use this information in the following way:
1. To add extra information with an alert;
2. To add extra information with reports;
3. To help prioritize alerts, for example: a logon failure on a device with a High CIA classification results in an alert with alert level 2; the same logon failure on another device with a lower CIA classification results in an alert with alert level 4.
Number 3 is the most important option we would like to use.
Does anyone have tips, tricks, ideas or the same issues concerning this? Please let me know.
Thanks in advance.
I think you can accomplish what you are after using some clever combinations of device groups and correlation rules. The dynamic device groups can be created using the attributes you applied to your event sources.
The basic premise is to build 2 versions of the same basic correlation rule, then use the device groups (broken down by your CIA classifications) as filters on address fields within your rules. Then based on the High or Low device group you chose, you can set the alert level in the metadata part of the rule to trigger at level 2 or 4 respectively.
I did something similar to this with 2 other customers, although we went one step further and used separate "Create Task" Output actions to have the incidents appear in Event Explorer's Incident Management component at 3 different alert levels.
I hope that helps!
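The two-rule approach from the answer, written out as an added example that is not part of the original thread or of the SIEM product discussed: a constructed CMDB extract drives a CIA-based device group, and two copies of the same logon-failure rule differ only in their group filter and alert level. The CMDB schema, the group names and the third catch-all rule for devices missing from the CMDB are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed CMDB extract keyed by device address (assumed schema, not the real CMDB).
CMDB = {
    "10.0.0.5": {"location": "Amsterdam DC", "cia": "High"},
    "10.0.0.9": {"location": "Branch office", "cia": "Low"},
}

def device_group(address: str) -> str:
    """Dynamic device group derived from the CIA attribute, as the answer suggests."""
    attrs = CMDB.get(address)
    if attrs is None:
        return "Unclassified"  # not in the CMDB: would fall outside both CIA groups
    return "CIA-High" if attrs["cia"] == "High" else "CIA-Low"

@dataclass
class Rule:
    name: str
    event_type: str
    group_filter: str  # device group the source address must belong to
    alert_level: int   # 2 is more urgent than 4, as in the question

# Two copies of the same logon-failure rule differing only in group filter and level.
# The third rule is an added assumption so devices missing from the CMDB are not dropped silently.
RULES = [
    Rule("Logon failure (High CIA)", "logon_failure", "CIA-High", 2),
    Rule("Logon failure (Low CIA)", "logon_failure", "CIA-Low", 4),
    Rule("Logon failure (device not in CMDB)", "logon_failure", "Unclassified", 3),
]

def correlate(event: dict) -> Optional[dict]:
    """Return the alert an event produces, enriched with CMDB attributes, or None."""
    group = device_group(event["src"])
    for rule in RULES:
        if rule.event_type == event["type"] and rule.group_filter == group:
            attrs = CMDB.get(event["src"], {})
            return {
                "rule": rule.name,
                "alert_level": rule.alert_level,
                "device": event["src"],
                "device_group": group,
                "location": attrs.get("location", "unknown"),  # extra info for the alert/report
                "cia": attrs.get("cia", "unknown"),
            }
    return None  # event type has no rule for this device group

if __name__ == "__main__":
    # Constructed event: a logon failure on a High-CIA device.
    print(correlate({"type": "logon_failure", "src": "10.0.0.5", "user": "svc_backup"}))
```

Running the same logon failure against a Low-CIA device yields level 4, and a device absent from the CMDB is the case worth checking in a real deployment, since without the catch-all rule it would match neither filter and raise no alert at all.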