Dear lord, this is the most inane limitation of a logging solution, which also requires you to build your own customizations, all without providing you easy access to raw messages of an unknown nature.
I should be able to search on (Analysis) any message that was received and stored by enVision that was stored as unknown. As a categorical search, if you can say they are unknown messages (in the Analysis chart viewing), then please be able to filter on them in results!
This would accelerate the adoption of customizing, or requesting logging changes/fixes.
It's odd right now; it's almost like RSA is hiding the messages they don't understand to make their product look better. Very bizarre behavior. I'm stunned no one has asked for this, or gotten it added yet.
As for unknown devices, have a built-in group or something for them. I've created one, but it seems like a no-brainer to have by default. Especially given the poor detection we've experienced.
Also, more built-in reports on unknown devices or messages would be useful.
And finally, provide some basic alerting abilities on unknown messages using the Alerts module and correlation rules. This would quickly allow businesses to handle systems/events that they are unprepared to make device XML for, but are able to try and perform basic alerting on.