RSA Admin

Correlation Sharing

Discussion created by RSA Admin Employee on Sep 2, 2008
Latest reply on Dec 21, 2010 by RSA Admin

I figured I'd post some correlation stuff we are doing in order to encourage others to share some more correlation work. I know the contest is done, but hoping more to leverage the userbase to share the knowledge :smileyhappy:

 

 

We're interested in looking at Cisco Failover so we have an alert setup to fire based on 104001*, 103001, 103004. If any of these occur, we use Task Triage to output this to a team for investigation. Eventually a ticket is created for the firewall team. This is helpful because we can tabulate if pairs of ASAs are failing over to pinpoint problems to a cable, switchport problems, bad hardware etc based on trending and metrics.

 

 

Outcomes