I am having some challenges (the nicest way to say it publicly) with ESA and thought it was time to ask the gurus and experts here.
I have created a total of 2 successful rules (basic rules mind you).
- device_type is "AV device type"/"network based malware detection device type"
- alert is meta1 (both rules fire with this same alert condition)
So, I try to configure an ESA alert for HIPS (same vendor as AV). I am unsuccessful at this.
Round 2, seemingly brilliant idea is born: follow the same logic as the current two working rules (device_type is ... and alert is ...). It worked for the two successfully, right?
I create an application rule to alert on the Alert meta, rule name "HIPS event".
I let this soak for a while and I can run a query in Investigation and under the Alert meta, I can see "hips event" (don't get me started on the case sensitivity issue). Ok, great. I'm on my way to saying "I have created 3 successful ESA alerts".
So I got from Mr. AV Vendor's website a file I can run similar to the EICAR file to test the HIPS functionality. I create the new HIPS ESA rule:
- device_type is "AV device type" (HIPS events come in under this same device_type)
- alert is "hips alert"
Run test file.
It took me a while to realize "hips alert" and "HIPS alert" in the eyes of ESA are two different things. So, I discover this last night thinking I have truly discovered the ultimate secret and resolution to my headaches.
I make the change... I sync the change.
Nothing. (ESA alert, but the application rule created the desired alert name successfully "working as designed")
So.... what am I doing wrong?
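For anyone reading this later, here is what the rule described above looks like when written out as an ESA advanced (Esper EPL) rule rather than clicked together in the rule builder. This is an added illustration, not something from the original post or from the vendor's documentation; the stream name `Event`, the `@RSAAlert` annotation and the meta key names `device_type` and `alert` are assumed to match the ESA schema, and the two string values are the constructed placeholders from the post. The point it shows is the case-sensitivity trap: the second condition lowercases the meta value before comparing, so "hips alert" and "HIPS alert" both match, while the first (commented) form only matches the exact string.

```sql
-- Added example (assumed ESA/Esper EPL, not from the post):
-- exact comparison, case-sensitive -- 'HIPS alert' would NOT match:
--   alert = 'hips alert'
-- normalized comparison -- both 'hips alert' and 'HIPS alert' match:
@RSAAlert
SELECT *
FROM Event(
    device_type = 'av device type'            -- constructed placeholder value
    AND alert.toLowerCase() = 'hips alert'    -- normalize case before matching
);
```

After saving, deploy the rule to the ESA service and confirm it appears as enabled on that service; a rule that is saved but not deployed, or deployed before the application rule populating `alert` was syncing, will also produce "nothing", which is worth ruling out before assuming the condition itself is wrong.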