Seeking the knowledge of the ESA gurus

Question asked by skdixon1 on Aug 25, 2015
Latest reply on Aug 26, 2015 by skdixon1

I am having some challenges (the nicest way to say it publicly) with ESA and thought it was time to ask the gurus and experts here.

I have created a total of 2 successful rules (basic rules mind you).

  • device_type is "AV device type"/"network based malware detection device type"
  • alert is meta1 (both rules fire with this same alert condition)

So, I try to configure an ESA alert for HIPS (same vendor as AV). I am unsuccessful at this.

Round 2, seemingly brilliant idea is born: follow the same logic as the current two working rules (device_type is and alert is..). It worked for the two successfully, right?

(Wrong btw)

I create an application rule to alert on the Alert meta, rule name "HIPS event".
I let this soak for a while, and I can run a query in Investigation and under the Alert meta I can see "hips event" (don't get me started on the case sensitivity issue). Ok, great. I'm on my way to saying "I have created 3 successful ESA alerts".

So I got from Mr. AV Vendor's website a file I can run similar to the EICAR file to test the HIPS functionality. I create the new HIPS ESA rule:

  • device_type is "AV device type" (HIPS events come in under this same device_type)
  • alert is "hips alert"

Run test file.

Nothing

It took me a while to realize "hips alert" and "HIPS alert" in the eyes of ESA are two different things. So, I discover this last night thinking I have truly discovered the ultimate secret and resolution to my headaches.

I make the change... I sync the change.

Same. result.

Nothing. (ESA alert, but the application rule created the desired alert name successfully "working as designed")

So.... what am I doing wrong?
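The matching behaviour the post runs into (a rule condition that is an exact, case-sensitive string compare against the alert meta) can be reproduced and diagnosed on constructed events. The following is an added example, not RSA/NetWitness code: it models a rule as a set of meta conditions, evaluates it two ways (exact and case-folded), and reports which events a rule misses only because of letter case. Whether the product's rule builder itself offers a case-insensitive operator is not established by this thread, so the case-folded rule is a model of the desired comparison, not the product's own syntax. The event values below are constructed from the meta names used in the post.

```python
# Added example (not RSA/NetWitness code): a small model of how an ESA-style rule
# compares event meta against its conditions, so the case mismatch described in the
# post can be reproduced and diagnosed on constructed events.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    conditions: dict              # meta key -> expected string value
    case_sensitive: bool = True   # exact compare, as the post observes ESA doing


def matches(rule: Rule, event: dict) -> bool:
    """True when every condition of the rule is satisfied by the event's meta."""
    for key, expected in rule.conditions.items():
        actual = event.get(key)
        if actual is None:                      # meta key never populated on this event
            return False
        if rule.case_sensitive:
            if actual != expected:
                return False
        elif actual.casefold() != expected.casefold():
            return False
    return True


def evaluate(rules, events):
    """Map each rule name to the indices of the events it would fire on."""
    return {r.name: [i for i, e in enumerate(events) if matches(r, e)] for r in rules}


def case_only_misses(rule: Rule, events):
    """Indices of events the rule misses solely because of letter case.

    A non-empty result is the diagnostic for the situation in the post: the
    application rule wrote the alert meta, but not in the spelling the ESA rule
    compares against.
    """
    exact = Rule(rule.name, rule.conditions, case_sensitive=True)
    folded = Rule(rule.name, rule.conditions, case_sensitive=False)
    return [i for i, e in enumerate(events)
            if matches(folded, e) and not matches(exact, e)]


# Constructed events standing in for what the application rule writes into the alert meta.
EVENTS = [
    {"device_type": "AV device type", "alert": "meta1"},
    {"device_type": "AV device type", "alert": "HIPS alert"},   # mixed case from the app rule
    {"device_type": "network based malware detection device type", "alert": "meta1"},
    {"device_type": "AV device type", "alert": "hips alert"},   # lower case as the ESA rule expects
    {"device_type": "AV device type"},                          # alert meta never populated
]

RULES = [
    Rule("AV rule", {"device_type": "AV device type", "alert": "meta1"}),
    Rule("HIPS rule (exact)", {"device_type": "AV device type", "alert": "hips alert"}),
    Rule("HIPS rule (case-folded)",
         {"device_type": "AV device type", "alert": "hips alert"}, case_sensitive=False),
]

if __name__ == "__main__":
    for name, hits in evaluate(RULES, EVENTS).items():
        print(f"{name:24s} fires on events {hits}")
    print("exact HIPS rule misses only because of case:", case_only_misses(RULES[1], EVENTS))
```

Running the script shows the exact HIPS rule firing on the lower-case event only, the case-folded rule firing on both spellings, and event 1 flagged as a case-only miss; the event with no alert meta at all matches nothing under either comparison, which is the other thing to rule out when a rule stays silent after a sync: check in Investigation that the meta key the rule names is actually present on the test events, not just that a similar-looking value exists.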