RSA enVision 4.1 Administrator’s Guide

Contact Information

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks

RSA, the RSA Logo, RSA enVision, RSA Event Explorer and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Portions of this application include technology used under license from Visual Mining, Inc. 2000 - 2010.

Portions of this application include iAnywhere technology, 2001 - 2010.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2011 EMC Corporation. All Rights Reserved. Published in the USA. September 2011

Contents

Preface................................................................................................................................... 9

About This Guide................................................................................................................ 9

RSA enVision Documentation............................................................................................ 9

Related Documentation..................................................................................................... 10

Support and Service .......................................................................................................... 10

Before You Call Customer Support............................................................................11

Chapter 1: RSA enVision Administration Basics ..................................... 13

RSA enVision Overview................................................................................................... 13

RSA enVision Administrators .......................................................................................... 13

System Requirements........................................................................................................ 14

Set Up Your Browser ........................................................................................................ 15

Log On to RSA enVision .................................................................................................. 15

Log Off of RSA enVision ................................................................................................. 16

Access RSA enVision Help .............................................................................................. 16

Starting or Stopping NIC Services.................................................................................... 16

Start or Stop a Service from the Manage Services Window...................................... 17

Start or Stop a Service from the Windows Services Dialog Box .............................. 17

Chapter 2: Setting Up RSA enVision ................................................................ 19

Before You Begin ............................................................................................................. 19

Performing Required Setup Tasks .................................................................................... 20

Performing Optional Setup Tasks ..................................................................................... 21

Chapter 3: Managing Users and System Access ..................................... 23

User Management and Access Permissions...................................................................... 23

Users .......................................................................................................................... 23

User Groups ............................................................................................................... 23

User Permissions........................................................................................................ 24

User Authentication ................................................................................................... 24

Managing Users ................................................................................................................ 25

Set Up Password Strength Rules ............................................................................... 25

Add Users .................................................................................................................. 26

Modify Users ............................................................................................................. 27

Delete Users ............................................................................................................... 28

Managing User Groups ..................................................................................................... 28

Add User Groups ....................................................................................................... 28

Modify User Groups .................................................................................................. 28

Delete User Groups.................................................................................................... 29

Managing Access Permissions.......................................................................................... 29

Modify Site Login Permissions ................................................................................. 29

Device Access Filters and Permissions ..................................................................... 29

Module and Tool Permissions ................................................................................... 30


Report and Report Folder Permissions ...................................................................... 30

RSA enVision Event Explorer Permissions............................................................... 30

Chapter 4: Managing Event Collection ........................................................... 31

Event Collection................................................................................................................ 31

Event Sources ............................................................................................................ 31

Device Discovery....................................................................................................... 31

Device-Specific Services ........................................................................................... 32

Device Group Filters.................................................................................................. 33

Monitored Devices Management ...................................................................................... 33

Modify the NIC Collector Service............................................................................. 33

Modify Monitored Devices........................................................................................ 34

Modify Multiple Monitored Devices ......................................................................... 34

Delete Monitored Devices ......................................................................................... 35

Analysis For Monitored Devices ............................................................................... 35

Device Group Filters Management Tasks ................................................................. 36

Event Collection by Remote Collectors............................................................................ 38

Data Forwarding ........................................................................................................ 38

Event Collection from Unsupported Event Sources ......................................................... 39

Chapter 5: Managing Alerting ............................................................................... 41

Alerts ................................................................................................................................. 41

Alerts Module ............................................................................................................ 42

Alerts Configuration ......................................................................................................... 42

Views ......................................................................................................................... 44

Thresholds and Filters................................................................................................ 45

Cache Variables ......................................................................................................... 52

Alert Suppression....................................................................................................... 53

Correlation Class........................................................................................................ 53

Watchlists .................................................................................................................. 54

Multithreading for a Correlation Rule ....................................................................... 54

Output Actions ........................................................................................................... 55

Alerts Monitoring ...................................................................................................... 58

Create Simple Alerts ......................................................................................................... 58

Create Correlated Alerts.................................................................................................... 63

Correlation Rules Management Tasks .............................................................................. 68

Download System-Defined Correlation Rules .......................................................... 68

Add Correlation Class................................................................................................ 68

Modify Correlation Class........................................................................................... 69

Delete Correlation Class ............................................................................................ 69

Modify Correlation Rules .......................................................................................... 69

Delete Correlation Rules............................................................................................ 70

Import Correlation Rules ........................................................................................... 70

Export Correlation Rules ........................................................................................... 70

Output Actions Management Tasks .................................................................................. 71


Add Output Actions ................................................................................................... 71

Modify Output Actions .............................................................................................. 71

Delete Output Actions ............................................................................................... 72

Escalate Tasks To RSA enVision Event Explorer..................................................... 72

Views Management Tasks ................................................................................................ 72

Modify Views ............................................................................................................ 72

Delete Views.............................................................................................................. 73

Export Views ............................................................................................................. 73

Import Views ............................................................................................................. 73

Starting, Stopping, and Restarting Views.................................................................. 74

Start, Stop, and Restart Views ................................................................................... 75

Enable or Disable Views............................................................................................ 75

Watchlists Management Tasks.......................................................................................... 75

Add Watchlists........................................................................................................... 75

Modify Watchlists...................................................................................................... 76

Delete Watchlists ....................................................................................................... 77

Export Watchlists....................................................................................................... 77

Import Watchlists....................................................................................................... 78

Chapter 6: Managing Reporting .......................................................................... 79

Reports .............................................................................................................................. 79

Reports Module.......................................................................................................... 79

Standard Reports ............................................................................................................... 80

Report Permissions .................................................................................................... 81

Report Data ................................................................................................................ 81

Report Results Folders............................................................................................... 83

Report Results Folders Management Tasks...................................................................... 83

Add Report Results Folders ....................................................................................... 83

Modify Report Results Folders.................................................................................. 83

Delete Report Results Folders ................................................................................... 84

Reports Management ........................................................................................................ 84

Create Reports............................................................................................................ 84

Modify Reports .......................................................................................................... 91

Move a Report ........................................................................................................... 97

Run Ad Hoc Reports.................................................................................................. 98

Report Definition Folders ............................................................................................... 100

Create Report Definition Folders............................................................................. 100

Scheduled Reports........................................................................................................... 100

Schedule Reports ..................................................................................................... 101

Display Generated Scheduled Reports .................................................................... 104

Archive Scheduled Reports ..................................................................................... 105

Delete Scheduled Reports ........................................................................................ 106

Chapter 7: Managing the Dashboard ............................................................. 109

Dashboard ....................................................................................................................... 109


Events and Alerts ......................................................................................................110

Dashboard Reports....................................................................................................110

Dashboard Standard Reports ....................................................................................111

Dashboard Options ...................................................................................................111

Dashboard Permissions.............................................................................................112

Select Dashboard Reports .........................................................................................112

Creating and Maintaining Dashboard Reports.................................................................112

Custom Dashboard Reports ......................................................................................112

Create a Tabular Report ............................................................................................113

Modify Dashboard Report ........................................................................................117

Delete Dashboard Report..........................................................................................118

Chapter 8: Managing Event Export ................................................................. 121

Event Export ................................................................................................................... 121

Event Export Configuration ............................................................................................ 121

Event Export Management.............................................................................................. 122

Event Export Configuration in the Interactive Mode...................................................... 122

Open the Configuration Utility in the Interactive Mode.......................................... 122

Create Event Export Jobs......................................................................................... 122

Edit Event Export Jobs ............................................................................................ 124

Delete Event Export Jobs......................................................................................... 125

View a List of Event Export Jobs ............................................................................ 125

View the Details of an Event Export Job................................................................. 126

Exit the Configuration Utility .................................................................................. 126

Time Formats ........................................................................................................... 126

Event Export Configuration in Command Line Mode.................................................... 127

Event Export Job Management Tasks in the Command Line Mode .............................. 127

Source Profiles Management Tasks......................................................................... 127

Create Source Profiles ............................................................................................. 128

Edit Source Profiles ................................................................................................. 128

Delete Source Profiles ............................................................................................. 128

View a List of Source Profiles ................................................................................. 129

View the Details of a Source Profile ....................................................................... 129

Source Profile Command Parameters and Options.................................................. 129

Destination Profiles Management Tasks ................................................................. 133

Create Destination Profiles ...................................................................................... 133

Edit Destination Profiles .......................................................................................... 135

Delete Destination Profiles ...................................................................................... 135

View a List of Destination Profiles.......................................................................... 136

View Details of Destination Profiles ....................................................................... 136

Event Export Job Schedule Management Tasks...................................................... 136

Create Event Export Job Schedules ......................................................................... 136

Edit Event Export Job Schedules............................................................................. 136

Delete Event Export Job Schedules ......................................................................... 137

View a List of Event Export Job Schedules ............................................................ 137


View the Details of an Event Export Job Schedule ................................................. 137

Event Export Job Schedule Command Parameters and Options ............................. 137

Event Export Jobs Management Tasks ........................................................................... 139

Stop Scheduled Event Export Jobs .......................................................................... 139

Pause Scheduled Event Export Jobs ........................................................................ 139

Resume Paused Event Export Jobs .......................................................................... 139

View the Status of Scheduled Event Export Jobs.................................................... 140

Start or Stop the NIC EDI Service........................................................................... 140

Status Monitoring of Scheduled Event Exports .............................................................. 140

Status of Event Export Jobs ..................................................................................... 140

Set Up NIC EDI Server Logging in a Multiple Appliance Site............................... 140

Status of the NIC EDI Server .................................................................................. 141

Event Export Files........................................................................................................... 141

Share Event Export Files................................................................................................. 142

Chapter 9: Maintaining RSA enVision ........................................................... 145

RSA enVision Maintenance Tasks ................................................................................. 145

Daily and Weekly Maintenance Tasks............................................................................ 146

Monitoring System Errors ....................................................................................... 146

Monitor System Errors Using Events ...................................................................... 150

Monitoring System Usage ....................................................................................... 150

Review Audit Reports.............................................................................................. 151

Monitor the Dashboard ............................................................................................ 153

EPS Rate .................................................................................................................. 154

Monitor the EPS Rate .............................................................................................. 154

Review Data Storage Options.................................................................................. 155

Drive Rotation Options and Drive Status ................................................................ 156

Review Drive Status ................................................................................................ 157

Monthly Maintenance Tasks ........................................................................................... 158

Reviewing Monitored Event Sources ...................................................................... 159

Users and System Access ........................................................................................ 160

Reviewing Users, User Groups, and User Permissions ........................................... 161

Reviewing Views..................................................................................................... 163

Quarterly Maintenance Tasks ......................................................................................... 169

Archive Event Data.................................................................................................. 169

Service Pack Installation.......................................................................................... 170

Yearly Maintenance Tasks.............................................................................................. 170

Maintenance Contract Renewal ............................................................................... 170

Professional Services RSA enVision Healthcheck.................................................. 171

Ongoing RSA enVision Updates .................................................................................... 171

New Releases ........................................................................................................... 172

Event Source Updates .............................................................................................. 172

VAM and IDS Signature Updates ........................................................................... 172

Operating System Security Updates ........................................................................ 173

Data Backup............................................................................................................. 173


Appendix A: Best Practices ................................................................................. 175

Best Practices for Using RSA enVision.......................................................................... 175

Best Practices for Alerting .............................................................................................. 175

Best Practices for Correlation Rules ........................................................................ 176

Best Practices for Views .......................................................................................... 178

Best Practices for Compliance ........................................................................................ 185

Best Practices for Reporting ........................................................................................... 185

Speeding Up Report Generation .............................................................................. 185

Improving Report Quality........................................................................................ 187

Tips for Easier Use .................................................................................................. 188

Localizing Report Headings .................................................................................... 188

Best Practices for Dashboard .......................................................................................... 189

Best Practices for Event Export ...................................................................................... 189

Appendix B: Troubleshooting ............................................................................ 191

Event Viewer Issues........................................................................................................ 191

Events Do Not Appear in the Event Viewer............................................................ 191

Reporting Issues.............................................................................................................. 192

Reports Do Not Contain Any Data .......................................................................... 192

Queries or Reports Fail ............................................................................................ 192

Finding the Right Database Table ........................................................................... 193

Other Reporting Issues............................................................................................. 193

Event Export Issues......................................................................................................... 194

Unable to View the Job Status ................................................................................. 195

Web Server Issues........................................................................................................... 195

Unable to Log On to the Web Server UI ................................................................. 195

Glossary ........................................................................................................................... 197

Index ................................................................................................................................... 203


Preface

About This Guide

This guide describes how an RSA enVision platform administrator or user with full administrator permissions can perform the basic tasks to set up and maintain an enVision system. For advanced tasks and detailed information, see the enVision Help.

RSA enVision Documentation

For information about the RSA enVision platform, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.

Overview Guide. Provides an introduction to RSA enVision platform features and capabilities.

Hardware Setup and Maintenance Guide. Provides instructions on setting up and maintaining RSA enVision appliances. Intended audience is the system administrator.

Configuration Guide. Provides instructions on configuring an RSA enVision site. Intended audience is the system administrator.

Migration Guide. Provides instructions on migrating data from a previous version of the RSA enVision platform to the current version.

Virtual Deployment Guide. Provides instructions on installing an RSA enVision single appliance site or Remote Collector on a virtual infrastructure.

Administrator’s Guide. Provides instructions on the basic setup and maintenance of the RSA enVision platform. Includes instructions for the most common administrator tasks.

User’s Guide. Provides information that helps users to get started using the RSA enVision platform. Includes instructions for the most common user tasks.

Backup and Recovery Guide. Provides instructions on backing up an RSA enVision system and recovering from a hardware failure.

Security Configuration Guide. Provides an overview of security configuration settings in the RSA enVision platform.

Universal Device Support Guide. Describes how to add log collection and analysis support for event sources that the RSA enVision platform does not support.

RSA enVision Help. Provides comprehensive instructions on setting up RSA enVision processing options and using RSA enVision analysis tools.


RSA continues to assess and improve the documentation. Check RSA SecurCare Online for the latest documentation.

Related Documentation

For information about the RSA enVision Event Explorer module, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.

Installation Guide. Provides instructions on installing the RSA enVision Event Explorer module on your client machine in separate guides for Microsoft Windows and Apple Macintosh operating systems. Intended audience is the end user.

RSA enVision Event Explorer Help. Provides comprehensive instructions on setting up and using the RSA enVision Event Explorer module.

For information about the RSA enVision EventSource Integrator, see the following documentation:

Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.

Overview Guide. Provides an introduction to RSA enVision EventSource Integrator features and capabilities.

RSA enVision EventSource Integrator Help. Provides comprehensive instructions on using RSA enVision Event Source Integrator.

Support and Service

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. SecurCare Online also offers information on new releases, important technical news, and software downloads.

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.rsa.com/support

RSA Secured Partner Solutions Directory www.rsasecured.com


Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision software.

Please have the following information available when you call:

• One of the following:

– On a 60-series appliance, the serial number of the appliance. You can find the seven-character serial number on the chassis tag on the back of the appliance, or open a Dell OpenManage Server Administrator session, and click System > Properties > Summary to find the serial number in the chassis service tag field.

– On a virtual appliance, the serial number of the RSA enVision software. Open the C:\WINDOWS\system32\drivers\etc\Nie-oe.dat file, and locate the line that begins with “S/N=”.

• RSA enVision software version number.

• The name and version of the operating system under which the problem occurs.

• On a virtual appliance, the VMware ESX or ESXi server details.


1 RSA enVision Administration Basics

• RSA enVision Overview

• RSA enVision Administrators

• System Requirements

• Set Up Your Browser

• Log On to RSA enVision

• Log Off of RSA enVision

• Access RSA enVision Help

• Starting or Stopping NIC Services

RSA enVision Overview

The RSA enVision platform is a security information and event management (SIEM) solution. It collects log messages, and vulnerability and asset data from the entire IT network, applies logic to the data, and provides actionable information in the form of reports and real-time alerts.

RSA enVision transforms the raw, unrelated security and network events into meaningful intelligence that:

• Reduces demand on IT staff

• Increases security personnel effectiveness

• Provides ongoing support for compliance regulations

The RSA enVision Internet Protocol Database (IPDB) provides the architecture to automatically collect and protect data from network devices and event sources, without filtering. RSA enVision independently monitors network and security events to generate alerts for possible security and compliance breaches, and analyze and report on network performance.

RSA enVision Administrators

RSA enVision administrators have full administrative permissions for configuring the enVision system and managing users. Multiple administrators can be logged on to enVision at one time, with the number of concurrent administrator logons limited by the product license.


Depending on the nature and size of an organization, people with varying responsibilities may be assigned the role of administrator, for example:

• System administrators and network operators who plan and implement deployments

• Experienced security analysts who are knowledgeable about incident management

• Security engineers or security architects who define the rules enVision uses to notify personnel about possible incidents

System Requirements

The following table lists the hardware and software requirements for running the RSA enVision client software.

Note: If you upgrade to JDK 1.6.20 on the enVision appliance, you must manually upgrade the client JRE to match the version on the appliance.

Note: If you use Mozilla Firefox 2.0, you cannot view the Enterprise Dashboard tool.

Windows client requirements:

• Operating system: Microsoft Windows 2003 Server Standard Edition (64-bit version) or Microsoft Windows 2003 Server Enterprise Edition (64-bit version)

• Browser: Microsoft Internet Explorer 7 or 8, or Mozilla Firefox 2.0

• Java plug-in: JRE 1.5.13

• Processor: Minimum P3 1 GHz, P4 1.8 GHz, or Athlon 1800+

• RAM: Minimum 512 MB

• Network: Minimum 100baseTX

• Display resolution: Minimum 1024x768 at 16-bit color

Macintosh client requirements:

• Operating system: OS X 10.4.6

• Browser: Mozilla Firefox 2.0

• Java plug-in: JRE 1.5.13

• Processor: Minimum G5

• RAM: Minimum 1 GB

• Network: Minimum 100baseTX

• Display resolution: Minimum 1024x768 at 16-bit color


Set Up Your Browser

Pop-up blockers, ad banner blockers, and personal firewalls can interfere with the proper launching of enVision on your browser, especially at first logon.

You must do the following tasks to set up your browser.

• Set up the blockers to allow enVision to operate normally, or disable them.

• Configure personal firewalls to allow connections between the enVision client and appliance.

• Enable animation for web pages in your browser.

To enable animation in Microsoft Internet Explorer:

1. In the browser, click Tools > Internet Options.

2. On the Advanced tab, scroll to Multimedia.

3. Select Play animations in web pages.

4. Click OK.

5. Restart the browser.

Log On to RSA enVision

Note: If you use a web browser such as Internet Explorer to access RSA enVision from the appliance itself, you may see a number of warning messages. RSA recommends that you access RSA enVision only from a client machine.

To log on to enVision:

1. Open your web browser.

2. In the Address field, type:

protocol://address:port

where:

• protocol is http or https. For more information on protocols, see the Help topic “Communication Protocols.”

• address is the machine name or IP address of the appliance on which the system is installed. For multiple appliance sites, this is the Application Server (A-SRV).

• port is the port through which you access enVision. For example, type http://sunshine:8080 or https://10.10.30.140:8443.

3. Press ENTER.

4. Enter your user name and password.

5. Click Log In.


Log Off of RSA enVision

To log off of the user interface:

Click Log Out at the bottom left-hand side of the window.

RSA enVision closes all the open windows and the login page is displayed. However, all NIC services and processes continue to run without any interruption.

Access RSA enVision Help

The Help contains all of the information that you need to set up and use enVision. Help topics contain hyperlinks to other Help topics, pop-up boxes, external web sites, or e-mail addresses.

To access Help:

Do one of the following:

• To access the Help table of contents, click Overview > Best Practices > Help.

• To access Help for the current window, click the Help icon at the top of the window.

From within Help, you can search for keywords by clicking Search in the left-hand pane or print a Help topic by clicking Print on the toolbar.

Starting or Stopping NIC Services

The NIC services are started automatically on installation. For more information on the different NIC services, see the Help topic “NIC Services.”

You can start or stop services as follows:

• Start or stop the NIC Service Manager Service to start or stop all other services except the database services. You must start or stop the NIC Service Manager Service from the Windows Services dialog box.

• You can start or stop one service at a time from the Windows Services dialog box.

• You can start or stop one or more services at a time from the Manage Services window. However, you cannot start or stop the following services from the Manage Services window:

– NIC Web Server Service

– NIC DB Replication Client Service

– NIC DB Replication Server Service

– NIC DB Server Service

– NIC DB Report Server Service

– NIC Front Panel Menu Driver Service

You must start the services listed above from the Windows Services dialog box.

Start or Stop a Service from the Manage Services Window

To start or stop a service:

1. Click Overview > System Configuration > Services > Manage Services.

2. Select the Start/Stop Service checkbox next to the service, and click Apply.

3. Click Refresh to refresh the menu and display the latest statuses for the services.

Start or Stop a Service from the Windows Services Dialog Box

To start or stop a service:

1. Connect to the appliance on which the NIC Server Service is running.

2. Click Start > Settings > Control Panel > Administrative Tools > Services.

3. Right-click the service that you want to start or stop.

4. Depending on which you want to do, click Start or Stop. When you stop a service, if you are prompted to stop dependent services, click Yes. For example, when you stop the NIC Web Server Service, if the NIC Alerter Service is running, you are prompted to stop the dependent service.

Note: Some services may take longer to stop than others, because tasks need to be completed before the service is stopped.


2 Setting Up RSA enVision

• Before You Begin

• Performing Required Setup Tasks

• Performing Optional Setup Tasks

Before You Begin

Before you begin setting up RSA enVision, you must ensure that you configure the appliance and event sources as follows:

1. Set up enVision appliances. For more information, see the Hardware Setup and Maintenance Guide.

2. Configure the appliances and sites using the RSA enVision Configuration Wizard. For more information, see the Configuration Guide.

3. After you configure the appliances, if needed, modify the site communication information in the Set Up Site Communication window. For instructions, see the following topic, “Modify Site Communication.”

4. Configure the event sources to be monitored. For more information, see the Help topic “Supported Devices (Event Sources).”

Modify Site Communication

To modify the site communication:

1. Click Overview > System Configuration > Services > Set Up Site Communication.

2. Modify the site communication information for any node as follows.

• External IP. Enter the D-SRV external IP address.

• External Port. Enter the D-SRV external port number.

• Internal IP. Enter the D-SRV internal IP address.

• Internal Port. The default port is 2010. If you are using the default port for another purpose, enter the D-SRV internal port number.


3. Click Apply.

Important: If you make any changes to the information on this window, you must restart the NIC Locator Service, the NIC Server Service, and the NIC Web Server Service. The system propagates these changes to the other sites. For more information on the services, see the Help topic “NIC Service Manager.”

Performing Required Setup Tasks

Before setting up your system, you should plan how to set up the system to accomplish your security goals, policies, and requirements. You can contact RSA Professional Services for assistance in setting up the system.

You must perform the required tasks to set up RSA enVision to collect, report, and alert on events from supported event sources as follows:

1. Set up enVision to collect events from:

• Supported event sources

• Unsupported event sources

• Remote Collectors

For detailed information, see the Help topic “Set Up Event Collection.”

2. Set up system access permissions as follows:

a. Set up users

b. Set up user groups

c. Assign permissions to users and user groups

For detailed information, see the Help topic “Set Up Access Permissions.”

3. Set up alerting as follows:

a. Set up simple alerts

b. Set up correlated alerts

c. Set up views

d. Set up output actions

e. Set up alert monitoring using Alerter Module tools

For detailed information, see the Help topic “Set Up Alerting.”

4. Set up reporting. For detailed information, see the Help topic “Schedule Reports.”


5. Set up your dashboard to view:

• Real-time and alert history details

• Reports

For detailed information, see “Managing the Dashboard” on page 109.

6. Set up vulnerability and asset management for asset collection, alerting, and reporting. For detailed information, see the Help topic “Set Up Vulnerability and Asset Management.”

Performing Optional Setup Tasks

You can perform the following tasks to set up additional features or processing options:

1. Set up data storage as follows:

• Change default output directories.

• Set up directories and disk usage.

• Change event storage locations.

For more information, see the Help topic “Set Up Data Storage.”

2. Set up data processing options as follows:

• Set up DNS resolution

• Set up DHCP processing

For more information, see the Help topic “Set Up Data Processing Options.” RSA recommends that you perform this task.

3. Set up message handling as follows:

• Set up message categories

• Set up messages

• Set up message variables

For more information, see the Help topic “Set Up Message Handling.”

4. Set up customized reporting. For more information, see the Help topic “Set Up Customized Reporting.”

5. Set up processing and display options for the following:

• System Performance tool

• Query tool

• Reports module

For more information, see the Help topic “Set Up Tool Display Options.”

6. Set up enVision to export raw and parsed events. For more information, see the Help topic “Set Up Event Export.”


3 Managing Users and System Access

• User Management and Access Permissions

• Managing Users

• Managing User Groups

• Managing Access Permissions

User Management and Access Permissions

RSA enVision relies on user identities and access permissions to control access to system capabilities. You assign each user a logon name (user identity). You can set up permissions for that identity or assign the identity to a user group from which the user inherits permissions.

Users

You must set up each user in enVision. A user role is based on permissions that you set for the user and for the user group to which you assign the user.

User Groups

A user group is a set of users. There are five system-defined user groups. You cannot change the permissions of these user groups. The following table describes the permissions of the system-defined user groups.

administrators. All functions. Full administrative privileges. Multiple administrators can be logged on to RSA enVision at one time. The limit is based on the product license.

report-administrators. Add, copy, modify, delete, and schedule reports in the Reports module.

report-users. Run ad hoc reports in the Reports module.

all-applications-users. Access and use all modules (with the exception of the Configuration tools in each module) and run all reports in the Reports module on an ad hoc basis. This group cannot add, schedule, copy, modify, or delete reports.

task-dispatchers. Export Task Triage incidents to RSA enVision Event Explorer. RSA enVision initially assigns all task triage incidents created by the Alerter to the task-dispatchers user group. This group only has permission to export data to Event Explorer.


You can add your own user groups. You set up access permissions (site login, device access, applications, and reports) for each user group that you add. For more information, see “User Permissions.”

A user can belong to more than one user group. The user role is determined by the group or groups to which the user belongs. You can override group permissions for individual users. If you have not granted or denied individual user access permissions using an override, the user can access all the tools and resources defined by the full set of permissions of the groups to which the user belongs.

When you add a user, the system automatically adds the user to the all-applications-users group. To restrict the permissions of the user, delete the user from the all-applications-users group, and assign the user to another user group.

User Permissions

You can set the user access permissions for each user or user group. If you assign a user to a user group, the user inherits the permissions of that group. You can override permissions that you set for a user group for individual users who belong to the group.

You can set the access permissions on the Add/Modify User and Add/Modify Group windows. You can also set the following access permissions for users and groups (with the exception of the administrator user and the system-defined groups) on feature-specific windows:

• Modules and tools on the Manage Module and Tool Permissions window

• Reports on the Manage Report Permissions window

• Report folders on the Add/Modify Report Results Folder window

• Device access for each device group filter on the Manage Device Group Filters Access Permissions window

• Site logon on the Manage Site Login Permissions window

• Alert views on the Manage View window

• Dashboard on the Manage Dashboard window

• RSA enVision Event Explorer on the Manage Event Explorer Permissions window

If a user is a member of any user group that has access to the event sources in a device access filter, to a module or tool, or to Event Explorer, that user has access to the event sources in the device access filter, to the module or tool, or to Event Explorer, even if the user is also in another group that does not have access.
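The access rules described in this section (a user's effective permissions are the union of the permissions of every group the user belongs to, access granted by any one group wins, a new user is placed in all-applications-users automatically, and individual permissions can be overridden per user) are modelled in the following added example. This is example code, not RSA enVision's own implementation. The permission identifiers such as "module:Reports" and "device:NIC_ALL", the custom group "soc-tier1", and the grants attached to each group are constructed for illustration; only the system-defined group names and the NIC_ALL filter name come from this guide.

```python
"""Effective-access model for RSA enVision users and groups (added example).

Assumptions (this example's own notation, not enVision's):
  - a permission is a string such as "module:Reports" or "device:NIC_ALL";
  - the administrators group is marked with "*", meaning all functions;
  - per-user overrides map a permission to True (grant) or False (deny).
"""
from dataclasses import dataclass, field

ALL_FUNCTIONS = "*"  # marker used here for the administrators group


@dataclass(frozen=True)
class Group:
    name: str
    grants: frozenset  # permission identifiers granted to members


@dataclass
class User:
    name: str
    groups: list
    # per-user overrides: permission -> True (grant) or False (deny)
    overrides: dict = field(default_factory=dict)


# Constructed sample groups. The first three names are system-defined
# groups in enVision; the grants attached to them here are a simplified
# illustration, and "soc-tier1" is a constructed custom group.
GROUPS = {
    "administrators": Group("administrators", frozenset({ALL_FUNCTIONS})),
    "all-applications-users": Group(
        "all-applications-users",
        frozenset({"module:Alerts", "module:Reports",
                   "module:Event Explorer", "device:NIC_ALL"})),
    "report-users": Group("report-users", frozenset({"module:Reports"})),
    "soc-tier1": Group("soc-tier1",
                       frozenset({"module:Alerts", "device:DMZ-firewalls"})),
}


def add_user(name):
    """A newly added user lands in all-applications-users automatically."""
    return User(name, ["all-applications-users"])


def restrict_user(user, new_group):
    """The guide's recipe for restricting a user: remove the user from
    all-applications-users and assign the user to another group."""
    user.groups = [g for g in user.groups if g != "all-applications-users"]
    if new_group not in user.groups:
        user.groups.append(new_group)
    return user


def effective_permissions(user, groups=GROUPS):
    """Union of every group's grants, then the user's overrides on top."""
    granted = set()
    for gname in user.groups:
        granted |= groups[gname].grants
    for perm, allowed in user.overrides.items():
        if allowed:
            granted.add(perm)
        else:
            granted.discard(perm)
    return granted


def has_access(user, perm, groups=GROUPS):
    """True if any group grants perm (or all functions) after overrides."""
    perms = effective_permissions(user, groups)
    return perm in perms or ALL_FUNCTIONS in perms
```

The point worth checking in a real deployment is the union rule: adding a user to a narrowly scoped group does not take anything away while the user is still in all-applications-users, so restricting a user means removing that membership first, and a deny override is the only way to take a single permission away from a user whose groups grant it.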

User Authentication

When you create a user, you must specify one of the following means of authenticating the user:

enVision. The user name and password are created and authenticated within RSA enVision.

authentication server. The user account exists in an existing domain environment. Only enVision application settings for the user account are stored in enVision. User authentication is performed by the selected server.


RSA enVision supports only Active Directory domains for domain-authenticated accounts.

To use an authentication server, you must first add the host name and IP address of the authentication server to the hosts file in the C:\windows\system32\drivers\etc directory on the appliance.

You add the authentication server to enVision on the Manage Authentication Servers window. For more information on adding an authentication server, see the Help topic “Add Authentication Server.”

If the authentication server is not available, enVision performs local authentication, using the last authenticated password.

Note: If you modify the NIC_System password in the Active Directory, you must also update the Windows Domain User password in enVision. For more information, see the Help topic “Manage Windows Domains Window.”

Managing Users

You can add, modify, or delete users and set up password strength rules.

Set Up Password Strength Rules

RSA recommends that you set up the password strength rules to ensure strong and secure passwords are defined when you add a user. You must set this before you add users. For example, you can require passwords to meet the following criteria:

• Be at least ten characters in length

• Contain at least one upper case letter

• Contain at least one lower case letter

• Contain at least one number

• Contain at least one special character

To set up user password strength rules:

1. Open the login.ini file in the E:\nic\enVision_version\node_name\etc directory.

2. Specify the values for the following parameters.

password.minLengthLowerCase. Minimum number of lowercase alphabetic characters in a password. For example, to require passwords to contain at least one lowercase letter, specify 1.

password.minLengthUpperCase. Minimum number of uppercase alphabetic characters in a password. For example, to require passwords to contain at least one uppercase letter, specify 1.

password.minLengthNonAlphaCharacters. Minimum number of nonalphabetic characters in a password. For example, to require passwords to contain at least one number, specify 1.

password.minLength. Minimum number of characters in a password. For example, to require passwords to contain at least 10 characters, specify 10.

password.minLengthNonAlphanumericCharacters. Minimum number of nonalphanumeric characters in a password. For example, to require passwords to contain at least one special character, specify 1.

3. Save and close the file.

4. Restart the NIC Web Server Service.

Note: If no values are entered in the login.ini file, the default password policy is used. For more information, see the RSA enVision 4.1 Configuration Guide.

Add Users

You can add users by performing one of the following tasks:

• Add a New User. You can add a new user and set up the access permissions for that user.

• Copy an Existing User. You can add a new user by copying an existing user. This allows you to copy all the access permission information from the existing user. You add a unique user ID and user information for the new user.

• Add Multiple Users. You can add multiple users from an authentication server to enVision (bulk add). To use this feature, you must first set up the authentication server.

Add a New User

To add a new user:

1. Click Overview > System Configuration > Users > Manage Users.

2. On the Manage Users window, click Add.

3. Complete the fields in the Add/Modify User window. For more information, see the Help topic “Add/Modify User Window.”

4. Click Apply.
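The following added example shows what the five password parameters from “Set Up Password Strength Rules” mean when applied to a candidate password, in particular the difference between password.minLengthNonAlphaCharacters (digits and special characters both count) and password.minLengthNonAlphanumericCharacters (only special characters count). This is example code written for this page, not RSA enVision's own validator. The sample login.ini content is constructed from the guide's example policy, and the assumption that the parameters appear as plain key=value lines is this example's own.

```python
"""Evaluate a password against password.* rules of the kind set in login.ini.

Added example; not RSA enVision code. Parameter names are the ones the
guide documents; the ini text below is a constructed sample.
"""

# Constructed sample login.ini content matching the example policy above.
SAMPLE_LOGIN_INI = """\
# constructed sample: at least 10 characters, one of each class
password.minLength=10
password.minLengthLowerCase=1
password.minLengthUpperCase=1
password.minLengthNonAlphaCharacters=1
password.minLengthNonAlphanumericCharacters=1
"""


def parse_password_rules(text):
    """Return {parameter: minimum} for password.* key=value lines.

    Blank lines and lines starting with '#' or ';' are ignored, so an
    empty or comment-only file yields {} (no rules).
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("password."):
            rules[key] = int(value)
    return rules


def check_password(pw, rules):
    """Return the names of the rules the password fails (empty = passes)."""
    counts = {
        "password.minLength": len(pw),
        "password.minLengthLowerCase": sum(c.islower() for c in pw),
        "password.minLengthUpperCase": sum(c.isupper() for c in pw),
        # non-alphabetic: digits and special characters both count
        "password.minLengthNonAlphaCharacters": sum(not c.isalpha() for c in pw),
        # non-alphanumeric: only special characters count
        "password.minLengthNonAlphanumericCharacters":
            sum(not c.isalnum() for c in pw),
    }
    # A parameter absent from the file imposes no minimum in this check.
    return [name for name, have in counts.items() if have < rules.get(name, 0)]


if __name__ == "__main__":
    rules = parse_password_rules(SAMPLE_LOGIN_INI)
    for candidate in ("Password123", "Tr0ub4dor&3x"):
        print(candidate, "fails:", check_password(candidate, rules))
```

Note one difference from the appliance's behaviour: when the file sets no values, this checker accepts every password, whereas enVision falls back to its default password policy as the note above states.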


Copy an Existing User

To create a user by copying an existing user:

1. Click Overview > System Configuration > Users > Manage Users.

2. On the Manage Users window, select a user or complete the filter to display the user that you want to copy.

3. In the Select column, select the checkbox next to the user that you want to copy.

4. Click Copy User. RSA enVision displays the Add/Modify User window with the access permissions applied from the user that you copied. For more information, see the Help topic “Add/Modify User Window.”

5. Complete the User Information section of the window, and make any necessary changes to the information in the other sections of the window.

6. Click Apply.

Add Multiple Users

You can add a list of users from an authentication server to RSA enVision.

Before You Begin

Set up the authentication server. For more information, see the Help topic “Add Authentication Server.”

To add multiple users:

1. Click Overview > System Configuration > Users > Manage Users.

2. Click Bulk Add.

3. From the Authentication Server drop-down list, select the authentication server.

4. Complete the filter to display the users that you want to add and click Apply.

5. Enter a valid user name and password for the authentication server.

6. In the Select column, select the checkbox next to each user that you want to add to enVision.

7. Click Apply.

Modify Users

You can modify one or more users at a time.

To modify a user:

1. Click Overview > System Configuration > Users > Manage Users. Complete the filter to display the user that you want to modify and click Apply. For more information, see the Help topic “Use the Users Filter.” To display all users, create the following filter: WHERE user name is LIKE*.

2. In the Select column, select the checkbox next to the user that you want to modify.


3. Click Modify.

4. On the Add/Modify User window, make the necessary changes. For more information, see the Help topic “Add/Modify User Window.”

5. Click Apply.

Delete Users

You can delete one or more users at a time.

To delete a user:

1. Click Overview > System Configuration > Users > Manage Users. Complete the filter to display the users that you want to delete and click Apply. For more information, see the Help topic “Use the Users Filter.” To display all users, create the following filter: WHERE user name is LIKE*.

2. In the Select column, select the checkbox next to the user that you want to delete.

3. Click Delete.

Note: You cannot delete the administrator user with the user ID “administrator.”

Managing User Groups

You can add, modify, or delete a user group.

Add User Groups

To add a user group:

1. Click Overview > System Configuration > Users > Manage Groups.

2. On the Manage Groups window, click Add.

3. On the Add/Modify Group window, enter the user group information. For more information, see the Help topic “Add/Modify Group Window.”

4. Click Apply.

Modify User Groups

To modify a user group:

1. Click Overview > System Configuration > Users > Manage Groups.

2. In the Group Name column, click the name of the group that you want to modify.

3. On the Add/Modify Group window, make the necessary changes. For more information, see the Help topic “Add/Modify Group Window.”

4. Click Apply.


Delete User Groups

You cannot delete the system-defined user groups, namely, administrators, report-administrators, report-users, task-dispatchers, or all-applications-users.

To delete a user group:

1. Click Overview > System Configuration > Users > Manage Groups.

2. In the Delete column, select the checkbox next to the user group that you want to delete.

3. Click Apply.

Managing Access Permissions

You can modify site login permissions; add, modify, or delete device access filters and permissions; or manage module and tool permissions and RSA enVision Event Explorer permissions.

Modify Site Login Permissions

To modify a site login permission:

1. Click Overview > System Configuration > Users > Manage Site Log In Permissions.

2. Click Permissions for the site for which you want to modify the permissions.

3. On the Modify Site Log In Permissions window, specify the details. For more information, see the Help topic “Modify Site Log In Permissions Window.”

4. Click Apply.

Device Access Filters and Permissions

You can set up device access filters, which are used to apply device access permission on a user or user group basis for a device group filter.

Device access filters can be either dynamic or static:

Dynamic filter. Each time that you apply the device access filter, the filter is resolved. Each time that the filter is resolved, the filter may select different event sources.

Static filter. You select specific event sources to include in the device access filter at the time that you create the device access filter. The event sources that are selected do not change.

Device access filters can include both monitored devices and assets, monitored devices only, or assets only.

The NIC_ALL device access filter is a system-supplied filter, which you cannot delete. This filter allows access to all event sources.


You can add, modify, and delete static device access filters and dynamic device access filters. For information and instructions, see the task topics in the Help, as follows.

Module and Tool Permissions

You can manage the module and tool access permissions for each user and user group. For more information on managing permissions, see the Help topics “Add/Modify User Window” and “Add/Modify Group Window.”

For each module or tool, you can view a list of all user groups and users with checkboxes that indicate whether each group or user has access to that module or tool.

Report and Report Folder Permissions

You can manage the report and report folder permissions for each user and user group. For more information on managing report permissions, see “Report Permissions” on page 81 and the Help topics “Add/Modify User Window” and “Add/Modify Group Window.”

RSA enVision Event Explorer Permissions

You must manage the RSA enVision Event Explorer permissions for each user or group. By default, users in the administrators and all-applications-users user groups have full permissions for Event Explorer, with the exception of the incident escalation and incident deletion permissions.

To enable Event Explorer users to view the incidents assigned to the task-dispatchers group under Active Incidents, you must add the users to the task-dispatchers group.

If you do not have a license for Event Explorer, Manage Event Explorer Permissions does not appear in the RSA enVision System Configuration > Users menu.

To enable Event Explorer users to view the Add to Watchlist option when they right-click a cell in a table, you must select Overview/Manage Watchlists under Module/Tool permissions on the Add/Modify User window.

To enable Event Explorer users to view the asset details from a trace view, you must select Overview/Assets under Module/Tool permissions on the Add/Modify User window.

For more information on adding or modifying Event Explorer permissions, see the Help topic “Add/Modify RSA enVision Event Explorer Permissions.”

Task Reference

Add static device access filter: Help topic “Add Static Device Access Filter.”

Add dynamic device access filter: Help topic “Add Dynamic Device Access Filter.”

Modify static device access filter: Help topic “Modify Static Device Access Filter.”

Modify dynamic device access filter: Help topic “Modify Dynamic Device Access Filter.”

Delete device access filters: Help topic “Delete Device Access Filters.”


4 Managing Event Collection

• Event Collection

• Monitored Devices Management

• Event Collection by Remote Collectors

• Event Collection from Unsupported Event Sources

Event Collection

RSA enVision collects, analyzes, and stores logs from event sources throughout an organization’s IT environment. The logs and the descriptive metadata that enVision adds are stored in the LogSmart Internet Protocol Database (IPDB).

Event Sources

Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. The enVision administrator configures event sources to send their logs to the Collector or configures the Collector to poll event sources and retrieve their logs. As a result, the Collector receives all system logs in their original form, without filtering, normalization, or compression. For a complete list of supported event sources, see the Help topic “Supported Devices (Event Sources).”

You must add newly supported event sources or update existing event sources in your enVision installation using the enVision Event Source Updates package. For more information on the Event Source Updates package, see “Event Source Updates” on page 172.

You can also add event sources that are not supported as part of the Event Source Update package. For more information, see “Event Collection from Unsupported Event Sources” on page 39.

Device Discovery

On an ongoing basis, the NIC Collector Service interprets the incoming event data streams to detect new event sources in your network. For more information on the NIC Collector Service, see the Help topic “NIC Collector Service.”


Based on the event data collected, the system displays the detected event sources on the Manage Monitored Devices window with one of the following statuses:

Candidate. The NIC Collector Service collects events from an event source but cannot determine the device type.

Active. The NIC Collector Service collects events and can determine the device type.

If an event source is displayed with Candidate status, first check the license for the appliance to ensure that you have not exceeded the licensed number of event sources, and obtain a valid license if needed. Then check the sample threshold for the collector service. The sample threshold defines how RSA enVision collects a sample of events from an event source; by default, enVision collects up to 25 events in a five-minute period for a sample. You can change the time period or the number of events so that enVision collects a larger sample. If enVision can then identify the device type, the system updates the device type on the Manage Monitored Devices window and displays the status as Active. If enVision cannot determine the device type from the larger sample, contact RSA Customer Support. Do not manually specify the device type and change the status to Active unless Customer Support directs you to do so.

Device-Specific Services

Some event sources use collection services specific to the event source. You must set up the options for these services in enVision. Examples of device-specific services are:

• NIC FW-1 Lea Client Service

• NIC Trapd Service

• NIC File Reader Service

• NIC SDEE Collection Service

• NIC ODBC Service

• NIC Windows Service (for Windows 2003)

• NIC Windows Eventing Collector Service (for Windows 2008)

• NIC VMware Collector Service

For the complete list of device-specific services and instructions to configure the collector services, see the Help topic “NIC Services.”


Device Group Filters

A device group filter acts as selection criteria that you can use to simplify the selection of multiple event sources and assets for data retrieval purposes throughout the system.

For example, if you create a device group filter that selects all the event sources in your Boston area offices, to define a correlation rule that monitors all of those event sources, you can use that device group filter rather than selecting the event sources individually.

Device group filters can be either dynamic or static:

Dynamic filter. Each time that you apply the device group filter, a different group of devices may be selected based on the filter criteria.

Static filter. You select specific event sources to include in the device group at the time that you create the device group filter. The selected devices do not change.

You specify how the filter is used for retrieving event sources by selecting one or both of the following:

• Device access filter for setting permissions. The device group filter is available on the Manage Device Access Filters window, where you can assign users and user groups access permissions for the device group filter. For more information, see the Help topic “Manage Device Access Filters Window.”

• Device Group filter for selecting data by devices. The device group filter is used for event selection. For example, you can assign device group filters to a query to include event sources for that query.

Device group filters can include both monitored devices and assets, monitored devices only, or assets only.

Monitored Devices Management

You can modify the NIC Collector Service, modify or delete monitored devices, and enable analysis of incoming data from the monitored devices.

Note: You can add a monitored device manually. For instructions, see the Help topic “Add Monitored Devices Manually.” RSA recommends using the NIC Collector Service to discover new event sources. RSA does not recommend adding monitored devices manually.

Modify the NIC Collector Service

The NIC Collector Service is configured with default options and starts automatically when you start RSA enVision. You can modify the NIC Collector Service to change default options, such as the port for collection or the data forwarding parameters for a Remote Collector.


To modify the NIC Collector Service:

1. Click Overview > System Configuration > Services > Manage Collector Service.

2. Modify the information as needed. For more information, see the Help topic “Manage Collector Service Window.”

3. Select Restart Collector Services.

4. Click Apply.

Modify Monitored Devices

For each monitored device, you set options. Optionally, you can set up device attributes.

To modify a monitored device:

1. Click Overview > System Configuration > Devices > Manage Monitored Devices. By default, the event sources for the site to which you are logged on are displayed in the Manage Monitored Devices window.

2. Complete the filter to display the event source that you want to modify.

3. In the IP Address column, select the IP address of the event source.

4. Complete the fields in the Add/Modify Device window. For more information, see the Help topic “Add/Modify Monitored Device Window.”

5. Click Apply.

Note: Modifying device information may impact the views. You should either restart the individual views that contain the modified event source or restart the NIC Alerter Service. For instructions on restarting the views, see “Starting, Stopping, and Restarting Views” on page 74.

Modify Multiple Monitored Devices

You can modify the information associated with multiple monitored devices at one time.

To modify multiple monitored devices:

1. Click Overview > System Configuration > Devices > Manage Monitored Devices. By default, the event sources for the site to which you are logged on are displayed in the Manage Monitored Devices window.

2. Complete the filter to display the event sources that you want to modify. For more information on the filter, see the Help topic “Use the Manage Monitored Devices Filter.”

3. In the Select column, select the checkbox next to each event source that you want to modify.


4. Click Modify.

5. On the Add/Modify Device window, enter the information as needed. For more information, see the Help topic “Modify Monitored Devices Window.”

6. Click Apply.

Note: Modifying device information may impact the views. You should either restart the individual views that contain the modified event sources or restart the NIC Alerter Service. For more information, see the Help topic “NIC Alerter Service.” For instructions on restarting the views, see “Starting, Stopping, and Restarting Views” on page 74.

Delete Monitored Devices

When you delete a monitored device, the event source is deleted and all the related data files are moved to the nic\lsnode directory as follows:

• If you have a NAS, the nic\lsnode directory is on vol0, vol1, vol2, or vol3 of the NAS, for example, vol0\nic\lsnode.

• In all other installations, the nic\lsnode directory is on the node where the data is stored, for example, E:\nic\lsnode.

This data is no longer accessible through enVision, but it remains on disk in the nic\lsnode directory. If you want to remove the data, delete it using the Maintenance Utility before you delete the monitored device.

Important: Although the NIC device is listed in the monitored devices list, you must NEVER delete this. Deleting the NIC device will result in issues with the entire enVision installation.

To delete a monitored device:

1. Click Overview > System Configuration > Devices > Manage Monitored Devices.

2. Complete the filter to view the event sources that you want to delete.

3. In the Select column, select the checkbox next to each event source that you want to delete. To delete all the event sources, select the checkbox next to the column heading Select.

4. Click Delete.

Note: Deleting an event source may impact the views. You should either restart the individual views that contain the deleted event source or restart the NIC Alerter Service.

Analysis For Monitored Devices

RSA enVision can analyze the event data that it collects from event sources. You must enable analysis for each monitored event source for which you want enVision to analyze data in the Analysis module, Reports module, and Alerts module.


You can enable analysis on the following windows:

Manage Monitored Devices window. You can select the Analyze option for one or more monitored event sources at one time. For instructions, see the Help topic “Select Analyze for Monitored Devices.”

Add/Modify Monitored Device window. You can select the Analyze option for individual monitored event sources. For instructions, see the Help topic, “Select Analyze for a Monitored Device on the Add/Modify Monitored Device Window.”

Device Group Filters Management Tasks

You can add, modify, or delete device group filters.

Add Device Group Filters

A dynamic device filter resolves the event sources each time that you apply the device group filter. Each time that the filter is resolved, the event sources selected may be different.

To add a dynamic device group filter:

1. Click Overview > System Configuration > Devices > Manage Device Group Filters.

2. Click Add Dynamic.

3. In the Name field, enter the name of the filter.

4. (Optional) In the Description field, enter a description of the filter.

5. If the filter will be used as a device access filter for setting permissions, in the Filter type field, select the checkbox.

Note: If you do not select the device access filter checkbox, the device group filter is used as the filter type.

6. Select Monitored devices, Assets, or both to indicate which to include in the filter.

7. Add the filter entries to the Filter area to define the device group filter as follows:

a. Click Add to create a new entry.

b. From the Attribute drop-down list, select a value.

c. From the Comparison drop-down list, select a value.

d. In the Criteria field, select or enter a value.

e. To add an additional criteria value, click + and select or enter another value. Repeat to add all the additional criteria values.

f. To add another filter entry, click Add and, from the Operator drop-down list, select an operator to connect the filter entries. Go to step b.

8. (Optional) Click Show Devices to display the event sources that currently meet the filter criteria.

9. Click Apply.
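The following Python example is added here as an illustration; it is not enVision code and is not part of the original guide. It models the dynamic and static filters described under “Device Access Filters and Permissions” and “Device Group Filters” and the Attribute / Comparison / Criteria / Operator entries of the procedure above, then applies them as device access filters. The point it makes is one a practitioner should keep in mind: a dynamic filter is re-resolved on every use, so a user assigned it as a device access filter gains access to any newly discovered event source that matches the criteria without anyone touching their permissions, whereas a static filter keeps its original membership. The inventory, attribute values, comparison names, filter names and user names are constructed assumptions for the example.

```python
"""Added example, not enVision code: dynamic versus static device group
filters used as device access filters. The Attribute / Comparison / Criteria /
Operator entries mirror the fields described in this chapter; the inventory,
attribute values, comparison names, filter names and user names are
constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed inventory of monitored devices: IP address -> attributes.
INVENTORY = {
    "10.1.1.10": {"device_type": "Cisco PIX", "location": "Boston"},
    "10.1.1.11": {"device_type": "Windows 2008", "location": "Boston"},
    "10.2.2.20": {"device_type": "Cisco PIX", "location": "Chicago"},
}

# Clicking "+" in the UI adds another criteria value, so criteria is a list
# and "equals" means "equals any of the listed values".
COMPARISONS: dict[str, Callable[[str, list[str]], bool]] = {
    "equals": lambda actual, crit: actual in crit,
    "not equals": lambda actual, crit: actual not in crit,
    "contains": lambda actual, crit: any(c in actual for c in crit),
}


@dataclass
class Entry:
    attribute: str
    comparison: str
    criteria: list[str]
    operator: str = "AND"  # joins this entry to the entries above it


@dataclass
class DynamicFilter:
    name: str
    entries: list[Entry]

    def resolve(self, inventory: dict[str, dict[str, str]]) -> set[str]:
        """Re-evaluated against the inventory on every use, so a newly
        discovered device that matches the criteria is selected at once."""
        selected: set[str] = set()
        for ip, attrs in inventory.items():
            result = True  # no entries selects everything (the NIC_ALL case)
            for i, e in enumerate(self.entries):
                match = COMPARISONS[e.comparison](attrs.get(e.attribute, ""), e.criteria)
                if i == 0:
                    result = match
                elif e.operator == "AND":
                    result = result and match
                else:  # "OR"
                    result = result or match
            if result:
                selected.add(ip)
        return selected


@dataclass
class StaticFilter:
    name: str
    members: frozenset[str]

    def resolve(self, inventory: dict[str, dict[str, str]]) -> set[str]:
        """Membership was fixed when the filter was created; the inventory is ignored."""
        return set(self.members)


# System-supplied filter: no criteria, therefore every event source.
NIC_ALL = DynamicFilter("NIC_ALL", [])
boston_dynamic = DynamicFilter("Boston offices", [Entry("location", "equals", ["Boston"])])
boston_static = StaticFilter("Boston snapshot", frozenset({"10.1.1.10", "10.1.1.11"}))

# Constructed assignment of device access filters to users.
ACCESS = {"boston_ops": [boston_dynamic], "auditor": [boston_static], "admin": [NIC_ALL]}


def permitted_sources(user: str, inventory: dict[str, dict[str, str]]) -> set[str]:
    """Event sources the user may query: the union of the filters assigned to them."""
    allowed: set[str] = set()
    for f in ACCESS[user]:
        allowed |= f.resolve(inventory)
    return allowed


def after_discovery() -> dict[str, dict[str, str]]:
    """Inventory after the NIC Collector Service discovers one more Boston device."""
    updated = dict(INVENTORY)
    updated["10.1.1.12"] = {"device_type": "Windows 2008", "location": "Boston"}
    return updated


if __name__ == "__main__":
    for user in ACCESS:
        before = sorted(permitted_sources(user, INVENTORY))
        after = sorted(permitted_sources(user, after_discovery()))
        print(f"{user:10s} before: {before}  after discovery: {after}")
```

Running the script shows boston_ops picking up 10.1.1.12 as soon as it appears in the inventory, while the auditor's static snapshot does not change. When you mark a dynamic filter as a device access filter (step 5 above), review its criteria as you would a group membership rule: anything that can influence a device attribute (for example, an attribute set during manual device addition) can widen who sees that device's logs.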


Modify Device Group Filters

To modify a device group filter:

1. Click Overview > System Configuration > Devices > Manage Device Group Filters.

2. Select the dynamic device group filter that you want to modify.

3. Make any necessary changes to the Description and Filter type fields. Select or clear Monitored devices and Assets.

4. If you want to modify the existing filter entries, select or enter new values in the fields.

5. If you want to delete existing filter entries, follow these steps:

a. In the Delete column, select the checkbox next to each filter entry that you want to delete.

b. Click Delete.

6. If you want to add new filter entries to the filter, follow these steps:

a. Click Add to create a new entry.

b. From the Attribute drop-down list, select a value.

c. From the Comparison drop-down list, select a value.

d. In the Criteria field, select or enter a value.

e. To add an additional criteria value, click + and select or enter another value. Repeat to add all the additional criteria values.

f. To add another filter entry, click Add and, from the Operator drop-down list, select an operator to connect the filter entries. Go to step b.

7. (Optional) Click Show Devices to display the event sources that currently meet the filter criteria.

8. Click Apply.

Note: Changing a device group filter may impact any correlation rules that you are using in views. You should either restart the individual views that contain correlation rules using the modified device group filter or restart the NIC Alerter Service.

Delete Device Group Filters

To delete the device group filters:

1. Click Overview > System Configuration > Devices > Manage Device Group Filters.

2. Select the checkbox next to each device group filter that you want to delete.

3. Click Apply.


Note: Deleting a device group filter may affect any correlation rules that you are using in views. You should either restart the individual views that contain correlation rules using the deleted device group filter or restart the NIC Alerter Service. For more information on correlation rules and views, see “Alerts Configuration” on page 42 and “Views” on page 44.

Event Collection by Remote Collectors

A Remote Collector (RC) captures incoming events remotely. Each Remote Collector is considered a remote site. Each remote site is associated with a multiple appliance site. You can have up to 16 Remote Collectors per multiple appliance site. You set up the remote site during installation, using the enVision Configuration Wizard. For more information, see the Hardware Setup and Maintenance Guide or Configuration Guide.

Remote Collectors support a store-and-forward technology. On the Remote Collector site, enVision processes alerts in real-time. RSA enVision compresses and encrypts other events and caches them locally until it can forward the events to the master enVision site (by the NIC Forwarder Service) for historical analysis. For more information on the NIC Forwarder Service and services that run on the Remote Collector, see the Help topics “NIC Forwarder Service” and “NIC Services.”

Data Forwarding

The NIC Forwarder Service on the Remote Collector allows you to collect your data on the Remote Collector and then forward the data to the associated enVision site.

You must set up the parameters for the Remote Collector forwarder on the Modify Collector Service window. For more information, see the Help topic “Modify Collector Service Window.”

Schedule the Data Forwarding Task

You can schedule the data forwarding task on the Schedule Task window to specify when the data forwarding task must be performed and how often. By default, the data forwarding task runs every four hours.

To schedule the data forwarding task:

1. Click Overview > System Configuration > Services > Scheduler Service > Schedule Task. RSA enVision displays the Schedule Task window.

2. From the Site/Node drop-down list, select the remote collector. RSA enVision displays the NIC Forwarder Service data forwarding task.

3. To specify when and how often enVision performs the data forwarding task, click Set Recurrence. RSA enVision displays the Set Recurrence window.

4. Complete the window and click Apply. RSA enVision displays the Schedule Task window.


5. Click Schedule. RSA enVision displays the task on the Manage Scheduled Tasks window.

6. Click Apply.

7. If the NIC Scheduler Service is not running, start the NIC Scheduler Service.

Event Collection from Unsupported Event Sources

You can collect events from event sources that are not supported by enVision. You must create an event source XML file for the event source and deploy the event source XML file in enVision to collect and monitor events from the event source.

You can use RSA enVision Event Source Integrator to support new event sources. For more information, see RSA enVision EventSource Integrator 1.2 Overview Guide and RSA enVision EventSource Integrator 1.2 Help.


5 Managing Alerting

• Alerts

• Alerts Configuration

• Create Simple Alerts

• Create Correlated Alerts

• Correlation Rules Management Tasks

• Output Actions Management Tasks

• Views Management Tasks

• Watchlists Management Tasks

Alerts

An alert is a notification that a specific event or set of events, as defined by the enVision administrator, has occurred that requires further investigation. One of the following conditions can generate an alert:

• A single event, such as one reporting an asset malfunction

• A string within an event, such as content that matches a configured list of known spammers

• A specified combination of events within a given time frame, such as a series of logon attempts that suggest a possible denial-of-service attack

RSA enVision analyzes all incoming events and issues an alert immediately when a specified condition is met.


Alerts Module

You access the Alerts module by clicking the Alerts tab. The following figure shows the Alert Configuration menu.

Alerts Configuration

Before you configure the alerts, you must analyze the event sources and any possible threats to the event sources so that you can decide how to set up your system for alerting. You must create views for an alert and specify the conditions in which the alert must be triggered. For more information on views, see “Views” on page 44. For each view, you can specify the output action to notify you when the alert occurs.


You can configure a view for the following alerts:

Simple alerts. Simple alerts include system alerts, which are issued based on the events received from the NIC System device, and event source alerts, which are based on supported event sources and correlation classes. For example, you can set up an alert to monitor user logon failures on all the event sources in your site.

Correlated alerts. A correlated alert is a combination of alerts from various event sources that occur within a specified period of time. For example, you can set up a correlated alert to monitor a virus attack on port 445 of the event sources in your network.

Each correlated alert is set up as a correlation rule. The rule identifies a set of events from a device type and defines a set of specific conditions to be met.

A correlation rule is made up of correlation circuits. A correlation circuit is made up of correlation statements combined using operators. A correlation statement defines a set of events from one or more event sources, based on a set of device types, with a threshold limit, optional statement filters, and cache variable comparisons.

Every correlation rule is associated with a correlation class.
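The following Python example is added here to make the rule / circuit / statement structure concrete; it is not enVision code and does not reproduce how the NIC Alerter Service is implemented. It evaluates a correlation rule made of one circuit whose two statements are combined with AND, each statement having its own device types, message IDs, threshold and optional statement filters, over a constructed event stream within a time window. Cache variable comparisons (which would tie the two statements to the same host) are left out. The device types, message IDs, field names, thresholds and timestamps are assumptions made for the example; the “port 445” scenario follows the text above.

```python
"""Added example, not enVision code: a correlation rule built from circuits
and statements, evaluated over a constructed event stream. Device types,
message IDs, field names and timestamps are assumptions for the example."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Event:
    ts: int                   # seconds on a constructed clock
    device_type: str
    msg_id: str
    fields: dict[str, str]


@dataclass
class Statement:
    """Events from a set of device types and messages, with a threshold and
    optional statement filters. Cache variable comparisons are omitted."""
    device_types: set[str]
    msg_ids: set[str]
    threshold: int = 1
    filters: list[Callable[[Event], bool]] = field(default_factory=list)

    def matches(self, ev: Event) -> bool:
        return (ev.device_type in self.device_types
                and ev.msg_id in self.msg_ids
                and all(f(ev) for f in self.filters))

    def satisfied(self, window: list[Event]) -> bool:
        return sum(1 for ev in window if self.matches(ev)) >= self.threshold


@dataclass
class Circuit:
    statements: list[Statement]
    operator: str = "AND"     # how the statements are combined

    def satisfied(self, window: list[Event]) -> bool:
        results = [s.satisfied(window) for s in self.statements]
        return all(results) if self.operator == "AND" else any(results)


@dataclass
class CorrelationRule:
    name: str
    window_seconds: int
    circuits: list[Circuit]
    message_text: str

    def evaluate(self, events: list[Event]) -> list[int]:
        """Slide a window over the stream and return the timestamps at which
        every circuit is satisfied. After a fire the window is cleared, so one
        burst produces one alert instead of one alert per further event."""
        fired: list[int] = []
        events = sorted(events, key=lambda e: e.ts)
        start = 0
        for i, ev in enumerate(events):
            while events[start].ts <= ev.ts - self.window_seconds:
                start += 1            # drop events that fell out of the window
            window = events[start:i + 1]
            if all(c.satisfied(window) for c in self.circuits):
                fired.append(ev.ts)
                start = i + 1
        return fired


# Statement 1: at least five firewall denies to TCP port 445 (statement filter
# on the port field). Statement 2: one antivirus detection. Both within 60 s.
deny_445 = Statement({"firewall"}, {"deny"}, threshold=5,
                     filters=[lambda e: e.fields.get("dport") == "445"])
av_hit = Statement({"antivirus"}, {"virus_found"})
RULE = CorrelationRule("Port 445 worm activity", 60,
                       [Circuit([deny_445, av_hit], "AND")],
                       "Repeated SMB denies followed by a virus detection")

# Constructed sample stream: five denies to 445, one deny to 80, one AV hit.
SAMPLE = [Event(t, "firewall", "deny", {"src": "10.1.1.50", "dport": "445"})
          for t in (0, 5, 10, 15, 20)]
SAMPLE.append(Event(25, "firewall", "deny", {"src": "10.1.1.50", "dport": "80"}))
SAMPLE.append(Event(30, "antivirus", "virus_found", {"host": "10.1.1.50"}))

if __name__ == "__main__":
    print(RULE.name, "fired at", RULE.evaluate(SAMPLE))
```

With the sample stream the rule fires once, at second 30, when the fifth port-445 deny and the antivirus detection are both inside the window. Remove the antivirus event, or move it outside the 60-second window, and nothing fires: that is the difference between a correlated alert and two independent simple alerts, which would each fire on their own.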

Configure a Simple Alert Task Overview

Following is an overview of the tasks for configuring a simple alert. For detailed instructions on creating a simple alert, see “Create Simple Alerts” on page 58.

To configure a simple alert:

1. Add a view, and specify the details of the view. For more information about views, see “Views” on page 44.

2. Select the event sources on which to alert. By default, RSA enVision displays only the monitored devices that are selected for analysis. You can add additional filters to list the required event sources.

Important: Do not select a correlation class.

3. Select the messages on which to alert. Use the filters to list the required messages.

4. (Optional) Add filters for the alert. Watchlists can be included in the filter. For more information on filters, see “Thresholds and Filters” on page 45.

5. (Optional) Select the alert level to change the default alert level. For more information on alert levels, see the Help topic “Alert Level.”

6. (Optional) Specify the threshold for the alert on the Threshold Definition window. For more information on thresholds, see “Thresholds and Filters” on page 45.

7. (Optional) Configure alert suppression to suppress duplicate alerts. For more information about alert suppression, see “Alert Suppression” on page 53.

8. (Optional) Specify the output action for the alert configuration. For more information on output actions, see “Output Actions” on page 55.


Configure a Correlated Alert Task Overview

Following is an overview of the tasks for configuring a correlated alert. For the complete set of instructions on creating a correlated alert, see “Create Correlated Alerts” on page 63.

To configure a correlated alert:

1. Define a Correlation Rule. Do one of the following:

• Download the correlation rules by installing the Event Source Updates. Go to step 6.

• Add a new correlation rule. When you add a correlation rule, you must specify the event category, alert level, and correlation class. Go to step 2.

2. Add one or more circuits to the rule.

3. Add one or more statements for each circuit. For each statement, do the following:

a. Select the monitored devices on which to alert. Use the search criteria to list the required event sources.

b. Select the messages on which to alert. Use the search criteria to list the required messages.

c. (Optional) Specify the threshold. For more information on thresholds, see “Thresholds and Filters” on page 45.

d. (Optional) Add filters using operators and values. Include watchlists, if required, to define the filter.

e. Select the events to specify the statement filters. For more information on filters and watchlists, see “Thresholds and Filters” on page 45 and “Watchlists” on page 54.

f. (Optional) Specify the cache variables. To add new cache variables, use the Manage Cache Variables option on the Manage Correlation Rules window. For more information on cache variables, see “Cache Variables” on page 52.

4. Set up multithreading for the rule.

5. Add a view for the correlated alert. For more information about views, see “Views” on page 44.

6. Select the correlation class that you specified when you defined the correlated rule.

7. Select the correlation rule.

8. (Optional) Specify alert suppression for the rule to suppress duplicate alerts.

9. (Optional) Select the output action for the alert configuration.

Views

A view defines the event sources, messages, correlation rules, and user-defined criteria for which enVision issues alerts. You create views that specify the conditions—the event sources, events, user-defined criteria, and correlations among criteria—that are worthy of investigation.


When you define a view, you can set up the following:

• Events that can be selected by NIC Category, Alert Level, Alert Category, Event Category, and REGEX Alert categories.

• Correlation class to specify the rules for monitoring and alerting.

• Correlation rules to specify the set of events within a time period and a set of conditions to generate an alert. The correlation rule includes a message ID and message text for the alert.

• Filters and thresholds, such as a percentage increase of activity above the baseline, to rate the severity of the events and focus on those of highest priority.

• Watchlists, which filter events by string, IP address, port, protocol, or regular expressions.

• Output action to specify the action that must be taken on occurrence of the alert, such as, send the alert information to a text file, e-mail the alert information to a user, or create an incident with an attached trace log file containing a list of event messages that fired the alert.

Thresholds and Filters

An event threshold defines the conditions in which the receipt of a specific message constitutes an alert. Thresholds are a part of correlation rules. If you determine that enVision generates unnecessary alerts, you can create thresholds to narrow the alert conditions. For example, you can set a threshold to trigger an alert only after 100 messages occur within an hour after the same user failed to log on from the same machine. Another example is to set a threshold to trigger an alert only when no message is sent after the machine is pinged 60 times.

You can specify the threshold as follows:

• For a specific number of events received within a specified time period.

• If the total number of events received is either greater than or less than either the selected event average or event baseline. See “Threshold Configurations” on page 47 for an explanation of the different threshold configurations with examples.

• In the absence of events being received. If you normally receive a specific message and do not receive it for a user-specified period of time, that situation can constitute an alert. This threshold definition is used only for correlation statements. An alert is fired if the correlation rule receives no events for the specified period. When the period ends, the threshold timer resets and the next time slot begins; if any events arrive during that slot, no alert is fired. For example, if the threshold is defined as “Consider if NO events come within 2 minutes” and no events are received for that rule in the next 2 minutes, an alert is fired.

If you want to consider every event received for a message as an alert, do not set a threshold.


A message filter complements thresholds and checks the received event messages for specific parameters, such as date or time, IP addresses, or message content. Message filters enable enVision to issue an alert only for specific instances of messages. If you determine that enVision generates unnecessary alerts, you can create filters to narrow the alert conditions.

You can add filters to a statement. You can include watchlist values in the filter. For more information on watchlists, see “Watchlists” on page 54.

Threshold Configuration Levels

Thresholds can be configured at two levels:

• Threshold at View Level: Thresholds can be configured at the view level. The incoming messages are checked against the threshold criteria at the view level. If more than one correlated rule is defined inside a single view, you can define a different threshold value for each configured correlated rule.

• Threshold at Correlated Rule Level: Thresholds configured at the correlated rule level apply only to that correlated rule. The incoming messages are checked against the threshold criteria at the rule level. You can have a separate threshold for each statement defined in the correlated rule.


Threshold Configurations

• Minute Average: In the Minute Average criteria, the alerter calculates the average number of events received per minute since the start of the view within which this threshold is configured. If the events received at a particular time satisfy the Minute Average threshold, then the events that crossed the threshold limit are considered for alerting. Consider the following example:

Let the threshold condition be:

“Consider if the count of events Increases 30% from the Minute Average.”

If the view containing the Minute Average threshold is started at 10:30 a.m., the view starts the calculation from 10:30 a.m. Suppose that for the first 5 minutes there are no events, and at 10:35 a.m. the alerter starts receiving events for that view.

At 10:35 a.m.:

Events received: 12

Minute Average: 0 (first set of events received, so the Minute Average is 0)

Threshold: 0 + (0 * 30.00%) = 0.00 (the calculated threshold is also 0)

Number of alerts: 12

Thus all the events received fire an alert.

Number of events received so far: 12

At 10:36 a.m.:

Events received during this minute: 10

Minutes elapsed: 10:36 - 10:30 = 6 minutes

Minute Average: 12 (events received so far) / 6 (minutes elapsed) = 2 events per minute

Threshold: 2 + (2 * 30.00%) = 2.60, rounded up to 3

Number of alerts: 3

Every third message received fires an alert. That is, the third, sixth, and ninth messages received fire an alert.

Number of events received so far: 12 + 10 = 22

At 10:37 a.m.:

Events received during this minute: 15

Minutes elapsed: 10:37 - 10:30 = 7 minutes

Minute Average: 22 (events received so far) / 7 (minutes elapsed) = 3.14 events per minute

Threshold: 3.14 + (3.14 * 30.00%) = 4.09, rounded up to 5 (the threshold is always rounded up to the next whole number)

Number of alerts: 3

5: Managing Alerting 47

Page 48: EnVision Admin Guide

RSA enVision 4.1 Administrator’s Guide

Every fifth event received fires an alert. That is, the 5th, 10th and 15th messages fire an alert.

Total events received so far = 22 + 15 = 37

This process continues until the view is restarted. If the view is restarted, the values are calculated from the beginning.

• Hour Average: For the Hour Average criterion, the alerter calculates the average number of events received per hour since the start of the view in which the threshold is configured. If the events received in a given hour satisfy the Hour Average threshold, the events that cross the threshold are considered for alerting. Consider the following example:

Let the threshold condition be:

"Consider if the count of events increases 30% from the Hour Average."

If the view containing the Hour Average threshold is started at 10:00 a.m., the alerter starts the calculation from 10:00 a.m.

At 10:00 a.m.:

Events received - 30

Hour Average - 0 (first set of events received, therefore the Hour Average is 0)

Threshold - 0 + (0 * 30.00%) = 0.00 (the calculated threshold is also 0)

Number of alerts - 30

Thus all the events received fire an alert.

Number of events received at the end of the first hour = 30

At 11:00 a.m.:

Events received - 100

Hours elapsed since the alerter started = (11:00 - 10:00 = 1 hour)

Hour Average: 30 (number of events received so far) / 1 (hour elapsed) = 30 events per hour

Threshold: 30 + (30 * 30.00%) = 39

Number of alerts = 2

Every 39th message received fires an alert. That is, the 39th and 78th messages received fire an alert.

Number of events received at the end of the second hour = 30 + 100 = 130

At 12:00 p.m.:

Events received - 300

Hours elapsed since the alerter started = (12:00 - 10:00 = 2 hours)

Hour Average: 130 (number of events received so far) / 2 (hours elapsed) = 65 events per hour

Threshold: 65 + (65 * 30.00%) = 84.5 ~ 85 (rounded up to the next whole number)

Number of alerts = 3

Every 85th message received fires an alert. That is, the 85th, 170th and 255th messages received fire an alert. The remaining events are ignored.

Number of events received at the end of the third hour = 130 + 300 = 430

This process continues until the view is restarted. If the view is restarted, the values are calculated again from the beginning.

Decreased Hour Average works the same way, except that it looks for a decrease in the number of events received.

• Day Average: For the Day Average criterion, the alerter calculates the average number of events received per day since the start of the view in which the threshold is configured. If the events received on a given day satisfy the Day Average threshold, the events that cross the threshold are considered for alerting. Consider the following example:

Let the threshold condition be:

"Consider if the count of events increases 30% from the Day Average."

If the view containing the Day Average threshold is started at 12:00 a.m. on July 1st, the alerter starts the calculation from 12:00 a.m. on that day and continues from then on.

On July 1st:

Events received - 300

Day Average - 0 (first set of events received, therefore the Day Average is 0)

Threshold - 0 + (0 * 30.00%) = 0.00 (the calculated threshold is also 0)

Number of alerts - 300

Thus all the events received on the first day fire an alert.

Number of events received at the end of the first day = 300

On July 2nd:

Events received - 1000

Days elapsed since the alerter started = 1 day

Day Average: 300 (number of events received so far) / 1 (day elapsed) = 300 events per day

Threshold: 300 + (300 * 30.00%) = 390

Number of alerts = 2

Every 390th message received fires an alert. That is, the 390th and 780th messages received fire an alert.

Number of events received at the end of the second day = 300 + 1000 = 1300

On July 3rd:

Events received - 3000

Days elapsed since the alerter started = 2 days

Day Average: 1300 (number of events received so far) / 2 (days elapsed) = 650 events per day

Threshold: 650 + (650 * 30.00%) = 845

Number of alerts = 3

Every 845th message received fires an alert. That is, the 845th, 1690th and 2535th events received that day fire an alert. The remaining events are ignored.

Number of events received at the end of the third day = 1300 + 3000 = 4300

This process continues until the view is restarted. If it is restarted, the values are calculated again from the beginning.

Decreased Day Average works the same way, except that it looks for a decrease in the number of events received.

• Minute Baseline: For Minute Baseline, the number of events received in a particular minute is compared with the number of events received during the same minute of the previous hour. If the number of events received in that minute satisfies the Minute Baseline criterion, the events that cross the baseline threshold are considered for alerting. Consider the following example:

Let the threshold condition be:

"Consider if the count of events increases 30% from the Minute Baseline."

Suppose the number of events received at 10:30 a.m. is 14. The alerter compares this with the number of events it received at 9:30 a.m.

If the number of events received at 9:30 a.m. is 10, the alerter calculates the baseline value as follows:

10 + (10 * 30 / 100) = 13 (13 indicates an increase of 30% on the minute baseline)

At 10:30 a.m., since the number of messages received is 14, the first 13 messages received are ignored and only the 14th message is considered.

If that event satisfies all the other criteria of the rule, the alerter fires an alert.

After the 14th message, the next 13 events received are ignored, the next 14th event is considered, and this process continues.

If the number of events received at 10:30 a.m. is 50, the 14th, 28th and 42nd messages are considered and all other messages are ignored.

Decrease Minute Baseline works the same way, except that it checks for a decrease in the percentage of events received.


• Hour Baseline: For Hour Baseline, the number of events received during a particular hour of the day is compared with the number of events received during the same hour on the same day of the previous week. If the events received in that hour satisfy the Hour Baseline criterion, the events that cross the baseline threshold are considered for alerting. Consider the following example:

Let the threshold condition be:

"Consider if the count of events increases 30% from the Hour Baseline."

Suppose the number of events received at 10:00 a.m. on June 27th is 300. The alerter compares this with the number of events it received at the same hour the previous week, on June 20th.

If the number of events received at 10:00 a.m. on June 20th is 100, the alerter calculates the baseline value as follows:

100 + (100 * 30 / 100) = 130 (130 indicates an increase of 30% on the hour baseline)

At 10:00 a.m., since the number of messages received is 300, the first 129 messages received are ignored and only the 130th message is considered.

If that event satisfies all the other criteria of the rule, the alerter fires one alert.

After the 130th message, the next 129 events received are ignored and the next 130th event, which is the 260th event, is considered, and this process continues.

Decrease Hour Baseline works the same way, except that it checks for a decrease in the percentage of events received.

• Day Baseline: For Day Baseline, the number of events received during a particular day is compared with the number of events received on the same day of the previous week. If the events received on that day satisfy the Day Baseline criterion, the events that cross the baseline threshold are considered for alerting. Consider the following example:

Let the threshold condition be:

"Consider if the count of events increases 30% from the Day Baseline."

Suppose the number of events received on June 27th is 300. The alerter compares this with the number of events received on the same day of the previous week, June 20th.

If the number of events received on June 20th is 100, the alerter calculates the baseline value as follows:

100 + (100 * 30 / 100) = 130 (130 indicates an increase of 30% on the day baseline)

On June 27th, since the number of messages received is 300, the first 129 messages received are ignored and only the 130th message is considered.

If that event satisfies all the other criteria of the rule, the alerter fires one alert.

After the 130th message, the next 129 events received are ignored and the next 130th event, which is the 260th event, is considered, and this process continues.

Decrease Day Baseline works the same way, except that it checks for a decrease in the percentage of events received.
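The average and baseline criteria above share one mechanism: take a reference count (the running average per interval, or the count of the same interval one period earlier), raise it by the configured percentage, round it up, and fire on every k-th event of the current interval. The following Python block is an added example, not enVision code: it re-implements that mechanism over constructed per-interval counts and reproduces the numbers from the walk-throughs above. Class and function names are the example's own. Two things the page leaves open are handled as labelled assumptions: the walk-throughs differ on whether the event that reaches the threshold or the one after it fires (the minute baseline counts the 14th event against a threshold of 13, the hour baseline counts the 130th against 130), and the example fires on the k-th event, which gives the same number of alerts per interval either way; and the page does not say what a baseline criterion does before a previous interval exists.

```python
import math
from datetime import datetime, timedelta

MINUTE, HOUR, DAY, WEEK = 60, 3600, 86400, 7 * 86400


def threshold_for(reference, increase_pct):
    """Reference count raised by the configured percentage, e.g. 2 + (2 * 30%) = 2.6."""
    return reference + reference * increase_pct / 100.0


def alerts_in_interval(count, threshold):
    """Alerts fired by `count` events when every k-th event fires, k being the
    threshold rounded up to the next whole number (2.60 -> 3, 84.5 -> 85).
    A threshold of 0 means every event fires (k = 1)."""
    k = max(1, math.ceil(threshold))
    return count // k


class AverageThreshold:
    """Minute/Hour/Day Average: the reference is the mean number of events per
    interval since the view started; restarting the view discards the totals."""

    def __init__(self, interval_seconds, increase_pct, view_started):
        self.interval, self.pct = interval_seconds, increase_pct
        self.restart(view_started)

    def restart(self, view_started):
        self.started, self.total = view_started, 0

    def evaluate(self, interval_start, count):
        """Alerts fired by `count` events received in the interval at `interval_start`."""
        elapsed = (interval_start - self.started).total_seconds() / self.interval
        average = self.total / elapsed if elapsed > 0 else 0.0
        fired = alerts_in_interval(count, threshold_for(average, self.pct))
        self.total += count                  # events received so far
        return fired


class BaselineThreshold:
    """Minute/Hour/Day Baseline: the reference is the count of the same interval
    one lookback earlier (previous hour for minutes, previous week for hours/days)."""

    def __init__(self, lookback_seconds, increase_pct):
        self.lookback = timedelta(seconds=lookback_seconds)
        self.pct = increase_pct
        self.history = {}                    # interval start -> count

    def evaluate(self, interval_start, count):
        previous = self.history.get(interval_start - self.lookback)
        # Assumption: the page does not say what happens before a baseline exists.
        # Here a missing baseline counts as 0, so every event fires, as in the first
        # interval of the average case; expect noise until history is built up.
        fired = alerts_in_interval(count, threshold_for(previous or 0, self.pct))
        self.history[interval_start] = count
        return fired


def worked_examples():
    """Reproduce the page's walk-throughs; returns the alerts fired per interval."""
    t0 = datetime(2010, 7, 1, 10, 30)       # view started 10:30, events from 10:35
    minute = AverageThreshold(MINUTE, 30, t0)
    minute_avg = [minute.evaluate(t0 + timedelta(minutes=m), n)
                  for m, n in ((5, 12), (6, 10), (7, 15))]
    t0 = datetime(2010, 7, 1, 10, 0)
    hour = AverageThreshold(HOUR, 30, t0)
    hour_avg = [hour.evaluate(t0 + timedelta(hours=h), n)
                for h, n in ((0, 30), (1, 100), (2, 300))]
    t0 = datetime(2010, 7, 1)
    day = AverageThreshold(DAY, 30, t0)
    day_avg = [day.evaluate(t0 + timedelta(days=d), n)
               for d, n in ((0, 300), (1, 1000), (2, 3000))]
    minute_bl = BaselineThreshold(HOUR, 30)
    minute_bl.evaluate(datetime(2010, 6, 27, 9, 30), 10)   # 9:30 a.m.: 10 events
    minute_base = minute_bl.evaluate(datetime(2010, 6, 27, 10, 30), 14)
    hour_bl = BaselineThreshold(WEEK, 30)
    hour_bl.evaluate(datetime(2010, 6, 20, 10, 0), 100)    # June 20th, 10:00 a.m.
    hour_base = hour_bl.evaluate(datetime(2010, 6, 27, 10, 0), 300)
    return {"minute_average": minute_avg, "hour_average": hour_avg,
            "day_average": day_avg, "minute_baseline": minute_base,
            "hour_baseline": hour_base}


if __name__ == "__main__":
    print(worked_examples())
```

The Decrease variants are the same arithmetic with the reference lowered instead of raised; they are left out because the page does not state on which side of the lowered value the alerts fall.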


Cache Variables

A cache variable stores a value from one statement, for example a value in the event payload, so that it can be compared with a variable in another statement. You can use cache variables as filters on a correlation statement.

The value of the cache variable can be either a user-defined value or a variable value in the event message that is configured in the first statement. The cache variable values are compared by using operators in the circuits or statements. For example, to alert when a user accesses a destination using different ports, you can configure a cache variable for the port number and compare the value against events in other statements using the filter condition “Not in cache.”

To create a correlation rule containing a cache variable:

Create a rule with a circuit containing multiple statements.

Go to Manage Cache Variables at the circuit level, and enter a name and default value for the cache variable. You can also leave the Default Value blank.

If you select the option “Set once per Circuit Operation,” the value of the cache variable is set only once and this value is used during the entire operation. If this option is not selected, the value is reset every time a new value comes in for the variable that is associated with the cache variable.

Within the statement, associate the cache variable with a specific variable that belongs to an event under that statement. Once associated with a variable of an event, the value of that variable is stored in the cache variable. If the default value is set in “Manage Cache variables,” then the configured default value is stored in the cache variable and compared against all the incoming events. If the default value is not set in the “Manage Cache variables,” the value of the variable in the event message in the statement is stored in cache variable and compared against all the events messages in the next statements. When there is no value for that variable, an empty value is stored in the cache variable.

Set the filter condition in a statement belonging to the same circuit. Select the variable belonging to an event in that statement and select the comparison criteria. This criteria can be either IN or NOT IN. Select the Cache checkbox. All cache variables are listed in the Criteria drop down. Select the required cache variable.

Consider this example:

Event 1: %PIX-2-106001: Inbound tcp connection denied from 10.10.10.1 to 20.20.20.2 flags SYN on interface INTERFACE

In this log message, the value "10.10.10.1" (after "from") is the source address and the value "20.20.20.2" (after "to") is the destination address.

Event 2: %PIX-2-106001: Inbound tcp connection denied from 20.20.20.2 to 30.30.30.3 flags SYN on interface INTERFACE

In this log message, the value "20.20.20.2" is the source address and the value "30.30.30.3" is the destination address.

Suppose that the destination address of the first event is to be matched with the source address of the second event, and an alert fired when they are the same: the host that was the target of the first denied connection is now the originator of a second one.

The following steps explain how to create the rule for this scenario:

Create a rule with one circuit that contains two statements. Both statements contain the event ID 106001.

At the circuit level, go to Manage Cache Variables and give the cache variable a name and a default value.

Let the cache variable be named X and the default value be left blank.

In the first statement, associate the destination address with the cache variable.

When the first message comes in:

%PIX-2-106001: Inbound tcp connection denied from 10.10.10.1 to 20.20.20.2 flags SYN on interface INTERFACE

the value 20.20.20.2 is stored in the cache variable X.

In the second statement, go to the Set Filters window and compare the source address variable of the event with the cache variable set in the first statement, using the comparison IN. When the second message comes in:

%PIX-2-106001: Inbound tcp connection denied from 20.20.20.2 to 30.30.30.3 flags SYN on interface INTERFACE

its source address is compared with the cache variable.

Cache variable X contains the value 20.20.20.2, and this is matched against the second event's source address, which is also 20.20.20.2. Since both are the same, an alert is fired.
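The circuit above, replayed in code. This Python block is an added example and not enVision's own logic: a regex parser for the 106001 line ("from" is the source, "to" the destination; the /port suffix is the usual PIX form and is assumed here), a two-statement circuit with one cache variable X, the Within (seconds) window, the "Set once per Circuit Operation" option and the default value. It also runs the "different ports" case from the introduction to this section with the NOT IN comparison. The sample lines are constructed.

```python
import re

# Constructed sample events as (offset_seconds, message), in the 106001 format
# shown above; the /port suffixes are the usual PIX form and are assumed here.
PIVOT_EVENTS = [
    (0, "%PIX-2-106001: Inbound tcp connection denied from 10.10.10.1/3345 to 20.20.20.2/22 flags SYN on interface outside"),
    (6, "%PIX-2-106001: Inbound tcp connection denied from 20.20.20.2/4012 to 30.30.30.3/445 flags SYN on interface inside"),
    (9, "%PIX-2-106001: Inbound tcp connection denied from 40.40.40.4/5000 to 30.30.30.3/445 flags SYN on interface outside"),
]
# The same client reaching the same destination on a new port (the "Not in cache" case).
PORT_EVENTS = [
    (0, "%PIX-2-106001: Inbound tcp connection denied from 10.10.10.1/3345 to 20.20.20.2/22 flags SYN on interface outside"),
    (5, "%PIX-2-106001: Inbound tcp connection denied from 10.10.10.1/3346 to 20.20.20.2/22 flags SYN on interface outside"),
    (9, "%PIX-2-106001: Inbound tcp connection denied from 10.10.10.1/3347 to 20.20.20.2/443 flags SYN on interface outside"),
]

# "from" is the source address (saddr), "to" the destination address (daddr).
PIX_106001 = re.compile(
    r"%PIX-\d-106001: Inbound \w+ connection denied "
    r"from (?P<saddr>[\d.]+)(?:/(?P<sport>\d+))? to (?P<daddr>[\d.]+)(?:/(?P<dport>\d+))?")


def parse_106001(message):
    """Return the event variables, or None if the line is not a 106001 event."""
    m = PIX_106001.search(message)
    return m.groupdict() if m else None


class CacheCircuit:
    """One circuit with two statements, both selecting event 106001.

    Statement 1 associates the event variable `store_var` with cache variable X.
    Statement 2 filters `filter_var` IN or NOT IN X (`op`). The statements are
    joined with AND inside a Within window of `within` seconds.
    """

    def __init__(self, store_var, filter_var, op, within,
                 set_once=True, default=None):
        self.store_var, self.filter_var, self.op = store_var, filter_var, op
        self.within, self.set_once, self.default = within, set_once, default
        self.cache = {"X": default}   # Manage Cache Variables: name and default value
        self.armed_at = None          # time at which statement 1 last matched

    def _reset(self):
        self.cache["X"], self.armed_at = self.default, None

    def _filter_passes(self, ev):
        hit = self.cache["X"] is not None and ev[self.filter_var] == self.cache["X"]
        return hit if self.op == "IN" else not hit

    def run(self, events):
        """Replay (offset, message) pairs; return the offsets at which alerts fire."""
        alerts = []
        for t, message in events:
            ev = parse_106001(message)
            if ev is None:
                continue                      # not selected by either statement
            if self.armed_at is not None and t - self.armed_at > self.within:
                self._reset()                 # Within window expired: start over
            if self.armed_at is None:
                # Statement 1: store the variable in X unless a default is configured,
                # in which case the default is what later events are compared against.
                if self.default is None:
                    self.cache["X"] = ev[self.store_var]
                self.armed_at = t
                continue
            # Statement 2: compare this event's variable with the cache variable.
            if self._filter_passes(ev):
                alerts.append(t)
                self._reset()                 # circuit operation complete
            elif not self.set_once and self.default is None:
                self.cache["X"] = ev[self.store_var]   # not "set once": newest value wins
        return alerts


if __name__ == "__main__":
    # Destination of the first denied connection reappears as a source: alert at t=6.
    print(CacheCircuit("daddr", "saddr", "IN", within=60).run(PIVOT_EVENTS))
    # Same destination, new port: the 443 attempt at t=9 is "Not in cache".
    print(CacheCircuit("dport", "dport", "NOT IN", within=60).run(PORT_EVENTS))
```

Shrinking the Within window below the gap between the two events makes the circuit start over on the second event instead of firing, which is the check to run when a cache-variable rule is unexpectedly silent.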

Alert Suppression

An event is generated each time a particular traffic signature is encountered, and such traffic patterns can generate duplicate events, which in turn generate duplicate alerts.

You can filter this flood by generating an alert on the first instance of the event and suppressing subsequent events for the same instance. For example, if a problem with a port causes the same messages to be sent repeatedly, you can suppress the alert for an hour until the problem on the machine is resolved.

You can suppress alerts based on one of the following:

• The number of duplicate alerts that come in within a specified time frame.

• A specified time frame, referred to as “quiet time”. Duplicate alerts are suppressed until the “quiet time” has lapsed.

Suppression can also be performed on multithreaded variables in a correlation rule. See “Suppression on Multithreaded Variables” on page 55.

Correlation Class

You can use a correlation class in a view. The following table lists the default correlation classes and the corresponding class types.

Class Name                       Class Type
NIC Host Correlated Alerts       Host
NIC Network Correlated Alerts    Network
NIC Security Correlated Alerts   Security
NIC Storage Correlated Alerts    Storage

You can also add new correlation classes and include them in a view. All correlated rules must be assigned to a class.

Watchlists

A watchlist is a named collection of strings that represent a list of like values. You can use watchlists as a shortcut for filtering the events on which you want to alert or report. A watchlist can also provide an exception to the narrowing accomplished with filters and thresholds. For example, a single failed logon attempt may not be of interest, unless the attempt is made by a terminated employee. A watchlist containing the names of terminated employees can be matched against all messages, triggering an alert when a name matches. For more information, see the Help topic "Watchlists."

You can add values to a watchlist individually or in bulk using the import facility. When you update a watchlist, enVision immediately applies the change to the Alerter and views without requiring you to stop and restart the NIC Alerter Service or any related views.

Multithreading for a Correlation Rule

You must configure multithreading for a correlation rule if RSA enVision is to maintain state for a variable or a set of variables across the correlation analysis. You can configure up to three variables when you define multithreading for a rule.

For example, suppose you define a correlation rule to ensure that the number of times a user logs on does not exceed a specified number over a specified time period. RSA enVision must evaluate the events for each user as an independent, parallel instance of the correlation rule logic. When more than one user logs on, enVision routes each user's events to that user's own thread of the rule logic.

Two sets of multithreading keys are present in a correlation rule:

Device Variables - includes Device IP Address, enVision Site, and enVision Collection Node. You can choose from 0 to 3 of these variables.

Event Variables - for existing rules only, includes the set of variables found in every event selected in the rule (variables that are common to all events). You can choose from 0 to 3 of these variables.

Device Variables are present by default for all rules, and multithreading can be set on them. Event Variables may or may not be present: a variable is listed in the multithread definition window, and can be selected, only if it is present in every event selected in the correlation rule.
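The terminated-employee exception and the per-user thread described above, in code. This Python block is an added example, not enVision's own implementation: a constructed logon-failure line format, a watchlist as a set of strings, and a rule that counts failures per thread key (the multithreading variables) within a time window. It also runs the rule with no thread keys, to show why a shared counter attributes the alert to whichever user happens to push the total over the limit. All names, addresses and sample lines are made up.

```python
import re
from collections import defaultdict, deque

# Constructed sample logon-failure events as (offset_seconds, message). The line
# format and the user names are made up for this example.
FAILURES = [
    (0,   "Logon failure: user=jsmith src=10.1.1.5"),
    (10,  "Logon failure: user=jsmith src=10.1.1.5"),
    (30,  "Logon failure: user=jsmith src=10.1.1.5"),
    (40,  "Logon failure: user=tjones src=10.1.1.9"),
    (50,  "Logon failure: user=jsmith src=10.1.1.5"),
    (400, "Logon failure: user=jsmith src=10.1.1.5"),
    (405, "Logon failure: user=mfired src=10.1.1.7"),
]
LOGON = re.compile(r"Logon failure: user=(?P<username>\S+) src=(?P<saddr>\S+)")

# Watchlist of terminated employees (constructed).
TERMINATED = frozenset({"mfired"})


class MultithreadedRule:
    """Alert when a thread sees more than `max_count` events within `within`
    seconds. One thread is kept per distinct value of `thread_keys` (the
    multithreading variables, up to three); with no keys every event shares a
    single thread. A value on the watchlist is the exception: its first event
    alerts regardless of the count."""

    def __init__(self, thread_keys, max_count, within_seconds,
                 watchlist=frozenset(), watchlist_var="username"):
        self.thread_keys = tuple(thread_keys)
        self.max_count, self.within = max_count, within_seconds
        self.watchlist, self.watchlist_var = watchlist, watchlist_var
        self.threads = defaultdict(deque)   # key -> event times inside the window

    def evaluate(self, t, ev):
        """Return "watchlist", "threshold" or None for the event at time t."""
        if ev[self.watchlist_var] in self.watchlist:
            return "watchlist"
        key = tuple(ev[k] for k in self.thread_keys)
        window = self.threads[key]
        while window and t - window[0] > self.within:
            window.popleft()                 # drop events older than the window
        window.append(t)
        if len(window) > self.max_count:
            window.clear()                   # fired: this thread starts counting again
            return "threshold"
        return None


def replay(events, rule):
    """Return (offset, username, reason) for every alert the rule fires."""
    alerts = []
    for t, message in events:
        m = LOGON.search(message)
        if m is None:
            continue
        reason = rule.evaluate(t, m.groupdict())
        if reason:
            alerts.append((t, m.group("username"), reason))
    return alerts


if __name__ == "__main__":
    per_user = MultithreadedRule(("username",), max_count=3, within_seconds=60,
                                 watchlist=TERMINATED)
    print(replay(FAILURES, per_user))
    shared = MultithreadedRule((), max_count=3, within_seconds=60, watchlist=TERMINATED)
    print(replay(FAILURES, shared))
```

With the user name as the thread key, jsmith's fourth failure inside a minute fires and tjones's single failure does not; with no thread key the same stream fires on tjones, because the shared count reaches four on his event. The watchlisted name fires on its first failure in both runs.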


Suppression on Multithreaded Variables

Suppression can be performed on multithreaded variables.

Select the variables to be multithreaded in the correlation rule. When the rule is mapped to a view, the variables selected for multithreading are listed in the alert suppression window of that view.

Select the variables on which alert suppression should be performed.

The alerter suppresses all the duplicate instances of the multithreaded variable while any new instances fire an alert.

The working of the suppression logic on multithreaded variables can be explained with the following example.

Consider a sample Ciscopix event.

%PIX-6-113003: AAA group policy for user abcd is being set to policy_name.

In this message, there are three Event Variables that can be selected as multithreaded variables.

List Name: policy_name

User Name: abcd

Result: AAA group policy for user

Configure the rule for this example as follows:

Create a circuit and a statement with the device type Ciscopix and event type 113003. The main page of the correlation rule has an option to set multithreading. Click on this option to open the multi-threading definition box. This box lists all the variables on which multithreading can be set on that rule.

For this example, there are three Device Variables present by default for all the messages, along with the above-mentioned variables which are specific to this message.

Select User Name and Result as the multithreaded variables for this correlation rule.

Map this correlation rule to a view. The View settings page has an option to set alert suppression on the correlation rule that is selected.

In the Alert Suppression window, suppression conditions can be set on the multithreaded variables that were selected while creating the correlation rule.

Both the multithreaded variables that were created in the initial step are present in the Alert Suppression window. Select these variables along with the Suppression interval. The Suppression interval is the time during which messages containing duplicate values for the multithreaded variables are suppressed.

In the above example, depending on the suppression condition set on the multithreaded variables, Result and User Name, any duplicate messages containing the same values for Result and User Name are suppressed.
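The suppression logic described above, keyed on the selected multithreaded variables, in code. This Python block is an added example and not enVision's own implementation: the 113003 lines are constructed (user and policy names are made up), the regex maps the three Event Variables the page names (Result, User Name, List Name), and the suppression interval is the quiet time from "Alert Suppression". The count-based mode is modelled as allowing up to N alerts per key per interval and suppressing the rest until the interval lapses; the page does not spell out that arithmetic, so it is an assumption.

```python
import re

# Constructed sample 113003 events as (offset_seconds, message); user and
# policy names are made up.
SAMPLE_113003 = [
    (0,    "%PIX-6-113003: AAA group policy for user abcd is being set to sales_policy."),
    (20,   "%PIX-6-113003: AAA group policy for user abcd is being set to sales_policy."),
    (45,   "%PIX-6-113003: AAA group policy for user efgh is being set to sales_policy."),
    (300,  "%PIX-6-113003: AAA group policy for user abcd is being set to admin_policy."),
    (4000, "%PIX-6-113003: AAA group policy for user abcd is being set to sales_policy."),
]

# The three Event Variables named on the page: Result, User Name, List Name.
PIX_113003 = re.compile(
    r"%PIX-6-113003: (?P<result>AAA group policy for user) (?P<username>\S+) "
    r"is being set to (?P<listname>[^\s.]+)")


def parse_113003(message):
    """Return the event variables, or None if the line is not a 113003 event."""
    m = PIX_113003.search(message)
    return m.groupdict() if m else None


class AlertSuppressor:
    """Suppress duplicate alerts that share the selected multithreaded variables.

    A duplicate is an alert whose `key_vars` values equal an earlier alert's
    inside the suppression interval. max_per_interval=1 is plain quiet time:
    the first instance fires and the rest are suppressed until the interval
    lapses. Larger values allow that many alerts per key per interval
    (modelling assumption for the count-based mode).
    """

    def __init__(self, key_vars, interval_seconds, max_per_interval=1):
        self.key_vars = tuple(key_vars)
        self.interval = interval_seconds
        self.max_per_interval = max_per_interval
        self.windows = {}  # key -> [window start, alerts counted in the window]

    def decide(self, t, ev):
        """True if the alert for event `ev` at time `t` fires, False if suppressed."""
        key = tuple(ev[v] for v in self.key_vars)
        window = self.windows.get(key)
        if window is None or t - window[0] >= self.interval:
            self.windows[key] = [t, 1]      # new instance of the key: always fires
            return True
        window[1] += 1
        return window[1] <= self.max_per_interval


def replay(events, suppressor):
    """Run the events through the suppressor; return the offsets of alerts that fired."""
    fired = []
    for t, message in events:
        ev = parse_113003(message)
        if ev is not None and suppressor.decide(t, ev):
            fired.append(t)
    return fired


if __name__ == "__main__":
    # User Name and Result as the multithreaded variables, one hour of quiet time.
    print(replay(SAMPLE_113003, AlertSuppressor(("username", "result"), 3600)))
    # List Name instead of Result: the policy change at t=300 is a new instance.
    print(replay(SAMPLE_113003, AlertSuppressor(("username", "listname"), 3600)))
```

Which variables you select decides what counts as a duplicate: keyed on User Name and Result, the user's switch to a different policy at t=300 is suppressed as a repeat; keyed on User Name and List Name it fires.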

Output Actions

An output action is a configured notification method for an alert. The following table describes the output actions that you can configure for an alert.


Text File: Sends alerts to a text file in the directory that you specify.

RSA enVision writes all alerts associated with the Text File output action for that view to the file name that you specify. The format is identical to the received message.

RSA enVision continues to append alerts to this file over time, so the file grows until you delete it. You are responsible for backing up and deleting this file.

SNMP (Simple Network Management Protocol): Sends alerts through SNMP traps.

SMTP (Simple Mail Transfer Protocol): Sends alerts through e-mail.

You can also send generated reports to a defined e-mail address, or to up to five addresses. RSA enVision allows e-mail delivery of scheduled and ad hoc reports.

AIM: Sends alerts through AOL Instant Messenger (AIM).

RSA enVision sends one message every five seconds. The NIC Alerter Service adds each message to a queue to be sent. For example, a burst of twelve messages in one second takes one minute to send out.

Syslog: Forwards a syslog message from an event source to an external syslog server in its original format.

Note: In a multiple-appliance site, the A-SRV forwards the syslog messages.

This output action is useful when:

• A system other than enVision requires the syslog messages but cannot handle the full load. In this case, enVision filters the syslog events before forwarding them.

• A system other than enVision requires the syslog messages and the event source does not support multiple destinations.

Run Command: Launches a command. The Run Command output action creates an output module that launches a single command immediately. You can specify the executable name and a list of parameters to pass to the command.

RSA enVision generates a NIC log event that states that the command has started and whether or not it was successful.

Task Create and Task Escalate: Creates an incident with an attached trace log file containing the list of event messages that fired the alert. You can assign the Task Triage output action only to a correlation rule associated with the Alerter View. You can have only one Task Triage output action within a NIC domain. The initial owner of the Alerter-generated incident is anyone in the task-dispatchers group.

Note: Do not delete the Task Triage output action after it has been created. Incidents created by the Alerter rely on the existence of a Task Triage output action for critical setting information.

You can create incidents in Task Triage using either of the following:

• Task Create output action associated with an Alerter View for a correlated alert. The incident created from the Alerter has an attached trace log file that contains the list of event messages that led to the firing of the alert. The initial owner of the Alerter-generated incident is the task-dispatchers user group. RSA enVision comes with a default Task Create output action that you can use when creating a view. For more information, see the Help topic "Set Up enVision to Create Incidents."

• Task Escalate output action to escalate incidents to an external application (such as a third-party ticketing system).

SNPP (Simple Network Paging Protocol): Sends alerts through SNPP to a cell phone or pager. The output message is limited to 128 characters.


Depending on the output action, you can apply an output action template that specifies the format and fields for the alert output. You can use an output template for multiple types of output actions.

You can use the default system-defined output action templates or create custom output action templates. For more information on the default system-defined output action templates, see the Help topic “Output Action Template.” You can add, modify, or delete output action templates. For more information see the Help topics “Add or Modify an Output Action Template” and “Delete an Output Action Template.”

Alerts Monitoring

You can use the following tools to monitor alerts:

• Enterprise Dashboard to monitor the peak status information of multiple views (called a Collection) concurrently from a single screen. For more information, see “Managing the Dashboard” on page 109.

• Real-Time Details window to monitor alerts as they occur in real time for a single view.

• Event Explorer to monitor alerts that are escalated. For more information on how to monitor alerts using Event Explorer, see the Help topic “RSA enVision Event Explorer.”

• Alert History module to view alerts in the database. For more information, see the Help topic “Alert History Window.”

Create Simple Alerts

This topic provides basic instructions for creating a simple alert. For detailed instructions, see the Help topic, “Add a View.”

To create a simple alert:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. Click Add.

3. Enter the view details as follows:

a. Enter the name for the view. You can enter up to 32 alphabetic characters. The view name cannot contain special characters (& @ ‘< \ # + ; : /).

b. Click the icon and select the users to monitor the view.

c. From the Site/Node drop-down list, select a site and node name.

d. In the View description field, enter a brief description of the view. The description must not exceed 256 alphanumeric characters.

e. In the Enabled field, select the checkbox to enable alert processing for the view.


In this example, the view name is View For Login Failures.

4. Click Next.


5. In the Select column, select the event sources to include in the view.

Note: RSA enVision only displays the monitored devices that have been selected for analysis. You can add additional filters to list the required event sources.

6. Click OK.

7. Click Next.


8. In the Select column, select the messages on which you want to alert. You can specify the filter to list the messages of interest, and click Apply.

9. Specify the threshold details as follows:

a. Click the hyperlinked value to display the Threshold Definition pop-up window.

b. Enter the threshold details. For more information, see the Help topic “Threshold Definition Pop-up Window.”

c. Click Select.

10. From the Alert Level Custom drop-down list, select the custom alert level to use for the message in this view. You must select a value between 0 and 7.


11. Specify the filters for the alert as follows:

a. In the Filters column, select OFF.

b. Specify the filter details. For more information, see the Help topic “Manage Views Window - Add Filters.”

12. Specify the output action for the view.

a. In the Output Actions per Alert column, select OFF.

b. Select the output actions for the alert. For more information, see the Help topic “Manage Views Window - Add/Modify Output Action Information.”

13. Set up the alert suppression information, as follows:

a. In the Alert Suppression column, select OFF.

b. Specify the alert suppression information. For more information, see the Help topic “Modify Alert Suppression Window.”

14. Complete the series of windows to define the view. Modify the severity level.

15. Click Finish.


Create Correlated Alerts

This topic provides basic instructions for creating a correlated alert and including this alert in a view. For detailed instructions, see the Help topic, “Add a View.”

To create a correlated alert:

1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Rules.

2. Click Add.

3. To add cache variables, follow these steps:

a. Click Manage Cache Variables.

b. Click Add.

c. In the Cache Variable field, enter the name of the variable.

d. (Optional) In the Default Variable field, enter the default value to be used.

e. To add another cache variable, repeat step b through step d.


f. Click Apply.

4. Enter the details of the correlated rule. For more information, see the Help topic “Add/Modify Correlation Rule Window.”


5. To add a circuit, follow these steps:

a. In the Correlation Rule Logic section, click Add Circuit.

b. In the Circuit label field, to change the default circuit name that is displayed, enter a name for the circuit.

The following is an example of a circuit for a correlated alert.

6. To add a statement, follow these steps:

a. Click Add Statement.

b. In the Statement label field, enter the name of the statement.

7. Specify the threshold details as follows:

a. In the Add/Modify Statement window, click the arrow to open the Threshold Definition section.

b. Enter the threshold details. For more information, see the Help topic “Add/Modify Statement Window.”

8. To select the event sources to associate with the statement, follow these steps:

a. In the Add/Modify Statement window, click the arrow to open the Devices Selection section.

b. Select either Select devices by Device Class/Type or Select devices by Device Group.

c. If you selected Select devices by Device Class/Type, do the following:

• Click and select the Device Class/Type.

• Click under IP Address List/Mask.

• Complete the window and click Select.

d. If you selected, Select devices by Device Group, do the following:

• Click Add.

• From the drop-down, select the device group.

e. To add another event source to the statement, repeat step b through step d.


9. Select the events for the statement:

Note: If you are using multithreading, consider extending the event selection in the Add/Modify Statement window with the variables you intend to multithread on. For example, join an additional entry with the AND operator that selects on that variable, so that only events containing at least that variable are selected.

a. In the Add/Modify Statement window, click the arrow to open the Event Selection section.

b. Click Add. RSA enVision adds an event selection entry.

c. From the Event Type drop-down list, select the event type.

d. From the Comparison drop-down list, select the values for comparison.

e. Under Value, click the icon.

f. Complete the fields in the window and click Select.

g. To add another event selection entry, repeat step b through step f, and select the appropriate operator from the drop-down list to connect the entries. The following is an example of a statement for the circuit.


10. (Optional) Set up statement filters as follows:

a. In the Add/Modify Statement window, click Set Filters.

b. Click Add Filter.

c. Complete the filter. To use a watchlist, in the Comparison column, select In Watchlist or Not In Watchlist, and in the Criteria column, select the name of the watchlist.

d. To add another filter, repeat step b and step c, and select the appropriate Join expression from the drop-down list to connect the entries.

e. Click Apply. The following example shows a filter that selects all user names that exist in the watchlist.

11. (Optional) Associate the cache with variables as follows:

a. In the Add/Modify Statement window, click Set Cache.

b. On the Associate Cache with Variable window, enter the details.

c. Click Apply.

12. Click Apply.

13. To add another statement, repeat step 5 through step 10.

14. To connect the statements into a circuit, specify the Operator and Within (seconds) fields.

15. To position the statements in the correct order, use the Order arrows.

16. To add another circuit, follow these steps:

a. Repeat step 5 through step 11.

b. Complete the Operator and Within (seconds) fields to connect the circuits in the correlation rule logic.

c. Use the Order arrows as necessary to position the circuits in the correct order.

17. Click Apply.
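The rule structure described in steps 7 through 16 (a statement selects events, applies filters and a count threshold; a circuit joins statements with an Operator and a Within (seconds) window) can be exercised in code. The following is an added example written for this page, not RSA enVision code: it implements those semantics over constructed events and does not claim to match enVision's internal evaluation. The event field names (ts, user, msg), the message values (login_failed, login_ok) and the rule "five failed logins within 60 seconds followed by a successful login within 120 seconds" are assumptions.

```python
"""Added illustration of correlation statements and circuits.

Not RSA enVision code. A Statement is the Event Selection plus the Threshold
Definition; a Circuit is two statements joined by an Operator and a Within
(seconds) window. All event data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Statement:
    """Event selection (select) with a count threshold per tracked key."""
    name: str
    select: Callable[[Event], bool]   # Event Selection plus any filters
    threshold: int                    # Threshold Definition: required count
    window: int                       # seconds within which the count must occur
    key: str = "user"                 # variable the count is tracked by
    _seen: Dict[str, List[int]] = field(default_factory=dict)

    def feed(self, ev: Event) -> Optional[int]:
        """Return the timestamp at which the threshold is met, else None."""
        if not self.select(ev):
            return None
        k = str(ev[self.key])
        ts = int(ev["ts"])
        # keep only the occurrences that are still inside the sliding window
        hist = [t for t in self._seen.get(k, []) if ts - t <= self.window]
        hist.append(ts)
        self._seen[k] = hist
        return ts if len(hist) >= self.threshold else None


@dataclass
class Circuit:
    """Two statements joined by Operator ("AND" or "OR") and Within (seconds)."""
    first: Statement
    second: Statement
    operator: str
    within: int
    _first_fired: Dict[str, int] = field(default_factory=dict)

    def feed(self, ev: Event) -> Optional[str]:
        key = str(ev.get(self.first.key))
        t1 = self.first.feed(ev)
        if t1 is not None:
            self._first_fired[key] = t1
            if self.operator == "OR":
                return f"{self.first.name} for {key}"
        t2 = self.second.feed(ev)
        if t2 is None:
            return None
        if self.operator == "OR":
            return f"{self.second.name} for {key}"
        # AND: the second statement must follow the first within the window
        fired = self._first_fired.get(key)
        if fired is not None and 0 <= t2 - fired <= self.within:
            return f"{self.first.name} AND {self.second.name} for {key}"
        return None


def run(events: List[Event], circuit: Circuit) -> List[str]:
    """Feed events in time order and collect the alerts the circuit raises."""
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: int(e["ts"])):
        alert = circuit.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def brute_force_then_success() -> Circuit:
    """Assumed rule: 5 failed logins in 60 s, then a success within 120 s."""
    failed = Statement("5 failed logins", lambda e: e["msg"] == "login_failed", 5, 60)
    success = Statement("successful login", lambda e: e["msg"] == "login_ok", 1, 1)
    return Circuit(failed, success, "AND", within=120)


# Constructed sample events (ts in seconds); not real log data.
SAMPLE_EVENTS: List[Event] = (
    [{"ts": 10 + i, "user": "alice", "msg": "login_failed"} for i in range(5)]
    + [{"ts": 20, "user": "alice", "msg": "login_ok"}]
    + [{"ts": 30 + i, "user": "bob", "msg": "login_failed"} for i in range(3)]
    + [{"ts": 40, "user": "bob", "msg": "login_ok"}]
    + [{"ts": 400, "user": "carol", "msg": "login_ok"}]
)

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS, brute_force_then_success()):
        print("ALERT:", a)
```

Only alice trips the circuit: bob never reaches the threshold of the first statement, and carol's success has no preceding first-statement hit. Swapping the operator to OR makes either statement sufficient on its own, which is why the Within (seconds) field matters only for AND.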


Add a Correlated Alert to a View

To add the correlated alert to a view:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. Click Add.

3. Enter the view details as follows:

a. Enter the name for the view. The name can be up to 32 alphabetic characters and cannot contain special characters (& @< \ # +’ “; : /).

b. Click the selection icon, and select the users who will monitor the view.

c. From the Site/Node drop-down list, select a site and node name.

d. In the View description field, enter a brief description of the view. The description must not exceed 256 alphanumeric characters.

e. In the Enabled field, select the checkbox to enable alert processing in the view.

4. Click Next.

5. In the Select column, select the correlation class to include in the view.

6. Click Next.

7. Use the filter to view the correlation rules for the class and select the appropriate correlation rule.

8. Click Finish.

Correlation Rules Management Tasks

You can download system-defined correlation rules; add, modify, or delete correlation classes; and modify, delete, import, or export correlation rules.

Download System-Defined Correlation Rules

You can download the system-defined correlation rules from the latest Event Source Updates. The Event Source Updates are hosted on RSA SecurCare Online. For instructions on how to download and install the Event Source Updates, see the Help topics “RSA enVision Event Source Update - Getting Started” and “Correlation Rules.”

Add Correlation Class

To add a correlation class:

1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Classes.

2. Click Add.

3. In the Class Name field, enter a name for the correlation class.


4. In the Class Label field, enter a class label.

5. From the Class Type list, select the device type.

6. Click Apply.

7. If prompted, start or restart the NIC Alerter Service. You must restart the service for the selected options to be applied. The default selection is set in the Manage Default AlerterView Restart field on the Set Up Alerter Service window. For more information, see the Help topic “Set Up Alerter Service Window.”

Modify Correlation Class

To modify a correlation class:

1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Classes.

2. In the Class Name column, click the name of the class to modify.

3. On the Add/Modify Class window, enter the details, and click Apply. For more information, see the Help topic “Add/Modify Correlation Class Window.”

4. To modify another class, repeat step 2 and step 3.

5. Do one of the following:

• Restart the individual views that contain the modified correlation classes.

• Restart the NIC Alerter Service. For more information, see the Help topics “Start/Stop/Restart View,” and “Start/Stop Services - Manage Services.”

Delete Correlation Class

To delete a correlation class:

1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Classes.

2. In the Delete column, select the checkbox next to the class to be deleted.

3. Click Apply.

Modify Correlation Rules

To modify a correlation rule:

1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Rules.

2. In the Message ID column, select the rule that you want to modify.

3. Make changes as necessary. For more information, see the Help topic “Add/Modify Correlation Rule Window.”

4. Click Apply.


5. Do one of the following:

• Restart the individual views that contain this correlation rule.

• Restart the NIC Alerter Service. For more information, see the Help topics “Start/Stop/Restart View,” and “Start/Stop Services - Manage Services.”

Delete Correlation Rules

To delete a correlation rule:

1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Rules.

2. In the Delete column, select the checkbox next to the rule to be deleted.

3. Click Apply.

4. Restart the individual views that contain this correlation rule or restart the NIC Alerter Service. For more information, see the Help topics “Start/Stop/Restart View,” and “Start/Stop Services - Manage Services.”

Note: If you delete a correlation rule, any view that contains only this correlation rule is stopped.

Import Correlation Rules

To import a correlation rule:

1. Click Alerts > Alert Configuration > Correlated Alerts > Import/Export Correlation Rules.

2. In the Operation field, select Import.

3. In the Directory field, enter the directory containing the XML files to import or browse to select the directory from which you want to import.

4. Click Update List. RSA enVision displays the XML files in the specified directory.

5. From the Class drop-down list, select the class name where you want to store the correlation rules.

6. In the Select column, select the checkbox next to each XML file that you want to import.

7. Click Apply.

Export Correlation Rules

You can export correlation rules, as XML files, from your system. The system exports the selected files to the directory that you specify. The exported filename is correlation_rule_name.XML. For example, if you export the NIC001 rule, the exported filename is NIC001.XML.


Note: If the directory to which you export the rules contains a file with the same name as the file being exported, the system overwrites the existing file with the newly exported file.

To export a correlation rule:

1. Click Alerts > Alert Configuration > Correlated Alerts > Import/Export Correlation Rules. RSA enVision lists the correlation rules associated with the default correlation class.

2. In the Operation field, ensure that Export is selected.

3. In the Directory field, enter the directory or browse to select the directory where you want to save the exported file.

4. From the Class drop-down list, select the associated class name for the correlation rules that you want to export.

5. In the Select column, select the checkbox next to each XML file that you want to export.

6. Click Apply.

Output Actions Management Tasks

You can add and modify output actions, and escalate tasks to RSA enVision Event Explorer.

Add Output Actions

To add an output action:

1. Click Alerts > Alert Configuration > Output Actions > Manage Output Actions.

2. On the Manage Output Actions window, click Add.

3. On the Add/Modify Output Action window, enter the details. For more information see the Help topic “Add/Modify Output Action window.”

4. Click Apply.

Modify Output Actions

To modify an output action:

1. Click Alerts > Alert Configuration > Output Actions > Manage Output Actions.

2. On the Manage Output Actions window, click the Name of the output action that you want to modify.

3. On the Add/Modify Output Action window, enter the details. For more information see the Help topic “Add/Modify Output Action window.”


4. Click Apply.

Note: Modifying an output action may impact the views. You should restart the individual views that contain the modified output action.

Delete Output Actions

Note: You cannot delete an output action that is currently assigned to a message in a view.

To delete an output action:

1. Click Alerts > Alert Configuration > Output Actions > Manage Output Actions.

2. In the Delete column, select the checkbox next to each output action that you want to delete.

3. Click Apply.

Escalate Tasks To RSA enVision Event Explorer

To escalate tasks to Event Explorer:

Do one of the following:

• Set up a Task Escalate output action so that RSA enVision automatically escalates incidents. For information, see the Help topic, “Add/Modify Output Action Window.”

• Manually change the incident status to Escalated in RSA enVision Event Explorer. You must log on to Event Explorer before starting this procedure. For more information on Event Explorer, see the RSA enVision Event Explorer Help.

Views Management Tasks

You can modify, delete, export, import, start, stop, restart, enable, or disable views.

Modify Views

To modify a view:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. In the View Name column, select the name of the view that you want to modify.

3. Modify the values and complete the series of windows to define the view. Ensure that the Start/restart view checkbox is selected if you want the view to begin alert processing.

4. Click Finish.


Important: If you are using the Enterprise Dashboard and make a change to a view, you must restart the view, and close all Enterprise Dashboard windows for the changes to take effect in the Enterprise Dashboard.

Delete Views

To delete a view:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. In the Delete column, select the checkbox next to the view that you want to delete.

3. Click Apply.

Export Views

You can export views that contain a correlation rule from your system.

The system exports the selected files to the directory that you specify. The exported filename is view_name.xml. For example, if you export the Boston view, the exported filename is Boston.xml.

Note: If the directory to which you export the view contains a file with the same name as the file being exported, the system overwrites the existing file with the newly exported file.

To export a view:

1. Click Alerts > Alert Configuration > Views > Import/Export Views.

2. In the Operation field, ensure that Export is selected.

3. In the Directory field, enter the directory or browse to select the directory where you want to save the exported file.

4. In the Select column, select the checkbox next to each XML file that you want to export.

5. Click Apply.

Important: You cannot change the name of an exported view.

Import Views

You can import, as XML files, views that consist solely of correlation rules. The view is not enabled upon import. To use the view, you must enable the view on the Manage Views window.

Before You Begin

You must import the correlation rule before you import a view with a correlation rule.


To import a view:

1. Click Alerts > Alert Configuration > Views > Import/Export Views.

2. In the Operation field, select Import.

3. Do one of the following:

• In the Directory field, enter the filename of the XML file to import or the directory containing the XML files to import.

• Click the browse icon, and select the file or directory from which you want to import.

4. Click Update List.

5. In the Select column, select the checkbox next to each XML file that you want to import.

6. Click Apply.

Starting, Stopping, and Restarting Views

When you add or make changes to a view or modify items that impact the view, you must restart the view for the changes to be reflected in the alerting process.

Changes to the following items may impact views with which the items are associated:

• Monitored devices

• Output actions

• Messages (XML file)

• Correlation rules

• Device groups

Restarting a view restarts NIC Alerter Service processing for that individual view only. Restarting only an individual view, not the entire NIC Alerter Service, decreases the impact on your alerting process, and the other views continue to process alerts uninterrupted. However, for performance reasons, if you need to restart many or all views, restart the NIC Alerter Service rather than restarting the individual views.

You can review the view state, and stop, start, or restart a view on the Manage Views window. A view is in one of the following states:

Running. The view is running.

Stopped. The view is stopped or the NIC Alerter Service is not running.

Starting View, Stopping View, or Restarting View. Temporary status as the view is starting, stopping, or restarting.

Error. An error has occurred in the view. You must stop, start, or restart the view.


Start, Stop, and Restart Views

To start, stop, or restart a view:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. In the Change State column, from the drop-down list next to the view, select the action that you want to perform.

3. Click Apply.

4. (Optional) Click Refresh to display the updated status of the view.

Enable or Disable Views

To enable or disable a view:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. Do one of the following:

• To disable a view, click the checkbox in the Enable column to clear the check mark.

• To enable a view, select the checkbox in the Enable column.

3. Click Apply.

Watchlists Management Tasks

You can add, modify, delete, export, or import watchlists.

Add Watchlists

To add a watchlist:

1. Click Overview > System Configuration > Watchlists > Manage Watchlists.

2. Click Add.

3. In the Watchlist name field, enter the name of the watchlist.

4. In the Watchlist description field, enter a description of the watchlist.

5. If the values in the watchlist are regular expressions (REGEX), select Use regular expressions.

Note: Only use regular expressions for watchlists used for alerting. The Reports module ignores watchlists with regular expressions.


6. To manually add values to the watchlist, follow these steps:

a. Click Add. The system displays a new value line.

b. In the Value field, enter a value.

c. To add additional values, repeat step a and step b until you have added all the values. To delete a value, in the Delete column, select the checkbox next to the value, and click Delete.

The following example shows a watchlist of terminated employees.

7. To import values to the watchlist, follow these steps:

a. Click Import Watchlist.

b. Select the file that you want to append. Only the watchlists stored in the folder E:\nic\4100\nodename\etc\watchlists are displayed in the import list.

c. Click Append. For more information, see the Help topic “Import Watchlist Values.”

8. Click Apply.
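As an added example for the watchlist procedure above and for the In Watchlist / Not In Watchlist statement filter in step 10 of the correlation rule procedure, the following Python (written for this page, not RSA enVision code) models a watchlist as a list of values imported one per line from a .txt file, supports the Append and Replace import modes, and applies a filter to constructed events. The regex mode uses full-string matching; whether enVision anchors its regular expressions, the sample file contents, and the event records are all assumptions.

```python
"""Added illustration of watchlist values and In/Not In Watchlist filters.

Not RSA enVision code. The import file is assumed to hold one value per
line; blank lines are ignored. Regex values are matched against the whole
field value (an assumption about enVision's matching).
"""
import re
from typing import Dict, List


class Watchlist:
    def __init__(self, name: str, use_regex: bool = False) -> None:
        self.name = name
        self.use_regex = use_regex      # the "Use regular expressions" checkbox
        self.values: List[str] = []

    @classmethod
    def from_text(cls, name: str, text: str, use_regex: bool = False) -> "Watchlist":
        wl = cls(name, use_regex)
        wl.append_values(text)
        return wl

    @staticmethod
    def _parse(text: str) -> List[str]:
        # one value per line; surrounding whitespace and blank lines dropped
        return [line.strip() for line in text.splitlines() if line.strip()]

    def append_values(self, text: str) -> None:
        """Import Watchlist > Append: keep existing values, add new ones."""
        for v in self._parse(text):
            if v not in self.values:
                self.values.append(v)

    def replace_values(self, text: str) -> None:
        """Import Watchlist > Replace: discard the existing values."""
        self.values = self._parse(text)

    def contains(self, candidate: str) -> bool:
        if self.use_regex:
            return any(re.fullmatch(p, candidate) for p in self.values)
        return candidate in self.values


def filter_events(events: List[Dict[str, str]], field: str, watchlist: Watchlist,
                  comparison: str = "In Watchlist") -> List[Dict[str, str]]:
    """Apply a statement filter of the form <field> In/Not In Watchlist <name>."""
    if comparison not in ("In Watchlist", "Not In Watchlist"):
        raise ValueError(f"unknown comparison: {comparison}")
    want_member = comparison == "In Watchlist"
    return [e for e in events
            if watchlist.contains(str(e.get(field, ""))) == want_member]


# Constructed sample data: a terminated-employees list and a few login events.
TERMINATED_TXT = "jsmith\nmlee\n\nrpatel\n"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"device": "10.0.0.5", "user": "jsmith", "msg": "login_ok"},
    {"device": "10.0.0.5", "user": "aturing", "msg": "login_ok"},
    {"device": "10.0.0.9", "user": "rpatel", "msg": "login_failed"},
    {"device": "10.0.0.9", "user": "svc-backup", "msg": "login_ok"},
]


def terminated_user_logins() -> List[str]:
    """Literal watchlist: users in the terminated list who still produce events."""
    wl = Watchlist.from_text("terminated_employees", TERMINATED_TXT)
    return [e["user"] for e in filter_events(SAMPLE_EVENTS, "user", wl)]


def non_service_account_logins() -> List[str]:
    """Regex watchlist with Not In Watchlist: drop svc-* accounts from the set."""
    wl = Watchlist.from_text("service_accounts", r"svc-.*", use_regex=True)
    return [e["user"] for e in
            filter_events(SAMPLE_EVENTS, "user", wl, "Not In Watchlist")]


if __name__ == "__main__":
    print("terminated users seen:", terminated_user_logins())
    print("non-service logins:", non_service_account_logins())
```

Note the practical split the page itself makes: a regex watchlist such as the svc-* example is usable only in alerting, because the Reports module ignores watchlists that use regular expressions.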

Modify Watchlists

If you make a change to a watchlist while RSA enVision is in the process of filtering events using that watchlist, the changes will not be applied until enVision finishes filtering the events.


To modify a watchlist:

1. Click Overview > System Configuration > Watchlists > Manage Watchlists.

2. In the Watchlist name column, click the watchlist that you want to modify.

3. Modify the watchlist as necessary. Do one of the following:

• To manually add additional values, click Add.

• To append additional values to the list through an import, click Import Watchlist. Select the file that you want to append. Only the watchlists stored in the folder E:\nic\4100\nodename\etc\watchlists are displayed in the import list. Click Append. RSA enVision adds values to the display. For more information, see the Help topic “Import Watchlist Values.”

• To replace the values in the list through an import, click Import Watchlist. Select the file that you want to replace. Only the watchlists stored in the folder E:\nic\4100\nodename\etc\watchlists are displayed in the import list. Click Replace. RSA enVision replaces the original values with the new values. For more information, see the Help topic “Import Watchlist Values.”

• To delete a value, in the Delete column, select the checkbox next to the value and click Delete.

4. Click Apply.

Delete Watchlists

To delete a watchlist:

1. Click Overview > System Configuration > Watchlists > Manage Watchlists.

2. In the Delete column, select the checkbox next to each watchlist that you want to delete.

3. Click Apply.

4. When prompted for confirmation, click OK.

5. Restart the views that reference the deleted watchlists.

Note: The deleted watchlists are referenced by the view until the view is restarted.

Export Watchlists

To export a watchlist:

1. Click Overview > System Configuration > Watchlists > Manage Watchlists.

2. In the Watchlist name column, click the watchlist whose value list you want to export.

3. Click Export Watchlist.

4. Enter the file name without the extension.

5. Click Export. RSA enVision creates the exported watchlist values file at the location E:\nic\4100\nodename\etc\watchlists.


Import Watchlists

You can add values to a watchlist by importing a .txt file.

To import a watchlist:

Do one of the following:

• Import a list of values to a new watchlist. For more information, see “Add Watchlists” on page 75.

• Import a list of values and append the values to an existing list of watchlist values. For more information, see “Modify Watchlists” on page 76.

• Import a list of values and replace the existing list of watchlist values with the newly imported list. For more information, see “Modify Watchlists” on page 76.


6 Managing Reporting

• Reports

• Standard Reports

• Report Results Folders Management Tasks

• Reports Management

• Report Definition Folders

• Scheduled Reports

Reports

The Reports module provides standard network and traffic analysis reports and graphs. You can copy and modify these reports, or create your own custom reports to meet specific reporting needs. You can run the reports immediately or schedule them to run at specific times.

Reports Module

You access the Reports module by clicking the Reports tab. The following figure shows the default Scheduled Reports tool. Other tools are Ad Hoc Reports and Report Configuration.


The following table shows the uses of the three report tools.

Scheduled Reports. View scheduled reports that have already run.

Ad Hoc Reports. Create, modify, and run reports.

Report Configuration. Manage running scheduled reports, schedule reports, manage report results folders, and set up report options.

Standard Reports

RSA enVision provides over 1,200 standard reports that gather common network security and traffic analysis statistics into tables and graphs. You can copy and modify these reports to create custom reports to meet specific reporting needs.

The following table shows the available report categories.

Archer. Control procedure reports for event sources such as Check Point Firewall-1, SharePoint Server, Oracle WebLogic, and VMware.

Compliance. Security statistics and data for a variety of regulations, including Sarbanes-Oxley and Gramm-Leach-Bliley.

Correlated Reports. Statistics for correlated alerts and for multiple event sources. Correlated alerts reports provide statistics and data on event combinations. Multiple event source reports contain statistics and data for multiple event sources from the same IP address.

Host. Statistics and data for application servers, load balancers, mail servers, mainframes, midrange systems, UNIX systems, web logs, and Windows hosts.

Insider threat mitigation. Standard system reports for insider threats. Insider threat mitigation reports include UNIX and database reports and Windows reports.

Network. Configuration management and traffic analysis statistics and data for routers, switches, systems, and wireless event sources.

Security. Network security statistics and data for access control systems, antivirus deployments, firewalls, intrusion detection (IDS) systems, intrusion prevention (IPS) systems, physical security controllers, and virtual private network (VPN) systems.

Storage. Statistics for storage and database systems.

Task Triage. Statistics and data drawn from incident open and closure rates, the status of open incidents across the enterprise, and the average time to acknowledge and time to close incidents.

VAM (Vulnerabilities and Asset Management). Statistics for vulnerability occurrence, vulnerability severity, and business rank and importance for the most vulnerable assets in the enterprise.

Report Permissions

You can control who can access report functions in the following ways:

• You can add users to the report-administrators or report-users group. For more information on the user groups, see “User Groups” on page 24.

• You can control individual user access, such as the ability to run a report or to modify a report definition, to specific reports or to all the reports in a device class.

• You can change the default permissions set for new users as well as the permissions associated with user groups to:

– Allow users to create new reports.

– Allow users to read and run reports.

For more information on changing the permissions, see the Help topic “Managing Report Permission Window.”

• You can assign user permissions to schedule reports. You can also assign the permission to view generated reports without the permission to schedule the reports. For more information, see the Help topics “Module and Tool Permission” and “Add/Modify User Window.”

• You can assign permissions to access the report folders. You can assign permissions at any level in the reporting folder hierarchy. For more information, see the Help topics “Manage Report Results window” and “Add/Modify User Window.”

Report Data

Reports draw their data from tables maintained by RSA enVision. Report parameters specify which tables to use and further define the data set by device type and address, time range, and message ID.

This topic gives an overview of tables, introduces the concept of a data set, and explains how to use an SQL WHERE clause and parameters to narrow the results.

Database Tables

RSA enVision creates temporary database tables as needed to generate reports and queries. The tables exist only for the time required to create the report. For descriptions of each database table and information on when to use each table, see the Help topics “Database Tables,” “Database Table Layouts,” and “When to Use Each Database Table.”


RSA enVision maintains summary data containing information and totals for summary type reporting. Summary data consists of preprocessed totals of common data points, such as total bytes per local address and total counts of URL addresses accessed. RSA enVision creates and stores summary data in the LogSmart Internet Protocol Database (IPDB) at one-minute intervals.

RSA enVision has many different summary tables. Each table stores data related to specific events, such as router events or event source connection information for access control devices. For descriptions of each summary table and information on when to use each table, see the Help topics “Summary Database Tables” and “When to Use Each Database Table.”

Use a summary table for a report whenever possible. Using summary data results in the fastest overall performance times because the data is preprocessed.

Data Set

Tables often contain data from many event source types, for example, the Firewall System database table contains information from all monitored firewall event sources. You can focus a report on specific event source types by defining a data set. A data set uses the device type identifier of an event source to select data from only those event sources with matching device type identifiers.

When you design a report to show data for a single device type only, use a SELECT statement (a subquery) in the SQL WHERE clause to include only the device addresses of that device type.

You can specify the device group or set of device groups to show data for a particular device type. For a list of supported event sources and associated device type identifiers, see the Help topic “Supported Devices (Event Sources).”

You can further narrow a search using the following data set parameters:

• Device address filters on IP address (a single address or a range of IP addresses)

• Time range limits the search to just those events in the specified time range needed for the report

• Message ID limits the search to only events with the specified message ID for the report

Data Selection

You select the database table or universal table from which you want to gather data to create a report. When possible, refine the data selection using an SQL WHERE clause to reduce the scope of the information included in a report. Otherwise, enVision returns all messages for all event sources in the selected table. For more information on SQL WHERE clauses, see the Help topic “SQL Statements.”

Construct the SQL WHERE clause by selecting values and operators from drop-down lists to create a statement. Alternatively, you can manually type a complete statement, but this approach may introduce typographic errors.


You can add a runtime parameter to a report to enable a person running the report to enter specific search criteria to focus the report. Depending on how you define the parameter, users can enter data directly or select from a drop-down list. For example, add an Enter User Name field to a report so that users can focus the report on a specific user.

You can construct a parameter to display existing watchlists in a drop-down list. (A watchlist is a named set of specified parameter values such as user IDs or IP addresses.) When you run the report, you can select a watchlist to focus the report. For more information about watchlists, see the Help topic “Watchlists.”

Report Results Folders

You can create report results folders and specify the folders as output folders when you schedule reports. You can then assign access permissions to report results folders to make the reports in the folder available to specific users.

You can assign report folder permissions to users or user groups. For more information, see “User Permissions” on page 24. Users can access only the reports in their assigned folders, using the Display Schedule Report Results window.

Report Results Folders Management Tasks

You can add, modify, or delete report results folders.

Add Report Results Folders

To add a report results folder:

1. Click Reports > Report Configuration > Manage Report Results Folders.

2. Click Add.

3. In the Name field, enter the name of the folder.

4. In the Description field, enter the description.

5. View the Parent Folder field to ensure that you are creating the folder in the correct position on the tree.

6. Specify the folder permissions for the users.

7. Click Apply.

Modify Report Results Folders

To modify a report results folder:

1. Click Reports > Report Configuration > Manage Report Results Folders.

2. In the tree, select the folder that you want to modify.

3. Click Modify.

4. Modify the Description of the folder and folder permissions.

5. Click Apply.


Delete Report Results Folders

When you delete a report results folder, all the scheduled reports that output to this folder, the results of the scheduled reports previously run, and subfolders will be deleted.

To delete a report results folder:

1. Click Reports > Report Configuration > Manage Report Results Folders.

2. Select the folder that you want to delete.

3. Click Delete.

Reports Management

You can create, modify, and run ad hoc reports.

Create Reports

When your organization needs to collect statistics or analyze incidents that are not defined using the available standard reports, you can create new reports tailored to gather the information that you need.

This topic provides an example to create a tabular report. The example includes instructions to create a report of failed authentication attempts by the specified users. For instructions on creating a graph report or bind report, see the Help topic “Create a Graph Report” or “Create a Bind Report.”


To create a new report:

1. Click Reports > Ad Hoc Reports > Create New Report.

2. Enter a unique name for the report, and click Next. In this example, the report name is Failed Logins Across Multiple Platforms.


3. Select the table and fields for the report as follows:

a. From the Select table drop-down list, select a table to use to generate the report. For information on selecting the table to use, see the Help topic “When to Use Each Database Table.”

b. From the Select fields list, select a field or fields. Use the CTRL key to select multiple fields.

c. (Optional) To consider only rows that contain distinct field values and no duplicates, select Distinct.

d. Click Next. This example shows selecting multiple fields from the Global table: DeviceAddress, DeviceTypeName, and UserName. Note that UserName is not in the visible part of the list. Distinct is selected to list distinct user names without any duplicates.


4. Select a field to sort on and a sort order as follows:

a. From the drop-down list of the field on which you want to sort, select a sort order (Ascending or Descending).

b. If necessary, set the sort order of all other fields to None.

c. Click Next. The example sets the sorting for the UserName field to Descending. All other fields are set to None.


5. Specify the report selection criteria as follows:

a. (Optional) Create a parameter definition to reduce the scope of the information included in your report. Click Apply.

This example shows entering parameters to allow users running the report to select the user they want a report for.

b. Construct the SQL WHERE clause. If you created a parameter definition, add it to the SQL WHERE clause.


c. Click Next. This example shows entering an SQL WHERE clause that returns failed login event information for the specified users.

6. Edit the report column headings, if necessary, to make them more descriptive or readable. Click Next. The example shows changing the headings.


7. To rearrange the order of the columns in the report, select a column heading, and click the up or down arrow as needed. Click Next. The example shows the columns arranged in an order appropriate for the report.

8. Select any additional report options as needed. Click Apply. This example shows selecting the options to display the date and time range in the report and to enable preprocess filters, which speed up report generation. For ways to optimize reports, see “Best Practices for Reporting” on page 185.


9. To run the report, click Run.

Modify Reports

You cannot modify a standard report. You can only modify a copy of a standard report. You can modify a custom report and save it under the same or a different name.

This topic provides basic steps for modifying tabular reports. The example includes the instructions to copy a standard router report and modify the copy from sorting traffic based on the number of packets received from a host to sorting traffic by hostname. For instructions on modifying a graph report or for detailed descriptions of the fields, see the Help.

To modify a report:

1. Click Reports > Ad Hoc Reports, and select an existing report.

2. Depending on the type of report, do one of the following:

• If the report is a custom report, set options as needed. Click Modify.

• If the report is a standard report, click Copy to create a copy of the report, and set options as needed. Click Modify.


This example shows copying a standard Cisco Router report, Bandwidth Usage by Address, to modify under a new name.

3. If needed, in the Name field, enter a report name. Modify the type of report, title, and description as needed. Click Next. In this example, the report name is changed to Cisco Router - Bandwidth Usage by Host Name.


4. Select the appropriate table, and select fields as needed. Use the CTRL key to select multiple fields. Click Next. For information about selecting the table, see the Help topic “When to Use Each Database Table.” This example uses the same fields as the standard report, so the fields are already selected.


5. If necessary, select a field to sort on and a sort order as follows:

a. From the drop-down list of the field on which you want to sort, select a sort order (Ascending or Descending).

b. If necessary, set the sort order of all other fields to None.

c. Click Next. This example changes the report from sorting on sum(Packets) to sorting on the Local Host Name in ascending (A to Z) order.

6. Modify the parameter or the SQL WHERE clause as needed. Click Next. This example does not use a parameter definition or an SQL WHERE clause.


7. Modify the column headings as needed. Click Next. In this example, the column headings are not changed.

8. Using the up and down arrows, modify the column order as needed. Click Next. In this example, the column order is not changed.


9. Modify the additional report options as needed. Click Apply to save the settings in the modified report. This example limits the result set to the first 100 rows.


Move a Report

You can move only custom reports to a different report definition folder in the Ad Hoc Reports menu.

Note: For standard reports, the Move button is not available.

To move a report:

1. Click Reports > Ad Hoc Reports.

2. Click the report that you want to move.

3. In the Edit report section, click Move.

4. From the Report Definition Folder list, select the folder to which you want to move the report.

5. Click Apply.

6. Click on the Ad Hoc Reports menu to refresh the menu and display the report in the folder to which you moved the report.


Run Ad Hoc Reports

The Ad Hoc Reports tool in the Reports tab provides access to all of the standard and custom reports. You can run a standard or custom report whenever needed.

This topic provides basic steps for running reports. For detailed steps and explanations of report parameters, see the Help. For information about scheduling reports to run at specific times, see “Scheduled Reports” on page 100.

To run a report:

1. Click Reports > Ad Hoc Reports, and expand the report types to see the available reports. The example shows the Compliance > PCI reports.


2. Select a report, and click Run. This example shows selecting the PCI-Router Configuration Changes report.

RSA enVision displays the completed report in a separate browser window.


Report Definition Folders

You can create report definition folders to organize the reports in the Ad Hoc Reports tool. Each report definition folder provides the following options:

Create Report Definition Folder. Create sub folders in the report definition folder.

Create New Report. Create new reports in the report definition folder. For more information on creating a report, see the Help topic, “Create/Modify Report Window.”

Manage Permissions. Specify user permissions for the reports created in the report definition folder. For instructions, see the Help topic “Manage Report Permissions Window.”

You can move only custom reports from one report definition folder to another. You cannot move standard reports. For more information on how to move a report, see “Move a Report” on page 97.

Create Report Definition Folders

To create a report definition folder:

1. Click Reports > Ad Hoc Reports > Create Report Definition Folder.

2. In the Report definition folder name field, enter the name for the report definition folder.

3. Click Apply.

4. Click the Ad Hoc Reports menu to refresh the menu and display the new report definition folder.

Scheduled Reports

You can schedule a report to run at a specified time and at recurring intervals. Report administrators and users with report permissions can display generated reports. You can also grant a user permission to schedule reports. For more information on scheduled reports, see the Help topic “Scheduled Reports.”

You can archive report folders, which archives all the generated reports in the selected folders. You can also delete the reports in specific report folders when they are no longer required.


Schedule Reports

The instructions in this topic provide a working example to schedule a report.

To schedule a report:

1. Click Reports > Reports Configuration > Schedule Report.

2. Schedule a standard report as follows:

a. In the Task name field, enter a unique task name.

b. Select Enabled.

c. From the Report name drop-down list, select the report that you want to schedule.

d. From the Folder name pop-up window, select the output folder for the report.

e. (Optional) Set any other runtime parameters.

f. Click Set Recurrence.


The example shows setting the report Alerts Under Investigation by View to run as the task AlertsByView and be output to the default folder.

3. Set when and how often a recurring report should run. Click Apply. The example shows setting the report to run every day at 12:00 p.m.


4. Click Apply to save the settings.

5. Click Manage Scheduled Reports to display the list of reports scheduled to run. This example shows all reports scheduled by administrators and users. Only administrators can view all the scheduled reports. A user can view only the reports that the user scheduled.


Display Generated Scheduled Reports

To display a generated scheduled report:

1. Click Reports > Scheduled Reports.

2. If the system has multiple report folders, click the name of the folder containing the report that you want to view.

3. In the calendar, click a date to see available reports for that date. Click the report that you want to view. RSA enVision stores reports in the month corresponding to the data contained in the report, not the date on which the report ran.


RSA enVision displays the report.

Archive Scheduled Reports

You can schedule a task to archive multiple report folders. You can set the age of the reports to archive, the report folders from which to archive, and the recurrence for the task. RSA recommends that you archive the reports to the NAS for efficient space utilization.

To archive scheduled reports:

1. Click Reports > Report Configuration > Schedule Report Delete/Archive.

2. Configure the archiving task as follows:

a. In the Task name field, enter a unique name for the task.

b. Select Enabled.

c. In the Delete/Archive time field, enter the age in months of the reports to be archived. Any report older than this age will be archived.

d. In the Removal option field, select Archive.

e. In the Directory path, enter the complete path where the reports will be archived, for example, \\10.20.30.101\vol0\nic\.

f. From the Folder Selection list, select the report folders to be archived.

Note: You cannot select the same folder for another archiving or deleting task.


This example shows how to define a task to archive reports older than six months.

3. To schedule the task, do one of the following:

• To run the task immediately, click Schedule Immediate.

• To schedule the task at recurring intervals, click Set Recurrence and specify when the task is to run.

Note: You can set the recurrence to a monthly basis only.

4. To add the task, click Apply.

Delete Scheduled Reports

You can schedule a task to delete reports in multiple report folders so that old reports, which occupy space, are cleaned up. You can set the age of the reports to delete and the recurrence for the delete task.

To delete scheduled reports:

1. Click Reports > Report Configuration > Schedule Report Delete/Archive.

2. Configure a deletion task as follows:


a. In the Task name field, enter a unique name for the task, for example, Deletion of year old reports.

b. Select Enabled.

c. In the Delete/Archive time field, enter the age in months of the reports to be deleted. Any reports older than this age will be deleted.

d. In the Removal option field, select Delete.

Note: You cannot select the same folder for another deleting or archiving task.

e. From the Folder Selection list, select the report folders containing the reports to be deleted. This example shows how to define a task to delete reports older than ten months from the Firewall Reports folder.

3. Do one of the following:

• To run the task immediately, click Schedule Immediate.


• To schedule the task at recurring intervals, click Set Recurrence and specify when the task is to run.

Note: You can set the recurrence to a monthly basis only.

4. To add the task, click Apply.


7 Managing the Dashboard

• Dashboard

• Creating and Maintaining Dashboard Reports

Dashboard

The Dashboard opens when users log on to RSA enVision. The Dashboard shows the reports and graphs that users select, providing an immediate summary of events that they choose to monitor.

You select the dashboard items that users can choose from and set up the parameters for those items. Users can then customize the Dashboard to show the items, such as reports and graphs, of their choice.


This example shows a sample Dashboard with the Alerts reports selected.

Events and Alerts

RSA enVision collects events that occur on monitored event sources. An event or set of events, such as a disk failure, an unexpected spike in network traffic, or the signature of a known threat, may warrant further investigation. You can configure enVision to recognize these specific events and issue real-time alerts to the user.

Dashboard Reports

The Dashboard shows a set of standard reports and graphs as dashboard items for each user.

You can create tabular or graphical dashboard reports. For detailed information on creating and modifying reports, see the Help topic “Dashboard Reports.”

Note: The alert-specific reports are populated by alerts generated from the views that you define.


Dashboard Standard Reports

The following table describes some of the Dashboard Standard Reports. For a complete list, see the Help topic “Dashboard Standard Reports.”

Report Name | Report Type | Description
Alerts - Recent Alerts | Detail | Lists the top ten alerts from any view over the past ten minutes.
Anti-Virus - Recent Activity | Detail | Lists the top ten categories of activity across all event sources on the network over the past ten minutes.
E-mail - Top Accounts Sending E-mail | Summary | Lists the top five accounts sending e-mail messages over the past hour.
Host - Top Failed Login Accounts | Summary | Lists the user accounts that have had the most failed logon attempts over the past hour.
IDS - Top Threats | Summary | Displays the top threats detected by all monitored Intrusion Detection Systems over the previous hour.
Network - Activity by Category | Summary | Displays the top five categories of activity across all event sources on the network.
Network - Top Bandwidth Users | Summary | Displays the top ten bandwidth users by address over the past hour.
Proxy - Top Web/FTP Destinations | Summary | Displays the top five web or FTP destinations by category of all traffic going through the firewall over the past hour.
VAM - Least Recently Scanned | Detail | Displays assets in the order of the longest duration since last scanned.
VAM - Most Vulnerable Assets By Severity | Detail | Displays assets in the order of the aggregate vulnerability severity score.

Dashboard Options

As an administrator, you have full rights to configure user Dashboard permissions.

You must determine the:

• Permissions for users or user groups to access a Dashboard report to include on their Dashboards

• Permissions for users or user groups to modify a specific Dashboard report

Note: Granting update permission on a report allows the user or user group to select the reports that are available for all users to display on their personal Dashboards.

• Various parameters involved with running the background reports and graphs


Dashboard Permissions

You must specify which reports are accessible to each user or user group on the Manage Users - Add/Modify User window and Manage Users - Add/Modify Group window, in the Dashboard Permissions panel.

You must also specify whether the user or user group can add or modify user-defined Dashboard reports on the Manage Users - Add/Modify User window and Manage Users - Add/Modify Group window, in the Module Tool Permissions panel (Overview/Manage Dashboard option). For more information, see the Help topics “Add/Modify User Window” and “Add/Modify Group Window.”

Select Dashboard Reports

Important: Any report that you enable for users to include on their Dashboards runs in the background as soon as at least one user is logged on to the system. All enabled reports run in the background, even reports that no user has selected to display on a Dashboard. This lets a report be displayed immediately when a user selects it. Select the reports to enable carefully, because the more reports that are enabled, the more the system response time degrades.

To set up the Dashboard items for the Dashboard window:

1. Click Overview > System Configuration > Dashboard Items > Manage Dashboard.

2. Select Enable next to each item that you want to allow users to be able to display on their Dashboards. Only the Alerts reports are enabled by default.

3. Select Default Report next to each item that you want to display by default on the users’ Dashboards.

4. Click Apply.

Creating and Maintaining Dashboard Reports

You can create, modify, and delete tabular reports.

Custom Dashboard Reports

The Dashboard has standard Dashboard reports and graphs. RSA enVision allows you to create your own custom Dashboard reports as well. Administrators, report-administrators, and users with Dashboard tool update permissions can create and modify Dashboard reports. For information on permissions, see “Dashboard Options” on page 111.


Create a Tabular Report

To create a tabular Dashboard report:

1. Click Overview > System Configuration > Dashboard Items > Dashboard Reports > Create New Report.

2. To specify the name and type of report, follow these steps:

a. In the Name field, enter a unique report name.

b. In the Type of Report field, select Tabular.

c. (Optional) In the Description field, enter a report description. In this example, the report name is Alert Messages by Date and Time.

d. Click Next.

3. To select the fields for the report, follow these steps:

a. From the Select table drop-down list, select a table on which to report.

b. From the Select fields list, select the fields on which to report. Use the CTRL key to select multiple fields.


This example shows the Alerts table, and the hour(Date/Time), Message, and EventMessageID fields selected.

c. Click Next.

d. From the drop-down list for each field, select the sort order as needed. Click Next.

This example shows all of the fields selected in Descending order.


4. (Optional) To create a parameter to use in an SQL statement for the query, follow these steps:

a. On the Parameter Definitions header, click Expand/Collapse to display the definition fields.

b. Complete the fields to define the parameter.

c. Click Apply. The system adds the new parameter to the Insert Param list in the SQL where clause section.

d. To create another parameter, under variables, click [new]. Repeat step b to step c.

5. (Optional) To filter the report information, create an SQL statement for the query. In the SQL where clause section, follow these steps:

a. From the Insert SQL column list, select a field.

b. From the Insert SQL operator list, select an operator.

c. Do one of the following:

• From the Insert Param list box, select a parameter.

• In the SQL where clause field, enter a value for the statement. This example shows the SQL WHERE clause created by selecting EventMessageID, >, and 0.


d. To add additional SQL query statements, from the Insert SQL operator list box, select an operator to join the SQL statements together.

e. To create additional SQL query statements, repeat step a through step c.

f. Click Next.

6. Edit the report column headings, if necessary, to make them more descriptive or readable. Click Next.

7. To rearrange the order of the columns in the report, select a column heading, and click the up or down arrow as needed. Click Next.

8. Select any additional report options as needed. Click Apply. This example has the Result set field set to 20 rows.

9. Click Preview to view the report.

10. Click Refresh on the System Configuration menu to display the new tabular report in the menu.

Important: After a report is created, you must enable the report to be used by users. For more information on enabling reports, see “Select Dashboard Reports” on page 112.

For more information:

• On creating a tabular report, see the Help topic “Create Tabular Dashboard Report.”

• On creating a graph report, see the Help topic “Create Graph Dashboard Report.”


Modify Dashboard Report

You can modify your custom Dashboard reports. You cannot modify a Dashboard Standard Report. You must copy the Dashboard Standard Report and then modify the copy. You can modify the name of the report, select new fields, change the report selection criteria, and customize the column headings and order.

To modify a dashboard report:

1. Click Overview > System Configuration > Dashboard Items > Dashboard Reports.

2. Click the report that you want to modify.

3. Depending on the type of report, do one of the following:

• If the report is a custom report, set options as needed. Click Modify.

• If the report is a standard report, click Copy to create a copy of the report, and set options as needed. Click Modify.

This example shows the Alert Messages by Date and Time report with the Modify button.


4. Make appropriate modifications to the report. This example shows the Result set field increased to 40 rows.

5. Click Apply.

Delete Dashboard Report

You can delete any custom Dashboard report. You cannot delete a Dashboard standard report.

To delete a Dashboard report:

1. Click Overview > System Configuration > Dashboard Items > Dashboard Reports.

2. Click the report that you want to delete.

3. Click Delete.


This example shows the Alert Messages by Date and Time report with the Delete button.

4. When prompted to confirm the deletion, click OK.


8 Managing Event Export

• Event Export

• Event Export Configuration

• Event Export Management

• Event Export Configuration in the Interactive Mode

• Event Export Configuration in Command Line Mode

• Event Export Job Management Tasks in the Command Line Mode

• Event Export Jobs Management Tasks

• Status Monitoring of Scheduled Event Exports

• Share Event Export Files

Event Export

You can export events from RSA enVision to a comma-separated value (CSV) file. You can then import the exported events into an external data destination, such as a relational database or data warehousing application, for further investigation and analysis. You can export both raw and parsed events. You can schedule events to be exported for a specific interval or at a recurring interval.

Event Export Configuration

When you install RSA enVision, the Event Data Interchange (EDI) server is automatically installed. The EDI server exports events from enVision. You manage the EDI server using the NIC EDI Service, which is installed as a Windows service.

You can configure event export as follows:

• In a multiple appliance site, configure event export on any Database Server (D-SRV). If there are multiple D-SRVs, RSA recommends that you use one dedicated D-SRV for event export. For instructions on configuring a dedicated D-SRV, see the Configuration Guide.

• In a multiple site deployment, RSA recommends that you configure event export on one D-SRV in each site.

• If your site has a Remote Collector, you can set up separate event export jobs for it.


Event Export Management

You use a configuration utility to configure event export. You can use the configuration utility in either an interactive mode or a command line mode.

Event Export Configuration in the Interactive Mode

The interactive mode of the configuration utility prompts for responses. You can open the configuration utility in the interactive mode, and create, modify, delete, and view event export jobs.

Open the Configuration Utility in the Interactive Mode

To start the configuration utility in the interactive mode:

1. Open a new command shell and type:

edi-admin

2. Press ENTER.

Create Event Export Jobs

You can create recurring or non-recurring jobs. When you define a job, you specify the event sources from which to export events, the output format, the table to use, and the directory in which to store the CSV file. You can specify a directory on the D-SRV on which the EDI Server is running or on the NAS attached to the D-SRV. If you specify a NAS directory, the event export job may take longer to complete because of the network throughput.

To create an event export job:

1. Open the configuration utility in the interactive mode. For instructions, see “Open the Configuration Utility in the Interactive Mode.”

2. Type:

create

3. Enter the name for the job, and press ENTER.

4. Enter the event source specification information in the following format:

[[[Site:]Node:]DeviceType:]DeviceAddress[(MessageId1,MessageId2,..)]

The following table describes the parameters in the event source specification.

Parameter | Description
Site | Name of the site from which to export events, for example, Site1 or Site2. To export events from all sites, specify the wildcard “*”.
Node | Name of the node from which to export events, for example, LS-DS1. To export events from all nodes, including Remote Collectors, specify the wildcard “*”.
Device Type | Type of event source for which to export events, for example, netscreen. To export events from all the event source types, specify all or the wildcard “*”.
Device Address | IP address of the event source from which to export events, for example, 10.1.20.123. To export from all event sources, specify the wildcard “*”. The address is mandatory.
Message IDs | Message ID of the event or events to export, for example, 1000,1234:01.

Note: If you do not enter any event source specification information, all the messages from all the nodes in all the sites will be exported.

The following are examples of event source specifications:

• To export events with message IDs 1000 and 1234:01 from the netscreen event source at 10.10.3.4 on Site1, Node1: Site1:Node1:netscreen:10.10.3.4:(1000,1234:01)

• To export all events from 10.10.2.4 in Site4 irrespective of the device types or nodes in Site4: Site4:*:*:10.10.2.4

• To export all events from all sites in the domain irrespective of nodes, device types, IP addresses, and message IDs: all

5. Press ENTER.

6. If you want to add another event source specification, press Y, and specify the details.

7. Enter the output format:

• To export only parsed events, press 1.

• To export only raw events, press 2.

• To export raw and parsed events, press 3.

8. Press ENTER.

9. If you are exporting parsed events or raw and parsed events, specify the table to which the events will be exported:

• To use the Universal table, press 1.

• To use the Global table, press 2.


Note: You must ensure that you select the appropriate table based on the events that you are exporting. If you do not specify any table, the Universal table is used. For more information on the tables, see the Help topic “RSA enVision Tables.”

10. Do one of the following:

• If you want the event export job to run only once, follow these steps:

a. Press N, and press ENTER.

b. Enter the start time and end time of the events. For information on the time formats, see “Time Formats” on page 126. For example, 2011-01-10T10:30GMT+5:30 2011-03-10T10:30GMT+5:30.

c. Press ENTER.

• If you want the event export job to recur, follow these steps:

a. Press Y, and press ENTER.

b. Enter the recurrence interval and, optionally, the number of recurrences. For example, to specify a recurrence interval of ten minutes that occurs five times, specify 10m 5. If you do not specify the number of recurrences, the job recurs indefinitely.

c. Press ENTER.

11. Specify the destination directory to which to export the events.You can specify a directory on the D-SRV or the NAS connected to the D-SRV, for example, E:\nic\EventExport or \\10.203.2.101\vol0\EventExport. The events exported to the NAS cannot be shared. For more information, see “Share Event Export Files” on page 142.

12. Press ENTER.

13. Enter the maximum size of the file to which the events will be exported.

Note: If you do not specify the file size, the default size of 10 MB is used. The maximum file size is 100 MB.

14. Press ENTER.

15. Enter the start time for the job in the time format. For more information on the time format, see “Time Formats” on page 126. For example, 2011-01-10T10:30GMT+5:30. If you want the job to start immediately, specify the time as “now.”
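The event source specification entered in step 4 is the part of a job that most often goes wrong silently: a field in the wrong position turns a narrow export into a site-wide one, and a typo in the address is the difference between an empty CSV and one containing every event from every source. The following Python is an added example, not RSA's code and not part of edi-admin; it parses the `[[[Site:]Node:]DeviceType:]DeviceAddress[(MessageId1,MessageId2,..)]` format exactly as the table above describes it, right-aligning the optional fields so that the mandatory Device Address is always last, and applies the result to a constructed list of sample events. It assumes, because the guide does not say, that the message-ID list may follow the address with or without a colon (the format line omits it, the worked example includes it), that a message ID is digits with an optional `:nn` suffix such as `1234:01`, that Device Address is an IPv4 address, and that field matching is exact.

```python
"""Parser for the edi-admin event source specification (added example, not RSA's code).

    [[[Site:]Node:]DeviceType:]DeviceAddress[(MessageId1,MessageId2,..)]

Assumptions not stated by the guide: the "(ids)" suffix may or may not be preceded
by a colon; a message ID is digits with an optional ":nn" suffix; the address is
IPv4; site, node and device type match exactly (case-sensitive).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple

WILDCARD = "*"
_MSGID_RE = re.compile(r"^\d+(?::\d+)?$")
# Non-greedy path, then an optional colon, then an optional "(ids)" suffix.
_SPEC_RE = re.compile(r"^(?P<path>[^()]*?):?(?:\((?P<ids>[^()]*)\))?$")


@dataclass(frozen=True)
class EventSourceSpec:
    site: str = WILDCARD
    node: str = WILDCARD
    device_type: str = WILDCARD
    address: str = WILDCARD
    message_ids: Tuple[str, ...] = ()  # empty tuple selects every message ID

    def matches(self, site, node, device_type, address, message_id):
        """True if an event with these attributes is selected by this specification."""
        def ok(pattern, value):
            return pattern == WILDCARD or pattern == value
        return (ok(self.site, site) and ok(self.node, node)
                and ok(self.device_type, device_type) and ok(self.address, address)
                and (not self.message_ids or message_id in self.message_ids))


def parse_spec(text: str) -> EventSourceSpec:
    """Parse one specification. An empty string or 'all' selects everything, as the guide states."""
    text = text.strip()
    if text == "" or text.lower() == "all":
        return EventSourceSpec()
    m = _SPEC_RE.match(text)
    if not m:
        raise ValueError(f"malformed event source specification: {text!r}")
    parts = m.group("path").split(":")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        raise ValueError(f"expected 1 to 4 colon-separated fields: {text!r}")
    # Fields are right-aligned: the address is mandatory and always last, so
    # 'netscreen:10.10.3.4' is DeviceType:DeviceAddress, never Site:Node.
    site, node, device_type, address = [WILDCARD] * (4 - len(parts)) + parts
    if address != WILDCARD:
        ipaddress.IPv4Address(address)  # raises ValueError for anything that is not IPv4
    if device_type.lower() == "all":   # the guide allows 'all' for Device Type only
        device_type = WILDCARD
    ids: Tuple[str, ...] = ()
    if m.group("ids") is not None:
        ids = tuple(i.strip() for i in m.group("ids").split(","))
        bad = [i for i in ids if not _MSGID_RE.match(i)]
        if bad:
            raise ValueError(f"bad message ID(s) {bad} in {text!r}")
    return EventSourceSpec(site, node, device_type, address, ids)


# Constructed sample events: (site, node, device type, address, message ID).
# Illustrative only, not data from an enVision appliance.
SAMPLE_EVENTS = [
    ("Site1", "Node1", "netscreen", "10.10.3.4", "1000"),
    ("Site1", "Node1", "netscreen", "10.10.3.4", "2000"),
    ("Site4", "LS-DS1", "ciscorouter", "10.10.2.4", "47"),
    ("Site4", "RC-1", "netscreen", "10.10.2.4", "1234:01"),
    ("Site2", "Node2", "winserver", "10.1.20.123", "4625"),
]


def select_events(specs, events=SAMPLE_EVENTS):
    """Return the events selected by at least one specification (a job may list several)."""
    parsed = [parse_spec(s) for s in specs]
    return [e for e in events if any(p.matches(*e) for p in parsed)]


if __name__ == "__main__":
    for spec in ["Site1:Node1:netscreen:10.10.3.4:(1000,1234:01)", "Site4:*:*:10.10.2.4", "all"]:
        print(spec, "->", parse_spec(spec), len(select_events([spec])), "event(s)")
```

Run the job's specifications through `select_events` against a few representative events before entering them in edi-admin; the check that a partial specification such as `netscreen:10.10.3.4` lands in the Device Type and Device Address positions, rather than Site and Node, is the one that catches the common mistake.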

Edit Event Export Jobs

You can edit an event export job to modify the event source specification, output format, table, schedule, and destination details. You cannot edit the job recurrence or the job start time if the event export job is in progress. The changes will be applied for the next occurrence of the job.


To edit an event export job:

1. Open the configuration utility in the interactive mode. For instructions, see “Open the Configuration Utility in the Interactive Mode.”

2. Type:

edit

The jobs that are defined are listed.

3. Enter the name of the job that you want to modify, and press ENTER. The job parameters and corresponding values are displayed.

4. Enter the number corresponding to the parameter that you want to modify.

5. Press ENTER.

6. Enter the new values for the parameter.

7. Press ENTER.

Delete Event Export Jobs

You can delete any job. If you delete a job that is running, that job is stopped. If you delete a recurring job, the subsequent recurrences of the job are not executed. To stop a running job without deleting it, see “Stop Scheduled Event Export Jobs” on page 139.

To delete an event export job:

1. Open the configuration utility in the interactive mode. For instructions, see “Open the Configuration Utility in the Interactive Mode.”

2. Type:

delete

3. Enter the name of the job that you want to delete, and press ENTER.

View a List of Event Export Jobs

You can view a list of all event export jobs and their corresponding status. Jobs have one of the following statuses:

• Running

• Scheduled (scheduled but not started)

• Stopped

• Paused

• Error

To view a list of all the event export jobs:

1. Open the configuration utility in the interactive mode. For instructions, see “Open the Configuration Utility in the Interactive Mode.”

2. Type:

List


View the Details of an Event Export Job

You can view the details of a specific job, including when the job was created, the present status of the job, the job configuration, event source specification, output format, table used, the destination details, and the schedule details.

To view the details of an event export job:

1. Open the configuration utility in the interactive mode. For instructions, see “Open the Configuration Utility in the Interactive Mode.”

2. Type:

View

3. Press ENTER.

4. Enter the name of the job that you want to view, and press ENTER.

Exit the Configuration Utility

To exit the configuration utility in the interactive mode:

1. In the configuration utility in the interactive mode, type:

Quit

2. Press ENTER.

Time Formats

You can specify the time in one of the following formats:

• YYYY-MM-DDThh:mmz

• hh:mmz

where z is the time zone, which is one of the following:

• +05:30

• GMT+05:30

• IST

The time zone is not mandatory. If you do not specify the time zone, the local time zone of the appliance is used.

For the hh:mmz format, the year, month, and day are the current day.

You can enter “now” to specify the current system time.

For example, 2011-11-12T10:12GMT+05:30 specifies 10:12 on November 12, 2011, in the GMT+05:30 time zone.
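The following Python is an added example, not code from the guide: it parses the three time forms described above (YYYY-MM-DDThh:mmz, hh:mmz and "now") with the listed zone designators, and checks the stime-before-etime rule the source profile parameters require. The zone table, the appliance local zone (UTC-05:00) and the fixed "now" are constructed assumptions so the results are deterministic.

```python
import re
from datetime import datetime, timedelta, timezone

# Zone abbreviations the guide lists; IST is the only one on the page, so this
# table is an assumption of the example (extend it for your appliance's zone).
NAMED_ZONES = {"IST": timedelta(hours=5, minutes=30)}

# Constructed reference values so the example is deterministic: the appliance's
# local zone is taken to be UTC-05:00 and "now" is fixed at 2011-01-10 22:00 UTC.
LOCAL_TZ = timezone(timedelta(hours=-5))
REFERENCE_NOW = datetime(2011, 1, 10, 22, 0, tzinfo=timezone.utc)

_TIME_RE = re.compile(r"^(?:(\d{4}-\d{2}-\d{2})T)?(\d{1,2}):(\d{2})(.*)$")
_OFFSET_RE = re.compile(r"^(?:GMT)?([+-])(\d{1,2})(?::(\d{2}))?$")


def parse_zone(designator, local_tz):
    """Map the z suffix (+05:30, GMT+05:30, IST or empty) to a tzinfo."""
    z = designator.strip()
    if z == "":
        return local_tz                      # zone omitted: appliance local zone
    if z.upper() in NAMED_ZONES:
        return timezone(NAMED_ZONES[z.upper()], z.upper())
    m = _OFFSET_RE.match(z)
    if not m:
        raise ValueError("unsupported time zone designator: %r" % designator)
    sign = 1 if m.group(1) == "+" else -1
    offset = timedelta(hours=int(m.group(2)), minutes=int(m.group(3) or 0))
    return timezone(sign * offset)


def parse_envision_time(text, now=REFERENCE_NOW, local_tz=LOCAL_TZ):
    """Parse YYYY-MM-DDThh:mmz, hh:mmz or "now" into an aware datetime.

    For hh:mmz the date is the appliance's current day in its local zone,
    which is how this example reads the guide's "current day" rule.
    """
    text = text.strip()
    if text.lower() == "now":
        return now.astimezone(local_tz)
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError("unrecognised time: %r" % text)
    date_part, hh, mm, zone = m.groups()
    tz = parse_zone(zone, local_tz)
    if date_part:
        day = datetime.strptime(date_part, "%Y-%m-%d").date()
    else:
        day = now.astimezone(local_tz).date()
    # datetime() itself rejects an hour or minute that is out of range
    return datetime(day.year, day.month, day.day, int(hh), int(mm), tzinfo=tz)


def describe(text):
    """Parsed value as an ISO 8601 string, for quick checks."""
    return parse_envision_time(text).isoformat()


def validate_window(stime_text, etime_text):
    """Enforce the guide's rule that stime must be earlier than etime."""
    start = parse_envision_time(stime_text)
    end = parse_envision_time(etime_text)
    if start >= end:
        raise ValueError("stime %s is not earlier than etime %s" % (start, end))
    return end - start
```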


Event Export Configuration in Command Line Mode

The configuration utility in the command line mode requires that you enter commands to configure the event export job. In addition to the basic configuration, you can make advanced configurations, such as using filters to refine the search criteria for the events to be exported.

To define an event export job in the command line mode, you must create a source profile, a destination profile, and a schedule for the source and destination profiles.

Source Profile

A source profile defines the criteria for and nature of the data to be exported. You can define the search criteria for events, the data model or schema to be used, and the time frame for the export.

Destination Profile

A destination profile defines the details of the destination to which the events are exported. You must specify a destination directory for the export files. Optionally, you can specify the maximum size of the export files and the maximum size of the directory where the export files are stored. If the size of the exported data exceeds the specified file size, the export is split into multiple files in the destination directory.

Event Export Job Schedule

An event export job schedule defines the date and time when the events specified by the source profile are exported to a file or files specified by the destination profile.

The schedule can be recurring or non-recurring.

To create an event export job, you must perform the following tasks:

1. Create Source Profiles

2. Create Destination Profiles

3. Create Event Export Job Schedules

Event Export Job Management Tasks in the Command Line Mode

You can manage source profiles, destination profiles, and event export job schedules in the command line mode.

Source Profiles Management Tasks

You can create, modify, delete, and view source profiles.


Create Source Profiles

To create an event export job that occurs once, you must specify the start time and the end time or end interval for the source profile. To create an event export job that recurs, you do not need to specify the time or interval. You can specify the recurrence information when you create the event export job schedule. For more information, see “Create Event Export Job Schedules” on page 136.

To create a source profile:

Open a new command shell and type:

edi-admin -source -create "Source_Profile_name" -devices "DeviceSpec1" "DeviceSpec2" ... -[options]

For more information on the parameters and options to create a source profile, see “Source Profile Command Parameters and Options” on page 129.

Edit Source Profiles

You can change all the parameters of a selected source profile. If you edit a source profile that is associated with an event export job that is in progress, the changes will be applied at the next occurrence of the job.

To edit a source profile:

Open a new command shell and type:

edi-admin -source -edit "Source_Profile_name" [options]

where Source_Profile_name is the name of the source profile that you want to modify. For more information on the parameters and options to edit a source profile, see “Source Profile Command Parameters and Options” on page 129.

Delete Source Profiles

You cannot delete a source profile if that profile is specified in an event export job schedule. To delete a source profile that is specified in an event export job schedule, you must delete the job schedule first. For more information, see “Delete Event Export Job Schedules” on page 137.

To delete a source profile:

Open a new command shell and type:

edi-admin -source -delete "Source_Profile_name"

where Source_Profile_name is the name of the source profile that you want to delete.


View a List of Source Profiles

To list all source profiles:

Open a new command shell and type:

edi-admin -source -list

View the Details of a Source Profile

To list the details of a source profile:

Open a new command shell and type:

edi-admin -source -list -id "Source_Profile_name"

where Source_Profile_name is the name of the source profile that you want to view.

Source Profile Command Parameters and Options

The following table describes the parameters for source profile commands.

Parameter Description

Source Profile Name

A unique name of the source profile, for example, ciscoexport. This parameter is mandatory.

The name must begin with an alphabetic character and can contain alphanumeric characters and the special character “_”.


devices One or more event sources from which the event or events were collected. This parameter is mandatory.

You must specify the event source specification in the following format:

[[[Site:]Node:]DeviceType:]DeviceAddress[(MessageId1,MessageId2,..)]

where:

• Site is the name of the site from which to export events, for example, Site1 or Site2. To export events from all sites, do not specify a site name or specify the wildcard “*”.

• Node is the name of the node from which to export events, for example, LS-DS1. To export from all nodes, including Remote Collectors, specify the wildcard “*”.

• Device Type is the type of event source for which to export events, for example, netscreen. To export from all the event source types, specify all or the wildcard “*”.

• Device Address is the IP address of the event source from which to export events, for example, 10.1.20.123. To export from all event sources, specify the wildcard “*”. This parameter is mandatory.

• Message ID is the message ID of the event or events to export, for example, 1000,1234:01.

Examples:

• To export events with the message IDs 1000 and 1234:01 from the netscreen event source on 10.10.3.4 on Site1 and Node1:

Site1:Node1:netscreen:10.10.3.4(1000,1234:01)

• To export all events from 10.10.3.4 in Site4, irrespective of the device types or nodes:

Site4:*:*:10.10.3.4

• To export all events from all sites irrespective of nodes, device types, IP addresses, and message IDs in your domain, specify:

all

stime Start time for the event export. The time must be specified in a supported time format, for example, 2011-11-12T10:12GMT+05:30.

For more information on the time formats, see “Time Formats” on page 126. The start time must be earlier than the etime.

This parameter is mandatory.

etime To export events within a fixed time range, specify the end time. The time must be specified in a supported time format, for example, 2011-11-12T10:12IST. For more information on the time formats, see “Time Formats” on page 126.

The end time must be later than the stime.

This parameter is optional.


eint To specify that events be exported for a specific time interval from the stime, enter the end interval. You must specify either the etime or eint. You must specify the interval in one of the following units:

• m - minutes

• h - hours

• d - days

• w - weeks

• y - years

For example, if you want to export events starting at 2011-01-05T10:30GMT+5:30 for half an hour, specify the time interval as 30m.

schema Name of the event export schema used for export. Specify the schema as one of the following values:

• g or global

• u or universal

Note: When you export only raw events, the schema is ignored.

This parameter is optional. If you do not specify a value, the universal (u) table is used.

out Specifies whether raw events, parsed events, or both are exported. Specify one of the following output types:

• p or Parsed

• r or Raw

• rp or RawAndParsed

This parameter is optional.

If you specify Raw as the output type, you do not need to specify the schema.
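The event source specification format of the devices parameter above, as an added example in Python (not code from the guide or the edi-admin tool): it parses [[[Site:]Node:]DeviceType:]DeviceAddress[(MessageId1,MessageId2,..)], treats omitted fields, "*" and "all" as wildcards, and matches the result against a constructed set of sample events. Device addresses are assumed to be IPv4 or "*", and the sample site, node, type and message ID values are made up.

```python
import re

WILDCARD = "*"
_FIELDS = ("site", "node", "device_type", "device_address")


def parse_device_spec(spec):
    """Parse [[[Site:]Node:]DeviceType:]DeviceAddress[(MessageId1,MessageId2,..)].

    Omitted leading fields and the literal "all" are treated as the wildcard
    "*". The message ID list is stripped first because IDs such as 1234:01
    contain colons. Returns a dict with the four fields plus message_ids
    (None when every message ID is wanted).
    """
    text = spec.strip()
    if text.lower() == "all":
        parsed = dict.fromkeys(_FIELDS, WILDCARD)
        parsed["message_ids"] = None
        return parsed
    message_ids = None
    m = re.fullmatch(r"(.*?)\s*\(([^()]*)\)", text)
    if m:
        text, id_list = m.group(1), m.group(2)
        message_ids = {i.strip() for i in id_list.split(",") if i.strip()}
        if not message_ids:
            raise ValueError("empty message ID list in %r" % spec)
    parts = [p.strip() for p in text.split(":")]
    if not 1 <= len(parts) <= 4 or "" in parts:
        raise ValueError("malformed event source specification: %r" % spec)
    parts = [WILDCARD] * (4 - len(parts)) + parts   # left-pad omitted fields
    parsed = dict(zip(_FIELDS, parts))
    if parsed["device_type"].lower() == "all":
        parsed["device_type"] = WILDCARD
    parsed["message_ids"] = message_ids
    return parsed


def is_valid_device_spec(spec):
    """True when parse_device_spec accepts spec."""
    try:
        parse_device_spec(spec)
        return True
    except ValueError:
        return False


def spec_matches_event(parsed, event):
    """Does one parsed specification select this collected event?"""
    for field in _FIELDS:
        pattern = parsed[field]
        if pattern != WILDCARD and pattern.lower() != event[field].lower():
            return False
    ids = parsed["message_ids"]
    return ids is None or event["message_id"] in ids


# Constructed sample events (values are made up to mirror the guide's
# examples; they are not real enVision output).
SAMPLE_EVENTS = [
    {"site": "Site1", "node": "Node1", "device_type": "netscreen",
     "device_address": "10.10.3.4", "message_id": "1000"},
    {"site": "Site1", "node": "Node1", "device_type": "netscreen",
     "device_address": "10.10.3.4", "message_id": "2000"},
    {"site": "Site4", "node": "LS-DS1", "device_type": "ciscorouter",
     "device_address": "10.10.3.4", "message_id": "1234:01"},
    {"site": "Site4", "node": "LS-DS1", "device_type": "ciscorouter",
     "device_address": "10.1.20.123", "message_id": "1234:01"},
]


def select_events(specs, events=SAMPLE_EVENTS):
    """Apply a -devices list (an event matching any spec is selected)."""
    parsed = [parse_device_spec(s) for s in specs]
    return [e for e in events if any(spec_matches_event(p, e) for p in parsed)]
```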

You can specify any of the following options, separated by a space, when you create a source profile.

Option Description

level The severity level, from 0 to 7, of the events to export. You must specify the levels in the format “xxxxxxxx”. To export events that match one or more severity levels, enter “1” in the position corresponding to each level. For example, to match levels 0, 2, 3, and 6, enter -level “1x11xx1x”.

ms A string to match (ignoring the case). To specify more than one string, separate strings by a space. For example, specify -ms "Auth" "Success" to include events that contain the exact strings Auth and Success in the message.


msi A string that is not case sensitive to match. To specify more than one string, separate strings by a space. For example, specify -msi "Auth" "Success" to include events that contain the strings Auth and Success, irrespective of the case, in the message.

mrx A regular expression (REGEX) that is case sensitive to match. For example, specify -mrx 10000|10001 to include events that contain the regular expression 10000|10001. To specify more than one expression, separate expressions by a space.

mrxi A regular expression (REGEX) that is not case sensitive to match. For example, specify -mrxi “Failed|Success” to include events that contain the regular expression Failed|Success. To specify more than one expression, separate expressions by a space.

fs A string that is not case sensitive to filter out events. Events that match the string are not exported. To specify more than one string, separate strings by a space. For example, specify -fs “company” “ABC” to include events that do not contain the exact match “company ABC” in the message.

fsi A case-sensitive string to filter events. Events that match the string are not exported. To specify more than one string, separate the strings by a space. For example, if you specify -fsi “company” “ABc”, events that contain “company ABc” are not exported.

frx A case-sensitive regular expression (REGEX) to filter events. Events that match the regular expression are not exported. To specify more than one expression, separate the expressions by a space. For example, if you specify -frx Failed|Success Login|LogOut, events that contain the regular expression Failed|Success or Login|LogOut are not exported.

frxi A regular expression (REGEX) that is not case sensitive to filter events. Events that match the regular expression are not exported. To specify more than one expression, separate expressions by a space. For example, if you specify -frxi “Failed|Success” “Login|LogOut”, events that contain the regular expression “Failed|Success” “Login|LogOut” are not exported.

cols The columns whose values to export. Enter the column headings, separated by a space. For example, -cols DeviceTypeName EventType SourceAddress. If you do not enter any column headings, the CSV file contains all the columns in the selected table.

colsfile A text file in which you specify the columns to export, for example, -colsfile exportcolumns.txt. In the text file, enter the column headings on separate lines.

Note: You can specify both columns and a file containing columns. The columns that you specify and the columns in the text file are both used for column selection.
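As an added example (not code from the guide), the following Python applies the -level mask and the include and exclude options described above to constructed sample events. Assumptions of this example: the plain options (ms, mrx, fs, frx) match case-sensitively and the -i variants do not; all include patterns must match (as in the -ms "Auth" "Success" example); any matching exclude pattern drops the event (as in the -frx example).

```python
import re


def level_mask_matches(mask, severity):
    """Apply the -level mask: position i of "xxxxxxxx" is "1" to export severity i."""
    if len(mask) != 8 or any(c not in "1x" for c in mask):
        raise ValueError("level mask must be 8 characters of '1' or 'x': %r" % mask)
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0 to 7: %r" % severity)
    return mask[severity] == "1"


def _compile(patterns, is_regex, ignore_case):
    """Plain strings are escaped so they match literally; regexes are used as given."""
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p if is_regex else re.escape(p), flags) for p in patterns]


def build_filter(level=None, ms=(), msi=(), mrx=(), mrxi=(),
                 fs=(), fsi=(), frx=(), frxi=()):
    """Return a predicate implementing the source profile filter options.

    Assumed semantics (see the lead-in): every include pattern must match,
    any exclude pattern that matches drops the event, and only the -i
    variants ignore case.
    """
    include = (_compile(ms, False, False) + _compile(msi, False, True)
               + _compile(mrx, True, False) + _compile(mrxi, True, True))
    exclude = (_compile(fs, False, False) + _compile(fsi, False, True)
               + _compile(frx, True, False) + _compile(frxi, True, True))

    def keep(event):
        if level is not None and not level_mask_matches(level, event["severity"]):
            return False
        message = event["message"]
        if not all(r.search(message) for r in include):
            return False
        return not any(r.search(message) for r in exclude)

    return keep


# Constructed sample events; the messages and severities are made up.
SAMPLE_EVENTS = [
    {"severity": 6, "message": "Auth Success for user alice from 10.1.20.123"},
    {"severity": 3, "message": "auth FAILED for user bob from 10.1.20.124"},
    {"severity": 0, "message": "Login Success for user carol (Company ABC)"},
    {"severity": 5, "message": "LogOut user dave"},
]


def select_messages(events=SAMPLE_EVENTS, **options):
    """Messages of the events a source profile with these options would export."""
    keep = build_filter(**options)
    return [e["message"] for e in events if keep(e)]
```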


Destination Profiles Management Tasks

You can create, edit, delete, and view destination profiles in the command line mode.

Create Destination Profiles

To create a destination profile:

Open a new command shell and type:

edi-admin -dest -create "Destination_profile_name" -dir "Destination directory" -[options]

The following table describes the parameters for the destination profile command.

Parameter Description

Destination_profile_name A unique name for the destination profile, for example, ciscoexport. This parameter is mandatory.

dir The path of the directory where the comma-separated values (CSV) file is created when events are exported. You can specify a directory on the D-SRV where the EDI server is running or on the NAS connected to the D-SRV, for example, E:\nic\EventExport or \\NAS IP address\Volume number\EventExport. The events exported to the NAS cannot be shared. For more information, see “Share Event Export Files” on page 142. This parameter is mandatory.

Note: If you specify a NAS directory, the event export job may take longer to complete because of the network throughput.

The following table describes the options for the destination profile command.

Option Description

msize Size in megabytes of the CSV file. At runtime, if the exported events exceed the file size, additional files of the same size are created as needed to contain the events. The maximum size that you can specify is 100 MB. If you do not specify the file size, the default size of 10 MB is used. For example, to specify the size as 50 MB, enter -msize 50.

mdirsize Size in megabytes of the directory where the CSV files are stored. If the maximum size is exceeded, the event export jobs fail to execute. To continue with the event export, you must move or copy the files out of the directory. For example, to specify the directory size as 10 MB, enter -mdirsize 10.

chunksize Buffer size in megabytes used to write data to the CSV file. Events are written to the CSV file only when the buffer reaches this size. For example, to specify the chunk size as 2 MB, enter -chunksize 2.

ctrldir The path of the directory where the .done files that indicate the completion status of the event export job are created. You can specify a directory on the D-SRV where the EDI server is running or on the NAS connected to the D-SRV, for example, E:\nic\JobStatus or \\NAS IP address\Volume number\JobStatus.

fieldsorder Order of the metadata fields to be exported to the CSV file. The metadata fields are:

• SITE is the enVision site name.

• NODE is the enVision node on which the events are collected.

• DEVICE_TYPE is the device type of the event source.

• DEVICE_ADDRESS is the IP address of the event source.

• DEVICE_ID is the unique identifier for the event source.

• EVENT_ID is the unique identifier for a particular event.

• COLLECTION_TIME is the collection time for a particular event.

• RAW_EVENT is the raw event collected by enVision. You must specify this option if you want the raw events to be exported along with the metadata. To export raw events, select the output format Raw or RawAndParsed when you define the source profile. For more information, see “Source Profile Command Parameters and Options” on page 129.

• EVENT_VARIABLES are the event variables that are parsed based on the selected output format. You must specify this option to export the selected variables along with the metadata. For more information on specifying the variables, see “Source Profile Command Parameters and Options” on page 129.

For example, to export the metadata fields Site and Node along with the raw events and selected variables, specify -fieldsorder “SITE, NODE, RAW_EVENT”.

resolve Resolves the hostnames in the event headers to IP addresses at the time of export.

quote Formats the quotes in the CSV file. You must use one of the following options:

• Raw to export events as in the NIC server. This choice is the default option.

• None to remove quotes from the parsed values and retain quotes in the raw events.

• Single to add single quotes to all the parsed values and raw events.

• CSV to remove quotes from the parsed values and add double quotes to the raw events.

For example, to export parsed values without quotes, specify -quote Raw.

ctimeformat Collection time of the event. This is a metadata value.

To view the list of supported formats, see http://download.oracle.com/javase/1.5.0/docs/api/java/text/SimpleDateFormat.html.

Edit Destination Profiles

If you edit a destination profile that is associated with an event export job that is in progress, the changes are applied at the next occurrence of the event export job.

To edit a destination profile:

Open a new command shell and type:

edi-admin -dest -edit "Destination_profile_name" [options]

where Destination_profile_name is the name of the destination profile that you want to modify. For more information on the parameters and options, see “Create Destination Profiles” on page 133.

Delete Destination Profiles

You cannot delete a destination profile that is specified in an event export job schedule. To delete a destination profile that is specified in an event export job schedule, you must delete the job schedule first. For more information, see “Delete Event Export Job Schedules” on page 137.

To delete a destination profile:

Open a new command shell and type:

edi-admin -dest -delete "Destination_profile_name"

where Destination_profile_name is the name of the destination profile that you want to delete.

View a List of Destination Profiles

To list all the destination profiles:

Open a new command shell and type:

edi-admin -dest -list

View Details of Destination Profiles

To list the details of a destination profile:

Open a new command shell and type:

edi-admin -dest -list -id "Destination_profile_name"

where Destination_profile_name is the name of the destination profile that you want to view.

Event Export Job Schedule Management Tasks

You can create, edit, delete, and view event export job schedules.

Create Event Export Job Schedules

To create an event export job schedule:

Open a new command shell and type:

edi-admin -schedule -create "Schedule name" -source "Source_Profile_name" -dest "Destination_profile_name" -stime "Job start time" [options]

For more information on the parameters and options to create an event export job schedule, see “Event Export Job Schedule Command Parameters and Options” on page 137.

Edit Event Export Job Schedules

If you edit an event export job schedule when the event export job is in progress, the changes are applied at the next occurrence of the event export job. If you do not want to include a recurrence interval, specify an empty string value for the time interval parameter.

To edit an event export job schedule:

Open a new command shell and type:

edi-admin -schedule -edit "Schedule name" -[dest "Destination_profile_name"] -[source "Source_Profile_name"] [options]

where Schedule name is the name of the event export job schedule that you want to modify. For more information on the parameters and options to create an event export job schedule, see “Event Export Job Schedule Command Parameters and Options” on page 137.

Delete Event Export Job Schedules

When you delete an event export job schedule, the corresponding source profile and destination profile are deleted if they are not referenced in any other schedule. If you delete a recurring event export job schedule, the job is stopped if it is running.

To delete an event export job schedule:

Open a new command shell and type:

edi-admin -schedule -delete "Schedule name"

where Schedule name is the name of the event export job schedule that you want to delete.

View a List of Event Export Job Schedules

To view all event export job schedules:

Open a new command shell and type:

edi-admin -schedule -list

View the Details of an Event Export Job Schedule

To list the details of an event export job schedule:

Open a new command shell and type:

edi-admin -schedule -list -[id "Schedule name"]

where Schedule name is the name of the event export job schedule that you want to view.

Event Export Job Schedule Command Parameters and Options

The following table describes the parameters for the event export job schedule command.

Parameter Description

Schedule_name A unique name for the schedule, for example, ciscoexport1monthperiod. This parameter is mandatory.

source Name of the source profile for the event export job schedule.

Note: RSA recommends that you specify a source profile in only one schedule.

This parameter is mandatory. To view the list of source profiles, see “View a List of Source Profiles” on page 129.

dest Name of the destination profile for the event export job schedule.

Note: RSA recommends that you specify a destination profile in only one schedule.

This parameter is mandatory. To view the list of destination profiles, see “View a List of Destination Profiles” on page 136.

stime Start time of the first event export job. The start time is mandatory and must be specified in a supported time format, for example, 2010-11-12T10:12IST. For more information on the time formats, see “Time Formats” on page 126. If the event export job schedule does not recur, the start time of the event export job schedule must be earlier than or equal to the end time (etime) of the source profile.

The following table describes the options for the event export job schedule command.

Option Description

r The recurrence interval for the event export job schedule. You must specify the interval in one of the following units:

• m - minutes

• h - hours

• d - days

• w - weeks

For example, to set the recurrence interval as once an hour, set the interval as 1h. If the source profile is set to recur, that is, no time range is specified in the source profile, specify the recurrence interval.

n Number of event export job recurrences. This value must be an integer. Specify this option only if you specified an event export job recurrence interval.

If you do not specify the number of recurrences, the event export job will run indefinitely.


Event Export Jobs Management Tasks

You can stop, pause, and resume event export jobs. You can view the status of the event export jobs and also start or stop the NIC EDI service.

Stop Scheduled Event Export Jobs

When you stop a job that is running, only those events that were exported up to the time that you stop the job are exported to the CSV file.

To stop a scheduled job using the command line mode:

1. Obtain the job ID of the event export job that you want to stop from the list of event export jobs. Type:

edi-admin -job -list all

2. Type:

edi-admin -job -stop job-id

where job-id is the identification number of the event export job.

Pause Scheduled Event Export Jobs

When you pause a job that is running, only those events that were exported up to the time that you pause the job are exported to the CSV file. You must resume the job to complete the event export.

To pause an event export job:

1. Obtain the job ID of the event export job that you want to pause from the list of event export jobs. Open a new command shell and type:

edi-admin -job -list all

2. Type:

edi-admin -job -pause job-id

where job-id is the identification number of the event export job.

Resume Paused Event Export Jobs

When you resume a job, events that are exported after the time that you paused the job are exported to the CSV file.

To resume a paused event export job:

1. Obtain the job ID of the event export job that you want to resume from the list of event export jobs. Open a new command shell and type:

edi-admin -job -list all

2. Type:

edi-admin -job -resume job-id

where job-id is the identification number of the event export job.


View the Status of Scheduled Event Export Jobs

To view the status of an event export job:

Open a new command shell, and type:

edi-admin -job -list (running | paused | all)

where running lists the event export jobs that are running, paused lists the event export jobs that have been paused, and all lists all the jobs that are running or paused.

Start or Stop the NIC EDI Service

You start or stop the NIC EDI Service from the Windows Services dialog box.

Note: When you start the NIC Service Manager, the NIC EDI Service starts automatically.

To start the service:

1. Click Programs > Administrative Tools > Services.

2. Right-click NIC EDI Service, and select Start.

To stop the service:

1. Click Programs > Administrative Tools > Services.

2. Right-click NIC EDI Service, and select Stop.

Status Monitoring of Scheduled Event Exports

You can monitor event exports by the status of the event export job or NIC EDI server.

Status of Event Export Jobs

You can monitor the status of an event export job using the NIC messages. To view these NIC messages, you must download and install the latest Event Source Update from RSA SecurCare Online.

Set Up NIC EDI Server Logging in a Multiple Appliance Site

In a multiple-appliance site with multiple D-SRVs, you must set up the slave D-SRV to log events on the master D-SRV.

To set up EDI server logging for the slave D-SRV:

1. Open a new command shell on the slave D-SRV, and type:

edi-admin -log -host IP address -port port number

where IP address is the IP address of the master D-SRV and port number is the port number on the master D-SRV, for example, 10.10.3.4 and 6550.


2. Restart the NIC EDI Service. For more information, see “Start or Stop the NIC EDI Service” on page 140.

Status of the NIC EDI Server

You can view the messages in the log files to monitor the status of the NIC EDI server. You can view the current log level and change the level to an appropriate log level.

View the Current Log Level

To view the current log level for the NIC EDI server:

Open a new command shell, and type:

edi-admin -log -get

Set the Log Level

To set the log level for the EDI server:

Open a new command shell, and type:

edi-admin -log -set level

where level is one of the following:

• INFO

• FINEST

• ALL

Event Export Files

The events exported to the CSV file are based on the output format, table selected, and the variables in the table.

You can specify the output format as one of the following:

• Raw events. If the output format is Raw, all the events are exported in the raw format to a file.

• Parsed events. If the output format is Parsed, you must specify either the Global or Universal table. Additionally, you can specify the variables you want to export. The parsed values for all the selected variables in the selected table are exported to the CSV file.

• Raw and Parsed events. If the output format is Raw and Parsed, you must specify either the Global or Universal table and the variables in the table. The parsed values for all the variables in the selected table and the events in the Raw format are exported to the CSV file.

If you have configured the destination profile to include metadata, the metadata values are also exported. For more information on configuring the metadata to be exported to the CSV file, see “Create Destination Profiles” on page 133.


Share Event Export Files

You can share the directories that contain the CSV files to copy or move the files to an external folder. Transfer of data files from the D-SRV is supported over sFTP, through the WinSSHD daemon.

Note: You cannot share the CSV files that you export to a folder on the NAS.

To configure WinSSHD to allow sFTP access:

1. Create a configuration (.ini) file that conforms to the following template:

access.virtGroups.New.group “<virtual-group-name>”

access.virtGroups.New.winAccount “nic_sftp”

access.virtGroups.New.permitExecRequests false

access.virtGroups.New.permitRemoteAdmin false

access.virtGroups.New.permitTerminalShell false

access.virtGroups.New.permitC2SForwarding false

access.virtGroups.New.permitS2CForwarding false

access.virtGroups.New.permitScp false

access.virtGroups.New.sfsMap.sfsHomeDir “<sftp-path>”

access.virtGroups.New.sfsMap.mountPoints.l.sfsMountPath “<sftp-path>”

access.virtGroups.New.sfsMap.mountPoints.l.realRootPath “<windows-mount-path>”

access.virtGroups.New.sfsMap.mountPoints.l.writeAccess false

access.virtGroups.New.Commit

access.virtAccounts.New.virtAccount “<virtual-user-name>”

access.virtAccounts.New.virtPassword.Set “<virtual-user-password>”

access.virtAccounts.New.group “<virtual-group-name>”

access.virtAccounts.New.Commit

Where:

<virtual-group-name> is the name of the virtual group that you intend to create.

<sftp-path> is the virtual path to the export directory.

<windows-mount-path> is the Windows path to the local file system directory containing the export CSV files.

<virtual-user-name> is the name of the virtual user that you intend to create.

<virtual-user-password> is the password of the virtual user.

2. Upload this file using the importText command of the wcfg utility:

E:\nic\4100\<site name>\wcfg.exe settings importText <filename.ini>

Where:

<filename.ini> is the configuration (.ini) file that you created.

WinSSHD is now configured to allow sFTP access to the local file system directory containing the export CSV files.

To transfer files, connect using the sFTP protocol. You must have only Read and Delete access permission to the contents of the directory containing the export CSV files.

8: Managing Event Export 143

Page 144: EnVision Admin Guide
Page 145: EnVision Admin Guide

RSA enVision 4.1 Administrator’s Guide

9 Maintaining RSA enVision

• RSA enVision Maintenance Tasks

• Daily and Weekly Maintenance Tasks

• Monthly Maintenance Tasks

• Quarterly Maintenance Tasks

• Yearly Maintenance Tasks

• Ongoing RSA enVision Updates

RSA enVision Maintenance Tasks

RSA enVision administrators have routine responsibilities for managing and maintaining the enVision system over time. Some tasks should be performed daily or weekly while others should be performed monthly, quarterly, or yearly.

RSA recommends setting a schedule of tasks. The scheduling and applicability of specific tasks depends on your organizational needs. Any change to your enVision setup, such as collection from a new event source, should trigger a general review of system settings and user and group assignments. This review ensures enVision is properly configured and all event sources are monitored.

Daily or weekly tasks include:

• Monitoring system errors and usage

• Monitoring the events per second (EPS) rate

• Monitoring disk usage and storage parameters

Monthly tasks include:

• Reviewing monitored event sources

• Reviewing user group and system access settings

• Reviewing views

Quarterly maintenance tasks include:

• Archiving event data

• Installing service packs as needed

Yearly maintenance tasks include:

• Renewing the maintenance contract

• Arranging for a Professional Services enVision healthcheck


Ongoing maintenance tasks include:

• Migrating to new releases of enVision

• Installing event source updates

• Installing VAM/IDS signature updates

• Installing operating system security updates

Daily and Weekly Maintenance Tasks

Monitor system performance daily or weekly, depending on the size and IT requirements of your organization. For example, an organization with a high volume of message traffic may need to monitor disk usage daily to avoid exhausting disk space, while one with a lower volume may only need to check it weekly.

You should perform the following tasks daily or weekly:

• Monitor system errors

• Monitor system usage activity

• Monitor the events per second (EPS) rate

• Review data storage options and disk usage

• Review the drive rotation options and drive status

Monitoring System Errors

You can monitor system errors in two ways:

• Monitor system errors using alerts

• Monitor system errors using events

Monitoring System Errors Using Alerts

Monitoring system errors using alerts involves the following tasks:

• Determine who is monitoring the NIC_View

• Enable the NIC_View

• Monitor NIC_View alerts

Determine Who is Monitoring the NIC_View

Ensure that the NIC_View is being monitored by an assigned user if you or another administrator is not reviewing the view. Review the users assigned to the NIC_View and make changes as necessary. To monitor the NIC_View, the user must be in the administrators group or have the Alert view permission “NIC_View.”

To determine who is monitoring the NIC_View:

1. Click Overview > System Configuration > Users > Manage Users.

2. In the Filter, select Permissions/Alert View, IN, and NIC_View. Click Apply.


The window displays the users with permission to monitor the NIC_View.

Enable the NIC_View

Ensure that the NIC_View is enabled so that the view is available for monitoring.

Note: In a multiple site deployment, enable and run NIC_View on a single A-SRV (each site has its own NIC_View). Running the NIC_View on multiple A-SRVs unnecessarily duplicates a resource-intensive process and wastes resources.

To enable the NIC_View:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. From the Site/Node drop-down list, select the site or node for which you want to enable the NIC_View.


3. If necessary, select Enable for NIC_View, and click Apply. The example shows the NIC_View enabled and running.

Monitor NIC_View Alerts

The NIC_View allows you to monitor the health of the enVision system, alerting you to possible issues within the enVision software environment. The NIC_View monitors all enVision appliances for the site and uses correlation rules to alert on NIC events.

You can modify the NIC_View only to add output actions. To customize other information of the NIC_View or a correlation rule, you must export the view or rule, save it with a unique name, and import the new view or rule. For information on exporting and importing views and correlation rules, see “Views Management Tasks” on page 72 and “Correlation Rules Management Tasks” on page 68.


To monitor NIC_View alerts:

1. Click Alerts > Real-time Detail > NIC_View.

2. From the Show drop-down list, select the type of alerts to display. This example shows the peak and current severity status of the NIC_View Alert Levels, the current alert count for each Alert Level, and the Alert Details for all Alert Categories with an alert count.


Monitor System Errors Using Events

NIC system errors may indicate a problem with the enVision system. Use the Event Viewer to view incoming NIC system event data and to retrieve data from the database.

RSA enVision supports hundreds of messages that describe system events including authentication successes and failures, failed startups or shutdowns of services, and file errors. You can use the event messages to help diagnose problems.

To monitor system errors in the Event Viewer:

1. Click Analysis > Event Viewer > Message View.

2. From the Device Type drop-down list, select NIC System.

3. From the Device drop-down list, select the enVision device name.

4. From the Timeframe drop-down list, select the time range to view.

5. (Optional) To filter by severity level or string matching, select Display advanced filter options, and configure the filter.

6. To update the list of messages, click Update now. This example shows NIC system events collected over the past thirty minutes.

Monitoring System Usage

You can monitor system usage using standard audit reports in the Reports module. The following reports contain information on configuration changes and use patterns:

• Configuration Changes

• Report Access Activity

• Report Emailing Activity


• Report Viewing Activity

• User Session Activity

You can monitor system usage in two ways:

• Schedule and review audit reports

• Monitor audit reports on the Dashboard

Scheduled Audit Reports

Schedule audit reports to run automatically on a daily or weekly basis, depending on the security policies of your organization. For example, if your organization has a lot of activity, reviewing reports daily breaks the workload into more manageable chunks. For additional information about using enVision report capabilities, see the chapter “Managing Reporting” on page 145. To schedule a report to run on a recurring basis, see “Schedule Reports” on page 101. For detailed instructions on scheduling and running reports, see the Help.

Review Audit Reports

Review audit reports for unusual or unexpected events, such as unexpected configuration changes, multiple consecutive failed logon attempts, or reports that are not being consistently reviewed by the people who normally review them.

You can configure enVision to automatically e-mail reports to people who need to review them. Users may also review reports by logging into enVision and viewing stored reports.

To review a scheduled report that has completed:

1. Click Reports > Scheduled Reports.

2. In the calendar, click the date to see available reports for that date.

3. Click the report that you want to view.

The following report examples show typical system usage reports:

• Configuration Changes by Date/Time


• Report Access Activity by Date/Time

• Report Viewing Activity by Date/Time

• User Session Activity by Date/Time


Monitor the Dashboard

The enVision Dashboard opens when you log on to enVision. The Dashboard shows the report results that you configure it to display, providing an immediate summary of events that you choose to monitor.

Configure the Dashboard to display the reports that are currently meaningful for your organization. For example, if the security policy requires that you monitor recent alerts and task triage progress, you can monitor reports such as the Alerts - Recent Alerts, Alerts - Top Categories, and Task Triage - Last Modified Tasks reports. For more information about designing your Dashboard, see the Help.

To monitor audit reports on the Dashboard:

1. Click Overview > Dashboard.

2. From the left pane of the Dashboard window, select the reports to display and the report view.

3. If the report that you want to display is not listed, click System Configuration > Dashboard Items > Manage Dashboard, and select Enable for the report.

4. Review audit reports on the Dashboard. The following example shows the Dashboard window displaying the Alerts - Recent Alerts, Alerts - Top Categories, and Task Triage - Last Modified Tasks reports.


EPS Rate

The EPS rate measures the average number of events collected by the enVision Collector every second. Your enVision license specifies the highest EPS rate allowed by your system. RSA enVision collects messages at your licensed EPS rate and provides a buffer to allow for an occasional excess of messages. If the licensed EPS rate is exceeded by 10 percent, enVision generates the warning message NIC-4-400019. If it is exceeded by 30 percent, enVision generates the alert message NIC-1-400020, which reports the condition and the number of events dropped.

If you are consistently receiving these warning and alert messages, you must upgrade your enVision license. Confirm that the EPS rate supported by your appliance can support a higher licensed EPS rate. For appliance EPS rates, see the appendix, “Hardware Specifications” in the Hardware Set Up and Maintenance Guide. If your enVision appliance cannot support a higher EPS rate, you must upgrade your appliance. To upgrade your license or purchase an appliance with more capacity, contact your RSA sales representative.

Monitor the EPS Rate

To monitor the EPS rate of a collector:

1. Click Overview > System Performance.

2. If you have multiple sites, select the site of interest.

3. If you have multiple Collectors, from the Collector drop-down list, select the Collector for which you want to view the EPS rate.


The example shows the EPS rate for the Collector named Vancouver-LC1. This configuration supports 10,000 EPS as shown in the upper-left corner.

Review Data Storage Options

RSA enVision stores reports, query results, and alerts on disks that are available to the system. You can set the disk and directories enVision uses to store this data. This data accumulates and can eventually fill the disk. RSA enVision sends an alert when disk usage exceeds the usage threshold. The alert message is “100002 Disk capacity d percent on drive x:\ is exceeding x percent.”

If you receive this alert, you should archive the reports, query results, and alerts to a separate archival system to free up space. If you do not free up space before enVision exceeds the system shutdown threshold, collection-related services shut down.

For detailed information about storage options, see the Help topic “Disk Usage.”
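The following Python script is an added example, not code from this guide or from the enVision product, that applies the EPS and disk usage checks described above to NIC system messages exported from the Event Viewer. The message IDs NIC-4-400019, NIC-1-400020 and 100002 and their meanings come from this guide. The framing of each sample line, the exact message wording, the severity digit on the disk message, and the rule that an overage is "sustained" when it recurs on three of the last seven days are assumptions made for the example, and the sample lines are constructed.

```python
import re
from datetime import date

# Assumed framing of an exported NIC system message:
#   "<ISO timestamp> NIC-<severity>-<message id> <text>"
# Message IDs and their meaning are from the guide: 400019 (licensed EPS
# exceeded by 10 percent, warning), 400020 (exceeded by 30 percent, alert
# with dropped-event count), 100002 (disk capacity over the notify
# threshold). The message wording below is assumed.
MSG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+NIC-(?P<sev>\d)-(?P<id>\d{6})\s+(?P<text>.*)$")
DROPPED_RE = re.compile(r"(\d+) events? dropped")
DISK_RE = re.compile(r"Disk capacity (\d+) percent on drive ([A-Za-z]:\\) is exceeding (\d+) percent")

EPS_WARN, EPS_ALERT, DISK_ALERT = "400019", "400020", "100002"

# Constructed sample input for the example (not real appliance output).
SAMPLE_LINES = [
    "2011-01-02T08:00:00Z NIC-4-400019 EPS rate exceeded licensed rate by 10 percent",
    "2011-01-10T08:00:00Z NIC-4-400019 EPS rate exceeded licensed rate by 10 percent",
    "2011-01-11T08:05:00Z NIC-4-400019 EPS rate exceeded licensed rate by 10 percent",
    "2011-01-11T08:06:00Z NIC-1-400020 EPS rate exceeded licensed rate by 30 percent, 1200 events dropped",
    "2011-01-13T09:00:00Z NIC-4-400019 EPS rate exceeded licensed rate by 10 percent",
    "2011-01-14T09:00:00Z NIC-1-400020 EPS rate exceeded licensed rate by 30 percent, 300 events dropped",
    "2011-01-14T12:00:00Z NIC-2-100002 Disk capacity 87 percent on drive E:\\ is exceeding 80 percent",
    "2011-01-14T12:30:00Z collector heartbeat (not a NIC system message, ignored)",
]


def parse_nic_messages(lines):
    """Parse lines in the assumed framing; anything else is skipped."""
    out = []
    for line in lines:
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        out.append({"day": date.fromisoformat(m["day"]), "sev": int(m["sev"]),
                    "id": m["id"], "text": m["text"]})
    return out


def eps_overage(msgs, window_days=7, min_days=3):
    """Summarise license overage inside a trailing window that ends on the
    newest message's day. 'sustained' is True when warning or alert messages
    occurred on at least min_days distinct days, which is the point at which
    the guide says the license (or appliance) must be upgraded."""
    if not msgs:
        return {"sustained": False, "warning_days": [], "alert_days": [], "dropped": 0}
    newest = max(m["day"] for m in msgs)
    warn, alert, dropped = set(), set(), 0
    for m in msgs:
        if (newest - m["day"]).days >= window_days:
            continue  # older than the window
        if m["id"] == EPS_WARN:
            warn.add(m["day"])
        elif m["id"] == EPS_ALERT:
            alert.add(m["day"])
            d = DROPPED_RE.search(m["text"])
            if d:
                dropped += int(d.group(1))
    return {"sustained": len(warn | alert) >= min_days,
            "warning_days": sorted(warn), "alert_days": sorted(alert), "dropped": dropped}


def disk_alerts(msgs):
    """Extract drive, usage and threshold from each 100002 message so the
    archive step can target the right volume."""
    out = []
    for m in msgs:
        if m["id"] != DISK_ALERT:
            continue
        d = DISK_RE.search(m["text"])
        if d:
            out.append({"day": m["day"], "drive": d.group(2),
                        "used_pct": int(d.group(1)), "threshold_pct": int(d.group(3))})
    return out


if __name__ == "__main__":
    parsed = parse_nic_messages(SAMPLE_LINES)
    print(eps_overage(parsed))
    print(disk_alerts(parsed))
```

Tune window_days and min_days to your own definition of "consistently"; the purpose of the check is to turn a one-off warning into a license decision only when the overage recurs, while the dropped-event total tells you how much data the current license is already costing you.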


To review the directories and the alert and shutdown thresholds:

1. Click Overview > System Configuration > Directories > Set Up Directories and Disk Usage.

2. Review the directories and, if needed, click the browse button next to a directory name to select a different directory.

Note: RSA recommends that you do not change the Report directory because, if you do, the generated reports will not be available in the Scheduled Reports menu.

3. Review the disk usage alert and shutdown parameters, and, if needed, change the thresholds.

Drive Rotation Options and Drive Status

RSA enVision stores all the events collected from the event sources that you have configured on your network. Depending on the number of event sources, enVision can be collecting hundreds of thousands of events per day. A high volume of data can quickly exhaust existing disk space.

When disk usage exceeds the notify threshold, enVision issues an alert. When disk usage exceeds the system shutdown threshold, enVision shuts down services and stops collecting messages.

To avoid system shutdown, you can add additional event storage locations and use the drive rotation feature to manage storage on the disk drives. For information about managing and monitoring disks, see the Help topics “Disk Usage” and “Event Storage Locations.”


RSA enVision rotates drives as follows:

• When a disk drive reaches the rotate threshold, the system rotates to the next directory specified for data storage, at the beginning of the next GMT day. Data stored on other drives is still accessible for reports and queries. The system also monitors the drive to ensure that the disk has space for two days of data, based on current disk usage. If the disk does not have sufficient space, the system rotates to the next directory specified for data storage, at the beginning of the next GMT day.

• As disks become full and the system cannot locate a drive in the rotation with sufficient space on which to store data, enVision sends an alert, warning of the condition. On reaching capacity, enVision drops messages and notifies of the condition, and then begins shutting down collection and packaging services.

If enVision is running out of available disk space, you can archive data from a drive after it is replaced in the rotation. For instructions, see the Help topic “Archive Event Storage Data.”
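The following Python function is an added example, not code from this guide or from enVision, that applies the two rotation conditions above to the storage locations listed in Manage Storage Locations, so that the weekly disk review can forecast when the rotation will run out of room. Capacity, usage and threshold figures are read from that window and entered by hand. The second location path, all of the numbers in the sample, and the treatment of "days left" as the space below each location's rotate threshold divided by the current daily volume are assumptions made for the example.

```python
# Each storage location as shown in Manage Storage Locations. The path
# E:\nic\lsnode is from the guide; the second path and every number here are
# constructed for the example.
SAMPLE_LOCATIONS = [
    {"path": r"E:\nic\lsnode",  "capacity_gb": 500,  "used_gb": 420, "rotate_pct": 85, "notify_pct": 80},
    {"path": r"F:\nic\lsnode2", "capacity_gb": 1000, "used_gb": 100, "rotate_pct": 85, "notify_pct": 80},
]


def pct_used(loc):
    return 100.0 * loc["used_gb"] / loc["capacity_gb"]


def can_accept(loc, daily_gb):
    """The guide's two rotation conditions, inverted: a location can keep
    receiving data only while it is below its rotate threshold and still has
    room for two more days at the current daily volume."""
    free_gb = loc["capacity_gb"] - loc["used_gb"]
    return pct_used(loc) < loc["rotate_pct"] and free_gb >= 2 * daily_gb


def rotation_status(locations, active, daily_gb):
    """Forecast for the weekly disk review.
    rotate_due: the active location will be rotated out at the next GMT day.
    next: the first location after it in the rotation that can accept data,
          or None, which is the state in which enVision alerts and, when the
          active disk fills, drops messages and shuts down collection.
    days_left: collection time before every location reaches its rotate
               threshold (assumed forecast model, not an enVision figure)."""
    cur = locations[active]
    nxt = None
    for step in range(1, len(locations)):
        j = (active + step) % len(locations)
        if can_accept(locations[j], daily_gb):
            nxt = j
            break
    usable_gb = sum(max(0.0, loc["capacity_gb"] * loc["rotate_pct"] / 100.0 - loc["used_gb"])
                    for loc in locations)
    rotate_due = not can_accept(cur, daily_gb)
    return {
        "active": cur["path"],
        "active_used_pct": round(pct_used(cur), 1),
        "rotate_due": rotate_due,
        "next": locations[nxt]["path"] if nxt is not None else None,
        "at_risk": rotate_due and nxt is None,
        "over_notify": [loc["path"] for loc in locations if pct_used(loc) >= loc["notify_pct"]],
        "days_left": usable_gb / daily_gb if daily_gb > 0 else float("inf"),
    }


if __name__ == "__main__":
    for key, value in rotation_status(SAMPLE_LOCATIONS, 0, daily_gb=45).items():
        print(f"{key}: {value}")
```

With the sample figures the active location is below its 85 percent rotate threshold but has less than two days of headroom at 45 GB/day, so it will be rotated out at the next GMT day even though no threshold alert has fired yet; that is the case the two-day check in the guide exists to catch.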

Review Drive Status

To review drive status:

1. Click Overview > System Configuration > Directories > Manage Storage Locations. The following example shows the rotate and notify thresholds for each directory path.


2. In the Directory Path column, click the path of the directory for which you want to review disk usage. The following example shows the disk usage for the E:\nic\lsnode storage location.

3. Review the disk usage. If necessary, change the rotate and notify parameters. For detailed instructions, see the Help topic “Event Storage Locations.”

Monthly Maintenance Tasks

On a monthly basis, you should perform tasks to ensure that RSA enVision is properly handling events and that users are appropriately assigned to groups:

• Review monitored event sources

• Review users and system access

• Review views


Reviewing Monitored Event Sources

The NIC Collector Service collects and stores events from all monitored event sources. To ensure that enVision is properly handling events from all monitored event sources, you must do the following tasks:

• Ensure that event sources are monitored

• Ensure that events are collected

Ensure Event Sources are Monitored

Use the Manage Monitored Devices window to ensure that the event source is listed and its status is Active.

To ensure that event sources are monitored:

1. Click Overview > System Configuration > Devices > Manage Monitored Devices.

2. If necessary, use the filter to specify specific event sources. Click Apply.

3. Ensure that all event sources are listed, have an Active status, and have a check mark in the rightmost column (the column with the magnifying glass). Selecting the event source in the rightmost column sets enVision to include events from the event source in any data retrieval that enVision performs, making the events available for analysis.

4. To enable event sources that are not enabled, click the event source IP address, and select Active from the Collection drop-down list. Click Apply. For detailed instructions on adding or modifying event sources, see the Help topic “Add/Modify Monitored Device Window.”

If a configured event source is not listed, contact Customer Support.


Ensure Events are Collected

To ensure that an event source is sending events to enVision as expected, view events from the event source in the Event Viewer.

This topic provides the basic procedure to view events. For detailed information about using the Event Viewer, see the Help.

To ensure that events are collected:

1. Click Analysis > Event Viewer > Message View.

2. Click Update Now. The default Event Message View window shows all events received in the last thirty minutes.

3. To view events from a specific event source, follow these steps:

a. From the Device type drop-down list, select a device type. Click Update Now.

b. If a device type returns events from multiple event sources, from the Device drop-down list, select the IP address of the specific event source. Click Update Now.

Users and System Access

You cannot change permissions assigned to the system-defined groups. For more information on the system-defined groups, see “User Groups” on page 23.

You can create your own user groups and modify the permissions of those groups. You can grant or deny individual access permissions for each user and for each user group that you have created. For information about setting permissions for users and user groups, see “User Permissions” on page 24 and the Help topic “Add/Modify Group Window.”


Note: In some environments, a security engineer may set up and monitor users, groups and permissions. In this case, you should review the security policy with the security engineer to ensure adherence to the security policy.

Reviewing Users, User Groups, and User Permissions

Review user accounts, user group associations, and permissions to confirm appropriateness as follows:

• Review user accounts to ensure that the users should have access to enVision.

• Review user groups and permissions to ensure that the groups and associated permissions are appropriate.

• Review Access Denied Options to ensure that enVision responds appropriately to failed authentication attempts.

Review User Accounts

To review user accounts:

1. Click Overview > System Configuration > Users > Manage Users.

2. If necessary, set the filter so that the set of users that you want to review is displayed in the Filtered Users section. For instructions on setting filter parameters, see the Help topic “Manage Users Window.” The following example shows the filter set to show the list of users with access permission for the Reports module.

3. Review each user name in the Filtered Users section.


Review User Groups and User Permissions

To review user group members and permissions:

1. Click Overview > System Configuration > Manage Groups.

2. Click a group name and, on the Add/Modify Group window, follow the steps:

a. To review the users associated with the group, click the Group Membership drop-down list.

b. To review the permissions associated with the group, click the various permissions drop-down lists.

3. Repeat step 2 for each group.

Review Access Denied Options

Access denied options determine how enVision responds to failed authentication attempts. These options also set time-outs for idle sessions. Review these settings to be sure that they are appropriate. For example, in sensitive environments, you can set accounts to be disabled after a user exceeds the configured number of failed authentication attempts, rather than locking the account for a period of time.

To review access denied options:

1. Click Overview > System Configuration > Users > Set Up Access Denied.

2. Review the access denied message and other options. The following example shows the default access denied options.


Reviewing Views

Note: If your organization has a security engineer, he or she should work with you on all of the tasks in this topic to ensure adherence to your security policy.

Reviewing a view involves the following tasks:

• Review the messages defined for a view to ensure that the view relies on appropriate event sources and message categories.

• Review all correlation rules to ensure that alerts are triggered from appropriate events.

• Create thresholds, filters, and watchlists as needed to ensure that alerts are not triggered unnecessarily.

• Create output actions to ensure that all relevant users are properly notified of events and alerts.

Review Messages

Event sources can generate many messages for a variety of enVision message categories. Often, only a subset of these messages is appropriate for triggering alerts. Use enVision message categories to show security-relevant messages. For more information about message categories, see the Overview Guide.

To display categorized messages for an existing view:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. Click an existing view.

3. On the Modify View window, click Next.

4. On the Select Devices and Correlation Classes window, click Next.

5. In the Customize Alert Configuration window, click Add.

6. In the pop-up window, in the Filter section, from the Attribute drop-down list, select Taxonomy / Alert Category.

7. From the Criteria drop-down list, select the appropriate message category, and click Apply.


8. Review the messages in the Filtered Messages section. The following example shows the messages in the alert category Attacks.Access for the Cisco PIX firewall.

Review Correlation Rules

Review correlation rules to ensure that the rules trigger correlated alerts based on appropriate events and conditions. For example, you can create a correlation rule that triggers a correlated alert if enVision receives 10 attack-related messages within a sixty-second period. This topic describes how to review existing correlation rules. For instructions on creating a custom correlation rule, see “Create Correlated Alerts” on page 63 and the Help.

Note: If your organization has a security engineer, he or she may review correlation rules for views other than the NIC_View. In this case, you should review the security policy with the security engineer to ensure adherence to the security policy.


To review correlation rules:

1. Click Alerts > Alert Configuration > Correlated Alerts > Manage Correlation Rules.

2. Click a message ID to review details for that rule. The following example shows the correlation rule for CRL-00109.

Create Thresholds

You can create a threshold for a message based on changes to the alert baseline score. For information on the alerts baseline, see the Help topic “Threshold Definition Popup Window.”

To create a threshold for a message based on changes to the alert baseline score:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. Click an existing view that contains a message of interest.

3. On the Modify View window, click Next.

4. On the Select Devices and Correlation Classes window, click Next.

5. In the Customize Alert Configuration window, click the Threshold link of the message of interest.


6. Set the threshold, and click Select. The example shows setting a threshold of 25 percent above the daily baseline.

7. Click Add or Finish.

Create Filters

If you or your analysts determine that enVision generates unnecessary alerts, you can create filters to narrow the alert conditions. You can create filters for a message based on event message content.

To create message filters:

1. Click Alerts > Alert Configuration > Views > Manage Views.

2. Click an existing view of interest.

3. On the Modify View window, click Next.

4. On the Select Devices and Correlation Classes window, click Next.

5. In the Customize Alert Configuration window, click the Filter link in the message of interest.

6. In the Add Filter window, click Add Filter.


7. Select the filter parameters from the drop-down lists, and enter the criteria. The example shows a filter that checks whether the variable in the Foreign Address field of the message matches any of the foreign addresses listed in the watchlist “Suspicious Activity.”

8. Click Apply.

Create Watchlists

You can use a watchlist as a shortcut to filtering events on which you want to alert or report. For more information on creating a watchlist, see “Add Watchlists” on page 75.

You can use the watchlist in one of the following ways:

• Use the watchlist in a correlation rule. For instructions, see the Help topic “Set Up Correlated Alerts.”

• Use the watchlist within your view for a single message. For instructions on modifying the view to include a filter with a watchlist, see the Help topic “Modify View.” An example is shown in the preceding topic, “Create Filters.”

Create Output Actions

Review whether enVision routes alerts to the appropriate people or processes. If not, you can use output actions to specify appropriate dispatch methods for alerts.

Output actions send alerts to various endpoints such as AOL instant messenger screen names, e-mail addresses, and cell phone numbers.


To create an output action:

1. Click Alerts > Alert Configuration > Output Actions > Manage Output Actions.

2. Enter the data as needed. For detailed explanations of fields, see the Help topic “Add/Modify Output Action Window.” The example shows setting up an output action to send alerts through SNPP to a cell phone.

3. Click Test to send a test message over the channel.

4. Click Apply to save the output action.

5. Assign an output action to alerts in either of the following ways:

• Assign the action to a specific combination of device class, alert, and alert severity level within a view in the Manage Views - Add/Modify Output Action Information window. The exception is that you cannot assign the Task Triage output action using this method.

• Assign the action to a specific message in a view in the Manage Views - Customize Alert Configuration Window.

For instructions on assigning alerts using these methods, see the Help topic “Modify View.”


Quarterly Maintenance Tasks

Quarterly you should perform the maintenance tasks of archiving event data and installing service packs. RSA recommends adding these tasks to your company policies:

• Archive event data

• Install service packs

Archive Event Data

Event data accumulates continuously in the IPDB. If you do not move the data from the IPDB to an external archival system on a periodic basis, the disk can fill up, causing enVision services to stop and events to be lost. Quarterly archival of event data can help avoid disk usage problems in most environments.

You can use the Maintenance utility (lsmaint.exe) to archive data by time period (day, month, or year) or by event source. You can use job scheduling to automate archival.

The following instructions describe the basic procedure to archive and delete data. For detailed instructions, see the Help topic “Manage Stored Event Data.”

To archive event data for a single day:

1. Log on to the enVision appliance.

2. Open a command prompt, and type:

install_dir\bin\lsmaint -show destdir -device d -time start end

where:

• destdir is the full pathname of the archive directory.

• d is a regular expression that specifies an event source name or filter.

• start is the beginning of the time period, which cannot be the current day.

• end is the end of the time period, which cannot be the current day.

For example, the following command shows the data for the specified event source for January 15, 2011 through January 16, 2011 (one day):

E:\nic\4100\nodename\bin\lsmaint -show \\10.10.0.1\c$\backupdata -device 10.10.1.10 -time 20110115 20110116

Ensure that the files returned are the files that you want to archive. If these files are not the expected result set, modify the arguments appropriately, and execute the show command until you have the result set that you want.

3. To copy the data to an external location, type:

install_dir\bin\lsmaint -copy destdir -device d -time start end


4. After you have copied data to an external location, delete the event data using a -delete command like the following:

install_dir\bin\lsmaint -delete -gmt -time start end

The following example removes event data for the time period of January 15, 2011 through January 16, 2011, Greenwich Mean Time:

E:\nic\4100\nodename\bin\lsmaint -delete -gmt -time 20110115 20110116

Note: You can use the move command to archive and delete data in one operation. If you use the move command, you can add the command as a scheduled task to run every day so that all data over a specified age is always removed. For information on the move command, see the Help topic “Maintenance Command Line Interface Utility (lsmaint.exe) Actions and Arguments.” For information on scheduling tasks, see the Help topic “Manage Scheduled Tasks.”
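As an added example that is not part of this guide or of lsmaint itself, the following Python wrapper drives the show, copy and delete sequence above with the checks a practitioner wants before event data is deleted: the -time arguments are validated against the rules given (YYYYMMDD, start not after end, neither day the current GMT day), delete never runs unless the copy step returned success, and a copy that was narrowed with -device is not followed by the un-narrowed delete unless that is explicitly allowed. The install path, the use of ".*" as the match-everything -device expression, the assumption that lsmaint returns a non-zero exit code on failure, and the availability of a Python interpreter on the appliance (or of a workstation from which the printed dry-run commands are copied into a scheduled task) are assumptions made for the example.

```python
import subprocess
from datetime import datetime, timezone

# Assumed install location; the guide's example uses E:\nic\4100\nodename\bin.
LSMAINT = r"E:\nic\4100\nodename\bin\lsmaint.exe"
# Assumption: -device takes a regular expression (per the guide), so ".*"
# selects every event source.
ALL_SOURCES = ".*"


def _ymd(value):
    return datetime.strptime(value, "%Y%m%d").date()


def validate_range(start, end, today=None):
    """Enforce the guide's constraints on -time: both values are YYYYMMDD,
    start is not after end, and neither may be the current (GMT) day.
    'today' is a YYYYMMDD override used for testing."""
    today_d = _ymd(today) if today else datetime.now(timezone.utc).date()
    try:
        s, e = _ymd(start), _ymd(end)
    except ValueError:
        raise ValueError("start and end must be YYYYMMDD") from None
    if s > e:
        raise ValueError("start %s is after end %s" % (start, end))
    if e >= today_d:
        raise ValueError("the range may not include the current GMT day (%s)" % today_d)
    return s, e


def build_commands(destdir, device, start, end, lsmaint=LSMAINT):
    """The three lsmaint invocations from the guide, as argv lists."""
    return {
        "show":   [lsmaint, "-show", destdir, "-device", device, "-time", start, end],
        "copy":   [lsmaint, "-copy", destdir, "-device", device, "-time", start, end],
        # -delete takes no -device in the guide: it removes the whole range.
        "delete": [lsmaint, "-delete", "-gmt", "-time", start, end],
    }


def _run(argv, dry_run):
    print(" ".join(argv))
    if dry_run:
        return 0
    return subprocess.run(argv).returncode  # assumed: non-zero on failure


def archive_and_delete(destdir, device, start, end, today=None,
                       dry_run=True, allow_partial_delete=False):
    """show -> copy -> delete, stopping at the first failure. Returns the
    list of (step, result) pairs so a scheduled task can log what happened."""
    validate_range(start, end, today)
    cmds = build_commands(destdir, device, start, end)
    steps = []
    for step in ("show", "copy"):
        rc = _run(cmds[step], dry_run)
        steps.append((step, rc))
        if rc != 0:
            return steps  # never delete after a failed show or copy
    if device != ALL_SOURCES and not allow_partial_delete:
        steps.append(("delete", "skipped: copy was filtered by -device but "
                                "-delete would remove every source in the range"))
        return steps
    steps.append(("delete", _run(cmds["delete"], dry_run)))
    return steps


if __name__ == "__main__":
    # Dry run of the guide's own example (January 15 to 16, 2011, one source).
    for step, result in archive_and_delete(r"\\10.10.0.1\c$\backupdata", "10.10.1.10",
                                           "20110115", "20110116", today="20110120"):
        print(step, result)
```

Two points the wrapper makes explicit. First, the guide's -copy example selects one event source while its -delete selects every source in the range, so running the pair as written removes data from other sources that was never archived; copy with ".*" (or all of your device filters) before the delete. Second, the copy example carries no -gmt while the delete does; confirm in the Help topic for lsmaint how -time is interpreted with and without -gmt, because if the two differ by your appliance's UTC offset, part of a day can be deleted that was never copied.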

Service Pack Installation

RSA periodically issues service packs, which contain valuable features and address critical issues.

RSA issues RSA SecurCare Online notes to notify customers when service packs and other updates are available for download. The SecurCare Online note for a service pack provides a description of the service pack contents and instructions for downloading the service pack.

You can subscribe to receive these e-mail notifications. For more information, log on to RSA SecurCare Online, and click Notes.

Yearly Maintenance Tasks

On a yearly basis, you should renew the RSA enVision maintenance contract and schedule a health check. RSA recommends adding these tasks to your company policies:

• Renew your enVision maintenance contract

• Arrange for a Professional Services enVision Healthcheck

Maintenance Contract Renewal

RSA recommends that you renew your maintenance contract annually. The maintenance contract provides valuable support services and continued access to software updates. To renew your contract, perform these tasks:

• Update your contact information

• Renew your maintenance contract

For detailed information about RSA support and maintenance plans, see the Customer Guide to RSA Technical Support available at http://www.rsa.com/support/pdfs/CUSUP_GD.pdf.


Update Your Contact Information

Before your maintenance contract expires, RSA sends a courtesy e-mail to the registered RSA enVision contact, notifying him or her of the pending expiration.

To update your contact information:

Contact your RSA Maintenance Renewals Representative by calling 1-800-495-1095 (US and Canada only) and following the prompt for sales.

Renew Your Maintenance Contract

To renew your maintenance contract:

1. (Optional) Register your product on RSA SecurCare Online so that you can view information about your maintenance contract.

2. If you registered your product on RSA SecurCare Online, browse to your account, and determine the expiration date of your enVision maintenance contract.

3. To renew your maintenance contract, do one of the following:

• If you purchased enVision through an authorized RSA reseller, contact your reseller.

• If you have a direct contract with RSA, contact your RSA Maintenance Renewals Representative at 1-800-495-1095 (US and Canada only), and follow the prompt for sales.

Professional Services RSA enVision Healthcheck

RSA enVision requires regular review and analysis of configuration settings to ensure that you are getting the most out of your investment.

A Professional Services enVision Healthcheck provides valuable system optimization and performance troubleshooting to ensure your RSA enVision deployment is delivering the best service possible. The enVision Healthcheck includes installation of product and operating system patches, file and database clean-up, and troubleshooting for reports and alerts.

Arrange for an RSA enVision Healthcheck by contacting your RSA account executive.

Ongoing RSA enVision Updates

Ongoing RSA enVision updates include:

• New product releases, containing new and improved features

• Content and event source updates, containing updates and support for new event sources

• Vulnerability and Asset Management (VAM) and IDS Signature updates for handling emerging and changing threats

• Operating system security updates


• Data backup

New Releases

RSA is continually improving enVision, refining and adding features based on research and feedback from customers. RSA recommends that you migrate to a new version when it becomes available.

The Migration Guide, which is available on the RSA SecurCare Online web site, provides instructions on migrating to the new enVision version from an earlier version.

When a new product release is available, RSA uses Product Update Notification to send an e-mail notification to the contact registered on the RSA SecurCare Online web site. The notification describes how and where to obtain the new software and documentation.

Register to receive automatic notification of updates for all technical information, including new releases, service packs, event source support, and the latest Windows patches that have been certified for RSA enVision customers to install. For detailed instructions, see the Help topic “Product Update Notification.”

Event Source Updates

RSA provides monthly Event Source Updates to enVision software. Event Source Updates include message specifications for new event sources and new versions of event sources, and new reports and correlation rules.

Installing Event Source Update packages can help you to quickly and efficiently respond to security threats and compliance needs of your organization without the need to extend the infrastructure and applications with new upgrades. For example, new correlation rules may help counter emerging threats without requiring adjustment or reconfiguration of event sources at the network perimeter.

You must also ensure that you re-index the data in the Internet Protocol Database as mentioned in the Event Source Update.

When Event Source Updates become available, RSA uses Product Update Notification to send an e-mail notification to the contact registered on the RSA SecurCare Online web site. The notification describes how and where to obtain the documentation and download software. For detailed instructions on registering contact information, see the Help topic “Product Update Notification.”

For more information about event sources, see the Help. For more information about Event Source Update documentation, see RSA SecurCare Online.

VAM and IDS Signature Updates

RSA is constantly updating enVision Vulnerability and Asset Management data and providing new IDS event source threat signature files.

RSA enVision maintains event source vulnerability data to minimize false positive alerts and to prioritize alerts. RSA updates vulnerability information in two ways:

• As new vulnerabilities are discovered in supported event sources, RSA adds the vulnerabilities to the enVision vulnerability data.


• As enVision adds support for new event sources, RSA adds these event source vulnerabilities to the enVision vulnerability data.

As network threats emerge and change, RSA updates the threat signatures for supported IDS event sources to handle the latest threats and more accurately map threats to enVision correlation rules.

Whenever updates become available, RSA uses Product Update Notification to send an e-mail notification to the contact registered on the RSA SecurCare Online web site. The notification describes how and where to obtain the update and documentation. For detailed instructions on registering contact information, see the Help topic “Product Update Notification.”

Operating System Security Updates

RSA enVision relies on the underlying operating system for proper and secure operation. You must maintain the operating system by installing Microsoft patches and security updates, as RSA qualifies them.

RSA reviews Microsoft security patches each month and posts a list of patches supported by enVision on SecurCare Online in the OS Updates section. This list contains links to the Microsoft patches. Review the list, and download and install the appropriate patches on an ongoing basis.

RSA reviews patches that Microsoft releases outside of the monthly schedule (these patches are usually critical) and posts these patches to SecurCare Online by the end of the next business day after Microsoft announces the patch.

Data Backup

You must make regular backups of the RSA enVision log data and configuration files to safeguard the data in case of hardware failures. For more information on backup and recovery, see the Backup and Recovery Guide.


A Best Practices

• Best Practices for Using RSA enVision

• Best Practices for Alerting

• Best Practices for Compliance

• Best Practices for Reporting

• Best Practices for Dashboard

Best Practices for Using RSA enVision

Many of the best practices for using RSA enVision come from the enVision user community. The RSA enVision Intelligence Community is an online portal for enVision customers to share information and best practices.

To join the RSA enVision Intelligence Community:

Go to http://rsaenvision.lithium.com, and click Register Now.

RSA recommends the following general best practices:

• Perform the maintenance procedures described in this guide to keep your system optimized and running with appropriate accounts and permissions.

• Use lsmaint to move files from the IPDB to external storage to avoid running out of disk space.

Best Practices for Alerting

RSA recommends the following best practices for configuring views to ensure alerts are appropriately triggered:

• Create alert thresholds using the alert baseline score.

• Create alert statements by selecting similar devices. For example, select either Firewall or Windows devices in a given statement. Avoid combining messages from different types of devices in a given statement.

• When using messages for alerts, create filters for specific content in messages so that enVision issues alerts only for appropriate instances.

• When creating security views to monitor network access or access to systems containing sensitive data, such as accounting data, payroll data, medical records, or intellectual property, create alerts that monitor the message category User.Activity.Privileged Use.Denied using a filter that contains the IP addresses or hostnames of the servers containing this sensitive data.


• When creating compliance views, review the standard compliance reports to determine the types of activity that you may want to monitor.

• When creating policy management views to alert on Sarbanes Oxley Data Access Control, alert on messages in the Policies.ACL.Denied message category. Set the thresholds for these messages to alert on a 50 percent increase from the minute, hour, or day baseline.

• When creating policy management views to alert on Sarbanes Oxley Common Security Settings, alert on Windows Event (NIC) 612 (Policy Change) messages. Set the thresholds for these messages to alert on a 50 percent increase from the minute, hour, or day baseline.

• When creating views to alert on virus detection, alert on messages in the Attacks.Malicious Code message category. Set the thresholds for these messages to alert on a 25 percent increase from the minute, hour, or day baseline.

• When monitoring vulnerability assessment tools, make sure that vulnerability assessment data is being imported regularly for both monitored event sources and assets. RSA enVision uses vulnerability assessment data to calculate the asset value that it uses to calculate the overall severity level of an alert category.

• When regulatory compliance is critical, configure enVision to alert for changing conditions by setting up a view to alert on VAM NIC System messages. This view alerts on conditions such as discovery of a new asset, a change in the configuration of an asset, or changes to the vulnerability of an asset. For instructions, see the Help topic “VAM Alerts - Comparison of New State to Previous.”

Best Practices for Correlation Rules

• Logical operators between circuits are not evaluated based on precedence. Circuits are evaluated from top to bottom irrespective of the operator that is present between two circuits.

• The evaluation of logical operators between statements also happens from top to bottom.

• Evaluation of logical operators between filters happens from top to bottom. For example, if within a statement there are three filters denoted by F1, F2, and F3, and these filters have logical operators in between like:

(F1 or F2 and F3)

The evaluation of the filters happens from top to bottom in the following manner:

((F1 or F2) and F3)

If within a statement there are five filters denoted by F1, F2, F3, F4, and F5, and these five filters have logical operators in between like:

(F1 AND F2 OR F3 AND F4 OR F5)

The evaluation of the filters happens from top to bottom in the following manner:

((((F1 AND F2) OR F3) AND F4) OR F5)

• The same variable cannot be used more than once in the same filter.


• Filters can be set on multiple variables, and also on multiple values for each of these variables, in the same statement. For example, consider an event from the Ciscopix device type with event ID 113011:

%PIX-6-113011: AAA retrieved user specific group policy (PBTC) for user = (abc)

This event contains two variables, Rule = (PBTC) and Username = (abc).

A rule should be configured such that an alert is fired if the variable "Rule" contains (PBTC) or (RSBC), and also if the variable "Username" contains values abc or def.

To configure a correlation rule to match this:

Create a circuit and a statement within the circuit.

In the statement set the device type to Ciscopix and the event ID to be 113011.

Under the Set Filter option, add a filter for the variable "Rule" and set the comparison operator as IN with the value (PBTC) in the criteria. You can set more values for a single variable in the filter by clicking on the (+) symbol. In the new Criteria field, add the value (RSBC).

Add another filter for the variable "Username" and set the two values for the variable as abc and def.

The first filter and the second filter should have the AND operator between them.

When the rule is configured as mentioned above, it fires an alert for all of the following events:

AAA retrieved user specific group policy (PBTC) for user = abc

AAA retrieved user specific group policy (PBTC) for user = def

AAA retrieved user specific group policy (RSBC) for user = abc

AAA retrieved user specific group policy (RSBC) for user = def

If you want an alert only for a specific pair of variable values, such as:

If Rule is (PBTC) AND Username is abc, OR

If Rule is (RSBC) AND Username is def,

In this case, the correlation rule configuration is different. You must create two statements.

The first statement has a filter to match the value (PBTC) for the variable Rule AND value abc for the variable Username.

The second statement has a filter to match the value (RSBC) for the variable Rule AND value def for the variable Username.

These two statements must have the OR operator between them.

This rule alerts for the following messages:

AAA retrieved user specific group policy (PBTC) for user = abc

AAA retrieved user specific group policy (RSBC) for user = def
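The two rule configurations above, together with the top-to-bottom operator evaluation described under Best Practices for Correlation Rules, modelled as an added Python example (not enVision code; the Filter, Statement and Rule classes, the parsing regex and all other names are assumptions):

```python
"""Added example, not RSA enVision code: top-to-bottom (no precedence) evaluation of
correlation-rule filters and statements, on the page's Cisco PIX 113011 example."""
import re
from typing import Dict, List

Event = Dict[str, str]  # parsed variables of one message


def fold_top_to_bottom(values: List[bool], ops: List[str]) -> bool:
    """Combine results the way enVision does: the first two values with the first
    operator, that result with the next value, and so on, so that
    (F1 AND F2 OR F3 AND F4 OR F5) becomes ((((F1 AND F2) OR F3) AND F4) OR F5)."""
    if len(ops) != len(values) - 1:
        raise ValueError("need exactly one operator between each pair of values")
    result = values[0]
    for op, value in zip(ops, values[1:]):
        if op.upper() == "AND":
            result = result and value
        elif op.upper() == "OR":
            result = result or value
        else:
            raise ValueError(f"unknown operator {op!r}")
    return result


def fold_with_precedence(values: List[bool], ops: List[str]) -> bool:
    """Conventional evaluation (AND binds tighter than OR), included only to show
    where it disagrees with enVision's top-to-bottom order."""
    groups = [[values[0]]]  # each inner list is one AND-group; groups are OR-ed
    for op, value in zip(ops, values[1:]):
        if op.upper() == "AND":
            groups[-1].append(value)
        else:
            groups.append([value])
    return any(all(group) for group in groups)


# Pattern for the 113011 text; the page shows the user both as "(abc)" and "abc".
PIX_113011 = re.compile(r"AAA retrieved user specific group policy \((?P<Rule>[^)]+)\) "
                        r"for user = \(?(?P<Username>[^)\s]+)\)?")


def parse_pix_113011(message: str) -> Event:
    """Extract the Rule and Username variables from a PIX 113011 message."""
    match = PIX_113011.search(message)
    if match is None:
        raise ValueError("not a PIX 113011 message")
    return {"device_type": "Ciscopix", "event_id": "113011", **match.groupdict()}


class Filter:
    """One filter: variable IN {values}; extra values are what the (+) symbol adds."""
    def __init__(self, variable: str, values: List[str]) -> None:
        self.variable, self.values = variable, set(values)

    def matches(self, event: Event) -> bool:
        return event.get(self.variable) in self.values


class Statement:
    """Device type, event ID, and filters joined top to bottom by operators."""
    def __init__(self, device_type: str, event_id: str,
                 filters: List[Filter], ops: List[str]) -> None:
        self.device_type, self.event_id = device_type, event_id
        self.filters, self.ops = filters, ops

    def matches(self, event: Event) -> bool:
        if (event.get("device_type"), event.get("event_id")) != (self.device_type, self.event_id):
            return False  # a statement applies only to its own device type and event ID
        return fold_top_to_bottom([f.matches(event) for f in self.filters], self.ops)


class Rule:
    """Statements joined top to bottom by operators; the rule fires when the fold is true."""
    def __init__(self, statements: List[Statement], ops: List[str]) -> None:
        self.statements, self.ops = statements, ops

    def fires(self, event: Event) -> bool:
        return fold_top_to_bottom([s.matches(event) for s in self.statements], self.ops)


def pix_statement(rules: List[str], users: List[str]) -> Statement:
    """Statement on Ciscopix 113011 with Rule IN rules AND Username IN users."""
    return Statement("Ciscopix", "113011", [Filter("Rule", rules), Filter("Username", users)], ["AND"])


# Rule 1 (one statement) fires on every Rule/Username combination; Rule 2 (two statements
# joined by OR) fires only on the two specific pairs, exactly as the page describes.
ANY_PAIR = Rule([pix_statement(["PBTC", "RSBC"], ["abc", "def"])], [])
SPECIFIC_PAIRS = Rule([pix_statement(["PBTC"], ["abc"]), pix_statement(["RSBC"], ["def"])], ["OR"])

# Constructed sample messages, one per Rule/Username combination.
MESSAGES = [f"%PIX-6-113011: AAA retrieved user specific group policy ({rule}) for user = ({user})"
            for rule in ("PBTC", "RSBC") for user in ("abc", "def")]


def firing_pairs(rule: Rule) -> List[str]:
    """Return "Rule/Username" for each sample message the rule alerts on."""
    events = [parse_pix_113011(message) for message in MESSAGES]
    return [f"{e['Rule']}/{e['Username']}" for e in events if rule.fires(e)]
```

Calling `fold_top_to_bottom([True, False, False], ["or", "and"])` gives False while `fold_with_precedence` gives True for the same (F1 or F2 and F3) input, which is the difference the bullet about operator precedence warns about.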


• Cache variables are created at the rule level, and are created to compare values of two variables in a message.

• If a threshold value is defined at both the view and correlated rule level, both the conditions must be satisfied for firing the alert. The result of the threshold criteria at the rule level is taken as input to the threshold criteria defined at the view level.

Best Practices for Views

Most views fit into one of two categories: Security or Compliance.

To create or fine-tune your view to alert for security concerns or compliance regulations, you can do any of the following:

• Use the message category taxonomy (NIC category.alert category.event category) in RSA enVision to identify the messages on which you want to alert for security concerns or compliance regulations. You can display the available messages using the taxonomy while adding or modifying the view on the Customize Alert Configuration pop-up window. To open this pop-up window, do one of the following:

– While adding a view, on the Manage Views - Select Devices and Correlation Classes window, click Next.

– While either adding or modifying a view, on the Manage Views - Customize Alert Configuration window, click Add.

The following figure shows an example of the messages in the Attacks.Access alert category for the Cisco PIX firewall.


• Create a threshold for the message based on changes to the alert baseline score. You create a threshold for the message on the Threshold Definition pop-up window (click in the Threshold column next to the message on the Manage Views - Customize Alert Configuration window). The following figure shows an example of a threshold.

When you base alerts on baseline values using thresholds, the alerts adjust automatically over time. To make an alert more sensitive to small fluctuations, use the Minute Baseline or make the percentage change smaller. To make an alert less sensitive to small fluctuations, use the Daily Baseline or make the percentage change larger. You can also fine-tune the baseline blending weights for each of the alert rates used in the baseline score calculation (click the alert message category on the Manage Views - Modify Severity Level Information window to open the Specify Severity Level Values pop-up window).

• Create filters for messages containing specific content so that RSA enVision issues alerts only for specific instances. You can create a filter for a message on the Manage Views - Add Filter window (click in the Filter column next to the message on the Manage Views - Customize Alert Configuration window). The filter allows you to narrow the requirements for the view to issue an alert for the message. The following figure shows an example of a filter for events containing specific content.

Best Practices for Security Views

The event sources and device types of activity included in a security view are largely dependent upon the requirements of the organization, the type of business, and the event sources on the network.


In addition to the typical types of perimeter security monitoring, you should consider monitoring sensitive internal data and systems. For example, create alerts that specifically monitor User.Activity.Privileged Use.Failed with a filter applied containing the IP address or hostname of the servers containing this sensitive data. RSA recommends this type of assessment for:

• Financial data

• Customer records

• Credit card information

• HR systems

• Medical records

• Corporate proprietary knowledge and secrets

• Payroll systems

• Executive officer systems


Best Practices for Compliance Views

The event sources and device types of activity included in a compliance view are largely dependent upon the type of business and the compliance regulations to which your business must adhere.

The following table lists the types of activity that RSA recommends that you monitor for various compliance packages. This list is not a complete list, but rather a starting point for your compliance views. The addition of these alerting practices does not in any way ensure that you are in compliance with the respective legislation.

Each entry below gives the Activity Type, the Compliance Regulation, and the Suggested Actions.

Activity Type: Compliance in general
Compliance Regulation: Compliance in general
Suggested Actions: Review the standard compliance reports supplied with enVision to determine the types of activity that you want to monitor.

Activity Type: Policy Management
Compliance Regulation: Sarbanes Oxley (SOX), Sec. 302 Corporate Responsibility for Financial Reports, Administrative Access Control: Data Access Control
Suggested Actions: Alert on specific messages as follows:

1. Select messages in the Policies.ACL.Denied message category.

2. Set the thresholds for these messages to alert on a 50% increase from the minute, hour, or day baseline.

Activity Type: Policy Management
Compliance Regulation: Sarbanes Oxley (SOX), Sec. 302 Corporate Responsibility for Financial Reports, Administrative Access Control: Common Security Settings
Suggested Actions: Alert on specific messages as follows:

1. Select to alert on Windows Event (NIC) 612 (Policy Change).

2. Set the threshold for this message to alert on a 50% increase from the minute, hour, or day baseline.

Activity Type: Vulnerability Assessment (VA Tools)
Compliance Regulation: Compliance in general
Suggested Actions: Make sure that VA data is being imported regularly for both monitored devices and assets. RSA enVision uses VA data to calculate the asset value. RSA enVision uses asset values to calculate the overall severity level of an alert category.

Activity Type: Configuration Management
Compliance Regulation: Compliance in general
Suggested Actions: Alert on specific messages as follows:

• Alert on “change” messages. The following are some examples of the “change” message categories:

– Config.Changes

– Policies.Rules.Added

– Policies.Rules.Deleted

– Policies.ACL.Added

– User.Management

– Config.Versions

• Set the thresholds for these messages to alert on a 25% increase from the minute, hour, or day baseline.

Activity Type: Intrusion Detection (IDS event sources)
Compliance Regulation: Compliance in general
Suggested Actions: Alert on deviations to the attack and denied message baselines as follows:

• Select messages in the Attacks.DenialofService message category. Set the thresholds for these messages to alert on a 25% increase from the minute, hour, or day baseline.

• Select messages in the Network.DeniedConnections message category. Set the thresholds for these messages to alert on a 50% increase from the minute, hour, or day baseline.

• Select messages in the Recon.Scans message category. Set the thresholds for these messages to alert on a 50% increase from the minute, hour, or day baseline.

• Select messages in the Recon.Brute Force message category. Set the thresholds for these messages to alert on a 50% increase from the minute, hour, or day baseline.

• Select messages in the User.Activity.FailedLogins message category. Set the thresholds for these messages to alert on a 50% increase from the minute, hour, or day baseline.

Activity Type: Virus Detection
Compliance Regulation: Compliance in general
Suggested Actions: Alert on specific messages:

• Select messages in the Attacks.Malicious Code message category.

• Set the thresholds for these messages to alert on a 25% increase from the minute, hour, or day baseline.

Activity Type: Resource Management
Compliance Regulation: Sarbanes Oxley (SOX), Sec. 802 Criminal Penalties for Altering Documents, 1519 Destruction of Records in Federal Investigations
Suggested Actions: Alert on specific messages as follows:

• Alert on Windows Event (NIC) 517 (Security Event Log Cleared). Alert on every message received.

• Select messages in the User.Activity.FileAccess message category, alerting on the deletion of database, UNIX, Linux and other types of system logs.

Activity Type: Authorization Control
Compliance Regulation: Compliance in general
Suggested Actions: Alert on messages in the Privileged Access.Denied message category.

Activity Type: Authorization Control
Compliance Regulation: Sarbanes Oxley (SOX), Sec. 302 Corporate Responsibility for Financial Reports, Administrative Access Control: Administrator Access by Computer
Suggested Actions: Alert on specific messages as follows:

• Select messages in the User.Activity.FailedLogins message category. Set the thresholds for these messages to alert on a 50% increase from the minute, hour, or day baseline. Set up the filter for messages that contain Client User Name: Administrator.

• Select messages in the User.Activity.Privileged User message category. Set the thresholds for these messages to alert on a 50% increase from the minute, hour, or day baseline. Set up the filter for messages that contain Client User Name: Administrator.

Activity Type: (continued from the previous entry)
Compliance Regulation: Sarbanes Oxley (SOX), Sec. 302 Corporate Responsibility for Financial Reports, Administrative Access Control: Account Policies
Suggested Actions: Alert on specific messages as follows:

• Select messages in the Policies.Rights.Failed.PrivilegedUse message category. Set the thresholds for these messages to alert on a 25% increase from the minute, hour, or day baseline.

• Select to alert on Windows Event (NIC) 539 (Account Lockout). Set the thresholds for these messages to alert on a 25% increase from the minute, hour, or day baseline.

Best Practices for Compliance

RSA recommends the following best practices for conformance with NISPOM standards for protecting classified data:

• Enable audit logging on all NISPOM IS systems.

• Group all NISPOM IS systems into one or more enVision device groups.

• Restrict NISPOM IS system access to responsible personnel.

• Automate audit trail analysis.

• Protect audit trail information.

• Maintain all audit logs for a minimum of one year.

For instructions, see the Help topic “Compliance - NISPOM National Industrial Security Program Operating Manual.”

Best Practices for Reporting

RSA recommends the following best practices for reporting.

Speeding Up Report Generation

Use the following best practices to make reports run faster:

• Speed up processing by selecting Enable preprocess filters on the Select Additional Report Options window. This option pushes the data query out to the Internet Protocol Database rather than bringing all the data into enVision for local processing, which is time-consuming.

• If possible, do not select Use DNS Resolution (resolving addresses to hostnames) on the Select Additional Report Options window, as this process adds significant time to report generation.


• Use device groups to improve report performance. Device groups limit reports to only relevant event sources, minimizing the time needed to retrieve data.

• To generate summarized data, if possible use one of the summary tables, where the data has already been summarized, rather than using detailed table data.

• To improve the performance of a query, specify a query where the decision of data availability in any device-time group is made using the EXACT MATCH clauses. The EXACT MATCH clause can be defined using '=' and 'IN' operators. The following are examples of exact match clauses:

– To view the events generated by user ‘Watson’ with message IDs Security_538_Security or Security_540_Security specify the WHERE clause as follows:

WHERE MessageID IN ('Security_538_Security','Security_540_Security') AND UserName = 'Watson'

– To view the events generated by event sources ‘Cisco PIX firewall’ or ‘Cisco Router’ and containing message ID Security_540_Security, specify the following WHERE clause:

WHERE MessageID = 'Security_540_Security' AND (EventSource = 'Cisco PIX Firewall' OR EventSource = 'Cisco Router')

• For a report that will contain a lot of data, ensure the SQL WHERE clause contains all conditions that match the result set. This WHERE clause filters the data down to a manageable result set. For example, to find all the activities performed by a user whose name starts with “admin-” or ends with “-admin”, specify the following WHERE clause:

Username LIKE 'admin-%' OR Username LIKE '%-admin'

Note: Reports that do not contain WHERE clauses with conditions may not have significant improvement in performance, for example, summary reports.

• enVision has indexes of certain variables. Whenever possible, search on indexed fields when creating reports. Indexing variables improves query performance by reducing the amount of data returned when you run a query against an exact match in a filter. This function improves report performance by reducing the report generation time. The following steps detail how to improve report performance using this feature. For fresh installations, and to create new reports, you must do the following:

a. Install the July 2011 or later ESU and VAM updates.

b. Ensure the indexed variables are used in the SQL statements. To view the list of indexed variables, see the ESU Help topic “Content 2.0 variables” or run the lsmaint command utility with the varsWithFilter option. For more information, see the Help topic "Maintenance Command Line Interface Utility (lsmaint.exe) Actions and Arguments."


Note: If you want a specific variable to be indexed, you must contact RSA Customer Support.

For upgrades, and if you already have existing reports, you must do the following:

a. Ensure that the ESU and VAM updates installed are of July 2011 or later.

b. Identify the variables used in the report and check if those variables are in the list of indexed variables. To view the list of indexed variables, see the ESU Help topic "Content 2.0 Variables" or run the lsmaint command with the varsWithFilter option. For more information see the Help topic "Maintenance Command Line Interface Utility (lsmaint.exe) Actions and Arguments."

Note: If you want a specific variable to be indexed, you must contact RSA Customer Support.

c. Plan and estimate the time for re-indexing existing data. For more information, see the Help topic “Planning for Re-Indexing.”

d. Re-index the existing data that has been collected. You can re-index the data as follows:

• Re-index the historical data for all the devices on which you are reporting.

• Re-index the historical data for a specific device on which you are reporting.

For more information on re-indexing, see the Help topic “Maintenance Command Line Interface Utility (lsmaint.exe).”

Improving Report Quality

Use the following best practices to make reports more useful:

• Always analyze the results for usefulness and correctness to ensure reports are providing the exact data needed.

• Consider limiting result sets and breaking up report objectives to ensure all data is evaluated and analyzed every time the report runs.

• Apply date and time ranges to limit the result set to the relevant time frame so that the report includes only relevant information and does not run longer than is necessary.

• To generate summarized data, if possible use one of the summary tables, where the data has already been summarized, rather than using detailed table data.

• Too much data makes a report unreadable. Limit the amount of data in a report by restricting the result set. You must also limit the report to only those fields that contain relevant or required data.

• For scheduled reports, you can override report results restrictions for an individual report on the Schedule Reports window. Use the Results set size field. Overriding restrictions allows the report to display as many rows as allowed by the value set on the Manage Reports window. The same is applicable to Ad hoc Reports.


Tips for Easier Use

Use the following tips to simplify use and avoid problems:

• By default, all users can run existing reports. Limit a user’s access to specific reports using the Manage Report Permissions window. For example, you may want to restrict Human Resources-related reports to users associated with the Human Resources department.

• Avoid typographical errors when constructing SQL where clauses by using the Insert SQL Column, Insert SQL Operator, and Insert Param fields rather than manually entering the SQL where clause.

• RSA enVision parses event messages to many different tables depending on the message type. Determine which table a message is parsed to by using the Help topic “When to Use Each Database Table.”

• Improve the results of a custom report by running a query first to see what data comes back for a given message. After you know what data elements are returned and what the data looks like, you can better design your report to handle the returned data.

• When customizing reports that users who are not security analysts will run, using report parameters in the SQL where clauses provides user-friendly ways for these users to run and control reports. Report parameters add labeled fields to the main report screen where users can easily enter search targets such as user names, hostnames, domain names, and other variables. You can then delegate report generation to the user groups that need the reports.

• When creating a report, use the dtype (device type) SQL clause to distinguish between two device types in the same category.

• You can run reports on enVision servers to get system statistics related to performance, access, and other operational conditions. Reports for enVision are located in Reports > Ad Hoc Reports > Network > System.

• If you mistakenly start a report, you can cancel it. Canceling frees up resources for use by other actions.

Localizing Report Headings

To generate PDF reports containing embedded localized report headings and event data, be certain to install the appropriate Unicode font and register it with the enVision Reports engine. For instructions, see the Help topic “Unicode Font Registration for PDF Report Generation.”

Best Practices for Dashboard

RSA recommends the following best practices:

• If possible, do not select Use DNS Resolution (resolving addresses to hostnames) on the Select Additional Report Options window because this process adds significant time to report generation.

• Use device groups to improve report performance. Device groups limit reports to only relevant event sources, minimizing the time needed to retrieve data.

• RSA enVision parses event messages to many different tables depending on the message type. To determine to which table a message is parsed, see the Help topic “When to Use Each Database Table.”

• To generate summarized data, if possible use one of the summary tables, where the data has already been summarized, rather than using detailed table data.

• Specify a time frame to limit the data retrieved for a report. Limiting the number of rows to display in a report does not by itself limit the amount of data retrieved. For example, if you specify to include information from the last hour, enVision pulls all of the data from the last hour during processing, even if you have limited the display to 40 rows.

• Do not schedule a report so often that one run has not finished before the next run is requested. RSA enVision delays all additional run requests until the current report run is finished.

• Use criteria to narrow the retrieval, especially pre-processor criteria, which are processed on the back end.

Best Practices for Event Export

RSA recommends the following best practices for exporting events:

• When configuring recurrence intervals, you must keep in mind the tradeoff between maximizing the export of event data and optimizing the recovery of exported data. For example, setting very small recurrence intervals allows for less parallelization and requires more context setup. On the other hand, setting a very large recurrence interval requires more effort to recover exported data.

• Use filtering where appropriate. Querying for excessive data, especially historical data queries, can slow down the process.

• Create individual data export jobs where necessary. For example, data from different devices or collectors may reach the IPDB in separate blocks. Setting up separate export jobs for data from these devices ensures better performance.

B Troubleshooting

• Event Viewer Issues

• Reporting Issues

• Event Export Issues

• Web Server Issues

This appendix provides solutions to resolve common problems that you may encounter while using RSA enVision.

You can find answers to some technical questions by visiting the RSA SecurCare Online knowledgebase at https://knowledge.rsasecurity.com. Also, RSA recommends that you join the RSA enVision Intelligence Community as described in “Best Practices for Using RSA enVision” on page 175.

Event Viewer Issues

This topic describes issues that you may encounter with the Event Viewer and the solutions to resolve these issues.

Events Do Not Appear in the Event Viewer

If expected event messages do not appear in the Event Viewer, there may be several causes. Perform each of the following steps until the problem is resolved.

To troubleshoot this issue:

1. Confirm that the NIC Collector Service is running.

2. Confirm that the time frame and time zone for retrieving events is correct.

3. Confirm that the NIC Collector Service is properly configured. Follow these steps:

a. Click Overview > System Configuration > Services > Manage Collector Service.

b. Confirm that Discovery Enabled and Discovery Auto Activate are selected.

c. Under Site/Node, click the appropriate entry and confirm the settings.

d. If needed, correct any settings, select Restart Collector Services on Apply, and click Apply.

If these steps do not resolve the problem, contact Customer Support.

Reporting Issues

This topic describes issues that you may encounter with Reporting and the solutions to resolve these issues.

Reports Do Not Contain Any Data

If no messages appear in a report, there may be several causes. Perform each of the following steps until the problem is resolved.

To troubleshoot this issue:

1. Ensure that the event source is analyzed so that its data is available to RSA enVision. Follow these steps:

a. Click Overview > Configuration > Devices > Manage Monitored Devices.

b. Ensure that Analyze is selected for the event source.

2. Ensure that you have assigned the correct device type to the event source. For a list of supported event sources and associated device type identifiers, see the Help topic “Supported Devices (Event Sources),” and click latest update package help.

3. To ensure that the messages are known to enVision, confirm that the messages of interest are selected for the appropriate database tables. For more information, see the Help topic “Select Messages for Database Tables.” If you change the messages that you have selected, ensure that you restart the NIC Web Server Service. For instructions, see the Help topic “Web Server Service.”

4. Ensure that you are using the right database table. For information about selecting database tables, see the Help topic “When to Use Each Database Table.”

5. Ensure that the report specifies the correct time frame.

6. Ensure that the SQL WHERE clause of your report includes the messages for which you are looking.

7. Ensure you re-index the event data in the Internet Protocol Database if you install an Event Source Update that instructs you to re-index. For more information on re-indexing, see the Help topic “Maintenance Command Line Interface Utility (lsmaint.exe).”

Queries or Reports Fail

If queries or reports are failing to complete, there may be several causes. You can create a log file for the operation that may provide information that will help you or Customer Support diagnose the problem. For example, a “host not found” error may indicate a network outage that is preventing report completion.

To create a log file for a query or report:

1. Click Reports > Report Configuration > Set Up Reports.

2. To enable debugging for reports, select Report Logging.

3. Click Apply.

4. Run the report or query. RSA enVision creates a log file, E:\%_envision%\logs\nsdatabase.log.

Finding the Right Database Table

To determine the database table to which a message is parsed:

Do any of the following:

• See the Help topic “When to Use Each Database Table.”

• Determine which messages for an event source are parsed to a table as follows:

a. Click Overview > System Configuration > Messages > Manage Messages to Parse.

b. Select the event source.

c. Click a table name.

• On the Manage Messages window, use the filter to view specified messages, and generate the Message Information Report, which lists all of the message processing details, including the database table to which the message is parsed. For instructions, see the Help topic “Message Information Report.”

Other Reporting Issues

The following table lists common reporting issues and the corresponding resolutions.

Problem: Create New Report is not available to a user.
Resolution: Ensure the user permissions are set correctly.

Problem: Outbound reports (HTTP, FTP, TELNET, SMTP) are not reporting traffic correctly.
Resolution: Ensure that the IP address file (ipAddr.tab) is configured to distinguish outbound traffic from inbound traffic. By default, enVision considers all traffic inbound unless you configure each local IP address to distinguish between inbound and outbound messages.

Problem: A report does not include all the results, and the message “Displaying X of Y results” appears in the report (where X is the number of rows displayed in the report and Y is the total number of rows that met the report query criteria).
Resolution: If you want all the results, ensure that the result set size has not been restricted on the Set Up Report window. If the result set size is greater than the recommended result set size (defined in the Set Up Reports window) and Return all results has been selected for the report, the system saves the report as a CSV file and as an HTML file including the maximum allowed number of rows.

Problem: Report options are not carried out in a report.
Resolution: Check whether other users are running reports at the same time. Multiple users can make report modifications concurrently. However, the last user’s changes override the previous changes that earlier users made.

Problem: The Scheduled Reports window does not display any information.
Resolution: Ensure that the following conditions are met:

• The pireport folder is located in the default directory (E:\installdir\webapps\pi\pireport).

• The NIC Scheduler Service has generated at least one scheduled report.

Problem: DNS resolution to hostname is not provided in reports that need hostnames.
Resolution: Ensure that you select Use DNS Resolution (resolving addresses to hostnames) on the Select Additional Report Options window and DNS resolution on the Set Up Reports window.

Event Export Issues

This topic describes issues that you may encounter with event export and the solutions to resolve these issues.

EDI logs are sent to the NIC Logger. The log message IDs start at 2000000. Default log levels are 3 (Error), 4 (Warning) and 5 (Notice).

Note: You must have installed the ESU from February 2011 or later to enable EDI log collection.

There are no pre-defined system alerts or reports defined for these log messages.

Some of the most common causes of issues include:

• Incorrect query configuration

• No space on the target destination specified

If you encounter issues, such as an event export job not completing or EDI logs not getting generated, check for any or all of the following:

• The NIC EDI service is running.

• The NIC server is running.

• Scheduling and job start and stop logs are generated.

• Queries are configured correctly with all required parameters specified.

Unable to View the Job Status

If you are unable to view the status of an event export job, the size of the buffer that the EDI server uses to communicate to the EDI command line utility is too small. You must estimate the memory needed based on the number of jobs that are running and configure the size of the buffer and the time-out period in milliseconds, before you run any jobs.

To configure the buffer size and time-out:

1. Open the config.txt file in the directory E:\nic\enVision_version\node_name\edi\etc.

2. Configure the following parameters:

edi.admin.buffer.size.bytes

edi.admin.timeout.ms

For example, set the buffer size and time-out information as follows:

edi.admin.buffer.size.bytes=32768

edi.admin.timeout.ms=30000

3. Restart the EDI service for the new configuration to be applied. For more information, see “Start or Stop the NIC EDI Service” on page 140.

Web Server Issues

This topic describes issues that you may encounter with the Web server and the solutions to resolve these issues.

Unable to Log On to the Web Server UI

If you are unable to log on to the enVision Web server UI and an “OutofMemoryError: Java heap space” issue is recorded in the Web server log, the cause may be high memory usage.

RSA enVision is shipped with a JVM memory of 768 MB. When the memory usage is high, this existing memory value may be insufficient. To resolve this issue you must increase the JVM memory. You can increase the JVM memory up to 1.8 GB. You can perform this increase by updating the e:\nic\4100\<sitename>\etc\webserver.vmi file.

To perform this update:

1. Open the webserver.vmi file.

2. Search for “option=-Xmx768m.”

3. Update it appropriately, up to a maximum of “option=-Xmx1843m.”
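As an added illustration that is not part of the guide, the following Python code applies the heap change described above to the contents of webserver.vmi: it locates the option=-Xmx line, refuses sizes above the 1843 MB ceiling (and, as this example's own assumption, below the shipped 768 MB), and refuses to rewrite a file that does not contain exactly one such line. The sample file contents and the -Xms and -D option lines in it are constructed for the example.

```python
import re
from pathlib import Path
from typing import Optional

# Values stated in the troubleshooting topic: enVision ships with a 768 MB
# JVM heap, and the heap may be raised to at most 1843 MB (about 1.8 GB).
DEFAULT_HEAP_MB = 768
MAX_HEAP_MB = 1843

# Matches the heap option line as it appears in webserver.vmi, e.g. "option=-Xmx768m".
# An "-Xms" (initial heap) line, if present, is deliberately not matched.
_XMX_LINE = re.compile(r"^(?P<prefix>[ \t]*option=-Xmx)(?P<size>\d+)m[ \t]*$", re.MULTILINE)

# Constructed sample file contents for demonstration only; a real webserver.vmi
# carries other options that this example does not model.
SAMPLE_VMI = "option=-Xms256m\noption=-Xmx768m\noption=-Dexample.only=true\n"


def heap_in_range(new_mb: int) -> bool:
    """True if new_mb lies within 768 MB .. 1843 MB.

    The 1843 MB ceiling is from the guide; using the shipped 768 MB as the
    lower bound is this example's assumption (the guide only describes increases).
    """
    return DEFAULT_HEAP_MB <= new_mb <= MAX_HEAP_MB


def current_heap_mb(vmi_text: str) -> Optional[int]:
    """Return the -Xmx value (in MB) found in the file text, or None if absent."""
    m = _XMX_LINE.search(vmi_text)
    return int(m.group("size")) if m else None


def set_heap_mb(vmi_text: str, new_mb: int) -> str:
    """Return the file text with the single -Xmx option set to new_mb megabytes.

    Raises ValueError when the size is out of range or the file does not
    contain exactly one -Xmx line, so a malformed file is never rewritten.
    Every other line, including blank lines, is preserved byte for byte.
    """
    if not heap_in_range(new_mb):
        raise ValueError(f"heap must be {DEFAULT_HEAP_MB}..{MAX_HEAP_MB} MB, got {new_mb}")
    matches = list(_XMX_LINE.finditer(vmi_text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one option=-Xmx line, found {len(matches)}")
    m = matches[0]
    return vmi_text[: m.start()] + f"{m.group('prefix')}{new_mb}m" + vmi_text[m.end():]


def update_vmi_file(path: Path, new_mb: int) -> Optional[int]:
    """Rewrite a webserver.vmi file in place and return the heap size it had before.

    The path (e:\\nic\\4100\\<sitename>\\etc\\webserver.vmi in the guide) is
    supplied by the caller; nothing is written if set_heap_mb() raises.
    """
    text = path.read_text(encoding="utf-8")
    previous = current_heap_mb(text)
    path.write_text(set_heap_mb(text, new_mb), encoding="utf-8")
    return previous


if __name__ == "__main__":
    # Show the constructed sample raised to the maximum the guide allows.
    print(set_heap_mb(SAMPLE_VMI, MAX_HEAP_MB), end="")
```

Restart the NIC Web Server Service after changing the file, as the heap setting is read at JVM start.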

Glossary

A-SRV: See Application Server.

ad hoc report: An unscheduled report that runs immediately.

ADB: See Asset Database.

administrator: A user responsible for setting up and maintaining the RSA enVision platform. An administrator has access to all enVision functions.

alert: An indication that an event, or a sequence of events, requires further investigation. The enVision platform sends alerts based on messages received under a configured set of circumstances such as filters. The administrator defines alerts for each view.

Alert History tool: The RSA enVision tool that is used to display alerts from the events database.

Alerts module: The RSA enVision module that provides tools to monitor, display, and configure alerts.

Analysis module: The RSA enVision module that provides tools to view, query, and analyze collected data.

appliance: The hardware on which RSA enVision software is deployed. See single appliance site and multiple appliance site.

Application Server (A-SRV): The appliance or component of the RSA enVision platform that supports interactive users and runs the suite of enVision analysis tools. In a single appliance site, the Application Server (A-SRV) is a component of the enVision system. In a multiple appliance site, the A-SRV is installed on its own appliance. See single appliance site and multiple appliance site.

asset: A system, such as a host, software system, workstation, or device, that is within a network and makes up the enterprise environment.

Asset Database (ADB): A unified view of assets created by merging data from supported vulnerability assessment (VA) tools and imported asset information in the asset tracking tools. The ADB provides security managers with insight into their operations.

attribute category: A group of categories defined by the RSA enVision platform for device and asset attributes. The nine categories are properties, location, organization, owner, physical, function, importance, vulnerability, and zone. Users can define custom categories.

bind report: A group of reports that can be scheduled to run as a single report.

collection: The process of collecting, analyzing, and storing logs from event sources. The RSA enVision platform stores the logs, with descriptive metadata, in the LogSmart Internet Protocol Database (IPDB).

Collector: The appliance or component of the RSA enVision platform that captures incoming events. In a single appliance site, the Collector is a component of the enVision system. In a multiple appliance site, the Collector is installed on its own appliance.

Common Storage Directory (CSD): A single directory that contains the configuration and statistical information for data collected on a site. The Common Storage Directory (CSD) can be located on a single appliance site, on the Database Server of a multiple appliance site, or on the Remote Collector of a distributed system.

computer name: See node.

confidence level filtering: A filter defined by the administrator to determine if a supported intrusion detection system (IDS) or an intrusion prevention system (IPS) can be trusted for its truthfulness and applicability. The confidence level detects if a message from an IDS or an IPS should be considered an alert.

Configuration database (nic.db): A repository that stores a user’s configuration settings such as user information, permissions, and views.

correlation: A relationship between a set of events and a set of specific conditions.

D-SRV: See Database Server.

Database Server (D-SRV): The appliance or component of the RSA enVision platform that manages access and retrieval of captured events. In a single appliance site, the Database Server (D-SRV) is a component of the enVision system. In a multiple appliance site, the D-SRV is installed on its own appliance. See single appliance site and multiple appliance site.

device: See event source.

device class: Identifies the classification of the event source. A device class provides a framework for organizing event sources by their general function.

device type (dtype): An assigned internal name for an event source that is used by RSA enVision tools and utilities. The dtype value is displayed on the enVision interface, reports, and queries.

EA: See Enhanced Availability.

Enhanced Availability (EA): A site with Enhanced Availability (EA) is a multiple appliance site where the Local Collector (LC) functionality runs on Cluster Appliances (CAs).

EPS: See events per second.

event category: System-defined or administrator-defined group of messages for alerting and reporting that is assigned across device classes.

Event Explorer: RSA enVision module that provides advanced tools for analysis of real-time and historical data. These tools allow users to sift through logged data and apply security forensics.

event source: An asset such as a physical device, software, or appliance that produces a message (log) and is configured to send the log to the RSA enVision platform. Event sources include firewalls, VPNs, antivirus software, operating systems, security platforms, routers, and switches.

events per second (EPS): Events captured per second by the RSA enVision platform.

incident escalation: See task escalation.

incident management: See task triage.

IPDB: See LogSmart IPDB.

LC: See Local Collector.

Local Collector (LC): A component of an RSA enVision multiple appliance site that captures incoming events. A multiple appliance site can have up to three Local Collectors (LCs). See multiple appliance site.

LogSmart IPDB: The LogSmart Internet Protocol Database (IPDB) stores internet protocol-based information, storing each source element in a separate container. Each log data message is identified by the IP address of the event source from which the message originated. The LogSmart IPDB maps this IP address to the originating event source and determines the format of the incoming message. The log message is the metadata that describes the event.

message category: A group of messages. Message categories are hierarchical, consisting of up to five levels: a NIC category, an alert category, and up to three levels of event category.

message variable: Defines a type of data that is extracted from message payloads. Message variables are useful when analyzing and reporting on data.

monitored device: A supported event source that has been configured to send event messages to the RSA enVision platform. The enVision platform collects and stores events from monitored devices.

multiple appliance site: An RSA enVision site in which each enVision component (Application, Collector, and Database) is on its own appliance.

NIC: The acronym used to label many essential RSA enVision components, services, and tools.

NIC database: See Configuration database (nic.db).

NIC domain: A group of multiple appliance sites that constitute an organization's entire deployment of the RSA enVision platform. One site acts as the NIC domain master site.

NIC message ID: A number that identifies a message. This number may or may not be the same as the vendor message ID.

NIC System device: Generates event messages to indicate the health and activity of the RSA enVision platform, such as disk space usage, current EPS, data retrieval statistics, and user activity messages.

NIC_View: Allows users to monitor the health of the RSA enVision system. The NIC_View alerts users to problems within the enVision software environment.

node: An appliance in an RSA enVision site.

output action: Configured notification method for alerts. The primary output actions are SMTP, SNMP, SNPP, Instant Messenger, syslog, run a command, text file, and task triage.

Overview module: The RSA enVision module that provides tools to configure the enVision platform and monitor system health and performance.

RC: See Remote Collector.

Remote Collector (RC): An optional component of an RSA enVision multiple appliance site that captures incoming events at a remote location. A Remote Collector (RC) runs on its own appliance. Up to 16 RCs can be associated with a site.

Reports module: The RSA enVision module that provides tools to run standard network security and traffic analysis reports, or create and run custom reports.

single appliance site: An RSA enVision site in which all enVision components (Application, Collector, and Database) are on one appliance.

site: The basis on which the RSA enVision platform is deployed. Each site consists of three main components: Application Server, Collector, and Database Server.

site name: The name of the site, defined during the configuration of the RSA enVision platform.

standard report: Reports that are supplied within the RSA enVision platform for compliance, correlated alerts, event sources, as well as for task triage, and vulnerability and asset management.

task escalation: A function that allows users to send tasks to an external application, such as a ticketing system, for offline investigation.

task triage: A feature that allows users to group events into tasks for the purpose of investigation. Tasks can be further analyzed in the RSA enVision Event Explorer module, escalated to an external ticketing system, or both.

trace view: A set of parameters that define the information that is displayed in the form of tables and charts. The two forms of trace views are standard and advanced trace views.

UDC: See Universal Device Collection.

Universal Device Collection (UDC): Allows the RSA enVision platform to collect log data from any event source that logs through SNMP, ODBC, or File Reader.

VAM: See vulnerability and asset management.

VDB: See Vulnerability Knowledge Database.

view: An administrator-defined set of event sources, messages, correlation rules, and criteria, within a single site, for which the RSA enVision platform issues alerts.

vulnerability and asset management: A feature that provides unified management of assets and vulnerability incident analysis.

Vulnerability Knowledge Database (VDB): An embedded repository of vulnerability information derived from the National Vulnerability Database (NVD).

watchlist: A named collection of strings that represent a list of like-values. A watchlist can easily function as a filter for events in reporting and alerting.

Index

A
access denied options, 162
alerts, 110
all-applications-users permissions, 23

B
best practices, 175

C
compliance reports, 80
correlated alerts, 164
correlated alerts report, 80
correlation rule review, 164
correlation rule updates, 172
creating a report, 84–91
Customer Support, 10

D
Dashboard, 153
dashboard
    described, 109
    permissions, 112
database tables, 81
device type identifiers, 82
disk usage threshold, 155
drive rotation threshold, 157

E
EPS, 154
event collection, 160
event data archiving, 169
event source review, 159–160
Event Source Updates, 172
event threshold, 45
events, 110
events per second, 154

G
graphs, 109
GUI, 79

H
help desk, 10
host report, 80

I
Internet Protocol Database. See IPDB
IPDB, 82

L
lsmaint utility, 169

M
maintenance contract renewal, 170
maintenance tasks
    daily and weekly, 146–158
    monthly, 158–168
    quarterly, 169–170
    yearly, 170–171
management task overview, 145
message category review, 163
message filters, 46
modifying a report, 91
monitor system errors, 148–150
monitor system usage, 150–153

N
navigation controls, 79
network report, 80
NIC_View, 148
NIC_View alerts, 149

O
operating system patches and security updates, 173
output actions, 167

P
problem solving, 191–192
Professional Services enVision Healthcheck, 171

R
report categories, 80
report column headings, editing, 89
report columns, rearranging, 90
report tools, 79–80
report-administrators permissions, 23
reports
    administrator selection of, 112
    creating, 110, 112, 113, 116
    custom, 112
    Dashboard Standard, 111
    deleting, 118
    graphs, 109
    modifying, 110, 112, 117
    response time and, 112
    standard, 110
    tabular, 113
report-users permissions, 23
running a report, 91, 98–99
runtime parameters, 83

S
scheduling a report, 101–105
security report, 80
service pack installation, 170
SQL where clause
    creating, 82, 88
    example, 88, 89
storage report, 80
summary data, 82
support, technical, 10
system shutdown threshold, 155

T
task triage report, 81
technical support, 10
threshold
    disk usage, 155
    drive rotation, 157
    event, 45
    system shutdown, 155
troubleshooting, 192

U
upgrading enVision, 172
user account review, 161
user and system access review, 23–162
user group permission review, 161
user group review, 162
user permissions, 111

V
VAM, 172
VAM report, 81
VAM updates, 172
view review, 44
Vulnerability and Asset Management, 172

W
watchlist as a runtime parameter, 83
watchlists, 54
