SIEM Foundations: Define Zones

Version 4

    ESM zones and Sub-zones provide the ability to organize your data sources and IP ranges into related groupings.  Zones are most often applied to physical groupings of systems, such as geographic regions, data centers, or office campuses.


    When Zones are properly defined, events that come into the ESM are enriched with zone information.  Spend some time considering how best to define zones in your environment.  This additional data can be very useful in creating customized views, reports, correlations, as well as role-based access control.  Zones also allow you to define geographic locations for events coming from internal RFC 1918-based IP addresses.


    pic1.png


    Zones are configured in the Asset Manager, on the Zone Management tab.  A zone consists of a name, a set of devices and data sources that exist in the defined zone, and, optionally, a geolocation.  Any internal RFC 1918 addresses that are not specifically mapped to a sub-zone (see below) will be mapped to this top-level zone.


    zone.png


    Underneath a zone you can define sub-zones.  Each sub-zone also has a name, along with a set of related IP ranges and associated geographic locations.


    pic3.png
