I have recently been on the training course for ESM and am looking to play around with this feature in order to get more familiar. In my ESM build (9.3.0) I have ePO added as a device, and am focusing on VirusScan Enterprise. When looking at the events within ESM, my current scenario is that I want to quickly see what VSE DAT level the host has that generated the original alerts. Using default event aggregation settings (SigID, Source IP, Destination IP), the hostname should be present in the aggregated events as the Source IP in question is the source IP of the host detecting the malware. I also have two test endpoints, both of which I have tested with EICAR.
Questions at the bottom of this post, with screenshots of my current configuration below:
For the data enrichment, I have configured as follows:
ESM > System Properties > Data Enrichment > Add
Note: not sure here if this should be the ERC that is the selected device. The Product Guide p59 simply states "select the devices you want to write the data enrichment rules to". VSE DAT is a custom field I have added, discussed further below.
ESM > System Properties > Custom types
Existing types 'Analyzer_DAT_Version' and 'DAT_Version' are both decimal data types, and the DAT field within the ePO DB is a string. Therefore, I created a custom type as below. This may need to be reviewed as, per the warning, a 'Random' string may need to be used - although the string will not change very frequently, it will change a lot over time. Not sure about this one at the moment.
- As per the 9.3.0 Product Guide p58, data acquisition takes place on the ESM, and not on the devices. When the data acquisition takes place, are the stored events within ESM themselves enriched, and if so, are all of them enriched or only events from a specific time period relevant to the acquisition? Or is it the event displays that are enriched (i.e. the events themselves are left untouched, but when we view the events in a drill-down view, the relevant custom fields are added)?
- If I set the device to enrich to be the ePO server, will the events I am looking to enrich actually be enriched, as within the ESM events themselves, the actual device is '<EPO server> - <EPO server>_VirusScan (ePO)'? I.e., which device should I select for this specific case? If I select the event receiver that is sending the aggregated events to ESM, will that work or not (I am assuming not)?
- Just for completeness, as the enrichment process is actually taking place on the ESM, I am assuming that if a specific field is missing (or may go missing) as a result of aggregation, then using it as a lookup field will not work. This makes sense to me, but there may be things I am not taking into account - I am still fairly new to this!
Thanks in advance!
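The following is an added illustration, not part of the post above and not McAfee ESM or ePO code. It models the reasoning in the poster's last question: if enrichment runs after aggregation, a lookup keyed on a field that aggregation drops cannot resolve, while a lookup keyed on a retained field (Source IP, in the default aggregation set) can. The event records, hostnames, IP addresses, the hypothetical SigID value and the host-to-DAT lookup table are all constructed here; the lookup table stands in for whatever query would be run against the ePO database, and no ePO schema or ESM internal behaviour is assumed.

```python
"""Toy model of enriching aggregated AV events from a host -> DAT lookup.

Added example: this is NOT ESM/ePO code. It only models the assumption that
enrichment is applied to already-aggregated events, so the lookup field must
survive aggregation.
"""
from collections import defaultdict

# Default aggregation fields mentioned in the post (SigID, Source IP, Dest IP).
DEFAULT_AGG_KEYS = ("sig_id", "src_ip", "dst_ip")

# Constructed raw detection events, as a receiver might see them before
# aggregation. 1001 is a hypothetical signature ID, not a real ESM SigID.
RAW_EVENTS = [
    {"sig_id": 1001, "src_ip": "10.0.0.11", "dst_ip": "10.0.0.11", "hostname": "WKS-01"},
    {"sig_id": 1001, "src_ip": "10.0.0.11", "dst_ip": "10.0.0.11", "hostname": "WKS-01"},
    {"sig_id": 1001, "src_ip": "10.0.0.12", "dst_ip": "10.0.0.12", "hostname": "WKS-02"},
    {"sig_id": 1001, "src_ip": "10.0.0.13", "dst_ip": "10.0.0.13", "hostname": "WKS-03"},
]

# Constructed lookup table standing in for a query result from the ePO DB
# (hypothetical: IP -> DAT version string). WKS-03 is deliberately absent.
DAT_LOOKUP = {
    "10.0.0.11": "7425.0000",
    "10.0.0.12": "7431.0000",
}


def aggregate(events, keys=DEFAULT_AGG_KEYS):
    """Collapse events that share the aggregation key.

    Worst-case model: only the key fields and a count survive; every other
    field (e.g. hostname) is dropped from the aggregated record.
    """
    buckets = defaultdict(int)
    for event in events:
        buckets[tuple(event[k] for k in keys)] += 1
    return [dict(zip(keys, key), count=count) for key, count in buckets.items()]


def enrich(events, lookup, lookup_field, enrich_field="VSE_DAT"):
    """Attach enrich_field to each event by looking up lookup_field.

    Returns (enriched_events, misses). An event is left unenriched and
    recorded in misses when the lookup field is absent from the record
    (dropped by aggregation) or present but unmatched in the lookup table.
    """
    enriched, misses = [], []
    for event in events:
        record = dict(event)
        key = event.get(lookup_field)
        if key is None:
            misses.append((record, "lookup field missing"))
        elif key not in lookup:
            misses.append((record, "no match"))
        else:
            record[enrich_field] = lookup[key]
        enriched.append(record)
    return enriched, misses


def enrich_by_source_ip():
    """Lookup on a retained aggregation field: resolves where data exists."""
    return enrich(aggregate(RAW_EVENTS), DAT_LOOKUP, "src_ip")


def enrich_by_hostname():
    """Lookup on a field aggregation dropped: nothing can resolve."""
    return enrich(aggregate(RAW_EVENTS), DAT_LOOKUP, "hostname")


if __name__ == "__main__":
    for label, fn in (("src_ip", enrich_by_source_ip), ("hostname", enrich_by_hostname)):
        events, misses = fn()
        print(f"lookup field = {label}")
        for e in events:
            print("  ", e)
        for e, why in misses:
            print("   MISS:", why, "->", e["src_ip"])
```

Run as a script to see the two cases side by side: keyed on `src_ip`, the two hosts present in the lookup table get a `VSE_DAT` value and the third is reported as unmatched; keyed on `hostname`, every aggregated record is reported as missing the lookup field, which is the situation the poster anticipates.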