Trying to get my head around custom fields, and the fact that not all of them apparently can be used as custom fields (example post here).
Using an example I am working through in a lab, I have ESM 9.3.0 and ePO added as a device, with VSE running on test endpoints. On the endpoints, I have run through a simple EICAR test (repeated 5 times).
ePO event ID: 1278
ESM sig ID: 357-1278 (settings accessible via Policy Editor > <select ePO server next to 'Default Policy'> > Data Source Rule Types)
With the rule setting at default, I end up with an aggregated alert in ESM as follows:
As per this post, I am currently playing around with Data Enrichment, and want to make it so another field appears under the custom types tab in the above. While trying to get this to work (and trying to fully understand how it works!), I have created a new custom type field called 'VSEDAT' - and that is the field I am trying to insert in future events.
As there are already custom types in the existing event, I have created the below table based on the 2nd image above, and the details found in ESM > System Properties > Custom Types
| Custom Type Name | Data Type | Event Field |
|---|---|---|
| Application | String | Custom Field - 1 (short) |
| Object_Type | String | Custom Field - 2 (short) |
| Host | String | Custom Field - 4 (short) |
| Object | String | Custom Field - 5 (short) |
| Destination User | String | Custom Field - 6 (short) |
| Destination_Filename | Random String | Custom Field - 9 (short) |
| Device_Action | Random String | Custom Field - 21 (long) |
| Detection_Method | Random String | Custom Field - 22 (long) |
| Analyzer_DAT_Version | Long Custom (16 byte) Decimal | Custom Field - 24 (long) |
| Threat_Category | Random String | Custom Field - 25 (long) |
| Threat_Handled | Random String | Custom Field - 27 (long) |
- If I add a new custom type with name 'VSEDAT' of data type 'String' and set the Event Field to 'Custom Field - 1 (short)', then add a data enrichment rule with the enrichment field set to 'VSEDAT', does the receiver ignore this completely, or would the 'Application' field in the above be overwritten?
- Do I need to modify the specific rule to include my newly created field? If so, how is this achieved? I have tried to use 'Operations > Browse Reference' but get a message advising that documentation for the requested rule is not available.
- Are rules and signatures essentially the same thing?...
- If I set my field to 'Custom Field - 3' (clashing with 'Recipient_Count', 'Filename', 'Domain', 'Elapsed Time' and 'Count'), would this be better than using 'Custom Field - 1', as 3 isn't used in the current custom fields for this particular signature?
At the moment it all looks a little bit messy - I am sure with a little more experience it will start to make sense, but my mind is boggled at present!