RSA enVision 4.1 Users Guide

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA, the RSA Logo, RSA enVision, RSA Event Explorer and EMC are either registered trademarks or trademarks of EMC
Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective
owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to
third-party software in this product may be viewed in the thirdpartylicenses.pdf file.
Portions of this application include technology used under license from Visual Mining, Inc. 2000 - 2010.
Portions of this application include iAnywhere technology, 2001 - 2010.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2011 EMC Corporation. All Rights Reserved. Published in the USA.
September 2011

Contents
Preface................................................................................................................................... 5
About This Guide................................................................................................................ 5
RSA enVision Documentation............................................................................................ 5
Related Documentation....................................................................................................... 6
Support and Service ............................................................................................................ 6
Before You Call Customer Support............................................................................. 7

Chapter 1: RSA enVision Users and User Tasks ........................................ 9


RSA enVision Users ........................................................................................................... 9
RSA enVision User Tasks................................................................................................... 9
Log On to RSA enVision .................................................................................................. 10
Log Off of RSA enVision ..................................................................................................11

Chapter 2: Managing Your User Information .............................................. 13


User Information ............................................................................................................... 13
Modify Your User Information......................................................................................... 13

Chapter 3: Monitoring the System Performance ...................................... 15


Events Per Second............................................................................................................. 15
Collector EPS Rates................................................................................................... 15
Monitor the EPS Rates............................................................................................... 17
Monitor Process Statistics................................................................................................. 17
Monitor Data Server Session Details and Usage Information .......................................... 18

Chapter 4: Viewing Incoming Events ............................................................... 21


Incoming Events ............................................................................................................... 21
Event Viewer..................................................................................................................... 21
Display Incoming Events .................................................................................................. 24
Copy Events for Further Analysis ............................................................................. 25
Graph Events by Event Type ............................................................................................ 25
Graph Event Types by Time ............................................................................................. 26

Chapter 5: Monitoring Events and Alerts ...................................................... 29


Events and Alerts .............................................................................................................. 29
Dashboard ......................................................................................................................... 29
Dashboard Reports............................................................................................................ 30
Design and Use Your Dashboard...................................................................................... 31
Dashboard Examples......................................................................................................... 32

Chapter 6: Managing Alerts ................................................................................... 35


Alert Management............................................................................................................. 35
Views and Collections ...................................................................................................... 36
Views ......................................................................................................................... 36
Collections ................................................................................................................. 36
Monitoring Peak Status of Multiple Views Concurrently ................................................ 37

Enterprise Dashboard................................................................................................. 37
Enterprise Dashboard Modes..................................................................................... 37
Collection and View Icons in Enterprise Dashboard................................................. 39
Monitor Peak Severity Using Map Mode .................................................................. 40
Monitor Peak Severity Using a List........................................................................... 41
Toggle Between Modes ............................................................................................. 42
Monitor Incoming Alerts .................................................................................................. 42
Monitor Alerts in the Database ......................................................................................... 44
Review Alert Details......................................................................................................... 44

Chapter 7: Accessing Historical Data .............................................................. 47


Historical Data .................................................................................................................. 47
Tools for Accessing Data.................................................................................................. 47
Query................................................................................................................................. 48
Create a Query ........................................................................................................... 50
Run a Saved Query .................................................................................................... 51
Reports .............................................................................................................................. 52
Standard Reports........................................................................................................ 52
Run an Ad Hoc Report............................................................................................... 53
Schedule a Report ...................................................................................................... 56
Display Generated Scheduled Reports ...................................................................... 59

Appendix A: Troubleshooting .............................................................................. 61


Logon Issues ..................................................................................................................... 61
Event Viewer Issues.......................................................................................................... 62
Dashboard Issues............................................................................................................... 62
Real-Time Details and History Issues............................................................................... 63
Query Issues ...................................................................................................................... 63
Report Issues ..................................................................................................................... 64

Glossary ............................................................................................................................. 65
Index ..................................................................................................................................... 71


Preface
About This Guide
This guide contains information that helps users to get started using the RSA enVision
platform. It is designed to be used with the enVision Help. This guide includes
instructions for performing the most common end-user tasks.

RSA enVision Documentation
For information about the RSA enVision platform, see the following documentation:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.
- Overview Guide. Provides an introduction to RSA enVision platform features and capabilities.
- Hardware Setup and Maintenance Guide. Provides instructions on setting up and maintaining RSA enVision appliances. Intended audience is the system administrator.
- Configuration Guide. Provides instructions on configuring an RSA enVision site. Intended audience is the system administrator.
- Migration Guide. Provides instructions on migrating data from a previous version of the RSA enVision platform to the current version.
- Virtual Deployment Guide. Provides instructions on installing an RSA enVision single appliance site or Remote Collector on a virtual infrastructure.
- Administrators Guide. Provides instructions on the basic setup and maintenance of the RSA enVision platform. Includes instructions for the most common administrator tasks.
- Users Guide. Provides information that helps users to get started using the RSA enVision platform. Includes instructions for the most common user tasks.
- Backup and Recovery Guide. Provides instructions on backing up an RSA enVision system and recovering from a hardware failure.
- Security Configuration Guide. Provides an overview of security configuration settings in the RSA enVision platform.
- Universal Device Support Guide. Describes how to add log collection and analysis support for event sources that the RSA enVision platform does not support.
- RSA enVision Help. Provides comprehensive instructions on setting up RSA enVision processing options and using RSA enVision analysis tools.

RSA continues to assess and improve the documentation. Check RSA SecurCare
Online for the latest documentation.

Related Documentation
For information about the RSA enVision Event Explorer module, see the following documentation:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.
- Installation Guide. Provides instructions on installing the RSA enVision Event Explorer module on your client machine, in separate guides for Microsoft Windows and Apple Macintosh operating systems. Intended audience is the end user.
- RSA enVision Event Explorer Help. Provides comprehensive instructions on setting up and using the RSA enVision Event Explorer module.

For information about the RSA enVision EventSource Integrator, see the following documentation:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.
- Overview Guide. Provides an introduction to RSA enVision EventSource Integrator features and capabilities.
- RSA enVision EventSource Integrator Help. Provides comprehensive instructions on using RSA enVision EventSource Integrator.

Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. SecurCare Online also offers information on new releases, important technical news, and software downloads.
The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support
Make sure that you have direct access to the computer running the RSA enVision software.
Please have the following information available when you call:

- One of the following:
  - On a 60-series appliance, the serial number of the appliance. You can find the seven-character serial number on the chassis tag on the back of the appliance, or open a Dell OpenManage Server Administrator session, and click System > Properties > Summary to find the serial number in the chassis service tag field.
  - On a virtual appliance, the serial number of the RSA enVision software. Open the C:\WINDOWS\system32\drivers\etc\Nie-oe.dat file, and locate the line that begins with S/N=.
- RSA enVision software version number.
- The name and version of the operating system under which the problem occurs. On a virtual appliance, the VMware ESX or ESXi server details.

Chapter 1: RSA enVision Users and User Tasks

- RSA enVision Users
- RSA enVision User Tasks
- Log On to RSA enVision
- Log Off of RSA enVision

RSA enVision Users
RSA enVision users perform tasks in the RSA enVision system. An enVision administrator creates the user account and assigns the relevant permissions for these tasks based on the role that the user performs. Some examples of roles that enVision users can perform in the organization include the following:

- Security, Compliance, and Network Analyst
- Security, Compliance, and Network Engineer
- Security and Compliance Manager
- Event source owner
- Internal Auditor

RSA enVision User Tasks
You can perform the following tasks depending on the permissions that the RSA enVision administrator assigns to your user account.

Modify user information. You can modify your own user information. For more information, see Chapter 2, Managing Your User Information.

Monitor EPS. You can monitor the events per second (EPS) rate of the enVision Collector to ensure that the EPS rate remains within the licensed range. If you consistently have an EPS rate over your limit, enVision drops messages. For more information, see Chapter 3, Monitoring the System Performance.

View incoming events. You can view incoming events in real time. You can graphically represent the incoming events based on event type or event time. For more information, see Chapter 4, Viewing Incoming Events.

Monitor events and alerts. You can monitor events and alerts using reports and graphs on the Dashboard. For more information, see Chapter 5, Monitoring Events and Alerts.

Manage alerts. You can manage the alerts generated by enVision for the events. For more information, see Chapter 6, Managing Alerts.

Access historical data. You can access historical data stored in enVision using the Event Viewer, queries, and reports. For more information, see Chapter 7, Accessing Historical Data.

Log On to RSA enVision
You can log on to RSA enVision from your computer.

Note: If you have upgraded to RSA enVision 4.1 from an earlier version, an Invalid User/Password pair message may appear when you log on for the first time after the upgrade. Contact your enVision administrator for assistance.

To log on to enVision:

1. Go to the URL that your enVision administrator provided, for example, http://<address:port>. If you connect through HTTPS and your browser displays a certificate validation message, click Continue to open the Log In page.
2. Enter your user name and password.
   Note: RSA recommends that you change your password after you log on to enVision the first time. For instructions, see Modify Your User Information.
3. Click Log In.

Note: If you use a Web browser, such as Internet Explorer, to access RSA enVision from the appliance, you may receive a number of warning messages. RSA recommends that you access RSA enVision only from a client machine.

Log Off of RSA enVision
To log off of RSA enVision:

1. Click Log Out in the bottom left of the window.

Chapter 2: Managing Your User Information

- User Information
- Modify Your User Information

User Information
Every RSA enVision user has an individual user account and is assigned a unique user ID, created by the enVision administrator. User account passwords are stored securely to prevent unauthorized access and data corruption.
As a user, you can modify only your first name, last name, enVision password, and description in your user account.

Modify Your User Information
To modify your user information:

1. Click Overview > System Configuration > Modify User Information.
   The window displays the information that you can modify.
2. Update any of the following information as necessary:
   - First name
   - Last name
   - Password
   - Description
   For information on the fields, see the Help topic Add/Modify User Window.

This example shows the fields that user sjohn can modify.

3. Click Apply.


Chapter 3: Monitoring the System Performance

- Events Per Second
- Monitor Process Statistics
- Monitor Data Server Session Details and Usage Information

Events Per Second
The events per second (EPS) rate measures the average number of events collected by the RSA enVision Collector per second. RSA enVision collects events at your licensed EPS rate and provides a buffer of 10 to 30 percent to allow for an occasional excess of events:

- If the EPS rate exceeds the maximum licensed EPS by 10 percent, enVision generates a warning message (NIC-4-400019).
- If the EPS rate exceeds the maximum licensed EPS by 30 percent, enVision generates an alert message (NIC-1-400020) indicating the condition and the number of events dropped.

If you consistently receive these warning and alert messages, notify the enVision administrator.

Collector EPS Rates
You can monitor the EPS rates for the Collector using the System Performance window. The System Performance window provides the following information about event collection:

- EPS licenses. Displays the aggregate number of EPS licenses for the collectors that are currently displayed.
- Collector. Displays the name of the Collector. If you have multiple Collectors, select the Collector for which you want to view EPS rates.
- Collection gauges. Display the percentage of the EPS license being used, in total and for each collection protocol. The colors of the gauges indicate the rate of event collection as a percentage of the EPS license limit as follows:
  - Green: Less than or equal to 80 percent
  - Orange: Between 80 and 90 percent
  - Red: Greater than 90 percent

The gauges also provide the following information:

- Instant is the running average of the last ten seconds.
- Average is the average number of events per second since the event source started.
- Peak is the highest number of events received in a one-second period since the event source started.
- At Peak indicates that the event source is currently at that highest recorded level of EPS.

The RSA enVision administrator sets the refresh rate for the gauges (between one and
ninety-nine seconds).
RSA recommends that you monitor the EPS rate for your enVision appliance. Based
on the EPS gauges, you can determine the health of the enVision system. If you are
consistently exceeding the EPS limit, events will not be collected by the specified
Collector. If the EPS rate is between 80 and 90 percent of the enVision license limit,
you should notify the enVision administrator.
This example shows EPS rates from the Collector named Doc-ES that are all in the normal range.
[Figure: System Performance window showing the Collector list and the EPS rate gauges]

This example shows the EPS rates from the Collector named Doc-ES that are exceeding the enVision license limit. The red highlights indicate that if this condition continues, events may be lost.
[Figure: System Performance window showing the Collector list and the EPS rate gauges in red]
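The following added example (not RSA product code) models the gauge figures and thresholds this chapter describes: the Instant, Average, Peak and At Peak values, the green/orange/red colouring at 80 and 90 percent of the license, and the 10 and 30 percent over-license conditions. It assumes that per-second event counts and the license limit are available as plain integers; the sample traffic is constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Message IDs the guide quotes for the two over-license conditions.
WARNING_MSG = "NIC-4-400019"  # EPS more than 10 percent over the license limit
ALERT_MSG = "NIC-1-400020"    # EPS more than 30 percent over the limit; events dropped


@dataclass
class GaugeReading:
    instant: float  # running average of the last ten seconds
    average: float  # average EPS since the event source started
    peak: int       # highest one-second count since the event source started
    at_peak: bool   # the current second equals the recorded peak


class EpsGauge:
    """Tracks the Instant, Average, Peak and At Peak figures for one Collector."""

    def __init__(self, license_eps: int) -> None:
        if license_eps <= 0:
            raise ValueError("license EPS must be positive")
        self.license_eps = license_eps
        self._window = deque(maxlen=10)  # last ten one-second counts
        self._total = 0
        self._seconds = 0
        self._peak = 0

    def observe(self, count: int) -> GaugeReading:
        """Record one second's event count and return the updated gauge figures."""
        self._window.append(count)
        self._total += count
        self._seconds += 1
        self._peak = max(self._peak, count)
        return GaugeReading(
            instant=sum(self._window) / len(self._window),
            average=self._total / self._seconds,
            peak=self._peak,
            at_peak=(count == self._peak),
        )


def gauge_colour(eps: float, license_eps: int) -> str:
    """Gauge colour as a percentage of the license: <=80 green, 80-90 orange, >90 red."""
    pct = 100.0 * eps / license_eps
    if pct <= 80:
        return "green"
    if pct <= 90:
        return "orange"
    return "red"


def license_condition(eps: float, license_eps: int) -> Optional[str]:
    """Message ID enVision would raise for this rate, or None while within the buffer.

    Assumption: 'exceeds by 10 percent' is read as more than 110 percent of the
    license, and 'exceeds by 30 percent' as more than 130 percent.
    """
    if eps > 1.3 * license_eps:
        return ALERT_MSG
    if eps > 1.1 * license_eps:
        return WARNING_MSG
    return None


def review_stream(counts, license_eps: int):
    """Run one-second counts through the gauge and judge each second on Instant.

    Returns a list of (colour, condition) tuples, one per second, so that a
    sustained run of red/warning entries is visible rather than a single spike.
    """
    gauge = EpsGauge(license_eps)
    out = []
    for count in counts:
        reading = gauge.observe(count)
        out.append((gauge_colour(reading.instant, license_eps),
                    license_condition(reading.instant, license_eps)))
    return out


if __name__ == "__main__":
    # Constructed sample: a 100 EPS license, quiet traffic, then a burst over the limit.
    sample = [50] * 10 + [150] * 10
    for second, (colour, condition) in enumerate(review_stream(sample, 100), start=1):
        print(f"second {second:2d}: gauge={colour:6s} condition={condition}")
```

Because Instant is a ten-second running average, the gauge turns orange, then red, and only then raises the warning and alert IDs as the burst persists, which is why the guide asks you to act on rates that are consistently high rather than on a single second.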

Monitor the EPS Rates
To monitor the EPS rates of a Collector:

1. Click Overview > System Performance.
2. If you have multiple sites, select the site for which you want to view the EPS rates.
3. If you have multiple Collectors, from the Collector drop-down list, select the Collector for which you want to view the EPS rates.

Monitor Process Statistics
You can view the statistics of the different RSA enVision processes in the site from the Process Statistics window.
The Process Statistics window is displayed only on RSA enVision 4.1. If you have multiple sites with appliances using versions 4.1, 4.0, and 3.7 of enVision, note that the Process Statistics window is not available for enVision appliance versions 4.0 and 3.7.

To view the statistics of the different enVision processes of a site:

1. Click Overview > System Performance.
   If you have multiple sites, select the site for which you want to view the process statistics.
2. Click Process Statistics.

Note: The data in the Process Statistics window is derived from the data generated in the Performance Monitor tool on Windows. Therefore, the values displayed for the fields on the Process Statistics window correspond to the values in the Performance Monitor and may not be the same as the values displayed in the Task Manager for the same fields.

This example shows process statistics from an enVision system ESUpgrade.

For information on each of the fields, see the enVision Help.

Monitor Data Server Session Details and Usage Information
The Data Server window displays the session details and usage information for the Data Server (D-SRV). In single appliance setups, it shows the session details of the NIC Server.

Note: The Data Server window is displayed only on RSA enVision 4.1. If you have multiple sites with appliances using versions 4.1, 4.0, and 3.7 of enVision, note that the Process Statistics window is not available for enVision appliance versions 4.0 and 3.7.

To view the statistics of the different enVision processes in a site:

1. Click Overview > System Performance.
   If you have multiple sites, select the site for which you want to view the process statistics.
2. Click Data Server.
   For a multiple appliance site with multiple D-SRVs, clicking Data Server shows a summary page with details for each of the D-SRVs. Use this window to compare the values of the D-SRVs. Click the specific D-SRV to display related session details.

The following example shows the Data Server window from an enVision system MS4041M. For information on each of the fields, see the enVision Help.

Chapter 4: Viewing Incoming Events

- Incoming Events
- Event Viewer
- Display Incoming Events
- Graph Events by Event Type
- Graph Event Types by Time

Incoming Events
RSA enVision enables you to view the incoming events in real time. You can view the
raw events in their entirety as collected from the event sources. The severity of the
incoming events is identified by color and the severity levels are indicated by the
message content.

Event Viewer
The Event Viewer is part of the Analysis module, which allows you to perform analysis on collected events. Using the Event Viewer, you can perform the following tasks:

- Display the incoming events in real time
- Graph the incoming events based on either the event type or event time
- Display historical data for a specified time frame

This example shows incoming events.

The following table describes the severity levels and the corresponding color coding.

Level   Color   Description
0, 1    Red     Emergency or panic conditions that should be corrected immediately.
        Red     Critical conditions that should be looked at immediately.
        Red     Error conditions.
        Blue    Warning conditions.
        Blue    Notification events. Events that are not error conditions, but may require special handling.
        Grey    Informational events.
        Grey    Debugging events.

Display Incoming Events
To display the incoming events in the Event Viewer:

1. Click Analysis > Event Viewer > Message View.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.
8. To update the list of events, click Update now.
This example shows the events that RSA enVision collected from Cisco Pix Firewall
over the past ten minutes.

Copy Events for Further Analysis
You can copy the events in the Event Viewer to a comma-separated .csv file to analyze them. Further analysis of events could assist:

- Administrators to create a new correlation rule to alert on a specific set of events in a specific time frame
- Report administrators to determine what data is available to include in reports

To copy events for analysis:

1. Click Analysis > Event Viewer > Message View.
2. Display the events of interest, as described in Display Incoming Events.
3. Click anywhere within the messages pane.
4. Depending on the events that you want to select, do one of the following:
   - To select all events, press CTRL+A.
   - To select a range of events, press SHIFT and click the first and the last events.
   - To select individual events, press CTRL and click individual events.
5. To copy the selected events, press CTRL+C.
6. Open the program into which you want to paste the events.
7. To paste the events, press CTRL+V.

Graph Events by Event Type
To graph events by event type:

1. Click Analysis > Event Viewer > Graph View > Events by Event Type.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.
8. Click Update Now.

This example shows events collected from Cisco Pix Firewall over the past sixty
minutes. Moving the cursor over the chart displays the event ID and the Y axis value
in a pop-up window.

Graph Event Types by Time
To graph event types by time:

1. Click Analysis > Event Viewer > Graph View > Events Types by Time.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.

8. To configure the graph options, select Display Advanced Graph Options, and do any of the following:
   - To set the graph to automatically update, select Update on selection change or Update every 5 minutes.
   - From the Graph Type drop-down list, select either Bar or Line to choose which type of graph to create.
   - From the Data Type drop-down list, select the data type.
   - From the Y Axis drop-down list, select the value to display on the Y axis.
   - From the X Axis drop-down list, select the value to display on the X axis. The default value is Auto, which displays the time interval of the events.
9. Click Update Now.


This example shows events collected from Cisco Pix Firewall for thirty minutes.
Moving the cursor over the chart displays the event ID and the Y axis value in a
pop-up window.

Chapter 5: Monitoring Events and Alerts

- Events and Alerts
- Dashboard
- Dashboard Reports
- Design and Use Your Dashboard
- Dashboard Examples

Events and Alerts
RSA enVision collects events that occur on monitored event sources. An event or set
of events, such as a disk failure, an unexpected spike in network traffic, or the
signature of a known threat, may warrant further investigation. Your enVision
administrator configures enVision to recognize these specific events and issue
real-time alerts. You can monitor events and alerts using the Dashboard.

Dashboard
The Dashboard opens when you log on to RSA enVision. The Dashboard shows the
reports and graphs that you select, providing an immediate summary of events that
you choose to monitor.
You can customize your Dashboard in real-time to show the dashboard items (reports
and graphs) of your choice. However, the enVision administrator selects the dashboard
items from which you can select and sets up the parameters for the dashboard items.


This example shows the default Dashboard with user-selected dashboard items.

Dashboard Reports
The Dashboard has standard reports and graphs that display as Dashboard items.
Standard reports and graphs for the Dashboard are available in the following
categories:
• Alerts
• Antivirus
• E-mail
• Firewall
• Host
• IDS
• Network
• Proxy
• Task Triage
• VAM

For detailed information on the Dashboard standard reports, see the Help topic
Dashboard Standard Reports.
For detailed information on creating and modifying the Dashboard reports, see the
Help topic Dashboard Reports.

Design and Use Your Dashboard


You can select the reports and graphs that display on your Dashboard. You can also
select whether the reports will be displayed in a large version or a small version. The
selections are saved as your default settings when you leave the window.
To design your dashboard:

1. Click Overview > Dashboard.


2. From the left pane of the Dashboard window, select the reports that you want to
display.
Note: The RSA enVision administrator assigns permission for you to view the
reports that you need to monitor based on your role.
3. To set the size of the visual display, select either Large report view or Small
report view.


Dashboard Examples
You can use the dashboard to review multiple dashboard items. This section includes
some examples of Dashboards designed for different purposes.
The following figure shows a default Dashboard that displays the following reports:
• Alerts - Top Categories
• Alerts - Trends
• Alerts - Weighted Average
• Alerts - Recent Alerts

The following figure shows a Dashboard that is set up for the purpose of monitoring
alerts, threats, and network traffic and displays the following reports:
• Alerts - Top Categories
• Alerts - Trends
• Alerts - Weighted Average
• Alerts - Recent Alerts
• IDS - Recent Threats
• Network - Bandwidth by Department
• Host - Top Failed Login Accounts

The following figure shows a Dashboard that is set up for the purpose of monitoring
organizational threats and displays the following reports:
• IDS - Top Threats
• Network - Activity by Category
• Task Triage - Open Tasks by Priority
• VAM - Most Vulnerable Assets by Severity


Managing Alerts

Alert Management

Views and Collections

Monitoring Peak Status of Multiple Views Concurrently

Monitor Incoming Alerts

Alert Management
An alert is a notification that a specific event or set of events, as defined by the
RSA enVision administrator, has occurred that requires further investigation. One of
the following conditions can generate an alert:
• A single event, such as one reporting an asset malfunction
• A string within an event, such as content that matches a configured list of known
spammers
• A specified combination of events within a given time frame, such as a series of
logon attempts that suggest a possible denial-of-service attack

RSA enVision analyzes all incoming events and issues an alert immediately when a
set of circumstances that an administrator has specified is met. The alert is reported in
the enVision GUI and can be directed to other destinations, such as e-mail, instant
message, or a text file stored on the local system. An alert can also be configured to
automatically generate an incident-response task.


Views and Collections


RSA enVision manages alerting using views and collections.
To monitor alerts in real time, you can use the following tools in the Alerts module:
• Use the Enterprise Dashboard window to monitor the peak status information of
multiple views (called a Collection) concurrently from a single screen. For more
information, see Monitoring Peak Status of Multiple Views Concurrently.
• Use the Real-Time Details window to monitor the alerts as they occur in real time
for a single view. For more information, see Monitor Incoming Alerts.

Views
A view defines the event sources, events, correlated alerts, and user-defined criteria
for which enVision issues alerts. An enVision administrator creates views and assigns
users access to the views. Within a view, an administrator can set up filters and
thresholds, such as a percentage increase of activity above the baseline, to rate the
severity of the events and focus on those of highest priority. Views can also use
watchlists, which filter events by string, IP address, port, protocol, or regular
expressions.
Views can include correlation rules for alerts. A correlation rule specifies a set of
events within a time period and a set of conditions that will generate an alert. The
correlation rule includes a message ID and message text for the alert.
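The following Python example is added here to make the three alert-generating conditions from Alert Management, and the shape of a correlation rule described above, concrete. It is illustrative code written for this guide, not RSA enVision's alerting engine: the sample events, the message IDs (4625, 900001, 700001), the watchlist entries, the rule layout and the function names are all assumptions made for the example.

```python
"""Added illustration of the three alert-generating conditions and of a
correlation rule, written for this page; it is not RSA enVision's alerting
engine. The sample events, message IDs, watchlist entries, the rule layout
and the function names are all assumptions made for the example.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events in arrival order: (timestamp, device_address, message_id, text)
SAMPLE_EVENTS = [
    ("2010-06-01 08:00:00", "10.0.0.9", 106023, "Deny tcp src outside:198.51.100.7/4444"),
    ("2010-06-01 08:00:05", "10.0.0.3", 4625, "logon failed user=svc-backup src=192.0.2.44"),
    ("2010-06-01 08:00:12", "10.0.0.3", 4625, "logon failed user=svc-backup src=192.0.2.44"),
    ("2010-06-01 08:00:20", "10.0.0.3", 4625, "logon failed user=svc-backup src=192.0.2.44"),
    ("2010-06-01 08:00:25", "10.0.0.3", 4625, "logon failed user=svc-backup src=192.0.2.44"),
    ("2010-06-01 08:00:31", "10.0.0.3", 4625, "logon failed user=svc-backup src=192.0.2.44"),
    ("2010-06-01 08:01:00", "10.0.0.12", 1305, "mail accepted from mail.example.net"),
    ("2010-06-01 08:03:00", "10.0.0.20", 900001, "RAID array degraded: disk 2 failed"),
    ("2010-06-01 08:10:00", "10.0.0.3", 4625, "logon failed user=alice src=192.0.2.9"),
]

# Condition 1: a single event identified by its message ID (an asset malfunction).
SINGLE_EVENT_RULES = {900001: ("Disk failure reported", "High")}

# Condition 2: a string within an event, here a watchlist of known spam senders.
SPAMMER_WATCHLIST = re.compile(r"mail\.example\.net|spam-relay\.example\.org")

# Condition 3: a combination of events within a time frame. The fields mirror
# what the text says a correlation rule carries: the events it watches, the
# time window and conditions, and the message ID and text of the alert.
LOGON_BURST_RULE = {
    "message_id": 4625,
    "window": timedelta(seconds=60),
    "threshold": 5,
    "group_by": re.compile(r"user=(\S+) src=(\S+)"),
    "alert_message_id": 700001,          # assumed ID for the generated alert
    "alert_text": "Repeated failed logons for {user} from {src}",
    "severity": "Elevated",
}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def evaluate(events):
    """Return the alerts raised by the three conditions, as
    (timestamp, device_address, severity, message) tuples in event order.

    Events are processed as they arrive, sorted by time. The correlation rule
    keeps a sliding window per (user, src) key and fires once, when the count
    inside the window reaches the threshold.
    """
    alerts = []
    windows = {}
    rule = LOGON_BURST_RULE
    for ts, device, msg_id, text in events:
        if msg_id in SINGLE_EVENT_RULES:
            message, severity = SINGLE_EVENT_RULES[msg_id]
            alerts.append((ts, device, severity, message))
        if SPAMMER_WATCHLIST.search(text):
            alerts.append((ts, device, "Guarded", "Watchlist match: " + text))
        if msg_id == rule["message_id"]:
            match = rule["group_by"].search(text)
            if match:
                key = match.groups()
                window = windows.setdefault(key, deque())
                window.append(parse_ts(ts))
                # Drop events older than the rule's time frame.
                while window[-1] - window[0] > rule["window"]:
                    window.popleft()
                if len(window) == rule["threshold"]:
                    user, src = key
                    text_out = rule["alert_text"].format(user=user, src=src)
                    alerts.append((ts, device, rule["severity"],
                                   f"{rule['alert_message_id']}: {text_out}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Run as a script, the example raises three alerts: the correlation rule fires on the fifth failed logon for svc-backup inside the 60-second window, the watchlist matches the mail event, and the disk-failure message ID raises a single-event alert. The single firewall deny and the lone failed logon for alice raise nothing, which is the point of the threshold and time window in a correlation rule.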

Collections
A collection is an aggregation of view data that can contain information from multiple
sites. A collection can include other collections. A collection must contain at least one
item, a view or another collection. The collection inherits the status of the highest peak
alert severity status of all the views contained in the collection or collections that roll
up into that collection. A view can be assigned only to a single collection. Each
collection has attributes, such as collection name, description, and the collection map
that is used in map mode.


Monitoring Peak Status of Multiple Views Concurrently


You can monitor the peak status of a collection of views using the Enterprise
Dashboard in the Alerts module. Peak status is the highest severity level of the alerts
in the alert category, based on the current alert synchronization.

Enterprise Dashboard
The Enterprise Dashboard allows you to monitor the peak status information of
multiple views at the same time and quickly drill down into a view to display detailed
information.
You can use the Enterprise Dashboard to:
• View a map-based report
• View the hierarchy and statuses of views and collections
• View the high-level information as well as detailed information within the
Enterprise Dashboard
• Drill down using the Real-Time Detail tool in the Alerts module to display
detailed information about the current view
• View detailed alert status information for any item

You have access to the views depending on the permission that the enVision
administrator sets for each view. If you display a collection containing a view to which
you do not have access, no information about that view is visible. The alert severity
status for that collection is calculated as if the restricted view did not exist.

Enterprise Dashboard Modes


The Enterprise Dashboard window has two modes:
• Map mode. Displays alert information for each collection on a background image
or geographical map.
• List mode. Displays the alert details for all collections and views in a list format
to allow for more details about the alert status to be displayed. Each collection or
view is displayed in its own row.

6: Managing Alerts

37

RSA enVision 4.1 Users Guide

The following figures show the Enterprise Dashboard in Map mode and List mode.


Collection and View Icons in Enterprise Dashboard


Collections and views are represented by device class icons on the Enterprise
Dashboard. The following table lists the device classes for which a collection icon
and a view icon are defined (the icon images themselves are not reproduced here).

Device Class   Collection icon   View icon
Host           [icon]            [icon]
Network        [icon]            [icon]
Security       [icon]            [icon]
Storage        [icon]            [icon]

The icons change color as the alert status of the collection and view changes. The
status indicates the peak severity level of any of the event sources represented by the
icon. The following table defines the severity level of the icon colors.

Color     Severity Level
Green     Low
Blue      Guarded
Yellow    Elevated
Orange    High
Red       Severe
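The following Python example is added to show how a collection's peak status is derived from the views and collections that roll up into it, using the severity order of the color table above (Low below Guarded below Elevated below High below Severe), the rule that a restricted view is treated as if it did not exist, and the rule that a view belongs to only one collection. It is illustrative code written for this guide, not enVision's Enterprise Dashboard; the hierarchy, the view statuses, the user permissions and the class and function names are constructed for the example.

```python
"""Added example of how the Enterprise Dashboard's peak status rolls up from
views into collections. It is illustrative code written for this page, not
enVision's own. The severity order follows the icon colour table above; the
hierarchy, view statuses, user permissions and names are constructed.
"""
from dataclasses import dataclass, field

SEVERITY_ORDER = ["Low", "Guarded", "Elevated", "High", "Severe"]
COLOR = dict(zip(SEVERITY_ORDER, ["Green", "Blue", "Yellow", "Orange", "Red"]))


@dataclass
class View:
    name: str
    peak: str  # highest alert severity in the view since the last synchronization

    def __post_init__(self):
        if self.peak not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {self.peak!r}")


@dataclass
class Collection:
    name: str
    items: list = field(default_factory=list)  # Views and/or other Collections


def peak_status(item, allowed_views):
    """Peak status of a view or collection as one user sees it.

    A collection inherits the highest peak of everything that rolls up into it.
    Views the user may not access are skipped, so the status is computed as if
    those views did not exist; None means nothing visible remains.
    """
    if isinstance(item, View):
        return item.peak if item.name in allowed_views else None
    if not item.items:
        raise ValueError(f"collection {item.name!r} must contain at least one item")
    visible = [s for s in (peak_status(child, allowed_views) for child in item.items)
               if s is not None]
    return max(visible, key=SEVERITY_ORDER.index) if visible else None


def check_single_membership(root):
    """Enforce the rule that a view can be assigned to only one collection.

    Returns the sorted view names on success and raises on a duplicate.
    """
    owner = {}

    def walk(collection):
        for child in collection.items:
            if isinstance(child, View):
                if child.name in owner and owner[child.name] != collection.name:
                    raise ValueError(f"view {child.name!r} is in both "
                                     f"{owner[child.name]!r} and {collection.name!r}")
                owner[child.name] = collection.name
            else:
                walk(child)

    walk(root)
    return sorted(owner)


def list_mode(item, allowed_views, depth=0):
    """Rows of (indented name, status, colour), as List mode shows them.
    Views the user cannot access produce no row at all."""
    status = peak_status(item, allowed_views)
    if isinstance(item, View) and status is None:
        return []
    rows = [("  " * depth + item.name, status, COLOR.get(status))]
    if isinstance(item, Collection):
        for child in item.items:
            rows.extend(list_mode(child, allowed_views, depth + 1))
    return rows


# Constructed hierarchy: West Coast Operations rolls up two site collections.
DATA_CENTER = Collection("Data Center Observance", [
    View("Compliance", "Guarded"),
    View("Perimeter Firewalls", "High"),
])
BRANCH = Collection("Branch Offices", [
    View("Branch VPN", "Elevated"),
    View("Branch Hosts", "Low"),
])
WEST_COAST = Collection("West Coast Operations", [DATA_CENTER, BRANCH])
ALL_VIEWS = {"Compliance", "Perimeter Firewalls", "Branch VPN", "Branch Hosts"}

if __name__ == "__main__":
    for name, status, color in list_mode(WEST_COAST, ALL_VIEWS):
        print(f"{name:32} {status:10} {color}")
    print("Without firewall access:",
          peak_status(WEST_COAST, ALL_VIEWS - {"Perimeter Firewalls"}))
```

With full access the top-level collection shows High (orange) because the Perimeter Firewalls view is at High; a user without access to that view sees the same collection at Elevated (yellow), since the restricted view is left out of the roll-up. That is worth remembering when two analysts compare dashboards: a lower status for one of them may reflect permissions rather than a change in the alerts.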


Monitor Peak Severity Using Map Mode


Note: If the defined starting point collection for the site to which you are logged on
does not have an assigned map, or the specified map cannot be found, the Enterprise
Dashboard window opens in List mode.
To monitor peak severity using a map:
1. Click Alerts > Enterprise Dashboard.
This example shows the status of the West Coast Operations collection in Map mode.
2. Click on a collection icon on the map to display the secondary collections or
views that make up the collection. Click on a view icon on the map to display the
Real-Time Details window for the view.
For more information on using Map mode, see the Help topic Monitor Alerts Using
Map Mode on Enterprise Dashboard.


Monitor Peak Severity Using a List


To monitor peak severity using a list:

1. Click Alerts > Enterprise Dashboard.


2. Click the List Mode icon in the tool bar. The Enterprise Dashboard is displayed in
List mode.
This example shows the West Coast Operations collection in List mode.

3. To display information about a collection, click on the collection icon in the All
Collections and Views area.
4. Click on a collection row to display the secondary collections and views in List
mode.
5. Click on a view row to display the Real-Time Details window for the view.
For more information on using list mode, see the Help topic Use List Mode on
Enterprise Dashboard.


Toggle Between Modes


To toggle between modes, do one of the following:
• From the Map Mode display, click the List Mode icon to toggle to the List
Mode display.
• From the List Mode display, click the Map Mode icon to toggle to the Map
Mode display.

Monitor Incoming Alerts


You can monitor the incoming alerts in a single view on the Real-Time Detail window.
To monitor incoming alerts:

1. Click Alerts > Real-Time Detail.


2. From the left pane of the Real-Time Detail window, select the view.
3. From the Show drop-down list, select the type of alerts to display.
RSA enVision displays the status of the NIC Global Alerts categories, the status of
each of the alert levels, and the status of the selected alert category.
4. To display the resolved name in the Top Source and Top Destination drop-down
lists, select Resolve IP Addresses.
5. To sort the alert details, click a column heading.
RSA enVision continues to sort alerts in this order until you close the Real-Time
Detail window.


This example shows the real-time details of the Compliance view.


Monitor Alerts in the Database


You can access alerts from the database on the Alert History window. Each row on the
window displays information on one alert.
To access alerts in the database:

1. Click Alerts > Alert History.


2. From the left pane of the Alert History window, select the view.
RSA enVision displays the list of alerts available in the system. Each row on the
window displays information on one alert.
This example shows the alerts in the database for the view Data Center
Observance.

You can modify the display of the Alert History window from the Set Up Alert
History option on the Alert Configuration pane. For more information, see the Help
topic Set Up Alert History Tool Display Options.

Review Alert Details


You can review the details of an alert using the Alert Details window. The window
provides details such as the alert status, the vendor's suggested resolution action, and
your organization's suggested resolution action.
You can add notes to an alert and change the status. For example, you might note
information regarding how you are investigating an alert or how you resolved an alert.
You can add as many notes as you need to each alert. Each time you add a note to the
alert, the system adds it to the scrolling list on the window.
Notes on an alert are only available while the alert is visible in the Real-Time Details
tool. After the associated alert has been resolved, you can no longer access the note.


To review alert details:
1. Click Alerts > Alert History.
2. From the left pane of the Alert History window, select the view.
RSA enVision displays the list of alerts available in the system. Each row on the
window displays information on one alert.
This example shows the alerts in the database for the view Data Center
Observance. Clicking a message displays the alert details.
3. In the Message column, click the corresponding message.
The Alert Detail window opens.


4. In the New note field, enter the notes for this alert, including the reason for a
change of status or the status of the investigation.
This example shows the details of the alert selected from the message column in
the Alert History window.


Accessing Historical Data

Historical Data

Tools for Accessing Data

Query

Reports

Historical Data
RSA enVision analyzes the events and stores the original events along with the
descriptive metadata for those events in the RSA enVision Internet Protocol Database
(IPDB). The IPDB secures the data from tampering and protects the data with access
authentication. As a result, enVision provides a complete and verifiable repository of
IT information.
RSA enVision creates temporary database tables as needed to generate reports and
queries. The tables exist only for the time required to create the report.

Tools for Accessing Data


The following table lists the tools that you can use to access historical data in RSA
enVision.

Tool           Purpose
Event Viewer   Use the Event Viewer to graph historical data and drill down into the
               details. You can also display incidents as they occur in real time in a
               stream or represent the data in graphs.
               For more information, see Event Viewer.
Query          Use a query to quickly access specific information from the database.
               You can use a query to perform research or analysis, to fine-tune a
               report definition, or to quickly look up information.
               For more information, see Query.
Reports        Use reports to access large amounts of data for analysis and
               compliance reporting. You can use these reports to:
               • Audit security and compliance policies
               • Allocate system usage back-charges
               • Track employee network usage
               For more information, see Reports.


Query
You can use a query to retrieve and examine any data collected by RSA enVision. You
can use queries in forensic analysis, for example, to drill quickly into an alert or other
condition discovered in RSA enVision Event Explorer or to audit a past event.
Queries use temporary database tables created from the data stored in the IPDB.
Because they retrieve smaller amounts of data, queries execute faster than reports.
Queries return data only in tabular form. Queries run on an ad hoc basis. Only you can
view and save your queries.
Query results can be based on IP addresses, dates and times, event message types, and
other criteria.
Queries use SQL syntax to construct statements for accessing database tables for
conditions and events including:
• General traffic flows and events that were allowed
• Accesses that were denied or prevented from happening based on policy
• Status and health parameters
• URL information indicating where users have visited

You can compose simple or complex queries:
• A simple query is a single logical statement (a single row in the Edit query table).
• A complex query consists of multiple statements (multiple rows in the Edit query
table) logically joined using AND or OR. Multiple statements can narrow a query
or extract a more accurate set of results for given criteria.

You can run a newly created query or a query saved from a previous session. When
you run a query, you can save the results to a .csv file so that you can import the
results to other applications, such as Microsoft Excel.

The following figure shows the Create New Query window, with the Edit query
table, the Select device group and Select time range controls, and the Run the
query button.


Create a Query
To create a query:

1. Click Analysis > Query > Create New Query.


2. Enter the query criteria.
This example shows a query requesting data on NIC performance for message IDs
260000 and 500022, for severity levels 3 and 7.

3. Click Save.
4. In the Saved query file name field, enter the name for the query.
5. Click Apply.
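The following Python example is added to show the query model described in this section: rows of the Edit query table turned into a SQL WHERE clause, a simple query (one row) versus a complex query (rows joined with AND or OR), the device-group and time-range restrictions, and export of the result to .csv. It reproduces the example above (message IDs 260000 and 500022 at severity levels 3 and 7) and also applies the filtering advice given under Query Issues in Troubleshooting. It is illustrative code written for this guide, not enVision's query engine: the IPDB table layout is not published on this page, so a constructed SQLite table (events, with columns ts, device_address, device_type, message_id, severity and msg) stands in for the temporary tables enVision builds, and the sample rows and function names are assumptions.

```python
"""Worked example of the simple/complex query model described above.

This is an added illustration, not RSA enVision code: the table layout
(events with ts, device_address, device_type, message_id, severity, msg)
and the helper names are assumptions. The IPDB schema is not published on
this page, so a constructed SQLite table stands in for the temporary tables
enVision builds for a query.
"""
import csv
import io
import sqlite3

# Constructed sample data: (ts, device_address, device_type, message_id, severity, msg)
SAMPLE_EVENTS = [
    ("2010-06-01 07:58:00", "10.0.0.5", "nic", 260000, 3, "NIC performance: EPS 1200"),
    ("2010-06-01 08:02:00", "10.0.0.5", "nic", 500022, 7, "NIC collector queue full"),
    ("2010-06-01 08:05:00", "10.0.0.9", "ciscopix", 106023, 4, "Deny tcp src outside:198.51.100.7/4444"),
    ("2010-06-01 08:07:00", "10.0.0.5", "nic", 260000, 5, "NIC performance: EPS 900"),
    ("2010-06-01 09:15:00", "10.0.0.6", "nic", 500022, 3, "NIC collector queue draining"),
]

ALLOWED_FIELDS = {"device_address", "device_type", "message_id", "severity", "msg"}
ALLOWED_OPS = {"=", "!=", "<", "<=", ">", ">=", "IN", "LIKE"}


def load_events(rows):
    """Create the stand-in table and load the constructed events."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE events (ts TEXT, device_address TEXT, device_type TEXT, "
        "message_id INTEGER, severity INTEGER, msg TEXT)"
    )
    con.executemany("INSERT INTO events VALUES (?,?,?,?,?,?)", rows)
    return con


def build_where(criteria):
    """Translate Edit-query rows into a parameterised WHERE clause.

    Each row is (field, op, value, join) where join is the conjunction
    ('AND'/'OR') that connects it to the NEXT row. One row is a simple query;
    several rows form a complex query. Field and operator names are checked
    against an allow-list and values are bound as parameters, so user input
    never reaches the SQL text itself.
    """
    parts, params = [], []
    for i, (field, op, value, join) in enumerate(criteria):
        if field not in ALLOWED_FIELDS or op.upper() not in ALLOWED_OPS:
            raise ValueError(f"unsupported criterion: {field} {op}")
        if op.upper() == "IN":
            values = list(value)
            parts.append(f"{field} IN ({','.join('?' * len(values))})")
            params.extend(values)
        else:
            parts.append(f"{field} {op} ?")
            params.append(value)
        if i < len(criteria) - 1:
            if join is None or join.upper() not in ("AND", "OR"):
                raise ValueError("rows must be joined with AND or OR")
            parts.append(join.upper())
    return " ".join(parts), params


def run_query(con, criteria, start, end, device_group=None):
    """Run the query restricted to a time range and an optional device group.

    Both restrictions are what the troubleshooting advice recommends for
    queries that take too long: they keep the temporary table small.
    """
    where, params = build_where(criteria)
    sql = f"SELECT * FROM events WHERE ({where}) AND ts BETWEEN ? AND ?"
    params += [start, end]
    if device_group:
        sql += f" AND device_address IN ({','.join('?' * len(device_group))})"
        params += list(device_group)
    return con.execute(sql + " ORDER BY ts", params).fetchall()


def to_csv(rows):
    """Serialise results as CSV, as the save-results option would."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ts", "device_address", "device_type", "message_id", "severity", "msg"])
    writer.writerows(rows)
    return buf.getvalue()


def nic_performance_query(con):
    """The complex query from the example: message IDs 260000 and 500022
    at severity levels 3 and 7, over one day."""
    criteria = [
        ("message_id", "IN", [260000, 500022], "AND"),
        ("severity", "IN", [3, 7], None),
    ]
    return run_query(con, criteria, "2010-06-01 00:00:00", "2010-06-01 23:59:59")


if __name__ == "__main__":
    print(to_csv(nic_performance_query(load_events(SAMPLE_EVENTS))))
```

The example query returns three of the five constructed rows: the two NIC events at severity 3 or 7 on 10.0.0.5 and the one on 10.0.0.6; the severity 5 NIC event and the firewall deny are excluded. Because field and operator names are checked against an allow-list and values are bound as parameters, a criterion such as a field name containing `; DROP TABLE` is rejected rather than spliced into the SQL text.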


Run a Saved Query


To run a saved query:

1. Click Analysis > Query > Saved Queries.


2. Click the query that you want to run.
3. Click Run.
RSA enVision finds the records that match the saved query filter information and
displays the information.
This example shows the results of running the query.

Note: You can modify the filter information of the saved query and run the
query.


Reports
The Reports module provides standard network and traffic analysis reports and
graphs. You can copy and modify these reports, or create your own custom reports to
meet specific reporting needs. You can run the reports immediately or schedule them
to run at specific times.

Standard Reports
RSA enVision provides over 1,200 standard reports.
The following table shows the available report categories.

Report Category       Report Contents
Archer                Control procedure reports for event sources such as Check Point
                      Firewall-1, SharePoint Server, Oracle WebLogic, and VMware.
Compliance            Security statistics and data for a variety of regulations, including
                      Sarbanes-Oxley and Gramm-Leach-Bliley.
Correlated alerts     Statistics for correlated alerts and for multiple event sources.
                      Correlated alerts reports provide statistics and data on event
                      combinations. Multiple event source reports contain statistics and
                      data for multiple event sources from the same IP address.
Host                  Statistics and data for application servers, load balancers, mail
                      servers, mainframes, midrange systems, UNIX systems, web logs,
                      and Windows hosts.
Insider Threat        Standard system reports for insider threats. Insider threat mitigation
Mitigation            reports include UNIX, database, and Windows reports.
Network               Configuration management and traffic analysis statistics and data
                      for routers, switches, systems, and wireless event sources.
Security              Network security statistics and data for access control systems,
                      antivirus deployments, firewalls, intrusion detection systems,
                      intrusion prevention systems, physical security controllers, and
                      virtual private network systems.
Storage               Statistics for storage and database systems.
Task Triage           Statistics and data drawn from incident open and closure rate, status
                      of open incidents across the enterprise, and average time to
                      acknowledge and time to close incidents.
VAM (Vulnerabilities  Statistics for vulnerability occurrence, vulnerability severity, and
and Asset             business rank and importance for the most vulnerable assets in the
Management)           enterprise.


Run an Ad Hoc Report


You can run a report using the Ad Hoc Reports tool in the Reports tab that provides
access to all the standard and custom reports. You can run a standard or custom report
whenever necessary.
This section provides basic steps for running reports. For detailed steps and
explanations of report parameters, see the Help.
To run an Ad Hoc report:

1. Click Reports > Ad Hoc Reports, and expand the report types to see the
available reports.
The example shows the Compliance > HIPAA reports menu.
Note: The options that appear in the navigation panel may differ depending
on user permission settings.

2. Select a report, and click Run.


This example shows selecting the HIPAA - Access Authorization report.

RSA enVision displays the completed report in a separate browser window.


Schedule a Report
You can schedule a report to run at a specified time and at recurring intervals only if
the RSA enVision administrator has granted you permission to perform this operation.
You can schedule reports to and access reports from only those folders that are
available to the groups to which you belong. You can only use device groups to which
you or the groups you belong to have been given access.
You can also schedule the deletion or archival of multiple report folders and manage
the processing status through the Schedule Report Delete/Archive and Manage
Report Delete/Archive options in the Report Configuration panel. For more
information, see the Help.
To schedule a report:

1. Click Reports > Reports Configuration > Schedule Report.

2. Schedule a standard report as follows:


a. In the Task name field, enter a unique task name.
b. From the Report name pop-up window, select the report that you want to
schedule.
c. From the Folder name pop-up window, select the output folder for the report.
d. (Optional) Set any other runtime parameters.


e. Click Set Recurrence.


This example shows setting the report Alerts Under Investigation by View to
run as the task AlertsByView and to be output to the Default folder name.

3. Set when and how often a recurring report should run. Click Apply.
The example shows setting the report to run every day at 7:00 p.m.


4. Click Apply to save the settings.

5. Click Manage Scheduled Reports to display the list of reports scheduled to run.


Display Generated Scheduled Reports


An RSA enVision administrator can give you permission to view generated reports
without giving you permission to schedule reports. If the Display Options Save
results as a PDF file or Save results as a CSV file were selected at runtime, you can
export the displayed results of a scheduled report to a PDF or to a comma-separated
(.csv) file, which you can import into other applications such as Microsoft Excel.
To display a generated scheduled report:

1. Click Reports > Scheduled Reports.


2. If the system has multiple report folders, click the name of the folder containing
the report that you want to view.
3. In the calendar, click the date to see available reports for that date.
RSA enVision stores reports in the month corresponding to the data contained in
the report and not the date on which the report ran.


4. Click the report that you want to view. RSA enVision displays the report.


Troubleshooting

Logon Issues

Event Viewer Issues

Dashboard Issues

Real-Time Details and History Issues

Query Issues

Report Issues

Logon Issues
Problem                     Resolution
Cannot log on to RSA        If the message is Invalid User/Password pair, ensure that
enVision                    you entered the correct user name and password. The values
                            are case sensitive. Ensure that the Caps Lock key has not
                            been engaged.
                            This message may appear when you log on for the first time
                            after you upgrade to RSA enVision 4.1 from an earlier
                            version. Contact your enVision administrator for assistance.
                            If the message is The login is disabled for this user, contact
                            your enVision administrator to ensure that your user ID is
                            enabled.
Forgot your user ID or      Contact your enVision administrator.
password

Event Viewer Issues


Problem                     Resolution
Unexpected event source     The Device drop-down list contains all event sources for
listed in the Device        which RSA enVision has data and for which you have access
drop-down list              and viewing rights. Some event sources may not have been
                            selected for monitoring in enVision. Contact your enVision
                            administrator for more information.
RC site not available in    Select the site to which the RC forwards the data. The RC
Site drop-down list         collects the data and forwards the data to another site for
(Message View)              storage. For more information, contact your enVision
                            administrator.
Out of Memory (Message      The events used for the Message View window are stored in
View)                       memory. If you select a high value in the Number of
                            buffered events field, Internet Explorer may run out of
                            memory. If this occurs, click OK in the Internet Explorer Out
                            of Memory message pop-up window and select a lower value
                            for the Number of buffered events field on the Message
                            View window.

Dashboard Issues
Problem                          Resolution
Enterprise Dashboard displays    Either the map has not been assigned to the collection or the
List mode by default             specified map image for the site cannot be found. Contact
                                 your enVision administrator.
Icon for a view is displayed     RSA enVision cannot retrieve the information from the
as [icon]                        A-SRV. Contact your enVision administrator.
Icon for a collection is         RSA enVision cannot retrieve information from the A-SRV
displayed as [icon]              for one or more views in the collection. Contact your
                                 enVision administrator.

Real-Time Details and History Issues


Problem                         Resolution
Alerts are no longer            Periodically, RSA enVision resynchronizes the alerts in the
displayed on the Real-time      event database so that only the more recent alerts display on
Detail tool or the History      the Real-time Detail and History windows.
tool, but are displayed in      If alerts are not displayed because of this
Query results (for the Alerts   resynchronization, configure the time frame that the Alert
table)                          History works with, in the Set Up Alert History window.
                                For more information on alert synchronization, see the
                                enVision Help. Contact your enVision administrator for
                                information on the alert synchronization maximum for the
                                NIC Alerter Service.
Alert indicator and severity    Click the recalculate icon. RSA enVision recalculates the
levels are not correct          severity levels and sets the alert indicators back to green.

Query Issues
Problem                         Resolution
Query takes too long to         A query that retrieves a large number of rows can be very
complete                        costly in terms of processing time and disk space. If you do
                                not define any specific filter information, a query displays all
                                records in the selected table. Consider restricting your query
                                using the filtering capabilities. For example, specify a range
                                or list of message IDs, or specify a particular event source.
                                You may also want to consider specifying a time range.
Need to distinguish between     Use the device address, or create and use a device group for
two event sources that are      the required device if you are monitoring multiple event
the same type                   sources of the same type, for example, if you want to
                                distinguish between a CyberGuard firewall and a Cisco PIX
                                firewall.
Resolve IP addresses is         The RSA enVision administrator must select Resolve
selected, however query does    Hostname on the Set Up DNS Resolver Service window in
not show DNS resolved names     order to resolve hostnames.

Report Issues
Problem                         Resolution
Report doesn't contain any      Ensure that you are using the correct database table. For
data (messages)                 information on selecting database tables, see the Help topic
                                When to Use Each Database Table.
                                Ensure that the report specifies the correct time frame.
                                Ensure that the SQL where clause for the report includes the
                                messages that you are expecting.
Create New Report option        You do not have permission to create a report. Contact your
does not display in the menu    enVision administrator.

Glossary
A-SRV
See Application Server.
ad hoc report
An unscheduled report that runs immediately.
ADB
See Asset Database.
administrator
A user responsible for setting up and maintaining the RSA enVision platform. An
administrator has access to all enVision functions.
alert
An indication that an event, or a sequence of events, requires further investigation.
The enVision platform sends alerts based on messages received under a configured set
of circumstances such as filters. The administrator defines alerts for each view.
Alert History tool
The RSA enVision tool that is used to display alerts from the events database.
Alerts module
The RSA enVision module that provides tools to monitor, display, and configure
alerts.
Analysis module
The RSA enVision module that provides tools to view, query, and analyze collected
data.
appliance
The hardware on which RSA enVision software is deployed. See single appliance site
and multiple appliance site.
Application Server (A-SRV)
The appliance or component of the RSA enVision platform that supports interactive
users and runs the suite of enVision analysis tools. In a single appliance site, the
Application Server (A-SRV) is a component of the enVision system. In a multiple
appliance site, the A-SRV is installed on its own appliance. See single appliance site
and multiple appliance site.
asset
A system, such as a host, software system, workstation, or device, that is within a
network and makes up the enterprise environment.
Asset Database (ADB)
A unified view of assets created by merging data from supported vulnerability
assessment (VA) tools and imported asset information in the asset tracking tools. The
ADB provides security managers with insight into their operations.


attribute category
A group of categories defined by the RSA enVision platform for device and asset
attributes. The nine categories are properties, location, organization, owner, physical,
function, importance, vulnerability, and zone. Users can define custom categories.
bind report
A group of reports that can be scheduled to run as a single report.
collection
The process of collecting, analyzing, and storing logs from event sources. The
RSA enVision platform stores the logs, with descriptive metadata, in the Log Smart
Internet Protocol Database (IPDB).
Collector
The appliance or component of the RSA enVision platform that captures incoming
events. In a single appliance site, the Collector is a component of the enVision system.
In a multiple appliance site, the Collector is installed on its own appliance.
Common Storage Directory (CSD)
A single directory that contains the configuration and statistical information for data
collected on a site. The Common Storage Directory (CSD) can be located on a single
appliance site, on the Database Server of a multiple appliance site, or on the Remote
Collector of a distributed system.
computer name
See node.
confidence level filtering
A filter, defined by the administrator, that sets how far a supported intrusion
detection system (IDS) or intrusion prevention system (IPS) is trusted for accuracy
and applicability. The confidence level determines whether a message from an IDS
or IPS should be treated as an alert.
Configuration database (nic.db)
A repository that stores a user's configuration settings, such as user information,
permissions, and views.
correlation
A relationship between a set of events and a set of specific conditions.
D-SRV
See Database Server.
Database Server (D-SRV)
The appliance or component of the RSA enVision platform that manages access and
retrieval of captured events. In a single appliance site, the Database Server (D-SRV) is
a component of the enVision system. In a multiple appliance site, the D-SRV is
installed on its own appliance. See single appliance site and multiple appliance site.
device
See event source.
device class
Identifies the classification of the event source. A device class provides a framework
for organizing event sources by their general function.
device type (dtype)
An assigned internal name for an event source that is used by RSA enVision tools and
utilities. The dtype value is displayed on the enVision interface, reports, and queries.
EA
See Enhanced Availability.
Enhanced Availability (EA)
A site with Enhanced Availability (EA) is a multiple appliance site where the Local
Collector (LC) functionality runs on Cluster Appliances (CAs).
EPS
See events per second.
event category
System-defined or administrator-defined group of messages for alerting and reporting
that is assigned across device classes.
Event Explorer
RSA enVision module that provides advanced tools for analysis of real-time and
historical data. These tools allow users to sift through logged data and apply security
forensics.
event source
An asset such as a physical device, software, or appliance that produces a message
(log) and is configured to send the log to the RSA enVision platform. Event sources
include firewalls, VPNs, antivirus software, operating systems, security platforms,
routers, and switches.
events per second (EPS)
Events captured per second by the RSA enVision platform.
incident escalation
See task escalation.
incident management
See task triage.
IPDB
See LogSmart IPDB.
LC
See Local Collector.
Local Collector (LC)
A component of an RSA enVision multiple appliance site that captures incoming
events. A multiple appliance site can have up to three Local Collectors (LCs). See
multiple appliance site.
LogSmart IPDB
The LogSmart Internet Protocol Database (IPDB) stores internet protocol-based
information, storing each source element in a separate container. Each log data
message is identified by the IP address of the event source from which the message
originated. The LogSmart IPDB maps this IP address to the originating event source
and determines the format of the incoming message. The log message is the metadata
that describes the event.
message category
A group of messages. Message categories are hierarchical, consisting of up to five
levels: a NIC category, an alert category, and up to three levels of event category.
message variable
Defines a type of data that is extracted from message payloads. Message variables are
useful when analyzing and reporting on data.
monitored device
A supported event source that has been configured to send event messages to the
RSA enVision platform. The enVision platform collects and stores events from
monitored devices.
multiple appliance site
An RSA enVision site in which each enVision component (Application, Collector, and
Database) is on its own appliance.
NIC
The acronym used to label many essential RSA enVision components, services, and
tools.
NIC database
See Configuration database (nic.db).
NIC domain
A group of multiple appliance sites that constitute an organization's entire deployment
of the RSA enVision platform. One site acts as the NIC domain master site.
NIC message ID
A number that identifies a message. This number may or may not be the same as the
vendor message ID.
NIC System device
Generates event messages to indicate the health and activity of the RSA enVision
platform, such as disk space usage, current EPS, data retrieval statistics, and user
activity messages.
NIC_View
Allows users to monitor the health of the RSA enVision system. The NIC_View alerts
users to problems within the enVision software environment.
node
An appliance in an RSA enVision site.
output action
Configured notification method for alerts. The primary output actions are SMTP,
SNMP, SNPP, Instant Messenger, syslog, run a command, text file, and task triage.
Overview module
The RSA enVision module that provides tools to configure the enVision platform and
monitor system health and performance.
RC
See Remote Collector.
Remote Collector (RC)
An optional component of an RSA enVision multiple appliance site that captures
incoming events at a remote location. A Remote Collector (RC) runs on its own
appliance. Up to 16 RCs can be associated with a site.
Reports module
The RSA enVision module that provides tools to run standard network security and
traffic analysis reports, or create and run custom reports.
single appliance site
An RSA enVision site in which all enVision components (Application, Collector, and
Database) are on one appliance.
site
The basis on which the RSA enVision platform is deployed. Each site consists of three
main components: Application Server, Collector, and Database Server.
site name
The name of the site, defined during the configuration of the RSA enVision platform.
standard report
Reports that are supplied within the RSA enVision platform for compliance,
correlated alerts, event sources, as well as for task triage, and vulnerability and asset
management.
task escalation
A function that allows users to send tasks to an external application, such as a
ticketing system, for offline investigation.
task triage
A feature that allows users to group events into tasks for the purpose of investigation.
Tasks can be further analyzed in the RSA enVision Event Explorer module, escalated
to an external ticketing system, or both.
trace view
A set of parameters that define the information that is displayed in the form of tables
and charts. The two forms of trace views are standard and advanced trace views.
UDC
See Universal Device Collection.
Universal Device Collection (UDC)
Allows the RSA enVision platform to collect log data from any event source that logs
through SNMP, ODBC, or File Reader.
VAM
See vulnerability and asset management.
VDB
See Vulnerability Knowledge Database.
view
An administrator-defined set of event sources, messages, correlation rules, and
criteria, within a single site, for which the RSA enVision platform issues alerts.
vulnerability and asset management
A feature that provides unified management of assets and vulnerability incident
analysis.
Vulnerability Knowledge Database (VDB)
An embedded repository of vulnerability information derived from the National
Vulnerability Database (NVD).
watchlist
A named collection of strings that represent a list of like values. A watchlist can
function as a filter for events in reporting and alerting.
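As an added illustration of two of the definitions above, collection keyed by the event source's IP address (the LogSmart IPDB entry) and a watchlist used as a filter for alerting, the following Python model is not RSA enVision code and does not reproduce its internal formats or device types. The source IPs, dtype names, payload formats, parsers and log lines are all constructed for the example.

```python
"""Added illustration (not RSA enVision code) of two glossary concepts:
collection keyed by the event source's IP address, as the LogSmart IPDB entry
describes it, and a watchlist used as a filter for alerting.
Every IP, dtype name, message format and log line below is constructed."""
import re
from collections import defaultdict

# Assumed event-source registry: source IP -> (dtype, payload format).
# The dtype strings are hypothetical, not enVision's real device-type names.
EVENT_SOURCES = {
    "10.0.0.1": ("fw_example", "asa"),
    "10.0.0.2": ("os_example", "kv"),
}

ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)")


def parse_asa(raw):
    """Parse a Cisco ASA style '%ASA-sev-msgid: text' payload."""
    m = ASA_RE.search(raw)
    if m is None:
        return None
    return {"severity": int(m.group("sev")),
            "msgid": m.group("msgid"),
            "text": m.group("text")}


def parse_kv(raw):
    """Parse a 'key=value key=value' payload."""
    fields = dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)
    return fields or None


PARSERS = {"asa": parse_asa, "kv": parse_kv}


def collect(store, src_ip, raw):
    """Store one raw message: the source IP selects the event source, which
    selects the parser; the parsed fields become the metadata kept with the log.
    Messages from unregistered IPs, or that fail to parse, are set aside rather
    than guessed at, so a sender cannot pick its own parser by faking a payload."""
    source = EVENT_SOURCES.get(src_ip)
    if source is None:
        store["unknown"].append((src_ip, raw))
        return None
    dtype, fmt = source
    fields = PARSERS[fmt](raw)
    if fields is None:
        store["unknown"].append((src_ip, raw))
        return None
    event = {"src_ip": src_ip, "dtype": dtype, "raw": raw, **fields}
    store[src_ip].append(event)  # one container per event source
    return event


def watchlist_filter(events, watchlist, field):
    """Return the events whose `field` value is on the watchlist.
    Matching is exact and case-insensitive."""
    wanted = {v.lower() for v in watchlist}
    return [e for e in events if str(e.get(field, "")).lower() in wanted]


# Constructed sample input: (source IP, raw payload)
SAMPLE = [
    ("10.0.0.1", "%ASA-6-302013: Built outbound TCP connection"),
    ("10.0.0.2", "EventID=4625 user=svc_backup src=192.0.2.10"),
    ("10.0.0.2", "EventID=4624 user=jdoe src=198.51.100.7"),
    ("10.0.0.9", "message from a host that is not a monitored device"),
]


def run(sample=SAMPLE, watchlist=("svc_backup", "admin")):
    """Collect the sample and apply a watchlist on the 'user' field."""
    store = defaultdict(list)
    events = [e for e in (collect(store, ip, raw) for ip, raw in sample) if e]
    alerts = watchlist_filter(events, watchlist, "user")
    return store, events, alerts


if __name__ == "__main__":
    store, events, alerts = run()
    print(f"{len(events)} events stored, {len(store['unknown'])} set aside, "
          f"{len(alerts)} watchlist hit(s)")
```

The point of keying on the source IP rather than on anything inside the payload is that the registry, not the sender, decides which parser runs; a message from an address that is not a monitored device is kept aside for review instead of being parsed on a guess.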

Index
A
alerts
accessing in database, 44
Alert History tool, 44–46
described, 35
history, 44
in Enterprise Dashboard, 37
managing alerts, 35
monitoring incoming alerts, 42–43
Real-Time Details, 42
reviewing details, 44–46
severity levels, 42–43
status, changing, 45–46
troubleshooting, 63

C
changing your password, 13–14
collections
described, 36
icons, 39
Customer Support, 6

D
Dashboard
customizing, 31
described, 29
designing, 31
examples, 32–34
report categories, 30
troubleshooting, 62

E
Enterprise Dashboard tool
described, 37
icons, 39
list mode, 41
map mode, 40
toggling between modes, 42
EPS. See events per second
Event Viewer tool
described, 21
severity levels, 23
troubleshooting, 62
events per second (EPS)
Collector EPS rates, 15
described, 15
limits, 15
monitoring rates, 17
peak, 16
events. See incoming events

G
graphing events
by time, 26
by type, 25

H
help desk, 6
historical data
accessing, 47
alerts, 44
described, 47
queries, 48–51
reports, 52–60
tools, 47

I
incoming events
copying, 25
described, 21
displaying, 24
graphing by time, 26
graphing by type, 25
severity levels, 23
Internet Protocol Database (IPDB), 47
IPDB. See Internet Protocol Database
issues, 61

L
log off, 11
log on, 10
logon issues, 61

M
modifying user information, 13–14
monitoring
EPS rates, 17
incoming alerts, 42–43
incoming events, 24
peak severity, 40–41
peak status, 42

P
passwords, changing, 13–14
peak status
described, 37
of a collection, 37
of a view, 42

Q
queries
creating, 50
described, 48–49
running, 51
troubleshooting, 63
Query tool
described, 48–49
troubleshooting, 63

R
Real-Time Details
described, 42
severity levels, 42–43
troubleshooting, 63
real-time events, 24
reports
ad hoc, 53–55
categories, 52
described, 52
displaying, 59–60
running, 53–55
scheduled, 59–60
scheduling, 56
standard reports, 52
troubleshooting, 64
unscheduled, 53–55
viewing, 59–60
Reports tool
described, 52
troubleshooting, 64

S
severity levels
icons, 39
in Enterprise Dashboard, 39
in Event Viewer, 23
Real-Time Alert Details, 42–43
support, technical, 6
System Performance tool, 15

T
technical support, 6
troubleshooting, 61

U
user tasks, 9–10
users
changing passwords, 13–14
described, 9
modifying information, 13–14
tasks, 9–10

V
views
described, 36
icons, 39
