Article Number
000031179
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA), Reporting Engine, Security Analytics UI
RSA Version/Condition: 10.4.1.0
Platform: CentOS
O/S Version: EL6
RSA Product/Service Type: Event Stream Analysis (ESA), Reporting Engine, Security Analytics UI
RSA Version/Condition: 10.4.1.0
Platform: CentOS
O/S Version: EL6
Task
Example:
User wants to get information about blacklisted IP addresses in order to have a list with the IP addresses in the Reporting Engine.
He then wants to get ESA alerts based on events matching this Blacklisted IP list.
ESA rules only work with meta so as a workaround it is possible to use the 'In Memory Enrichment feature' in ESA in order to refer to this Blacklist IP list on the ESA Module.
To do this, the steps below must be followed.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
User wants to get information about blacklisted IP addresses in order to have a list with the IP addresses in the Reporting Engine.
He then wants to get ESA alerts based on events matching this Blacklisted IP list.
ESA rules only work with meta so as a workaround it is possible to use the 'In Memory Enrichment feature' in ESA in order to refer to this Blacklist IP list on the ESA Module.
To do this, the steps below must be followed.
- Export the Reporting Engine list, as shown below.
Image description
Image description
- Add an In-Memory Table as an Enrichment Source on the ESA.
Image description
- Import the Blacklisted IP's file as a csv file by using the Import button on the In-Memory Table screen.
Image description
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Notes
For more information on the In-Memory Enrichment Table, refer to the Security Analytics User Guide.
In this article
