In this course, you will learn the RSA enVision functions and data flows. You will learn the essentials of data collection, event management, alerting, and reporting. You will practice creating views, queries, correlated alerts, reports, watchlists, and event traces.

Through hands-on labs, you will explore how to create and deploy event-source support files for unknown devices using the Event Source Integrator (ESI) tool, thereby extending the compliance and security capabilities provided by enVision.

What You'll Learn

• Basic enVision data flows
• Collect data from event sources and configure enVision
• Create users
• View data in real time and from an historical perspective
• Create queries and various types of reports
• Create and manage dashboard reports
• Create alerts and correlated rules
• Set up an enterprise dashboard
• Create a watchlist
• Manage vulnerabilities and assets
• Back up data and obtain content updates
• Create and manage incidents
• Investigate incidents using event traces
• Event-source-integration process
• Collection methods for different types of logs
• Extract events from an unknown event source
• EventSource Integrator (ESI) tool

Who Needs to Attend

System, security, or help desk personnel who need to administer the RSA enVision product

Prerequisites

Functional knowledge of computer operations and networking fundamentals

Follow-On Courses

• RSA enVision Advanced Administration

Course Outline

1. RSA enVision

• Functions of the RSA enVision product and its primary components
• Operational data flows
• Services

2. enVision Configuration and Data Collection

• Tour the user interface for management functions
• Management of monitored devices and assets
• Creating users

3. Monitoring Event Data

• Using the event viewer to view real-time data
• Using the query function to define and refine data-retrieval parameters

4. Reporting

• Using RSA enVision to monitor and retrieve historical data for use in compliance and policy reporting
• Report creation and scheduling
• Report customization
• Dashboard reports

5. Alerting

• Correlating certain events to trigger an alert
• Creating basic and correlated Alerts

6. Enterprise Dashboard

• Functions and how to manage the Dashboard layout

7. Watchlists

• Use of the Watchlist function to filter events for alerting and reporting purposes

8. Vulnerability and Asset Management

• Vulnerability and asset management functionality to use information about enterprise assets and known vulnerabilities in conjunction with IDS systems

9. enVision Maintenance

• Backup and restore methodologies and recommendations
• Event-source updates

10. Incident Handling

• enVision Event Explorer feature to retrieve and analyze data
• Using Incident Management functionality to create, view, and refine incidents
• Using Event Traces for incident investigation

11. Principles of Logging

• Events vs. log messages
• Organizing log messages
• Using syslog protocol in enVision
• Identifying the structure of support files

12. Log Collection Methods and Formats

• enVision's alternative log-collection methods
• Using a particular collection service
• Setting up an alternative collection service
• Extracting log files

13. Creating Support Files

• EventSource Integrator (ESI)
• Headers and payloads defined in ESI
• Creating support files for an unknown event source
• Creating and deploying the event source packageTesting the event source integration

Labs

In addition to lecture and demonstrations, this course includes hands-on labs designed to give you practical experience.