Confidence Filtering
Originally Published: 2013-06-26
Issue
What is confidence filtering and how do I configure it in Envision?
Resolution
For example, suppose you receive a message from your Cisco Secure IDS XML device reporting that it believes it saw an intrusion attempt. You might normally configure a correlated alert that watches for any message from that device and fires whenever one arrives.
enVision can instead calculate a Confidence level for the message (how confident we are that this is really an attack): Low means we are not very confident that this IDS message represents a real intrusion attempt, High means we are very confident that it is an attack, and Medium covers messages that fall in between. The Confidence level is derived from a field in the message XML combined with the vulnerability data held for the asset in the Asset database.
When configuring the filter, you must select at least one field that contains an IP address (Source, Destination, etc.). To calculate the Confidence level, enVision first checks the message XML from the IDS device for a vidx field. If it is present, it then checks whether the IP address in the selected message field appears in the Asset database. If both are present, the value of the vidx field is used as a bit index into the cv_mask and nav_mask fields of the AFP table row for that IP address, and the Confidence level is set as follows:
- cv_mask bit is set to TRUE (1): set the Confidence level to HIGH
- nav_mask bit is set to TRUE (1): set the Confidence level to LOW
- Both the cv_mask and nav_mask bits are FALSE (0): set the Confidence level to MEDIUM
There is never a condition when both fields are set to TRUE.
For any other situation, such as when the message XML does not have the vidx field or the selected IP address does not appear in the Asset database, the Confidence level is set to MEDIUM.
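The following is an added example, not enVision's own code, that walks through the lookup described above: it reads the vidx field and the selected IP address from the message XML, finds the matching row in a stand-in for the AFP table, and tests the vidx bit in cv_mask and nav_mask to derive the Confidence level. The XML element names (event, src, dst, vidx), the contents of the asset table, and the treatment of cv_mask and nav_mask as integer bit sets are assumptions made for the example; the real Cisco IDS schema and enVision table layout are not shown on this page. The multi-field helper follows the page's unconfirmed note that the higher confidence wins when several IP fields are selected, and is labelled as such.

```python
import xml.etree.ElementTree as ET
from enum import IntEnum
from typing import Mapping, Optional, Sequence

# Assumption: cv_mask / nav_mask are stored as integers whose bit N says
# whether the asset is (cv) confirmed vulnerable or (nav) confirmed not
# vulnerable to IDS vulnerability index N.
class Confidence(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed stand-in for the AFP table rows, keyed by asset IP address.
AFP_TABLE = {
    "10.0.0.5": {"cv_mask": 0b0101, "nav_mask": 0b1000},  # vuln 0,2 confirmed; vuln 3 ruled out
    "10.0.0.7": {"cv_mask": 0b1000, "nav_mask": 0b0000},  # vuln 3 confirmed
    "10.0.0.9": {"cv_mask": 0b0000, "nav_mask": 0b0000},  # no vulnerability data
}


def parse_event(xml_text: str) -> dict:
    """Parse a constructed IDS message into a flat dict of field -> text.

    Assumption: the message is a single <event> element with child elements
    named after the fields (src, dst, vidx, ...)."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def bit_set(mask: int, idx: int) -> bool:
    return (mask >> idx) & 1 == 1


def confidence_for(event: Mapping[str, str], ip_field: str,
                   afp: Mapping[str, dict] = AFP_TABLE) -> Confidence:
    """Compute the Confidence level for one selected IP field.

    Any condition the page lists as "other" (missing vidx, unparseable vidx,
    IP not in the asset table) yields MEDIUM."""
    vidx_text = event.get("vidx")
    if vidx_text is None:
        return Confidence.MEDIUM
    try:
        vidx = int(vidx_text)
    except ValueError:
        return Confidence.MEDIUM
    if vidx < 0:
        return Confidence.MEDIUM

    row = afp.get(event.get(ip_field, ""))
    if row is None:
        return Confidence.MEDIUM

    cv = bit_set(row["cv_mask"], vidx)
    nav = bit_set(row["nav_mask"], vidx)
    if cv and nav:
        # The page states this never happens; treat it as corrupt asset data.
        raise ValueError(f"cv_mask and nav_mask both set for vidx {vidx}")
    if cv:
        return Confidence.HIGH
    if nav:
        return Confidence.LOW
    return Confidence.MEDIUM


def confidence_for_fields(event: Mapping[str, str], ip_fields: Sequence[str],
                          afp: Mapping[str, dict] = AFP_TABLE) -> Confidence:
    """Assumption (page marks this as unconfirmed): with several IP fields
    selected, the highest confidence among them is used."""
    return max(confidence_for(event, f, afp) for f in ip_fields)


# Constructed sample messages.
EVENT_HIGH = parse_event("<event><src>10.0.0.5</src><dst>10.0.0.9</dst><vidx>2</vidx></event>")
EVENT_LOW = parse_event("<event><src>10.0.0.5</src><dst>10.0.0.7</dst><vidx>3</vidx></event>")
EVENT_NO_DATA = parse_event("<event><src>10.0.0.9</src><dst>10.0.0.5</dst><vidx>1</vidx></event>")
EVENT_NO_VIDX = parse_event("<event><src>10.0.0.5</src><dst>10.0.0.9</dst></event>")
EVENT_UNKNOWN_IP = parse_event("<event><src>192.168.1.1</src><vidx>2</vidx></event>")

if __name__ == "__main__":
    for name, ev in [("high", EVENT_HIGH), ("low", EVENT_LOW), ("no_data", EVENT_NO_DATA),
                     ("no_vidx", EVENT_NO_VIDX), ("unknown_ip", EVENT_UNKNOWN_IP)]:
        print(name, confidence_for(ev, "src").name)
```

Using the source field only, the first message scores HIGH (vidx 2 is set in cv_mask for 10.0.0.5) and the second scores LOW (vidx 3 is set in nav_mask for the same asset); when both source and destination are selected for the second message, the destination 10.0.0.7 has vidx 3 in cv_mask, so the assumed higher-wins rule lifts the result to HIGH.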
If the user picks two or more fields to be compared, I believe we err on the side of caution and default to the higher severity (needs to be confirmed).