You can create the CCS ESM checks using the Check Builder wizard.
The Check Builder wizard provides you with the following options to create checks:
The check execution process in ESM includes the following:
The CCS evaluation engine checks if the ESM agent reports the security messages that the corresponding CCS ESM check generates.
If the ESM agent reports security messages, then the CCS check is reported as "Fail."
In case of a failed check, the evidence report includes the following:
The ESM message title
The message name
The message information
If the ESM agent does not report any security message, then the CCS evaluation engine checks if the agent reports any error message.
If the ESM agent reports error messages, then the CCS check is reported as "Unknown" and the evidence report includes the ESM error messages.
If the ESM agent does not report any security message or any error message, then the CCS check is reported as "Pass."
Note: You must include the policy name and the module name in the data filter when you create an expression in an ESM check. The ESM data collector uses the policy name and module name that you specify when it collects data for the checks.
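The evaluation order described above can be modeled as follows. This is an added example, not CCS or ESM code: the `AgentMessage` fields, the "security"/"error" labels, and the sample policy, module, and message values are all constructed for illustration. It shows that security messages take precedence over error messages, and that only messages matching the policy name and module name in the data filter are considered.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentMessage:
    # Hypothetical record shape for one message reported by an ESM agent.
    policy: str
    module: str
    kind: str          # "security" or "error" (labels assumed for this model)
    title: str
    name: str
    information: str

def evaluate_check(messages, policy, module):
    """Return (result, evidence) using the order the page describes."""
    # Data filter: keep only messages for the named policy and module.
    scoped = [m for m in messages if m.policy == policy and m.module == module]

    # Step 1: any security message means "Fail"; evidence carries
    # the message title, name, and information.
    security = [m for m in scoped if m.kind == "security"]
    if security:
        return "Fail", [
            {"title": m.title, "name": m.name, "information": m.information}
            for m in security
        ]

    # Step 2: error messages are examined only when no security message exists.
    errors = [m for m in scoped if m.kind == "error"]
    if errors:
        return "Unknown", [m.information for m in errors]

    # Step 3: neither security nor error messages were reported.
    return "Pass", []

# Constructed sample data (not real ESM output).
SAMPLE = [
    AgentMessage("Baseline", "Password Strength", "security",
                 "Password too short", "EXAMPLE_SHORT_PW", "user=svc_backup"),
    AgentMessage("Baseline", "Password Strength", "error",
                 "Module error", "EXAMPLE_ERR", "could not read password file"),
    AgentMessage("Baseline", "Account Integrity", "error",
                 "Module error", "EXAMPLE_ERR", "agent timed out"),
]

if __name__ == "__main__":
    for mod in ("Password Strength", "Account Integrity", "File Attributes"):
        print(mod, evaluate_check(SAMPLE, "Baseline", mod))
```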
See Creating a CCS ESM check by using the Quick Check Builder option
See Creating a CCS ESM check by using the Advanced Check Builder option