McAfee SIEM POC Setup Guide (9.4)
McAfee SIEM
Security Information & Event Management Platform
Proof of Concept Setup Guide
V2.0
Jul 2014
Introduction
This document is intended to provide a walkthrough of the steps necessary to complete a McAfee
SIEM installation as part of an evaluation/proof of concept. It outlines the best practices to ensure a
successful demonstration of the ease-of-use and rapid value delivered from the platform.
Table of Contents
Proof of Concept Setup Guide ... 1
McAfee SIEM ... 1
A McAfee SIEM Architecture Primer ... 4
ESM - Enterprise Security Manager ... 4
REC - Event Receiver ... 4
ELM - Enterprise Log Manager ... 4
ESM/REC/ELM ... 5
ACE - Advanced Correlation Engine ... 5
ADM - Application Data Monitor ... 5
DEM - Database Event Monitor ... 5
Getting to Know the Intel Hardware ... 6
Standard 2U Appliance Rear ... 6
Front Bezel ... 6
Installation and Configuration of VM Images ... 7
Step 1: Initial Power-Up and Configuration ... 13
Step 2: Connecting to the ESM via Web GUI ... 14
Step 3: Completing the Initial ESM Configuration Wizard ... 15
Step 4: Performing a Manual Rules Update ... 18
Step 5: Configuring Event, Flow and Log Retrieval Polling Interval ... 19
Step 6: Configuring ESM Data Allocation Policy ... 20
Step 7: Configuring ESM SMTP Mail Settings ... 21
Step 8: Configuring ESM Backup Settings [Optional] ... 22
Step 9: Adding (Keying) Additional SIEM Appliances ... 23
Step 10: Configuring Event Inactivity Settings ... 25
Step 11: Adjusting Default Port Index Settings ... 26
Configuring Common Data Sources for Event Collection ... 27
Configuring a SYSLOG Data Source ... 27
Creating a Windows Data Source Profile ... 30
Configuring a Windows Data Source ... 31
Creating a McAfee ePolicy Orchestrator Data Source ... 34
Configuring Advanced ePO Integration ... 40
Preparing for a SIEM Software Update ... 44
Performing a SIEM Software Update (ESM) ... 45
Performing a SIEM Software Update (REC, ELM, ACE, ADM, DEM) ... 48
Configuring Event-Specific Aggregation ... 50
Configuring Rule-Based Correlation on an Event Receiver ... 57
Connecting the SIEM to a Windows Domain Controller ... 58
2. Pull event/log data is collected from the data source using SQL, WMI, etc.
3. Agent data sources are configured to send event/log/flow data using a small-footprint agent such as SNARE, Lasso, OPSEC, etc.
The Event Receiver can also be configured to collect scan results from existing vulnerability assessment platforms such as McAfee MVM, Nessus, Qualys, eEye, Rapid7, etc. In addition, the REC supports the configuration of rule-based event correlation as an application running on the Receiver.
McAfee Event Receivers come in physical appliances with EPS ratings ranging from 5k to 22k events per second as
well as VM-based models with event collection rates ranging from 250 to 1k EPS.
Multiple REC appliances (or VM platforms) can be deployed centrally to provide a consolidated collection
environment or can be geographically distributed throughout the enterprise. Typical deployment scenarios will
locate an Event Receiver in each of several data centers, all of which will feed their collected events back to a
centralized ESM (or to multiple ESM appliances for redundancy and disaster recovery purposes).
ELM - Enterprise Log Manager
The McAfee ELM stores the raw, litigation-quality event/log data collected from data sources configured on Event
Receivers. In SIEM environments where compliance is a success factor, the ELM is used to maintain event chain of
custody and ensure full non-repudiation.
In addition to providing compliant-quality raw event archival, the ELM also supports the full-text index (FTI) for all
event details. The McAfee SIEM supports the ability to perform ad-hoc searches against the unstructured data
maintained in the archive.
ESM/REC/ELM
The ESMRECELM - also called an All-in-One (AIO) or a combo box - provides the combined functions of the
McAfee Enterprise Security Manager (ESM), Event Receiver (REC) and Enterprise Log Manager (ELM) in a single
appliance.
As most SIEM POC deployments are intended to showcase functionality rather than performance, the
ESMRECELM is commonly used to demonstrate the features and ease of use delivered by the McAfee SIEM. It
can be deployed with minimal disruption (single appliance, minimal rack space and power, single network
connection and IP address).
In larger POC or production SIEM environments, a combo box may be inadequate to handle the sizable EPS
performance requirements of an enterprise. The largest ESMRECELM peaks at 5k EPS and provides no local
storage for ELM archive but instead requires supplemental storage by means of a SAN connection, NFS or CIFS
share.
ACE - Advanced Correlation Engine
The ACE provides the SIEM with unmatched advanced correlation capabilities that include both rule- and risk-based
options. In addition to performing real-time analysis, the ACE can be configured to process historical event/log data
against the current set of rule and risk profiles. The ACE provides native risk scoring for GTI (for SIEM) and MRA-enabled customer environments. It also allows custom risk scoring to be configured to highlight threats performed against high-value assets, sensitive data and/or by privileged users.
Typical production SIEM deployments will include two ACE appliances: one performing real-time rule and risk correlation and another configured for historical rule and risk correlation of events.
ADM - Application Data Monitor
The ADM provides layer 7 application decode of enterprise traffic via four promiscuous network interfaces. It is used
to track transmission of sensitive data and application usage as well as detect malicious, covert traffic, theft or
misuse of credentials and application-layer threats.
Not to be confused with a true DLP, the integration with the SIEM provides advanced forensics value by preserving
full transactional detail for sessions violating the user-defined policy managed from within the McAfee ESM common
user interface. Complex rule correlation can leverage policy violation or suspicious application usage events to
identify potential security incidents in real-time.
DEM - Database Event Monitor
The DEM provides a network-based solution for real-time discovery and transactional monitoring of database activity
via two or four promiscuous network interfaces. It works in lieu of or in parallel with the McAfee (Sentrigo) agent-based database activity solution to provide comprehensive, transaction-level database monitoring of user or application DB usage.
10
7. VGA Video
8. RAID NIC
9. USB Ports
Front Bezel
1. Power Button
2. Bezel Lock
2.
3. Browse to the location of the VM SIEM appliance and select the .ovf file.
4.
5.
The OVF Template Details window displays the Product, Download size and Size on disk (both thin and thick
provisioned) for the selected virtual SIEM image.
The Name and Location window allows the unique naming of the virtual SIEM image as well as the location in the
ESX inventory.
7.
8. From the Resource Pool window, select the appropriate ESX resource pool within which you wish to deploy the virtual SIEM template.
9.
10. From the Storage window, select an appropriate destination for the virtual SIEM image. Make certain you select a
location that has sufficient free disk space to host the entire guest image.
12. From the Disk Format window, choose Thick Provision Eager Zeroed.
16. From the Deploy OVF Template Summary window, confirm the virtual SIEM appliance configuration options.
19. Once the OVF template has been fully deployed, a Success dialog box
will indicate completion.
21. To make additional changes to the virtual SIEM appliance guest configuration, click
Edit virtual machine settings.
NOTE: Each guest virtual SIEM image has a maximum Memory and CPU core limit that cannot be exceeded. It is possible to configure values from the minimum of 8 GB memory and 8 CPU cores to the maximum allowed for the OVF image.
Connect the power supplies to a properly grounded outlet (preferably on a sufficient Uninterruptable Power
Supply).
2.
3.
4.
ii.
iii. Using the arrow keys on the keyboard, scroll down to MGMT IP Config. Press Enter.
iv. Configure the MGT 1 IP address using the keyboard (accepts numeric entry).
v.
vi.
vii.
NOTE: The remaining network configuration (DNS, etc.) can be entered through the GUI.
Repeat the initial configuration process for all remaining appliances.
RAM 1.5GB
2. Click the Login link on the page that opens. The McAfee ESM application will load and prompt you for a username and password.
5.
6.
7.
8.
9.
14. Next, a dialog box will open with the following message:
15. Click OK. The McAfee ESM Startup screen will open.
Select the system logging language and the time zone setting for the NGCP user.
2.
3. Enter the appropriate DNS values for the ESM to perform name resolution.
4.
5. If a proxy server is required for the ESM to communicate to the Internet, enter the appropriate proxy server settings.
6.
7. If additional static routes are required for the ESM to communicate, add them from the current screen.
8.
9. If a local Time Server is available, replace the default NTP server IP addresses with a valid network time server address.
From the Rules and Software window, click the Manual Update button.
A file upload window will open.
3. Next, browse to the location of the rule update file from Step 1 and click Upload.
When the rule update has completed you may see the following pop-up dialog window:
NOTE: This dialog may also appear upon future logins to the SIEM after rule updates have been recently applied.
To confirm the last successful update of new rules, check the status on the ESM System Properties window.
Click the ESM System Properties button in the upper right of the interface.
2. Click Events, Flows and Logs. The Events, Flows and Logs window will open.
3.
4.
Click OK.
Click the ESM System Properties button in the upper right of the interface.
2. Select the Database menu from the list of options on the left, then click the Data Allocation button.
3. In the Data Allocation window that opens, configure the appropriate event:flow ratio by sliding the arrow right or left. Right indicates a higher ratio of event data; left indicates a higher ratio of flow data.
4. Click OK.
From the ESM System Properties window, select the Email Settings menu option.
2. Enter the necessary configuration settings including the email host, SMTP port, TLS (if required by the SMTP server), username/password, title (to be used in the email message subject line) and the from address.
3. Confirm the SMTP settings are correct by pressing the Send Test Email button and providing a destination email account to which the test email will be sent.
4.
From the ESM System Properties window, select the System Information menu option.
2. Click Backup & Restore. The Backup & Restore window will open.
3.
4.
5. Select the radio button for Remote Location and provide the necessary CIFS/NFS location details including the remote IP address, share name, path, and credentials (CIFS only).
6. Confirm the ESM can communicate to the remote location using the Test Connection button.
Click the Add Device button from the Actions Toolbar in the upper right of
the user interface.
NOTE: The Actions Toolbar is context-sensitive and will change based on the
object selected in the system tree. Be certain to have either the Physical
Display or the Local ESM selected for this step.
2.
3.
4. Provide a unique name for the device being added. This will be the name used in the System Tree.
5.
6.
8.
9.
NOTE: If during the keying process an error dialog is displayed claiming the SSH
connection failed or a similar error message, follow these steps to troubleshoot.
1. Confirm that network link connectivity exists between the new device (MGMT NIC 1) and a working switch port.
2. Confirm that the network switch port connecting the ESM and the switch port connecting the new device are either on the same VLAN or, if separated by a layer 3 device, that the appropriate routing is configured to support communication between the two devices.
3. If the ESM and the device being added are separated by a firewall or IPS, make certain there are no traffic rules that would prevent communication over the designated port (default: 22).
4. If the POC deployment is taking place in an ESX-based virtualized environment, it may be necessary to simply repeat the keying process a second time. In many cases, the first attempt creates the ARP entry in the vswitch, but not until the second attempt will traffic be passed between the ESM and the new SIEM device, permitting the proper key exchange.
Click the System Properties button in the upper right of the interface.
2. Click Events, Flows & Logs. The Events, Flows & Logs window will open.
3.
4. Place a check in the Inherit option box for the ESM object. This will force all devices and subsequent data sources added to the SIEM to inherit the System Inactivity Threshold, which is set to Days: 0, Hours: 0, Minutes: 0.
This effectively disables the SIEM Inactivity health status warnings.
Click the System Properties button in the upper right of the interface.
2. Click Database.
3.
4. Click the word Custom under the Events/Port heading. An option box will open.
5.
6. Repeat the process for Flows/Port, modifying the setting from Custom to All.
7. Click OK.
Configure the Linux Data Source to forward all necessary events and logs to the IP address assigned to the
Event Receiver. Refer to the vendor-supplied instructions for each Data Source to determine the appropriate
steps necessary to perform this event forwarding.
2.
3.
4.
5.
6.
7.
8.
9. A dialog box will open warning that a Policy Rollout will be required for this Data Source to properly function. Click Yes.
10. A dialog box will open indicating that the new Data Source configuration must be written to the Receiver. Click Yes.
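Step 1 of this procedure leaves the forwarding itself to each vendor's instructions. As an added example that is not part of this guide or of the product, the Python script below builds a BSD-style (RFC 3164) syslog line with the correct PRI value and sends it to the Event Receiver over UDP port 514, which is a quick way to confirm that the Receiver is reachable from a data source host before troubleshooting a data source that shows no events in the ESM. The Receiver address 10.0.0.50, the hostname linux-host01 and the sshd message are constructed placeholders.

```python
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1 (subset)
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16, "local1": 17}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility, severity):
    """PRI value carried in the <PRI> header: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rfc3164_timestamp(t):
    """'Mmm dd hh:mm:ss' with a space-padded day, e.g. 'Jul  4 12:00:00'."""
    return "%s %2d %s" % (t.strftime("%b"), t.day, t.strftime("%H:%M:%S"))


def build_syslog_message(facility, severity, hostname, tag, content, when=None):
    """Assemble one BSD-style line: <PRI>TIMESTAMP HOSTNAME TAG: CONTENT."""
    stamp = rfc3164_timestamp(when or datetime.now())
    return "<%d>%s %s %s: %s" % (pri(facility, severity), stamp, hostname, tag, content)


def parse_pri(line):
    """Decode the <PRI> header of a received line into (facility, severity) codes,
    the first thing a syslog parser on the Receiver side has to do."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI header")
    value = int(line[1:line.index(">")])
    return value // 8, value % 8


def send_test_event(receiver_ip, message, port=514):
    """Send one message to the Receiver over UDP; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (receiver_ip, port))


if __name__ == "__main__":
    RECEIVER_IP = "10.0.0.50"  # placeholder: the Event Receiver's MGMT IP address
    msg = build_syslog_message("auth", "notice", "linux-host01", "sshd[1234]",
                               "Accepted publickey for admin from 192.0.2.10 port 52344 ssh2")
    print(msg)
    print(send_test_event(RECEIVER_IP, msg), "bytes sent")
```

Run it from the host that will act as the data source, then look for the event under that data source in the ESM. If nothing arrives, the data source definition on the Receiver (IP address and protocol) is the next thing to check, since UDP gives the sender no error when the Receiver discards the message.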
3. Click the Add button. The Add System Profile window will open.
4.
5.
6.
7.
8. Enter a Password.
9.
2.
3.
4.
a.
b. From the Data Source Model dropdown menu, select WMI Event Log.
c. Enter a Username with sufficient privileges to connect to the Windows host and retrieve the WMI logs.
d.
e.
5.
8. Click the Connect button to test the connection to the Windows Data Source.
9.
10. If the connection attempt fails, a dialog box will open to provide
details that can be used to troubleshoot the connection. Common
connection problems include incorrect IP Address or NETBIOS
name, improper user credentials or insufficient user privilege
necessary to retrieve the defined WMI log source. Correct any
errors and re-test the WMI connection until the response is
successful.
11. Once the WMI Connection Test is successful, click OK. The Apply Data Source Settings dialog box will open.
12. Click Yes to apply the Windows Data Source configuration to the
Event Receiver.
13. Once the Windows Data Source has been written to the
Event Receiver, a dialog box will open to confirm.
Click Close.
14. Since a new event collection source has been configured on the Event Receiver, the policy must be rolled out to
support the event formats associated with the Windows Data Source. The Rollout Policy window will open
listing the Data Sources defined on the Event Receiver that must be applied for event collection to begin.
NOTE: Some Data Sources in the list may read "Skip - This policy is up to date" while others, like the Windows Data Source recently added, will read "Roll this policy out now". The SIEM is intelligent enough to know which Data Source policies are new or recently modified and must be rolled out, and will skip those policies that are current.
Click OK to roll out policy to the Event Receiver Data Sources.
Ensure that a SQL Login account is available with appropriate privilege to the McAfee ePO database. For this
example, an account named epo has been created using SQL authentication and a Default Database set to
that of the ePO database.
2.
The following outlines the configuration steps required to add the ePO Data Source to the McAfee SIEM running
version 9.2.0 or higher.
1.
2. From the Add Device Wizard window, select McAfee ePolicy Orchestrator (v4.6 or newer) and click Next.
NOTE: Depending upon the appliance deployed in the POC, some of the device options may not be available, as indicated by the device type being greyed out. This is expected in POC installations deployed using an All-in-One combo appliance.
3.
NOTE: Each application installed in ePO (VSE, HIPS, etc.) will be added to the ePO data source as children using
this name as a prefix.
Example: McAfee ePO_VirusScan, McAfee ePO_Application and Change Control, etc.
To prevent these child data source names from becoming truncated, use a short descriptive name for the parent
ePO data source.
4. Click Next.
The ePO data source requires information relating to both the ePO Application Server and the ePO Database Server. In some ePO deployments this may be the same host; however, appropriate credentials must be supplied individually for each. Application credentials are used for the purposes of connecting to the ePO server to apply policy tags, while database credentials are used by the SIEM to retrieve events for analysis, correlation and reporting.
The Wizard will prompt you for both the Application details as well as the Database details on separate windows
starting with the ePO Application information.
5.
6.
7.
8.
10. Click the Connect button to test the connection to the ePO
application. If the connection is completed successfully, a
confirmation dialog box will open. Click Close.
If the connection test is unsuccessful, verify the ePO user credentials
and privileges.
The Wizard now prompts you for the ePO Database details.
12. Enter the IP Address of the ePO Database Server.
13. Enter the User ID of the SQL Login Account created
earlier.
14. Enter the Password assigned to the SQL Login Account.
15. Enter the appropriate SQL Communication Port
(default is 1433).
16. Enter the ePO Database Name.
NOTE: If the ePO Database Name contains a hyphen, the
value entered MUST be surrounded by square brackets.
Example: [ePO4_MCAFEE-123]
17. If multiple SQL instances are present on this database
server, enter the unique Database Instance associated
with ePO.
18. Click the Connect button to test the connection to the ePO database.
If the connection is completed successfully, a confirmation dialog box
will open. Click Close.
If the connection test is unsuccessful, verify the SQL credentials and
privileges.
20. A dialog box will open regarding the use of McAfee Risk Advisor
data within the SIEM.
The McAfee SIEM can utilize Risk Advisor asset reputation
scoring as a component of a Risk Correlation policy. If Risk
Advisor is present in the ePO installation AND if the Advanced
Correlation Engine is being deployed with the SIEM, click Yes.
21. Once complete, the Add Device Wizard will present a status window indicating that the ePO data source was
successfully added and configured.
1. Click the Asset Manager icon from the Quick Launch menu in the upper right of the interface.
2.
3.
4. In the Homenet dialog box that appears, enter the subnet(s) that represent the ePO managed endpoints.
NOTE: CIDR notation can be used to identify subnet ranges, and multiple address ranges can be identified using a comma-separated array.
5.
6.
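The Homenet dialog accepts the comma-separated CIDR list described in the note above. The following added example, which is not taken from the guide or from the product, parses such a list with Python's ipaddress module, rejects a malformed entry with a message naming it, and checks whether a given source IP falls inside the managed ranges, which is the same question the SIEM answers before offering an ePO lookup for an address. The subnets and addresses in it are constructed sample values.

```python
import ipaddress


def parse_homenet(spec):
    """Parse a Homenet string such as '10.10.0.0/16, 192.168.50.0/24' into
    ip_network objects. Entries are comma-separated; surrounding whitespace is
    ignored and empty entries are skipped. A malformed entry raises ValueError
    naming the entry, so a typo in the dialog is easy to locate."""
    networks = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set (10.1.2.3/24 becomes 10.1.2.0/24)
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError("invalid Homenet entry %r: %s" % (entry, exc)) from None
    return networks


def in_homenet(address, networks):
    """True if the address falls inside any Homenet range."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def split_by_homenet(source_ips, networks):
    """Partition source IPs into (managed, unmanaged) lists; only the managed
    ones are candidates for the View in ePO / tag assignment actions."""
    managed, unmanaged = [], []
    for addr in source_ips:
        (managed if in_homenet(addr, networks) else unmanaged).append(addr)
    return managed, unmanaged


# Constructed sample: three managed ranges, entered as a user might type them
SAMPLE_HOMENET = "10.10.0.0/16, 192.168.50.0/24,172.16.8.0/22"
SAMPLE_SOURCES = ["10.10.4.7", "192.168.50.200", "172.16.11.250",
                  "172.16.12.1", "203.0.113.9"]

if __name__ == "__main__":
    nets = parse_homenet(SAMPLE_HOMENET)
    managed, unmanaged = split_by_homenet(SAMPLE_SOURCES, nets)
    print("managed:", managed)
    print("unmanaged:", unmanaged)
```

Note that 172.16.8.0/22 ends at 172.16.11.255, so 172.16.12.1 is outside the Homenet even though it looks adjacent; an off-by-one prefix length in the dialog silently excludes endpoints from ePO correlation, which is exactly the kind of mistake this check surfaces.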
2. Click the Menu button in the upper left of the Source IP Address component.
3. From the menu that appears, select Actions, then View in ePO.
4.
5.
6. Once authenticated, the ePO asset information window will open displaying the information related to the endpoint selected in the McAfee SIEM.
In addition to viewing the managed endpoint within ePO, McAfee SIEM also supports the assignment of ePO policy
tags directly to assets from within the SIEM console.
1. From the SIEM user interface, select an IP address representing a managed asset within ePO.
2. Click the Menu button in the upper left of the Source IP Address component.
3.
4.
Device         Update Tarball                      Recommended Order
ESM            ESS_Update_X.x.x.signed.tgz
ESM/REC/ELM    ESSREC_Update_X.x.x.signed.tgz
REC            RECEIVER_Update_X.x.x.signed.tgz
ELM            RECEIVER_Update_X.x.x.signed.tgz
ACE            RECEIVER_Update_X.x.x.signed.tgz
ADM            APM_Update_X.x.x.signed.tgz
DEM            DBM_Update_X.x.x.signed.tgz
The McAfee ESM maintains a file repository into which all code update tarball files can be uploaded. Once
uploaded, each tarball update can be applied to the appropriate device from within the SIEM user interface either
individually or, in the case of multiple devices of the same type, en masse.
The order in which SIEM appliances are updated must be determined by reviewing the release notes published with each update. In most circumstances, when multiple appliances in a SIEM hierarchy are to be updated, it will be necessary to start with the ESM (or ESM/REC/ELM). Once complete, any Event Receiver appliances should be updated to the new version, including any ELM or ACE appliances since they share the same Receiver codebase. Lastly, any additional subordinate appliances such as ADM or DEM should be updated.
During most major (and some minor) updates, it will be necessary for the master ESM database to be rebuilt as part
of the automated code update process. Depending upon the amount of data residing in the ESM database, this
process can take anywhere from 30 minutes to several hours. In POC environments where the event volume will
likely be minimal, the database rebuild process should complete in under an hour.
The following steps must be completed to perform a code update on one or more SIEM appliances.
1. Determine which update tarball files will be required and download
from the McAfee product download site.
Example: This SIEM environment consists of a standalone ESM and a
standalone REC. Both the ESS_Update and the RECEIVER_Update
tarball files would be required.
2. Click the System Properties button in the upper right of the interface.
3.
4. From the File Type dropdown menu, select Software Update Files.
5. Click the Upload button. The File Upload window will open.
6. Browse to the location of the tarball update. Select a single tarball file and click Upload.
7. Repeat for each update file until all required tarball images have been uploaded to the repository.
2.
3.
NOTE: If the POC is being performed on an ESM/REC/ELM combo, select the ESSREC_Update_X.x.x.signed.tgz tarball.
4. Click OK.
5. A dialog box will open warning that the ESM will reboot during the update process and all active connections will be dropped. Click Yes to proceed.
6. A dialog box will open indicating that the update process has been initiated and instructing you to close the browser window.
7. Click OK.
8.
9. The ESM will reboot multiple times to perform the update process. Once the update is complete, open a web browser on your client computer.
14. If the ESM is still performing any portion of the code update, you
may be presented with an error indicating that the system is not
ready. Simply wait another minute and attempt once again to log
into the SIEM.
15. Once the server is ready and your credentials are accepted, you will
likely see a dialog box indicating that you have recently performed an
upgrade and instructing you to read the necessary release notes to
determine if additional actions are required.
16. Continue with the update process on each of the remaining SIEM
appliances, starting with any Event Receiver devices (REC, ACE, ELM),
then continuing with any remaining device (ADM, DEM).
NOTE: If the POC is being performed on an ESM/REC/ELM combo you can proceed to
Step 12 as the ESSREC_Update tarball provides both the ESM as well as REC feature update.
3.
4.
5.
6. Click OK.
7. A dialog box will open indicating that the device will reboot when the update process begins.
8. Click YES.
9. The device will restart. A dialog box will open, counting down from 3 minutes while the device update is applied.
NOTE: If the device has not completely updated after 3
minutes, the counter will restart. You must wait until the
device has fully updated and communication has been
restored to continue.
10. A dialog box will indicate the successful restart of the device
once connectivity has been restored.
11. Click OK.
12. After the successful update of an Event Receiver appliance, it is necessary to perform additional configuration
updates.
13. Click on Data Sources.
14. Click the Write button.
Repeat these steps to apply all necessary update tarball files to remaining subordinate devices.
a. Authentication Events
b. Exploit Events
c. Malware Events
d. Correlated Events
The McAfee SIEM classifies each event collected in accordance with a default Normalization Taxonomy. The
taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit,
Informational, Malware, Policy, Recon, Suspicious Activity, System and unknown. Each first-tier group is then
broken down further into sub-groups and even further as necessary, each lower tier representing more specific
event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications
in that branch are included in the selection. This allows the operator to select a more general event group, such as
Authentication, and all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login,
Database Login, Domain Login, etc.) of the Authentication parent will also be included in the selection.
Additionally, it is recommended that event aggregation be disabled for all correlated events.
Rule-based event correlation performs pattern-matching using complex Boolean expressions to identify known
patterns of possible attacks. Since each correlated event will correspond to a sequence of events analyzed by the
SIEM, it is beneficial to maintain full granularity for all events generated by the McAfee correlation engine.
Custom aggregation can also be defined to tune specific event aggregation settings based on user-selected fields.
Please refer to the ESM help documentation for more information regarding setting custom aggregation values.
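The branch selection and aggregation behaviour described above, as an added example that is not McAfee code: it models the taxonomy as slash-separated paths (a stand-in for McAfee's numeric Normalized IDs, which it does not reproduce), shows that selecting a first-tier node such as Authentication covers every descendant, and shows what aggregation does to repeated events and why correlated events are passed through untouched. The field names and sample events are constructed for the illustration.

```python
"""Added example, not McAfee code: a model of hierarchical taxonomy selection
and of event aggregation with per-branch Aggregation=Off. Category paths,
field names and the sample events are constructed for illustration."""
from collections import OrderedDict
from dataclasses import dataclass, replace
from typing import Iterable, List, Sequence, Tuple


@dataclass
class Event:
    category: str        # taxonomy path, e.g. "Authentication/Login/Domain Login"
    src_ip: str
    dst_ip: str
    signature: str
    correlated: bool = False   # True for events emitted by the correlation engine
    count: int = 1             # raw events an aggregated record stands for


def in_branch(category: str, selected: Sequence[str]) -> bool:
    """True if `category` is a selected taxonomy node or lies below one.
    Matching is per path component, so "Auth" does not select "Authentication"."""
    parts = category.split("/")
    for node in selected:
        node_parts = node.split("/")
        if parts[:len(node_parts)] == node_parts:
            return True
    return False


def select_events(events: Iterable[Event], selected: Sequence[str]) -> List[Event]:
    """Filter events the way a Normalized ID filter on a parent node does."""
    return [e for e in events if in_branch(e.category, selected)]


def aggregate(events: Iterable[Event], aggregation_off: Sequence[str]) -> List[Event]:
    """Collapse events sharing category, source, destination and signature into
    one record with a count, except correlated events and events in a branch
    whose Aggregation attribute is Off; those keep full granularity."""
    merged = OrderedDict()  # type: OrderedDict[Tuple[str, str, str, str], Event]
    passthrough: List[Event] = []
    for e in events:
        if e.correlated or in_branch(e.category, aggregation_off):
            passthrough.append(e)
            continue
        key = (e.category, e.src_ip, e.dst_ip, e.signature)
        if key in merged:
            merged[key].count += e.count
        else:
            merged[key] = replace(e)   # copy so the input events stay untouched
    return list(merged.values()) + passthrough


# Constructed sample: five failed domain logons, three scan events, and the two
# correlated "brute force" events the correlation engine raised from the logons.
SAMPLE: List[Event] = (
    [Event("Authentication/Login/Domain Login", "10.0.0.5", "10.0.0.1", "Logon Failure")
     for _ in range(5)]
    + [Event("Recon/Port Scan", "10.0.0.9", "10.0.0.1", "TCP Port Scan") for _ in range(3)]
    + [Event("Authentication/Login/Domain Login", "10.0.0.5", "10.0.0.1",
             "Possible Brute Force", correlated=True) for _ in range(2)]
)

if __name__ == "__main__":
    print(len(select_events(SAMPLE, ["Authentication"])), "events under Authentication")
    for rec in aggregate(SAMPLE, []):
        print(rec.category, rec.signature, "x", rec.count, "(correlated)" if rec.correlated else "")
    print(len(aggregate(SAMPLE, ["Authentication"])), "records with Authentication aggregation off")
```

With aggregation left on, the five logon failures collapse into one record with a count of 5, which is what the guide wants to avoid for the Authentication, Exploit and Malware branches during a POC; the correlated events are never merged because each one corresponds to a specific sequence the engine matched.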
The following steps must be followed to disable event-specific aggregation for these normalized event categories.
1. Click the Policy Editor button from the Navigation Bar located in the upper
right of the user interface. The Policy Editor window will open.
NOTE: The Policy Editor groups events into various Rule Types
including Advanced Syslog Parser, Data Source and Windows Events. The
following steps will need to be performed against each of these event type branches.
2. Expand the Receiver object from the Rule Types panel and select Data Source.
3. Click the Advanced bar at the bottom right of the Policy Editor window beneath the Filters/Tags panel. This will
hide the Tags and display the Advanced filters panel.
4. Click the Filter button to the right of the Normalized ID form field.
The Filter Variables window will open to display the top-tier Normalized event categories.
5. Select the top-tier categories for which aggregation is to be disabled (Authentication, Exploit and Malware).
6. Click OK.
7. This will populate the Normalized ID form field with the IDs
associated with the selected event categories.
8. Click the Run Query icon to refresh the list of Data Source rules, which will now
be filtered to display ONLY those event rules matching the categories selected from
the Normalized Taxonomy filter.
9. To disable Event Aggregation for the refined list of Data Source rules, click the Aggregation column heading.
The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).
10. Click the Off menu option.
11. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.
12. Click Yes to confirm the modification.
13. All Data Source rules in the filtered list will now have the Aggregation
attribute set to Off (disabled).
14.–16. Select Windows Events from the Rule Types panel and repeat steps 3 through 10 so that the
Windows Event rules are filtered by the same Normalized event categories and Aggregation is set to Off.
17. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.
18. Click Yes to confirm the modification.
19. All Windows Event rules in the filtered list will now have the
Aggregation attribute set to Off (disabled).
20.–21. Select the correlation rules branch from the Rule Types panel. No Normalized ID filter is needed here,
because aggregation is to be disabled for every correlation rule.
22. Once again, click the Aggregation column heading. The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).
23. Click the Off menu option.
24. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.
25. Click Yes to confirm the modification.
26. All Correlated rules in the list will now have the Aggregation attribute
set to Off (disabled).
NOTE: If the Event Receiver is already configured with any Data Sources, it will be necessary to perform a Policy
Rollout after making changes to the rule Aggregation settings. To do so, complete the following additional steps.
a. Click the Rollout icon on the Action Bar in the upper right of the Policy
Editor window. The Rollout window will open.
b. Click OK.
c. The new Aggregation settings will be rolled out to all Event Receiver
data sources.
2. Click the Add Data Source button from the Actions Toolbar. The Add
Data Source window will open.
6. Click OK.
7. A dialog box will open indicating that Data Source Settings have changed
and must be applied to the Event Receiver. Click Yes.
8. When the Data Source Settings have been written to the Event
Receiver, a dialog box will provide confirmation. Click Close.
9. Since each Data Source must have a policy applied, the Rollout
window will appear. Policy must be rolled out to the Event Receiver and all
corresponding Data Sources after any change. Click OK.
1. Click on the Asset Manager icon from the Quick Launch menu. The Asset
Manager window will open.
3. Select the ESM object from the list of available devices. It is from this
device that the Active Directory connection will be made.
10. Configure the retrieval interval and time. The default settings
will query the Active Directory once daily at midnight.
11. Click the Connect button to test the connection to the Domain
Controller.
12. If the connection test is successful, a dialog box will open to confirm. Click
OK.
13. If the connection to the Domain Controller is unsuccessful, a dialog box will open
indicating that the connection test failed. If this happens, confirm the IP address of
the Domain Controller, the port number over which the LDAP query will occur
(default 389), the username (in the correct username@domain.tld format), the
password and the Search Base. Determine from the customer whether TLS is required to
connect to this Domain Controller and, if so, enable it using the check box provided
on the Asset Data Source form. Without TLS the LDAP simple bind sends the account
password across the network in cleartext, so TLS should be preferred wherever the
Domain Controller supports it, and the account used needs only read access to the directory.
14. Once the connection test to the Domain Controller is successful, click OK.
15. Click the Write button in the bottom left of the Asset Sources window. The Writing changes to device window
will open.
16. After the changes have been successfully written to the
device, click Close.
17. Select the newly created Active Directory Domain Controller from the list of available asset sources.
18. Click the Retrieve button.
19. A Dialog box will open indicating that the Active Directory user and group data is being retrieved. Depending on
the size of the customer Active Directory, this process may take several minutes or longer to complete.
20. When the Active Directory data retrieval has successfully completed, a
dialog box will open. Click OK.
21. Close the Asset Manager window.
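The checks step 13 asks for, as an added example that is not McAfee code: a pre-flight validation of the Active Directory asset-source settings that can be run before clicking Connect. It verifies the username is in username@domain.tld form, that the Search Base is an LDAP DN with DC= components, that the UPN suffix agrees with the domain in the Search Base, and it flags a connection configured without TLS, since an LDAP simple bind then carries the password in cleartext. The field names and sample values are assumptions made for this illustration, not McAfee's form fields.

```python
"""Added example, not McAfee code: pre-flight validation of Active Directory
asset-source settings. Field names and sample values are assumptions."""
import re
from dataclasses import dataclass
from typing import List

# user@domain.tld: a local part, then at least one DNS label and a TLD
UPN_RE = re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# one relative distinguished name component, e.g. OU=Users or DC=corp
RDN_RE = re.compile(r"^(?:CN|OU|DC|O|L|ST|C)=[^,]+$", re.IGNORECASE)


@dataclass
class AdAssetSource:
    dc_address: str
    port: int            # LDAP default is 389
    username: str        # expected as username@domain.tld
    password: str
    search_base: str     # LDAP DN, e.g. OU=Users,DC=corp,DC=example,DC=com
    use_tls: bool


def dn_domain(search_base: str) -> str:
    """Join the DC= components of a DN into a DNS name ("" if there are none)."""
    rdns = [r.strip() for r in search_base.split(",")]
    return ".".join(r.split("=", 1)[1] for r in rdns if r.upper().startswith("DC="))


def check_ad_settings(s: AdAssetSource) -> List[str]:
    """Return a list of findings; an empty list means the settings look sane."""
    findings: List[str] = []
    if not 1 <= s.port <= 65535:
        findings.append(f"port {s.port} is out of range (LDAP default is 389)")
    upn_ok = bool(UPN_RE.match(s.username))
    if not upn_ok:
        findings.append(f"username {s.username!r} is not in username@domain.tld form")
    if not s.password:
        findings.append("password is empty")
    rdns = [r.strip() for r in s.search_base.split(",")]
    dn_ok = all(RDN_RE.match(r) for r in rdns) and dn_domain(s.search_base) != ""
    if not dn_ok:
        findings.append(f"search base {s.search_base!r} is not a DN with DC= components")
    if upn_ok and dn_ok:
        # An alternative UPN suffix is legitimate, so this is a prompt to confirm, not an error.
        upn_domain = s.username.split("@", 1)[1].lower()
        if upn_domain != dn_domain(s.search_base).lower():
            findings.append(f"UPN suffix {upn_domain} differs from search base domain "
                            f"{dn_domain(s.search_base)}; confirm it is a valid UPN suffix")
    if not s.use_tls:
        findings.append("TLS is off: the LDAP simple bind will send the account password "
                        "over the network in cleartext")
    return findings


if __name__ == "__main__":
    # Constructed sample settings for a lab domain controller
    settings = AdAssetSource("10.1.1.10", 389, "siemsvc@corp.example.com", "s3cret",
                             "OU=Users,DC=corp,DC=example,DC=com", use_tls=False)
    for finding in check_ad_settings(settings) or ["no findings"]:
        print(finding)
```

Run it against the values you intend to type into the Asset Data Source form; a non-empty result explains a failed Connect test faster than guessing, and the TLS finding is worth raising with the customer even when the test succeeds.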
To confirm the successful retrieval of Active Directory user and group information, follow these steps.
1. Scroll down the list of objects in the Filter Panel to the Source User form field.
2. Click the Filter icon beside the Source User field. The Filter
Variables window will open. You should see the domain from which you
retrieved user and group information.
3. Expand the domain object to display the groups enumerated from the
Active Directory.
4. Now that the Active Directory users and groups have been enumerated
into the SIEM, their values can be used in future filter queries, correlation
rules and reports.
Conclusion
Your McAfee SIEM environment is now installed, configured, and you have begun the process of tailoring it to meet
your business requirements. Next steps from here will include outlining your initial use cases, importing necessary
content, and developing processes for monitoring and remediation.
You can find more assistance, documents, and videos at the McAfee Community:
https://community.mcafee.com/community/business/siem