Data Sheet

McAfee Product Education

McAfee Security Information Event Management (SIEM)
Administration Course
The McAfee SIEM Administration course from McAfee Education Services
provides attendees with hands-on training on the design, setup, configuration,
communication flow, and data source management of SIEM appliances. In addition,
students will understand how to effectively implement the appliances in a complex
enterprise environment.

Highlights
McAfee Enterprise Log
Manager configuration.
McAfee Enterprise Security
Manager installation and
configuration.
Working with the Receiver.
Working with the Advanced
Correlation Engine.
Adding data sources.
Working with the policy
editor.
Generating alarms and watchlists,
and developing reports.

What You Will Learn

At the end of this course, attendees should know
the benefits of the SIEM appliance; understand
the skills needed to successfully plan, design, and
implement SIEM following McAfee Professional
Services methodology; and be capable of installing
and configuring the appliance within their own
environment.
Exercises
All topics are supported by hands-on exercises that
will test appliances with real-world scenarios using
guidelines in policy management, log aggregation,
event correlation, and tips for debugging.

Who Should Take This Class

System and network administrators, security
personnel, auditors, and/or consultants concerned
with network and system security should take
this course. It is recommended that the students
have a working knowledge of Microsoft Windows
administration, system administration concepts,
a basic understanding of computer security
concepts, and a working knowledge of McAfee
ePolicy Orchestrator software administration.
Duration
Four days.

Course Outline
Chapter 1: SIEM Overview

Chapter 4: Receiver Data Source Configuration

What Is SIEM?

Receiver Data Sources

How SIEM is used

Receiver Properties

SIEM Components Overview

Adding a Data Source

SIEM Architecture

Data Source Types

Identifying Business Needs and Stakeholders

Configuring Common Data Sources

Deployment Scenarios

Client Data Sources

SIEM Sizing Overview

Data Source Profiles

McAfee Enterprise Security Manager

Interface Setup

Data Source AutoLearn

Adding VA Data Sources

FIPS

Asset Manager

Implementation Process

Real Time in Data Enrichment

Change Control

Chapter 2: McAfee Enterprise Security Manager and

Receiver Overview

McAfee Enterprise Security Manager

Properties Overview

McAfee Enterprise Security Manager Settings

Receiver Redundancy

Receiver Overview/Properties

Receiver Vulnerability Assessment

Receiver Asset Data Source

Receiver Key Management

Chapter 5: Aggregation

About Aggregation and Timestamps

Event Aggregation

Dynamic Aggregation

Setting Event Aggregation Levels

Default Aggregation Settings

Customizing Aggregation

Flow Aggregation

Port Values

Chapter 6: Policy Editor

Policy Editor Overview

Default Policy

Policy Tree: Modifying

Policy Importing and Exporting

Policy Change History

The Data Problem

Policy Status and Rollout

Log Management Challenges

Filtering and Tagging

ESMI Views

Operations and Tools Menu

Using the Toolbar

Normalization

Theft of Confidential Information

Rule Variables

Use of Unauthorized Applications

Severity Weights

Situational Awareness

Rule Types

Cyber Slacking in the Workplace

Rule Inheritance

Use of Weak Passwords

Rule Properties: Settings

McAfee User Interface

Advanced Syslog Parser Rules

Views Toolbar

Filters

Out-of-Box Dashboard Views

Custom Views

Data Binding

Receiver Connection, Device Logs, Configuration,

Redundancy

Chapter 3: McAfee Enterprise Security Manager

Interface Views

Chapter 7: Correlation

McAfee Enterprise Log Manager Logs

Optimized Risk Management

Migrating the Database

Event Normalization

McAfee Enterprise Log Manager Compression

Event Correlation Engine

SAN volumes

Advanced Correlation Engine

Full Text Indexer

Receiver Correlation

McAfee Enterprise Log Manager Storage Pools

Adding a Correlation Data Source

iSCSI Configuration

Correlation Rule Editor

Adding, Editing, or Deleting Storage Devices

Rolling out Correlation Policy

ELM Mirrored Data Storage

Creating a Custom Correlation Rule

ELM Data

Editing an existing correlation rule

Adding an ACE appliance

Chapter 11: Troubleshooting and System

Management

Using Historical mode

McAfee Technical Support

Login Troubleshooting

Creating Alarms

Operating System and Browser-Specific Issues

Alarm Settings

Hardware Issues

Alarm Details

Update and Upgrade Issues

Triggering Alarms

McAfee Health Status Flag

Watchlists

Watchlist Types: Static and Dynamic

Creating Watchlists

McAfee Enterprise Security Manager and McAfee

Enterprise Security Manager
Interface Troubleshooting

ESM Settings

Chapter 8: Alarms and Watchlists

Chapter 9: Reporting

Out-of-Box Reports

Chapter 12: SIEM Workflow

McAfee Enterprise Security Manager

Interface Desktop

Event Drilldown

Event Analysis

More About Using Specific Dashboards:

Normalized, Asset Vulnerability, Event and
Destination Geo-Location, Source User, Host,
Default Flow, Incident

Report Properties

Create Reports

Report Layout

Document Properties

Report Conditions

Query Wizard

Report Filter

Email, SMS, SNMP, Syslog Report Options

SIEM Workflow Demonstration

Viewing Reports

Case Management

Chapter 10: Working with

McAfee Enterprise Log Manager

McAfee Enterprise Log Manager Properties

ELM Terminology

Adding an McAfee Enterprise Log Manager Device

Estimating McAfee Enterprise Log Manager

Storage

McAfee Enterprise Log Manager Configuration

Settings

McAfee Enterprise Log Manager Backup and

Restore

Suggested Next Course(s)

McAfee Vulnerability Manager
Administration
Contact Information
To order, or for further information,
please contact McAfee Education at:
1-866-210-2715.
NA, LTAM, and APAC:
education@mcafee.com
EMEA:
proserv@mcafee.com

McAfee Education Services

McAfee Foundstone and McAfee Education Services
provide training on our award-winning products. We
provide this training globally with both instructorled and e-learning courses for organizations and
individuals.
We also provide product and role based
certifications through the McAfee Security
Certification Program, validating your knowledge
and ability in a variety of security-related categories.
For more information, please visit us at
www.mcafee.com/us/services.aspx, or click
on the following links:
North America and Latin America
(instructor-led training)
http://mcafee.netexam.com/catalog.html
Europe, Middle East, Africa, and Asia Pacific
(instructor-led training)
http://www.mcafee.com/uk/services/mcafeeeducation-services.aspx
McAfee Certification Program (McAfee product and
McAfee Foundstone assessment certification)
http://www.mcafee.com/us/services/securitycertification-program/index.aspx

2821 Mission College Boulevard

Santa Clara, CA 95054
888 847 8766
www.mcafee.com

McAfee, the McAfee logo, ePolicy Orchestrator, and Foundstone are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States
and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for
information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2014 McAfee, Inc.
es_ds_admin-course-siem_0914