To help you understand what is going on in your environment in just a couple of clicks, and to help you tune your rules better, McAfee SIEM 9.4 now shows you the details about what caused a rule to trigger. In this document, we are going to investigate a Brute Force Attack and see how the new correlation rules details and the look around features will help us.
You can also watch the steps described in this document by viewing the video below.
1. Quick look at the correlation details
Let’s see an example. Let’s take a look at our standard ESM Incident dashboard. One incident that catches our attention is the “Successful Brute Force Attack.” We want to investigate this incident further and understand exactly what happened and why that incident triggered.
First we are going to drill down to that specific incident by clicking on it. The whole dashboard refreshes with only the information relevant to that incident.
I would like to know why this rule triggered. In the Event pane, I can see the correlated events that made up this incident. It’s great information, but it’s not telling me the logical reason why the rule triggered. In order to find out, we are going to use the new correlation detail feature of version 9.4. We’ll expand the Events pane to have a better view. For that, click on the "Expand" icon at the top right corner of the Event pane.
To see the details for one event, select it by clicking on it. Then click on the "Details" tab in the bottom half of the screen.
Notice the Correlation Details tab, which is new in 9.4. If we click on it, we can now see why the rule triggered. We can see that the SIEM saw 20 failed logins, followed by a successful login, all of those happening in less than 5 minutes.
Also notice the plus sign next to the event. If you expand it, you can see the detail of each of the 21 events that made up this single incident. And you can see by scrolling down those events that those logins happened from the same IP address, using a different username each time, until the login was successful. You even see the name of the account that was compromised.
Thanks to the new Correlation Details feature of 9.4, we were able to determine exactly what happened very quickly.
2. Configure the correlation details feature
Now let’s take a quick look at where the configuration for this new feature resides. For that, click on the "Correlation" icon in the top right corner of the console.
The policy editor opens.
Click in the "Details" column for the rule you want to gather details for. There are two gathering modes to choose from: "on-demand" and "real-time." Under the "on-demand" mode, information about the events that triggered the correlation rule is gathered at the time you request the details. The "on-demand" mode is enabled by default. Under the "real-time" mode, information about the events is gathered immediately after the rule is triggered. This makes "real-time" the better mode for rules that use dynamic watchlists or other values that change often. But keep in mind that this mode comes with a bigger overhead on the ESM component, so use it only if you need it.
In our example we have only selected one rule, but you can select multiple rules at a time: use Ctrl+click to select non-contiguous rules, or Shift+click to select contiguous rules.
You can also see the details for all rules that triggered in one place. For that, let’s close the policy editor and, in the system navigation tree, expand the ACE device.
Click Rule Correlation under the ACE device.
Select the Event View -> Event analysis dashboard.
The Event Analysis View opens.
Then click the event you want to view.
Click the Correlation Details tab to view the details of why the rule triggered.
3. Looking around
One good thing to find out at this point would be: what else happened around the same time, which would help me get a complete picture? Version 9.4 can answer this question with a new feature called Lookaround. To know what happened around an event, click the dropdown menu at the top left corner of the All Events pane and select Look Around.
The lookaround window opens. You can choose the time window to look around for. We’ll leave it at 5 minutes. You can also filter based on the field of your choice, so you don’t see all events, which could be a lot. In our case, we are going to filter based on the source IP address because we want to know what else that system did. To summarize, we are going to see what happened with the system with IP address 172.25.161.131, within 5 minutes of the event that we selected in our incident.
And we can see very quickly that this IP has been up to no good as it’s involved in many other suspicious events.
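As an added illustration (not McAfee's code or the page's own), here is a small Python model of both features over a constructed log: the brute-force rule from section 1 (20 failed logins followed by a success from the same source IP within 5 minutes, with the matching source events kept as the "correlation details") and the Look Around filter from section 3 (events within a time window of a chosen event, optionally restricted to one source IP). The thresholds come from the page; the per-source sliding-window evaluation and the sample events are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILS, WINDOW = 20, timedelta(minutes=5)   # thresholds the page's rule uses

def sample_events():
    """Constructed sample log, not data from the page: 20 failed logins from one
    source IP with a different username each time, then a success, plus noise."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    evs = [(base + timedelta(seconds=10 * i), "172.25.161.131", f"user{i:02d}", "failure")
           for i in range(20)]
    evs.append((base + timedelta(seconds=200), "172.25.161.131", "svc_backup", "success"))
    evs.append((base + timedelta(seconds=35), "10.0.0.5", "alice", "failure"))      # other host
    evs.append((base + timedelta(seconds=300), "172.25.161.131", "svc_backup", "port_scan"))
    return sorted(evs)   # (timestamp, src_ip, username, outcome)

def correlate(events):
    """Return one incident per trigger: the list of source events that fired the rule
    (what the Correlation Details tab shows). Failures are kept per source IP in a
    sliding WINDOW; a success with >= FAILS recent failures triggers."""
    recent, incidents = defaultdict(deque), []
    for ev in sorted(events):
        ts, src, _user, outcome = ev
        q = recent[src]
        while q and ts - q[0][0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if outcome == "failure":
            q.append(ev)
        elif outcome == "success" and len(q) >= FAILS:
            incidents.append(list(q) + [ev])
            q.clear()                          # one incident per burst, not one per success
    return incidents

def describe(incident):
    """The summary an analyst reads off the details pane."""
    fails = [e for e in incident if e[3] == "failure"]
    success = incident[-1]
    return {"src_ip": success[1], "failed_logins": len(fails),
            "distinct_users": len({e[2] for e in fails}),
            "compromised_account": success[2],
            "span_seconds": (success[0] - incident[0][0]).total_seconds()}

def look_around(events, anchor, window=timedelta(minutes=5), src_ip=None):
    """Look Around: every other event within +/- window of anchor, optionally
    restricted to one source IP, as the page does for 172.25.161.131."""
    return [e for e in sorted(events)
            if e != anchor and abs(e[0] - anchor[0]) <= window
            and (src_ip is None or e[1] == src_ip)]
```

Running `describe(correlate(sample_events())[0])` gives the same facts the page reads off the details pane: 20 failures, 20 distinct usernames, the compromised account, and the time span of the burst.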
Some of our next steps could be to open a case to have someone investigate further, or to take action and blacklist that IP address from communicating with the rest of our network, which you can do from the SIEM console if you use the McAfee IPS solution, or to apply an ePO tag to your endpoints to block communications from that system.
You’ve seen how the correlation details in McAfee SIEM 9.4 help you investigate incidents faster. That feature can also help you understand how rules work and fine-tune them according to your needs.
And finally, the look around feature complements the correlation details by showing you the events that took place around the same time as the event you are investigating.
For more information about the McAfee SIEM, visit:
McAfee Sales page http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales