There are times when you need to be alerted as soon as possible, if one type of event happens, without needing the event to go through the usual correlation process. Such events might include disabling auditing, privilege escalation on an account, or logs being cleared, which is the example we will use in this document. That ability is a new in version 9.4. This document explains how to create such an alarm, based on the fields of one single event matching one or more criteria. It will trigger when one or multiple fields of an event are matched, and it will trigger as soon as the receiving device, that can be the event receiver, advanced correlation engine, enterprise log manager or application data monitor, receives and parses the event. It does not need to go through the correlation process to trigger.
You can also watch the steps described in this document by viewing the video below.
Setting up the alarm
Let’s log on our McAfee SIEM to see if such events have occurred. Here, we see that our event logs were cleared.
As we mentioned earlier, that could be a sign that someone is trying to cover their tracks and we want to be alerted immediately when such an event happens.
To be alerted right away let’s create an alarm for this event. In the console click on the event you want to create an alarm for. In our case, we’ll click on “Audit log cleared.”
Then pull down the menu at the top left corner of the pane where the event is displayed.
Select “Create New Alarm.”
The Alarm settings window opens.
Let’s give this new alarm a name, a description and assign it to a user.
Now, let’s click on the Condition tab to define what fields need to match for the alarm to trigger.
Here, we see the Signature ID that is associated with the event I want to be alerted on. Since the signature ID is a quick way and sure way to identify this event is to use its signature ID, I recommend that you copy the signature ID from this field, so we can use it in the next step.
Note: This signature ID applies to Windows Security logs being cleared. Windows Application and System logs being cleared use their own signature ID.
Note: Under type, you can see “Internal Event Match”. This is the new label for the alarm condition that used to be called Field Match, in version of the SIEM prior to 9.4.
If you drop the list down, you’ll see that in 9.4, a new Field Match alarm condition has been added. As we explained earlier, that new condition can match on one or multiple fields of an event, and triggers as soon as the receiving device receives and parses the event.
So, let’s select FieldMatch as our type. The Filter window opens.
Now, we are going to drag and drop the filter icon into the view.
The add filter field window opens.
Select Signature ID.
Then click on the green arrow on the right side of the window.
The default value editor opens. Paste the signature ID that copied earlier on.
Then I’m going to click Add. The copied signature ID appears in the default value pane.
Click OK one more time. We can see that our filter is added. It will trigger the alarm when the signature ID of an event matches the one we just copied, which is when the Windows security event log is cleared.
But now, let’s say we only want to be alerted if this happens on our mission critical servers.
So, let’s drag and drop then AND logical operator.
To filter on the server name, we need to drag and drop another filter. Let’s do that.
A new Add Filter Window opens.
This time, we are going to select Host. Click on the little green arrow on the right to define the host value to match.
In this case, we know that Host is a custom type, so we’ll click on the custom type tab.
Click in the value column next to Host, and enter the name of your server. In our case, our server name is “Winserver,” so, that’s what we will enter here.
Click Add and click OK. Click OK again.
Our two conditions have been added. The event’s signature ID will have to match a window log cleared event and the host will have to be name “Winserver.”
In the Maximum Condition Trigger Frequency field, you can select the amount of time to allow between each condition to prevent a flood of notifications. Each trigger will contain the first event that matches the trigger condition within the trigger frequency period. If you set it to zero, all matching events will generate an alarm.
Click Next. We are going to check the alarm for our Receiver. That means the alarm will be enabled only for events coming through this receiver. You can check the other devices of your choice if you want to enable this alarm on them too. This also means that the alarm will trigger as soon our receiver sees it, without even being sent to the ESM.
Click Next. Now we are going to select what happens when the alarm triggers. We are going to choose to log the event and have a visual display on our console.
Click next. Here we can setup an escalation process. We are going to keep the defaults.
Triggering the Alarm
Now let’s clear the security log on our windows server.
And we can see the visual alarm pops-up at the bottom right corner of the console and the alarm shows up in our alarm pane at the bottom left corner of the console.
You’ve seen how to create an immediate alarm based on the fields of one single event matching one or more criteria. And you’ve seen how quickly this alarm shows up. You can now set up alarm on events you want to be alerted on right away.
We’ve looked at the new Field Match Alarm feature available in the McAfee SIEM 9.4. This is a great feature to use to be alerted faster when one type of event occurs. It is different from the traditional alarms that already exist in the product because it will trigger as soon as the device receiving events sees a matching event.
For more information about the McAfee SIEM, visit:
McAfee Sales page http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales