McAfee SIEM - How to use the New Field Match Alarm in McAfee SIEM v9.4

Version 1


     

    Overview

     

    There are times when you need to be alerted as soon as possible when one type of event happens, without waiting for the event to go through the usual correlation process. Such events might include auditing being disabled, privilege escalation on an account, or logs being cleared, which is the example we will use in this document. That ability is new in version 9.4. This document explains how to create such an alarm, based on the fields of one single event matching one or more criteria. It will trigger when one or multiple fields of an event are matched, and it will trigger as soon as the receiving device, which can be the Event Receiver, Advanced Correlation Engine, Enterprise Log Manager or Application Data Monitor, receives and parses the event. The event does not need to go through the correlation process for the alarm to trigger.

     

    Video

     

    You can also watch the steps described in this document by viewing the video below.

     

     

     

    Procedure

     

    Setting up the alarm

     

    Let’s log on to our McAfee SIEM to see if such events have occurred. Here, we see that our event logs were cleared.

     

    image002.png

     

    As we mentioned earlier, that could be a sign that someone is trying to cover their tracks and we want to be alerted immediately when such an event happens.

     

    To be alerted right away, let’s create an alarm for this event. In the console, click on the event you want to create an alarm for. In our case, we’ll click on “Audit log cleared.”

     

    Then pull down the menu at the top left corner of the pane where the event is displayed.

     

    Select “Create New Alarm.”

     

    image004.png

     

    The Alarm settings window opens.

     

    image006.png

     

    Let’s give this new alarm a name, a description and assign it to a user.

     

    image008.png

     

    Now, let’s click on the Condition tab to define what fields need to match for the alarm to trigger.

     

    image010.png

     

    Here, we see the Signature ID associated with the event we want to be alerted on. Since the signature ID is a quick and sure way to identify this event, I recommend that you copy the signature ID from this field so we can use it in the next step.

     

    Note: This signature ID applies to Windows Security logs being cleared. Windows Application and System logs being cleared use their own signature ID.

     

    Note: Under Type, you can see “Internal Event Match”. This is the new label for the alarm condition that used to be called Field Match in versions of the SIEM prior to 9.4.

     

    image012.png

     

    If you drop the list down, you’ll see that in 9.4, a new Field Match alarm condition has been added. As we explained earlier, that new condition can match on one or multiple fields of an event, and triggers as soon as the receiving device receives and parses the event.

     

    image014.png

     

    So, let’s select FieldMatch as our type. The Filter window opens.

     

    image016.png

     

    Now, we are going to drag and drop the filter icon into the view.

     

    image018.png

     

    The add filter field window opens.

     

    Select Signature ID.

     

    Then click on the green arrow on the right side of the window.

     

    image020.png

     

    The default value editor opens. Paste the signature ID that you copied earlier.

     

    image022.png

     

    Then click Add. The copied signature ID appears in the default value pane.

     

    image024.png

     

    Click OK.

     

    image026.png

     

    Click OK one more time. We can see that our filter is added. It will trigger the alarm when the signature ID of an event matches the one we just copied, which is when the Windows security event log is cleared.

     

    image028.png

     

    But now, let’s say we only want to be alerted if this happens on our mission critical servers.

     

    So, let’s drag and drop the AND logical operator.

     

    image030.png

     

    image032.png

     

    To filter on the server name, we need to drag and drop another filter. Let’s do that.

     

    image034.png

     

    A new Add Filter Window opens.

     

    This time, we are going to select Host. Click on the little green arrow on the right to define the host value to match.

     

    image036.png

     

    image038.png

     

    In this case, we know that Host is a custom type, so we’ll click on the custom type tab.

     

    image040.png

     

    Click in the value column next to Host, and enter the name of your server. In our case, our server name is “Winserver,” so, that’s what we will enter here.

     

    image042.png

     

    Click Add and click OK. Click OK again.

     

    Our two conditions have been added. The event’s signature ID will have to match the Windows security log cleared event, and the host name will have to be “Winserver.”

     

    In the Maximum Condition Trigger Frequency field, you can select the amount of time to allow between triggers of this condition, to prevent a flood of notifications. Each trigger will contain the first event that matches the trigger condition within the trigger frequency period; later matches within that period do not generate another alarm. If you set it to zero, all matching events will generate an alarm.
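    The following is an added illustration, not McAfee code, of the matching and throttling behaviour described above: two field conditions combined with AND (signature ID and host), and a Maximum Condition Trigger Frequency that lets only the first match through per period, or every match when set to zero. The signature ID value and the event stream are constructed placeholders; the real signature ID is the one copied from the Condition tab.

```python
from typing import Dict, List, Optional

# Constructed placeholder for the Windows security log cleared signature ID;
# in practice this is the value copied from the alarm's Condition tab.
SECURITY_LOG_CLEARED_SIGID = "SIGID-PLACEHOLDER"


class FieldMatchAlarm:
    """Triggers as soon as one parsed event matches every configured field.

    conditions            -- field name -> required value, combined with AND
    max_trigger_frequency -- seconds between triggers; 0 means every matching
                             event raises an alarm
    """

    def __init__(self, name: str, conditions: Dict[str, str], max_trigger_frequency: int = 0):
        self.name = name
        self.conditions = conditions
        self.max_trigger_frequency = max_trigger_frequency
        self._last_trigger_ts: Optional[int] = None

    def matches(self, event: Dict[str, str]) -> bool:
        # Every configured field must match (the AND operator in the filter view).
        return all(event.get(f) == v for f, v in self.conditions.items())

    def process(self, ts: int, event: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Return the event that raised an alarm, or None (no match or throttled)."""
        if not self.matches(event):
            return None
        if (self.max_trigger_frequency > 0 and self._last_trigger_ts is not None
                and ts - self._last_trigger_ts < self.max_trigger_frequency):
            return None  # inside the frequency window: only the first match alarms
        self._last_trigger_ts = ts
        return event


# Constructed sample stream of (seconds, parsed fields); not real receiver output.
SAMPLE_EVENTS = [
    (0,  {"sigid": SECURITY_LOG_CLEARED_SIGID, "host": "Winserver"}),
    (10, {"sigid": SECURITY_LOG_CLEARED_SIGID, "host": "Winserver"}),
    (20, {"sigid": SECURITY_LOG_CLEARED_SIGID, "host": "Lab-PC"}),  # other host
    (30, {"sigid": "OTHER-SIGID", "host": "Winserver"}),            # other event
    (70, {"sigid": SECURITY_LOG_CLEARED_SIGID, "host": "Winserver"}),
]


def run(events, max_trigger_frequency: int) -> List[int]:
    """Feed events through the alarm; return the timestamps that raised an alarm."""
    alarm = FieldMatchAlarm("Security log cleared on Winserver",
                            {"sigid": SECURITY_LOG_CLEARED_SIGID, "host": "Winserver"},
                            max_trigger_frequency)
    return [ts for ts, ev in events if alarm.process(ts, ev) is not None]
```

With a frequency of 0 the run returns [0, 10, 70]; with 60 seconds it returns [0, 70], because the match at 10 seconds falls inside the window opened at 0.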

     

    image044.png

     

    Click Next. We are going to check the alarm for our Receiver. That means the alarm will be enabled only for events coming through this receiver. You can check the other devices of your choice if you want to enable this alarm on them too. This also means that the alarm will trigger as soon as our receiver sees the event, without the event even being sent to the ESM.

     

    image046.png

     

    Click Next. Now we are going to select what happens when the alarm triggers. We are going to choose to log the event and have a visual display on our console.

     

    image048.png

     

    Click Next. Here we can set up an escalation process. We are going to keep the defaults.

     

    image050.png

     

    Triggering the Alarm

     

    Now let’s clear the security log on our Windows server.

     

    image052.png

     

    We can see the visual alarm pop up at the bottom right corner of the console, and the alarm shows up in our alarm pane at the bottom left corner of the console.

     

    image054.png

     

    You’ve seen how to create an immediate alarm based on the fields of one single event matching one or more criteria, and you’ve seen how quickly this alarm shows up. You can now set up alarms for events you want to be alerted on right away.

     

    Conclusion

     

    We’ve looked at the new Field Match Alarm feature available in McAfee SIEM 9.4. This is a great feature to use to be alerted faster when one type of event occurs. It is different from the traditional alarms that already exist in the product because it triggers as soon as the device receiving events sees a matching event.

     

    Useful Links

     

    For more information about the McAfee SIEM, visit:

     

    McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

     

    McAfee SIEM Community: https://community.mcafee.com/community/business/siem

     

    McAfee Sales page http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales