McAfee SIEM - How to use the New Case Management Features in McAfee SIEM v9.4

Version 1


    Overview

     

    McAfee SIEM version 9.4 includes new features that make your case management and investigation abilities even more powerful. You can now create a case directly from an event and add events to an existing case. When you are investigating a case, you can now see the events that happened around the same time as the events that are part of the case. And finally, you can create custom statuses for your cases. In this document, we are going to see how those features help us create a case so that someone can investigate BitTorrent traffic.

     

    Video

     

    You can also watch the steps described in this document by viewing the video below:

     

     

    Procedure

     

    Creating a Case from an Event

     

    Let’s start by creating a case directly from any event. Go to your favorite view. In our case, we are going to go to a custom view, but this would work with any view that contains events, such as the incident dashboard.

     

    Once in your view, click on the event you want to create a case for. Here, we are going to select the BitTorrent handshake event because we want someone to investigate why BitTorrent downloads are being started from our network.

     

    image001.png

     

    Click on the icon at the top left corner of the events component of the view. Select Action -> Create a new case.

     

    image002.png

     

    The case detail window opens.

     

    image003.png

     

    Give the case a summary. Assign it to the user you want. The message is pre-populated with the event you are creating the case for. You can assign the severity of your choice. Notice another new feature: the severity you assign is now color coded in the dialog.

     

    image004.png

     

    Click OK. The window closes.

     

    Click on the Cases tab at the bottom left of the main console. You can see that our case has been added.

     

    image005.png

     

    Look Around

     

    The case is created but it is good practice to see what else happened around the time this event occurred. This could help you get the complete picture of what happened and even gather other clues that would otherwise go unnoticed. It’s now even easier to find out with the new look around feature of version 9.4.

     

    Let’s click on our event again. This time, in the top left corner of the event component, select Look Around.

     

    image006.png

     

    The Look Around window appears. You can choose how wide a time window around the event to look at. In this case, we want to know what else this system did within 5 minutes of the BitTorrent communication starting, so we’ll leave the time frame at 5 minutes.

     

    image007.png

     

    We can also choose to filter on specific criteria. We are only interested in this specific system for now, so we are going to filter on its IP address, which is automatically populated for us when we select Source IP. This is convenient because we don’t need to backtrack to remember what the IP was.

     

    image008.png

     

    Notice that an additional filter row is added as soon as we fill in one filter, so several criteria can be combined.

     

    image009.png

     

    Click OK.

     

    The Look Around view opens.

     

    All the events matching our time frame and filter appear. The original event is marked in blue.

     

    image010.png

     

    We can even see details regarding each event by clicking on the plus sign on the left of the rule message.

     

    image011.png

     

    Those events can be pertinent to the case and the analyst assigned to it might benefit from getting that information right into the case. That is something we can do easily in version 9.4. Select all the events you want to add.

     

    image012.png

     

    Then click on the icon at the top left corner of the Look Around component.

     

    Select Actions -> Add events to a case.

     

    image013.png

     

    The Case Append Event window opens.

     

    image014.png

     

    Select the case you want to add the events to. Here, we are going to select our Bit Torrent Case.

     

    Click Add.

     

    You can see the events are added to the case.

     

    image015.png

     

    Click OK to return to the main view.
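    The Look Around and Add Events steps above can be modeled in a few lines to make the logic explicit: events within a symmetric time window around the pivot event, filtered on a field whose value defaults to the pivot's own (as the dialog auto-populates Source IP), with the pivot flagged for highlighting and duplicates skipped when appending to the case. This is an added illustration, not McAfee code or an ESM API; the event records, IP addresses, timestamps and the Case class are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample events: a BitTorrent handshake from 10.1.1.25 plus activity
# from the same host and one unrelated event from another host.
EVENTS = [
    {"id": 1, "time": "2014-06-10 10:00:00", "src_ip": "10.1.1.25", "msg": "DNS query tracker.example"},
    {"id": 2, "time": "2014-06-10 10:02:30", "src_ip": "10.1.1.25", "msg": "BitTorrent handshake"},
    {"id": 3, "time": "2014-06-10 10:03:10", "src_ip": "10.1.1.25", "msg": "BitTorrent peer connection"},
    {"id": 4, "time": "2014-06-10 10:03:15", "src_ip": "10.1.1.77", "msg": "HTTP GET"},
    {"id": 5, "time": "2014-06-10 10:09:00", "src_ip": "10.1.1.25", "msg": "BitTorrent piece transfer"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def look_around(events, pivot, minutes=5, filters=None):
    """Return events within +/- minutes of the pivot, in time order, keeping only
    those whose fields match every filter. A filter value of None means "same as
    the pivot", mirroring the auto-populated Source IP in the dialog. The pivot
    itself is included and flagged so the caller can highlight it."""
    filters = filters or {}
    center = parse(pivot["time"])
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    out = []
    for ev in sorted(events, key=lambda e: parse(e["time"])):
        if not (lo <= parse(ev["time"]) <= hi):
            continue
        if any(ev.get(k) != (pivot[k] if v is None else v) for k, v in filters.items()):
            continue
        out.append({**ev, "is_pivot": ev["id"] == pivot["id"]})
    return out


@dataclass
class Case:  # hypothetical, minimal stand-in for a SIEM case record
    summary: str
    assignee: str
    severity: int
    status: str = "Open"
    event_ids: list = field(default_factory=list)

    def append_events(self, events):
        """Attach events to the case, skipping any already attached."""
        for ev in events:
            if ev["id"] not in self.event_ids:
                self.event_ids.append(ev["id"])
        return self.event_ids


def build_bittorrent_case():
    pivot = EVENTS[1]  # the handshake event the case was created from
    case = Case("Investigate BitTorrent traffic", "analyst1", 75, event_ids=[pivot["id"]])
    nearby = look_around(EVENTS, pivot, minutes=5, filters={"src_ip": None})
    case.append_events(nearby)
    return case, nearby
```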

     

    Create Custom Case Status

     

    One last thing that enhances case management in version 9.4 is the ability to create your own case statuses to best match your own workflow. For example, you can create a status “Under Review” to reflect cases that an analyst has started to investigate, or “Escalated to Tier 2” to reflect cases that need advanced analysis.

     

    To do so, click the “Open Case Management” icon at the top right corner of the Cases pane.

     

    image016.png

     

    The case management window opens.

     

    image017.png

     

    Click the case management icon at the bottom right of the window.

     

    The case management settings window opens.

     

    Click on Add.

     

    image018.png

     

    Here we are going to add “Under Review” as a status.

     

    image019.png

     

    Click OK.

     

    You can see that our new status is available.

     

    image020.png

     

    Now let’s change our case status to “Under Review.” To do so, double-click on our case in the Cases pane.

     

    image021.png

     

    We’ll open the Status dropdown list and choose “Under Review.”

     

    image022.png

     

    Click OK.

     

    In the Status column at the far right, you can see that our case status has changed to “Under Review.”

     

    image023.png

     

    Conclusion

     

    We’ve seen how McAfee SIEM 9.4 allows you to create a case directly from an event, and to look around that event to find out what else was going on around the time it was triggered. If you uncover more events pertinent to the case, you can easily add them to the case. And finally, you can create custom statuses to track tickets through the process of your choice. Those features make case management and investigation much faster and more efficient.

     

    Useful Links

     

    For more information about the McAfee SIEM, visit:

     

    McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

     

    McAfee SIEM Community: https://community.mcafee.com/community/business/siem

     

    McAfee Sales page: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales