The McAfee SIEM version 9.4 includes new features that make your case management and investigation abilities even more powerful. You can now create a case directly from an event, and add events to a case. When you are investigating a case, you can now see events that happened around the same time as the events that are part of the case. And finally, you can create custom status for your cases. In this document, we are going to see how those features help us create a case to have someone investigate Bit Torrent traffic.
You can also watch the steps described in this document by viewing the video below:
Creating a Case from an Event
Let’s start by creating a case directly from any event. Go to your favorite view. In our case, we are going to go to a custom view, but this would work with any view that contains events, such as the incident dashboard.
Once in your view, click on the event you want to create a case for. Here, we are going to select the Bit Torrent handshake event because we want someone to investigate why bit torrent downloads are started from our network.
Click on the icon at the top left corner of the events component of the view. Select Action -> Create a new case.
The case detail window opens.
Give the case a summary. Assign it to the user you want. The message is pre-populated with the event you are creating the case for. You can assign the severity of your choice. Notice another new feature, you can now see the color coding for the severity you assign to the event.
Click OK. The window closes.
Click on the Case tab at the bottom left of the main console, you can see that our case has been added.
The case is created but it is good practice to see what else happened around the time this event occurred. This could help you get the complete picture of what happened and even gather other clues that would otherwise go unnoticed. It’s now even easier to find out with the new look around feature of version 9.4.
Let’s click on our event again. This time, in the top left corner of the event component, select Look Around.
The look around window appears. You can choose how along around the event we want to look around. In this case, we want to know what else this system did within 5 minutes of the bit torrent communication starting, so we’ll leave the time frame at 5 minutes.
We can also choose to filter on specific criteria. We are only interested in this specific system for now. So we are going to filter on its IP address, which is automatically populated for us when we select Source IP. It’s convenient so we don’t need to backtrack to remember what the IP was.
Notice that additional filtering options are added as we select one filter.
The Look Around view opens.
All the events matching our time frame and filter appear. The original event is marked in blue.
We can even see details regarding each event by clicking on the plus sign on the left of the rule message.
Those events can be pertinent to the case and the analyst assigned to it might benefit from getting that information right into the case. That is something we can do easily in version 9.4. Select all the events you want to add.
Then click on the icon at the top left corner of the Look Around component.
Select Actions -> Add events to a case
The Case Append Event window opens
Select the case you want to add the events to. Here, we are going to select our Bit Torrent Case.
You can see the events are added to the case.
Click OK to return to the main view.
Create Custom Case Status
One last thing that enhances case management in the 9.4 version is the ability to create your own case status, to best match your own workflow. For example, you can create a status for “Under Review” to reflect cases that an analyst has started to investigate, or “Escalated to Tier 2” to reflect cases that need advanced analysis.
To do so, click the “Open Case Management” icon at the top right corner of the Cases pane.
The case management window opens.
Click the case management icon at the bottom right of the window.
The case management settings window opens.
Click on Add.
Here we are going to add “Under Review” as a status.
You can see that our new status is available.
Now let’s change our case status to “Under Review.” For that, let's double click on our case in the case pane.
We’ll open the Status dropdown list and chose “Under Review.”
In the far right, in the status column, you can see that our case status has changed to “Under Review.”
We’ve seen how the McAfee SIEM 9.4 allows you to create a case directly from an event, and to look around that event to find out what else has been going on around the time that event was triggered. If you uncover more events pertinent to the case, you can easily add them to the case. And finally, you can create custom status that you can use to track tickets through the process of your choice. Those powerful features will make your case management and investigation much faster and more efficient.
For more information about the McAfee SIEM, visit:
McAfee Sales page http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales