McAfee SIEM - How to perform rules updates

Version 1

    Overview

     

    To let you detect the latest attacks and collect data from new data sources, McAfee provides regular updates to the SIEM. This document explains how to update your McAfee SIEM, either manually or automatically. The McAfee SIEM ships with a default set of data source parsing rules and correlation rules; these rules are frequently updated to support additional event parsing and new correlation logic, so an ESM that is never updated will silently miss events from newer log formats and newer attack patterns.

     

    You can update the rules automatically if your SIEM can reach the Internet. If it cannot, you can update the rules manually. Both methods are covered below.

     

     

    Video

     

    You can also watch the steps described on this page by viewing the video below:

     

     

     

     

    Procedure

     

     

    1. Updating rules

     

    First, login to your McAfee ESM console.

     

    Click the System properties icon in the upper right corner of the interface.

     

    Capture1.PNG

     

     

    If you are updating your SIEM for the first time, for example right after the initial setup, the last update field says “never.” Otherwise it shows the date on which the last update was performed. In addition, if you have not yet set your permanent credentials, you will see the number of days left before your access expires.

     

    Capture2.PNG

     

     

    Click on Rules Updates.

     

    The Rules Update dialog box opens.

     

    Capture3.PNG

     

     

    2. Manual Update

     

    We are going to start with a Manual Update. This is the method for SIEM deployments that do not have access to the Internet. First, we need to download the appropriate files from the McAfee web site on a system that does have Internet access, then carry them over to the network the ESM lives on.

     

    In the browser of a system that has access to the Internet, go to www.mcafee.com/us/downloads/downloads.aspx

     

    Enter your grant number.

     

    Capture4.PNG

     

     

    Your landing page will be different depending on the entitlement associated with your grant number.

     

    Find the SIEM section.

     

    Capture5.PNG

     

     

    In our example, we are going to select the virtual ESM, Event Receiver, Log Manager combo, because this is what we are running. The SIEM options available to you will also depend on your entitlement.

     

    Click on the SIEM link.

     

    Click on the MFE Nitro Rules Downloads link.

     

    Capture6.PNG

     

     

    Click Agree.

     

    Rules updates are version specific, so make sure you download the rules update file that matches your version of the McAfee SIEM. At the time of this video, we are running version 9.3.2, so that is the file we are going to download.

     

    Capture7.PNG

     

     

    Save the file.
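    Because the manual path moves a file from an Internet-connected host to an ESM that cannot verify it online, it is worth checking the file before you upload it: that it is complete, that it is the file you downloaded (not one altered in transit across the air gap), and that it is built for your ESM version. The following is an added example, not part of the original article and not a McAfee tool. The SHA-256 value is one you record yourself on the download host immediately after saving the file; the page does not publish hashes, so the hash and file name used here are constructed placeholders.

```sh
#!/bin/sh
# Added example: pre-flight checks for a manually downloaded rules update file
# before it is uploaded to an air-gapped ESM. Not McAfee code.
#
# sha256_of FILE
# Prints the SHA-256 of FILE using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_rules_file FILE EXPECTED_SHA256 ESM_VERSION
# Returns 0 when FILE exists and is non-empty, its name carries ESM_VERSION
# (rules updates are version specific), and its SHA-256 matches the value you
# recorded on the download host. Returns a distinct non-zero code per failure.
check_rules_file() {
    file=$1
    expected=$2
    version=$3

    if [ ! -s "$file" ]; then
        echo "missing or empty: $file" >&2
        return 1
    fi

    # Refuse a rules file built for a different ESM release.
    case "$(basename "$file")" in
        *"$version"*) ;;
        *) echo "file name does not mention ESM version $version" >&2; return 2 ;;
    esac

    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file: got $actual, expected $expected" >&2
        return 3
    fi

    echo "ok: $file matches recorded hash and targets ESM $version"
    return 0
}

# Usage on the host that will upload the file (hash is the one you recorded;
# the file name is a constructed placeholder):
#   check_rules_file /media/usb/rules_9.3.2.tgz <recorded-sha256> 9.3.2
```

Run the hash on the download host right after “Save the file,” write it down, and run the check again on the machine that will open the ESM console and upload it. A mismatch means you should re-download rather than upload; a version-name mismatch means you picked the wrong file on the downloads page.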

     

    Now that we have downloaded it, let’s go back to the ESM console.

     

    Click the Manual Update button.

     

    Capture8.PNG

     

     

    The File Upload window opens.

     

    Browse to the location of the rule update file you just downloaded.

     

    Capture9.PNG

     

     

    Click Upload.

     

    You will see no further indication that the update is being applied until the update process completes, which can take several minutes.

     

    Click Cancel.

     

    Capture10.PNG

     

     

    Click Cancel again.

     

    When the update is done, a Manual Rule Update Successful window will appear. This dialog also appears when you log on to the console after rules updates have recently been applied.

    Click OK.

     

    Capture11.PNG

     

     

    Now, let’s double check that the update was successful.

     

    Click on the system properties icon in the top right corner.

     

    Capture12.PNG

     

     

    Now, next to Rules Update, instead of “never” you will see “Manual Update” and the date the ESM was updated. This is the quickest way to confirm that an update succeeded.

     

    Capture13.PNG

     

     

    3. Automatic Update

     

    Now we are going to do an automatic update. This only works if your SIEM is connected to the Internet and if you have requested and obtained a customer ID and password from McAfee. You can request them by sending an email to licensing@mcafee.com with your grant number, company name, address, your name and your email address.

     

    Click Rules Update.

     

    The Rules Update window opens.

     

    Click the Credential button.

     

    Capture14.PNG

     

     

    Enter your customer ID and password.

     

    Click Validate.

     

    Capture15.PNG

     

     

    If validation succeeds you get no message at all; the credential window simply closes. If it fails, you will get an error message.

     

    Now you can configure your SIEM to auto check for updates on a regular basis.

     

    Check the Auto Check Interval box.

     

    The default interval is every 12 hours.

     

    Capture16.PNG

     

     

    You can also check for updates immediately.

     

    Click the Check Now button.

     

    Capture17.PNG

     

     

    The Rules Update Progress window opens.

     

    Just as with the manual process, a pop-up window will inform you when the update has completed successfully. If you are not logged into the console at that moment, you will get the pop-up the next time you log on to the SIEM.

     

    Capture18.PNG

     

     

    Click on Hide.

     

    Capture19.PNG

     

     

    Click OK.

     

    Capture20.PNG

     

     

    Notice that the information next to Rules Update has changed again. It now says “Auto Update”. Again, this is a good way to know how and when the last update occurred.

     

    Also notice that the count of days remaining before access to the product expires has disappeared.

    That is because we entered our permanent credentials as part of the automated rules update process.

     

    Our customer ID also appears at the top of the page.

     

    Capture21.PNG

     

     

    The SIEM will now automatically check for updates at the interval you specified.

     

    Conclusion

     

    Now you know how to update your McAfee SIEM.

     

    In addition, if your SIEM does not have access to the Internet, you can subscribe to the McAfee Support Notification Service to be notified when a major update becomes available, so you know when to download it. To sign up for this service, go to https://SNS.SNSSECURE.MCAFEE.COM/CONTENT/SIGNUP_LOGIN

     

    Finally, new signature reports are created for the SIEM products every week. You can view them in KnowledgeBase article KB75608 (to view this article, you have to log into the ServicePortal; for information on how to register for the ServicePortal, see KB54031).

     

    Useful Links

     

    For more information about the McAfee SIEM, visit:

     

    McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

     

    McAfee SIEM Community: https://community.mcafee.com/community/business/siem

     

    McAfee Sales page: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales

     

    KB75608 (weekly SIEM signature reports): https://kc.mcafee.com/corporate/index?page=content&id=KB75608