SIEM Foundations: Other Configuration Steps

Version 9

    Step 1: Create Admin Users

    During the initial installation of McAfee ESM, you logged in and performed initial configuration with the "NGCP" user.  It's best to create additional administrative accounts to use for daily operations.  This provides better accountability for individual users, and also ensures access to the ESM console is available, even if the NGCP password is lost or forgotten.

     

    To create additional administrative user accounts:

    • Log into ESM as NGCP, open the ESM System Properties, and select the Users and Groups tab.
    • Enter the NGCP password when prompted.
    • Define a new user (if necessary) and select the "Administrator Rights" checkbox.

     

    Note: If you will use Active Directory for user authentication, your user accounts will be created automatically when new users first log into the ESM console.  Assigning administrative rights still requires manual action.

     

    Step 2: Configuring Event, Flow and Log Retrieval Polling Interval

    Events and flows collected by an Event Receiver are stored locally until requested by the ESM. The frequency with which this happens is user definable. By default, this polling interval is 10 minutes. When the interval is reached, all new data is synchronized from the Event Receiver to the master database residing in the ESM.


    The best practice during initial deployment stage is to reduce this time value to 5 minutes to provide a more real-time analysis of collected event and flow data.  Depending on your environment, you may be able to reduce the polling interval further, but 5 minutes is a good start.

    The following steps describe the process.

    1. Click the ESM System Properties button in the upper right of the interface.
    2. Click Events, Flows and Logs. The Events, Flows and Logs window will open.
    3. Adjust the Auto check interval to 5 minutes.
    4. Click OK.

     

    Step 3: Configuring ESM Data Allocation Policy

    Each McAfee SIEM ESM allocates storage for both Event and Flow data. By default, the ratio of events to flows is 50:50 by volume. Most SIEM deployments require a higher percentage of event allocation than flow.  Doing so optimizes your SIEM to work best with the type of data you expect it to consume.

     

    In order to adjust the database allocation ratio to favor larger event volume, follow these steps.

    1. Click the ESM System Properties button in the upper right of the interface.
    2. Select the Database menu from the list of options on the left. Then click the Data Allocation button.
    3. In the Data Allocation window that opens, configure the appropriate event:flow ratio by sliding the arrow right or left. Right indicates a higher ratio of event data – Left indicates a higher ratio of flow data.
    4. Click OK.

     

    Step 4: Configuring ESM SMTP Mail Settings

    The McAfee SIEM provides the ability to send email notifications based on alarm conditions as well as deliver scheduled forensics and analysis reports to named recipients. This requires that the ESM be configured with an operational SMTP server through which email messages will be delivered.

     

    To configure the SMTP server settings, follow these steps.

    1. From the ESM System Properties window, select the Email Settings menu option.
    2. Enter the necessary configuration settings including the email host, SMTP port, TLS (if required by the SMTP server), username/password, title (to be used in the email message subject line) and the From: address.
    3. Confirm the SMTP settings are correct by pressing the Send Test Email button and providing a destination email account to which the test email will be sent.
    4. Click OK to save the SMTP settings.

     

    Step 5: Configuring Event Inactivity Settings

    The McAfee SIEM can generate a health status alert when a device stops communicating or when a configured data source stops collecting events for a specified period of time – by default 30 minutes. In a pilot or POC, it may be helpful to disable or adjust the inactivity timer as the event volumes typically observed in evaluations may be lower than a production SIEM.  Default settings may generate unnecessary alerts.

     

    To disable the Event Inactivity settings:

    1. Click the System Properties button in the upper right of the interface.
    2. Click Events, Flows & Logs. The Events, Flows & Logs window will open.
    3. Click the Inactivity Settings button. The Inactivity Threshold window will open.
    4. Place a check in the Inherit option box for the ESM object. This will force all devices and subsequent data sources added to the SIEM to inherit the System Inactivity Threshold, which is set to Days: 0, Hours: 0, Minutes: 0. This effectively disables the SIEM Inactivity health status warnings. You may instead choose to use a longer inactivity timer than the default 30 minutes.
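    The inheritance and "0:0:0 disables" behaviour of the Inactivity Threshold, modelled as an added illustration (not McAfee ESM code). The data source names, thresholds and timestamps are constructed; the only values taken from the page are the 30-minute default and the Days/Hours/Minutes fields.

```python
# Added illustration, not McAfee ESM code: models the Inactivity Threshold
# behaviour described in Step 5. A data source either carries its own threshold
# or inherits the System Inactivity Threshold; checking Inherit on the ESM object
# forces every source to inherit, and a threshold of 0 days/0 hours/0 minutes
# disables the health status warning. Names and timestamps are constructed.
from datetime import datetime, timedelta
from typing import Dict, List

DEFAULT_MINUTES = 30  # default inactivity timer stated on the page


def threshold_minutes(days: int, hours: int, minutes: int) -> int:
    """Convert the Days/Hours/Minutes fields of the threshold window to minutes."""
    return days * 24 * 60 + hours * 60 + minutes


def effective_threshold(source: Dict, system_threshold: int, force_inherit: bool) -> int:
    """System value when inheritance applies (per source, or forced from the ESM object)."""
    if force_inherit or source.get("inherit", False):
        return system_threshold
    return source["threshold"]


def is_inactive(last_event: datetime, now: datetime, threshold: int) -> bool:
    """0 disables the warning; otherwise warn once the silence exceeds the threshold."""
    if threshold == 0:
        return False
    return now - last_event > timedelta(minutes=threshold)


def inactivity_alerts(sources: List[Dict], now: datetime, system_threshold: int,
                      force_inherit: bool = False) -> List[str]:
    """Names of the sources that would raise an inactivity health status warning."""
    return [s["name"] for s in sources
            if is_inactive(s["last_event"], now,
                           effective_threshold(s, system_threshold, force_inherit))]


# Constructed sample: three data sources and the time of their last observed event.
NOW = datetime(2024, 1, 1, 12, 0)
SOURCES = [
    {"name": "fw-edge", "inherit": True, "last_event": NOW - timedelta(minutes=45)},
    {"name": "dc-01", "inherit": False, "threshold": threshold_minutes(0, 2, 0),
     "last_event": NOW - timedelta(hours=3)},
    {"name": "proxy", "inherit": False, "threshold": DEFAULT_MINUTES,
     "last_event": NOW - timedelta(minutes=10)},
]
```

    With the defaults, fw-edge and dc-01 alert; with Inherit checked on the ESM object and the system threshold at 0:0:0, nothing alerts; with Inherit checked and a 2-hour system threshold, only dc-01 alerts.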

     

    Step 6: Adjusting Default Port Index Settings

    The McAfee SIEM is configured, by default, to index only ports 1-1024. This will sometimes be exhibited in the user interface as a value described as ‘others’. Best practice is to enable indexing for all ports.

     

    To enable indexing on all ports:

    1. Click the System Properties button in the upper right of the interface.
    2. Click Database.
    3. Click Settings. The Database Indexing window will open.
    4. Click the word Custom under the Events/Port heading. An option box will open.
    5. Click All from the option box.
    6. Repeat the process for Flows/Port, modifying the setting from Custom to All.
    7. Click OK.

     

    Step 7: Configuring Event-Specific Aggregation

    Even with the Event Receiver event aggregation set to dynamic, there are certain events that should never be allowed to aggregate during a pilot/POC (and potentially in a production SIEM deployment). In particular, the following types of events should be set to NOT aggregate in order to guarantee the highest visibility for each event.

    a. Authentication Events: events describing user login/logoff activities.
    b. Exploit Events: events describing potential exploit behaviors.
    c. Malware Events: events describing potential malware activities.
    d. Correlated Events: events generated from the Correlation Engine.

     

    The McAfee SIEM classifies each event collected in accordance with a default Normalization Taxonomy. The taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit, Informational, Malware, Policy, Recon, Suspicious Activity, System and unknown. Each first-tier group is then broken down further into sub-groups and even further as necessary, each lower tier representing more specific event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications in that branch are included in the selection. This allows the operator to select a more general event group, such as Authentication, and all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login, Database Login, Domain Login, etc.) of the Authentication parent will also be included in the selection.
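    How a top-tier selection expands through the taxonomy and is then applied to the rules' Aggregation attribute, as an added illustration (not McAfee ESM code). The Authentication branch uses the sub-groups named above; the other branches, the rule names and their normalized classifications are constructed.

```python
# Added illustration, not McAfee ESM code: models how selecting a top-tier group
# of the Normalization Taxonomy pulls in every lower-tier classification in that
# branch, and how that selection is applied to switch Aggregation Off on the
# matching rules (the procedure below). Non-Authentication branches are constructed.
from typing import Dict, List, Set

TAXONOMY: Dict[str, List[str]] = {
    "Authentication": ["Login", "Logout", "Password"],
    "Login": ["Admin Login", "Database Login", "Domain Login"],
    "Exploit": [],                    # sub-groups omitted in this constructed tree
    "Malware": [],
    "Informational": ["Heartbeat"],   # constructed branch that must stay unselected
}

def expand_branch(root: str, taxonomy: Dict[str, List[str]] = TAXONOMY) -> Set[str]:
    """Return the root plus every classification beneath it, at any depth."""
    selected: Set[str] = set()
    stack = [root]
    while stack:
        node = stack.pop()
        if node not in selected:
            selected.add(node)
            stack.extend(taxonomy.get(node, []))
    return selected

def expand_selection(roots: List[str]) -> Set[str]:
    """Union of the branches for each top-tier group picked in the Filter Variables window."""
    return set().union(*(expand_branch(r) for r in roots))

# Constructed rules: normalized classification plus the Aggregation setting
# (the three values the Policy Editor offers: Inherit, On, Off).
RULES: List[Dict[str, str]] = [
    {"name": "Windows 4624", "normalized": "Domain Login", "aggregation": "Inherit"},
    {"name": "sshd accepted", "normalized": "Login", "aggregation": "Inherit"},
    {"name": "IPS signature", "normalized": "Exploit", "aggregation": "On"},
    {"name": "Agent heartbeat", "normalized": "Heartbeat", "aggregation": "Inherit"},
]

def disable_aggregation(rules: List[Dict[str, str]], categories: List[str]) -> List[str]:
    """Set Aggregation to Off on rules inside the selected branches; return their names."""
    selected = expand_selection(categories)
    changed = []
    for rule in rules:
        if rule["normalized"] in selected:
            rule["aggregation"] = "Off"
            changed.append(rule["name"])
    return changed
```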

     

    Additionally, it is recommended that event aggregation be disabled for all correlated events. Rule-based event correlation performs pattern-matching using complex Boolean expressions to identify known patterns of possible attacks. Since each correlated event will correspond to a sequence of events analyzed by the SIEM, it is beneficial to maintain full granularity for all events generated by the McAfee correlation engine.  You might also consider adjusting aggregation for events from web proxies, mail gateways, and similar data sources.

     

    Custom aggregation can also be defined to tune specific event aggregation settings based on user-selected fields. Please refer to the ESM help documentation for more information regarding setting custom aggregation values.

     

    The following steps must be followed to disable event-specific aggregation for these normalized event categories.

    1. Click the Policy Editor button from the Navigation Bar located in the upper right of the user interface. The Policy Manager window will open.
      NOTE: The policy manager groups events into various Rule Types including Advanced Syslog Parser, Data Source and Windows Events. The following steps will need to be performed against each of these event type branches.
    2. Expand the Receiver object from the Rule Types panel and select Data Source.
    3. Click the Advanced bar at the bottom right of the Policy Editor window beneath the Filters/Tags panel. This will hide the Tags and display the Advanced filters panel.
    4. Click the Filter button to the right of the Normalized ID form field. The Filter Variables window will open to display the top-tier Normalized event categories.
    5. While holding the CTRL key, select each of the Normalized categories – Authentication, Exploit and Malware.
    6. Click OK.
    7. This will populate the Normalized ID form field with the IDs associated with the selected event categories.
    8. Click the Run Query icon to refresh the list of Advanced Syslog Parser rules, which will now be filtered to display ONLY those event rules matching the categories selected from the Normalized Taxonomy filter.
    9. To disable Event Aggregation for the refined list of Data Source rules, click the Aggregation column heading. The action window will open to present three options – Inherit parent value, On (enable) or Off (disable).
    10. Click the Off menu option.
    11. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.
    12. Click Yes to confirm the modification.
    13. All Data Source rules in the filtered list will now have the Aggregation attribute set to Off (disabled).
    14. From the Rule Types panel, select Windows Events.
      NOTE: The filter panel will preserve the current selection of Normalized categories. The resulting list of Windows Event rules will inherit the previous filters of Authentication, Exploit and Malware.
    15. Once again, click the Aggregation column heading. The action window will open to present three options – Inherit parent value, On (enable) or Off (disable).
    16. Click the Off menu option.
    17. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.
    18. Click Yes to confirm the modification.
    19. All Windows Event rules in the filtered list will now have the Aggregation attribute set to Off (disabled).
    20. From the Rule Types panel, select Correlation.
    21. Next, clear the filters by clicking the orange funnel icon in the upper right of the Correlation Rules panel.
    22. Once again, click the Aggregation column heading. The action window will open to present three options – Inherit parent value, On (enable) or Off (disable).
    23. Click the Off menu option.
    24. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.
    25. Click Yes to confirm the modification.
    26. All Correlation Rules in the filtered list will now have the Aggregation attribute set to Off (disabled).


    NOTE: If the Event Receiver is already configured with any Data Sources, it will be necessary to perform a Policy Rollout after making changes to the rule Aggregation settings. To do so, complete the following additional steps.

    1. Click the Rollout icon on the Action Bar in the upper right of the Policy Editor window. The Rollout window will open.
    2. Click OK.
    3. The new Aggregation settings will be rolled out to all Event Receiver data sources.
    4. Close the Policy Editor.

     
