SIEM Foundations: Configure Variables

Version 3

    Variables are used by correlation rules in various ways to help identify suspicious and malicious behavior in your environment.  To be effective, variables must be configured to reflect your enterprise accurately.


    Variable definitions are configured in the Policy Editor.  You can open the Policy Editor via the icon in the top-right corner of the UI.

    [Image: policy-editor.png]


    The list below gives the variables we recommend defining early in your McAfee SIEM deployment.  Over time you may choose to tune other variables, or add new ones, to optimize your SIEM deployment.


    • Application/DAY_END
    • Application/DAY_START
    • Application/HOUR_END
    • Application/HOUR_START

    These variables allow you to define your standard working days and working hours.  Several correlation rules use these variables to identify anomalous activity outside of standard working times.  Keep in mind that the HOUR variables are defined in the GMT time zone; you must convert your working hours to GMT for these variables to be effective.
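    The GMT conversion is where these variables most often go wrong: a site working 08:00-18:00 Pacific time becomes 16:00-02:00 in GMT, so the window wraps past midnight, and the offset changes when daylight-saving time starts or ends. The script below is an added example, not McAfee code or the product's own evaluation logic; it assumes HOUR_START and HOUR_END hold whole GMT hours (0-23) and that a rule treats the window as the half-open range [HOUR_START, HOUR_END). It converts a local window to GMT for a given date using the zone's DST rules, and shows how an "outside working hours" test must handle a wrapped window.

```python
from datetime import date, datetime, time
from zoneinfo import ZoneInfo

UTC = ZoneInfo("UTC")


def working_window_gmt(local_tz: str, start_hour: int, end_hour: int, on_date: date) -> dict:
    """Convert a local working window (whole hours) to GMT for a given date.

    DST is applied per the zone's rules for `on_date`, so the result differs
    between winter and summer for zones that observe it. Returns the GMT hours
    to place in HOUR_START / HOUR_END (an assumed whole-hour format) and whether
    the converted window crosses GMT midnight.
    """
    tz = ZoneInfo(local_tz)
    start_utc = datetime.combine(on_date, time(start_hour), tzinfo=tz).astimezone(UTC)
    end_utc = datetime.combine(on_date, time(end_hour), tzinfo=tz).astimezone(UTC)
    return {
        "hour_start": start_utc.hour,
        "hour_end": end_utc.hour,
        "wraps_midnight": end_utc.date() != start_utc.date(),
    }


def is_outside_working_hours(event_utc: datetime, hour_start: int, hour_end: int) -> bool:
    """The test a rule would apply to an event timestamp given HOUR_START/HOUR_END.

    Inside the window means the half-open range [hour_start, hour_end).
    When hour_end < hour_start the window is taken to wrap past GMT midnight,
    which is exactly what happens for sites west of Greenwich.
    """
    h = event_utc.astimezone(UTC).hour
    if hour_start <= hour_end:
        inside = hour_start <= h < hour_end
    else:
        inside = h >= hour_start or h < hour_end
    return not inside


if __name__ == "__main__":
    # Constructed sample site: Pacific time, 08:00-18:00 local.
    for day in (date(2024, 1, 15), date(2024, 7, 15)):
        print(day, working_window_gmt("America/Los_Angeles", 8, 18, day))
    # An event at 20:00 GMT is inside the winter window 16-02, even though 20 > 2.
    print(is_outside_working_hours(datetime(2024, 1, 15, 20, 0, tzinfo=UTC), 16, 2))
```

    Because the GMT offset shifts by an hour across a DST change, a single static value for HOUR_START/HOUR_END will be off by one hour for roughly half the year in zones that observe DST; choose the values for the period you care most about, or revisit them at each change.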


    • Networks/HOME_NET

    This legacy variable is used in some correlation rules in place of Local Networks/Homenet to identify internal IP addresses.  It should include the same IP ranges as Local Networks.
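    Because HOME_NET is maintained separately from Local Networks, the two drift apart as ranges are added in one place and not the other, and rules that rely on HOME_NET then treat part of the enterprise as external. The check below is an added example, not part of the article or of McAfee's tooling; the two lists are constructed sample values standing in for ranges exported from the Policy Editor. It collapses each list to its minimal CIDR set and reports any Local Networks range that HOME_NET does not fully cover.

```python
import ipaddress

# Constructed sample values (not from the article): what is configured under
# Local Networks and under the Networks/HOME_NET variable.
LOCAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
HOME_NET = ["10.0.0.0/8", "192.168.0.0/24"]


def collapse(entries):
    """Parse CIDR strings and merge adjacent/overlapping ranges, per IP version."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix versions
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return merged


def uncovered(reference, candidate):
    """Return ranges in `reference` that are not fully contained in `candidate`.

    After collapsing, any aligned CIDR that is fully covered by the candidate
    set is a subnet of exactly one collapsed candidate network.
    """
    cand = collapse(candidate)
    return [
        str(n) for n in collapse(reference)
        if not any(c.version == n.version and n.subnet_of(c) for c in cand)
    ]


if __name__ == "__main__":
    print("Local Networks ranges missing from HOME_NET:", uncovered(LOCAL_NETWORKS, HOME_NET))
    print("HOME_NET ranges missing from Local Networks:", uncovered(HOME_NET, LOCAL_NETWORKS))
```

    Run it in both directions: ranges present only in HOME_NET are usually stale entries for networks that no longer exist, while ranges present only in Local Networks are the ones that will cause rules to misclassify internal traffic.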


    • Servers/DNS_SERVERS
    • Servers/HTTP_SERVERS
    • Servers/SMTP_SERVERS

    These variables are used by correlation rules that identify anomalous activity related to the corresponding protocols.


    • Reputation/CORP_GEOS
    • Reputation/SUSPICIOUS_GEOS

    Corporate geographic locations are typically defined as the countries where your company has corporate offices.  Suspicious geographic locations are typically defined as those from which you would not expect to receive communications during normal business operations.
