SIEM Foundations: Working With Alarms

Version 3

    Alarms are used by the SIEM to drive actions in response to incoming events.  Perhaps the most common action is sending an email to administrators to provide real-time notification of a critical security incident; however, McAfee ESM supports a wide range of other actions that can be used to automate various tasks related to incident response. 

     

    Note: This doc provides a quick overview of working with alarms.  For a more comprehensive dicussion, see SIEM Best Practices: Setting up and Managing Alarms on the McAfee Knowledge Center.

     

    An important part of having a sustainable, operational SIEM is having a set of alarms that provide proactive notifications of the most critical incidents.  In most environments, it’s not practical to have an incident responder watching a dashboard on a monitor 24x7.  With a proper set of alarms, the SIEM provides critical continuous monitoring functionality.

     

    “Proper set of alarms” is a subjective term, and each enterprise must ultimately determine what conditions merit notification based on business requirements.  In circumstances where you are using alarms to trigger incident response activities, you must consider the people resources you have available to respond.  Configuring too many alarms, or a few alarms that trigger too frequently on relatively low-severity incidents, only serves to create a great deal of noise.  Alarms should be carefully tuned to escalate the items that are most critical in your environment.

     

    Key actions for creating and maintaining alarms include:

     

    • Enable pre-built alarms.  McAfee ESM comes with a minimal set of pre-built alarms to provide notifications of important events related to the ESM itself (such as device failures, unusually high event rates, user modifications, etc.)  These alarms can be viewed in the Alarm Manager (System Properties/Alarms).  They are disabled by default; as a starting point for your deployment, review the canned alarms and enable alarms that represent a handful of critical events. (Note: canned alarms were introduced in ESM 9.4)

     

    To enable canned alarms:

      • Open the Alarm Manager (System Properties/Alarms).  Default alarms can be seen below.

    default-alarms.png

      • Select the alarms you would like to enable.  You may shift-click and control-click to multi-select.
      • Click the Enabled checkbox to enable the alarms of your choice, and then OK to save your changes.

     

    • Create alarms for events critical to your environment. In your investigations, over time you will discover repeated patterns of behavior that represent incidents that merit real time alerting or other actions.  Often there will be specific correlation rules (canned or custom) that you will use to identify these incidents.


    To create a new alarm for critical events:

      • Identify and select the critical event in any view, and from the popup menu select Actions/Create new alarm

    create-new-alarm.png

      • The Alarm Wizard will appear. 
        • Summary tab: Give your alarm a name, assignee, and severity. 
        • Condition tab: Should be pre-populated as an Internal Event Match alarm, based on the signature ID of your selected event.  You might like to change the type to Field Match, which gives you much more flexibility over the triggering conditions. 

    Note: See this doc for more details on Field Match alarms.

    Also consider modifying the trigger frequency if necessary to throttle the alarm appropriately.

        • Devices tab: Select the devices in your environment that might possibly generate the events that will trigger this alarm.  If you are triggering based on a correlated event, select only your Correlation Engine.
        • Actions tab: Select desired actions.  For testing, it's often helpful to enable the visual alert, so you can see a notification in the UI in real time as the alarm is generated.
        • Escalation tab: Leave disabled unless you have a need for more advanced alarm workflow.
      • Click Finish to save your new alarm.


    • Tune alarms to reduce noise. Some alarms may trigger too often, for situations that are considered low priority.  You may need to consider adding additional filter conditions to Field Match alarms, or adjusting trigger frequency, to reduce the overall level of alarming to sustainable levels.


    • Review alarm actions available, look for opportunities to automateUp until now we have discussed alarms as a tool to notify a human analyst to conditions that require attention in the SIEM.  However, alarms provide much more power than this.  Alarms can be used to trigger policy updates in various McAfee security products, launch custom scripts, update watchlists, and other actions.  This doc provides some excellent details on using the SIEM to orchestrate actions outside of the SIEM. 

     

     

    « previousoutlinenext »