SIEM Foundations - Index

Version 17

    Introducing McAfee SIEM Foundations


    In the course of every new SIEM deployment, there comes a time when the team responsible for the new tool takes a step back and asks, "Now what?"  This comes after the appliances are racked, networked and configured, and initial logs are flowing serenely into the SIEM.  Dashboards begin to populate with logs, canned correlation rules begin to fire, and the administrator sitting at the console is immediately overwhelmed by the magnitude of the problem they have tackled.  With millions, or billions, of individual events flowing into the SIEM every day, it is a daunting task to decide what is urgent today, which trends are important to watch over time, and what can be safely ignored.


    The McAfee SIEM Foundations program is designed as a roadmap to help users of McAfee SIEM build out their SIEM in a way that delivers value early and is easy to expand over time in a predictable fashion.  McAfee SIEM Foundations is based on a series of deployment stages that build directly on each other.  The basic concepts and tactics outlined in McAfee SIEM Foundations may be applied to any SIEM deployment; however, the bulk of this guide focuses on the details of implementing this program with McAfee Enterprise Security Manager (ESM).


    1 Introduction to McAfee SIEM

        1.1 Architecture Primer

        1.2 Hardware Review


    2 Installation and Configuration

        2.1 VM Installation and Configuration

        2.2 Basic Install and Config

        2.3 Adding (Keying) Additional SIEM Appliances

        2.4 Performing a Manual Rules Update (optional)

        2.5 Define ELM Storage Pools

        2.6 Other Configuration Steps

        2.7 Enable Correlation


    3 Connect Your SIEM to Your Enterprise

        3.1 Customize Logo on Login Page

        3.2 Customize Logo in the UI

        3.3 Connect to AD for Login Authentication

        3.4 Connecting the SIEM to a Windows Domain Controller for Asset Import

        3.5 Configure User-specific ESM Settings

        3.6 Define Zones

        3.7 Configure Local Networks

        3.8 Configure Variables

        3.9 Implement Enrichment to Pull in Full Source and Dest User Name From AD

        3.10 Basic Correlation Rule Tuning


    4 Configure Data Sources

        4.1 Configuring a SYSLOG Data Source

        4.2 Configuring a Windows Data Source

        4.3 Creating a McAfee ePolicy Orchestrator Data Source


    5 Connect Your SIEM to the World

        5.1 Implement URL Actions

        5.2 Threat Feeds

        5.3 Install Content Packs

        5.4 The Cyber Threat Manager in the McAfee ESM


    6 Get Familiar With Your SIEM

        6.1 Verify That All Data Sources Are Logging as Expected

        6.2 Learn Basic Navigation


    7 Operating and Tuning Your SIEM

        7.1 Working With Alarms

        7.2 Create and Manage Cases

        7.3 Tune Correlation Rules

        7.4 Filter Out Low-Value Events

        7.5 Ramp Up With Additional Data Sources as Needed


    8 SIEM Maintenance

        8.1 Configuring ESM Backup Settings

        8.2 Updating SIEM Software


    Moving Beyond Foundations

    This framework is a simple starting point to help as you begin your SIEM deployment.  As you mature your SIEM deployment, you will discover your own tricks, techniques, and optimizations.  This forum is an excellent place to share ideas with your fellow users.  Please leverage the comment sections throughout to voice your thoughts, share your successes, and ask for help.  Enjoy the journey.