Backtrace in the McAfee ESM

Version 2

     

    Backtrace allows a Cyber Threat Feed to detect any matches between an IOC and events in your environment. It allows for rapid threat detection and reduces the risk of prolonged exposure. Every time an IOC is sent to the McAfee ESM, it will parse it and look through existing events to see if any elements of the IOC matches the details of an event. It can provide a real time alarm and perform a number of automated actions if it finds a match. For example, if an IOC contains an IP address that indicates a compromise, it will look back at the ip address field of existing events. If any of the events also contain that IP address, you can configure it to automatically take an action.

     

    The Backtrace feature can be configured in the Cyber Threat Feeds properties in the properties menu.

    01.png

     

    Select the feed that you want to modify and click Edit. In my example, I'm going to edit the Mcafee Threat Feed.

     

    02.png

     

    Now, click on the Backtrace tab for the Backtrace Options.

     

    03.png

     

    There are several options available for us here.

     

    At the top in the Time Frame dropdown, we can configure how far back Backtrace will search for event hits.

    Next to it, we can choose to detect Events and Flows.

    With the Assignee dropdown, we can select who is assigned to the alarm when it is generated and set the severity of the Alarm right next to that.

    Also available, we can set up the same actionable commands as an alarm trigger. For example, we can create a case, execute a remote command, or send out an email to specified users with the Send Message option.

     

    After you have Backtrace set up, you can send it a sample IOC with the upload button as long as the feed source is configured with Manual Upload.

     

    04.png

     

    You can see any Backtrace hits by clicking on the Cyber Threat Indcators icon in the top right. Here, you can see a list of all the IOCs that have been sent to your McAfee ESM. It’ll show you to the indicator name, feed name, date received, and Backtrace Hits, which displays the number of events that have matches up with the IOC.

     

    05.png

     

     

    To view the hits, click on the Source Events tab for events. With this list of events, we can identify machines that were potentially affected by the IOC. In my example, here are all the events that had a File Hash that was part of the IOC. We can see that the IOC has discovered artifacts that indicate this system has accessed a malicious file based on the fact that both the IOC and this event has the same file hash.

     

    06.png

     

    As we can see, Backtrace provides a powerful tool for incident response by looking at historical data in your environment.

    It can rapidly detect threats and identify systems that may have been compromised in the past.