How to use Content Packs in the McAfee ESM

Version 3

    Content Packs are prepackaged sets of views, alarms, reports, watchlists, variables, and correlation rules built around specific use cases and delivered directly from McAfee. They are a quick and easy way to get up and running with new content without manually building each of the components. They also let McAfee release new content outside of the standard release cycle, so you get the latest updates immediately, and they let you respond to threats without spending time creating the tooling from scratch.

    Updating ESM

    To get started, we'll want to make sure that we have the latest content packs available by doing a rules update. The content packs are hosted on the McAfee ESM rules server, so as long as you can communicate with it, you can download the latest set of content packs at no additional cost.

    To ensure that you have the latest update, start by opening System Properties using its icon in the top right.

    01.png

    Under the System Information tab, click on “Rules Update”.

    02.png

    You can set it up to automatically check the rules server on a set interval, but I’m just going to click on the Check Now button to make sure that I have the latest rules.

    03.png

    After that’s complete, I can click OK and go back to the main System Properties page.

    Installing Content Packs

    On the System Properties page, there's a tab for the Content Packs.

    04.png

    When I click on that, it’ll show me the Content Packs that I have installed. My list is blank right now, but I’m going to install a new content pack in just a bit.

    To install a new content pack, click on the Browse button.

    05.png

    Here I can see a list of the content packs available for installation. New and updated content packs will be released as time goes on, and notifications of new content packs will be sent out through the SNS service.

    When I highlight a Content Pack, the Details section below provides information about it: which device types the content pack applies to, what it does, what I need to do before installing it, what I need to do after installing it, and what it includes, such as new views or correlation rules. We’ll also see a revision history if this is an updated content pack.

    06.png

    If my McAfee ESM server can’t automatically download new content packs from the rules server, I can use the import button to install a content pack using a configuration file that I have manually downloaded.

    I’m just going to install the Domain Policy and Windows Authentication Content Packs by checking the box next to them and clicking Install.

    I have already made sure that my prerequisites have been met, but you might want to double check to make sure that you've done what's listed in the Before You Install sections of the details.

    After I click Install, a box pops up asking whether I would like to roll out the policies. I’ll want to click Yes to enable the content pack. The content pack installs, and I can close the windows to get back to the main System Properties page.

    07.png

    I can see my new content pack and its installed version. I can uninstall it by checking it and clicking the Uninstall button, or I can update it if an update is available.

    Customizing Content Packs

    After installing a content pack, there may be a few post-installation steps listed in the Details section. For example, for the Domain Policy content pack, we can see the details of what to do after installing the content pack here.

    16.png

    Going through the list, we'll want to start by configuring the alarms to send notifications to the proper recipients. We can do that by going to the Alarms section. Here, we can see our two new Domain Policy alarms. I can decide whether I want these alarms enabled and can configure them to automatically send an email message when they trigger. One thing to note: if you add new entries to a content pack alarm, they won’t be overwritten when the content pack is updated. If you remove an item, though, it will be repopulated during an update.

    17.png

    Another item to update is the watchlist associated with this Content Pack. I can take a look at the new watchlist by going to the Watchlists section of the System Properties screen. Here, we have a new watchlist called Domain Policy – Security Groups. I'll want to add any additional important security groups as needed. This watchlist is used by several of the new correlation rules to alert on changes to important security groups.

    18.png

    To add to the watchlist, I'm going to select Domain Policy – Security Groups and click Edit. Then I'll click on the Values tab. Here, I can type in my additional security groups or import a list. After I'm done, I can click on Finish.

    19.png

    Also included in this content pack is a new report. I can review the report configuration by going to the report tab. Here, I can set up the recipients for this report with the Recipients button.

    20.png

    I can also schedule a report to be generated and sent out automatically. To schedule a report, click on the Edit button. Here, there's an option to set when you want this report to run. After I'm done, I can click on Save.

    21.png

    Now that I'm done with the configurations, I’m just going to click OK to close out of the System Properties screen.

    Reviewing Results

    The Content Pack has also added some new views to my dashboards. I can see that there are new views called Domain Policy Content Pack and Windows Authentication Content Pack.

    09.png

    I’m just going to take a quick look at the Windows Authentication Content Pack and select the Failed Windows Logons view as an example.

    10.png

    Here, I can see all of the failed logon attempts in my domain, along with details of each attempt such as the source IP address and the time it was attempted.

    11.png

    I’m also going to check my new correlation rules. I can click on the Correlation button and see my new Domain Policy correlation rules as well as my new Windows Authentication correlation rules. I can review a new correlation rule by clicking on it. The bottom pane shows the details of the rule, and I can modify the rule by clicking Edit > Modify in the menus.

    12.png

    13.png
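To make the two mechanisms above concrete, here is an added illustration (not McAfee ESM code, and not the content pack's actual correlation rules) of what a watchlist-driven correlation rule and the Failed Windows Logons view are doing underneath: group-membership change events are matched against the Security Groups watchlist, and failed logons are summarised per source IP. The watchlist entries, the simplified event dictionaries and all names and addresses are constructed for the example; only the Windows Security event IDs (4728/4729, 4732/4733, 4756/4757 for group membership changes and 4625 for a failed logon) are real.

```python
"""
Added illustration, not McAfee ESM code: a watchlist of important security
groups driving alerts on group-membership changes, and a per-source summary
of failed Windows logons. All events and names below are constructed.
"""
from collections import defaultdict

# Stands in for the "Domain Policy - Security Groups" watchlist after the
# administrator has added their own entries (constructed values).
SECURITY_GROUPS_WATCHLIST = {
    "Domain Admins",
    "Enterprise Admins",
    "Schema Admins",
    "Backup Operators",
}

# Windows Security event IDs for member added/removed on security-enabled
# global (4728/4729), local (4732/4733) and universal (4756/4757) groups,
# and for a failed logon (4625).
GROUP_ADD_EVENTS = {4728, 4732, 4756}
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}
GROUP_CHANGE_EVENTS = GROUP_ADD_EVENTS | GROUP_REMOVE_EVENTS
FAILED_LOGON_EVENT = 4625

# Constructed sample events in a simplified dict form (not ESM's native schema).
SAMPLE_EVENTS = [
    {"id": 4728, "time": "2024-01-10T08:01:00", "actor": "jsmith", "member": "tuser", "group": "Domain Admins"},
    {"id": 4732, "time": "2024-01-10T08:02:00", "actor": "jsmith", "member": "svc_print", "group": "Print Operators"},
    {"id": 4756, "time": "2024-01-10T08:03:00", "actor": "admin1", "member": "contractor", "group": "enterprise admins"},
    {"id": 4625, "time": "2024-01-10T08:04:00", "user": "bob", "src_ip": "10.0.0.5"},
    {"id": 4625, "time": "2024-01-10T08:05:00", "user": "bob", "src_ip": "10.0.0.5"},
    {"id": 4625, "time": "2024-01-10T08:06:00", "user": "alice", "src_ip": "10.0.0.5"},
    {"id": 4625, "time": "2024-01-10T08:07:00", "user": "carol", "src_ip": "192.168.1.20"},
    {"id": 4729, "time": "2024-01-10T08:08:00", "actor": "admin1", "member": "tuser", "group": "Domain Admins"},
]


def _normalize(name):
    # Group names in events and in the watchlist may differ in case and
    # whitespace, so both sides are compared in a canonical form.
    return " ".join(name.split()).lower()


def watchlist_hits(events, watchlist):
    """Return the group-change events whose target group is on the watchlist.

    This mirrors the idea of a correlation rule consulting the Security
    Groups watchlist; it is not ESM's rule engine. Removals are included
    because a change to an important group matters in both directions.
    """
    wanted = {_normalize(g) for g in watchlist}
    return [
        ev for ev in events
        if ev["id"] in GROUP_CHANGE_EVENTS and _normalize(ev["group"]) in wanted
    ]


def describe_hit(ev):
    """One-line alert text for a watchlist hit."""
    action = "added to" if ev["id"] in GROUP_ADD_EVENTS else "removed from"
    return f'{ev["time"]} {ev["member"]} {action} {ev["group"]} by {ev["actor"]}'


def failed_logons_by_source(events):
    """Summarise 4625 events per source IP: attempt count, accounts tried, first/last time."""
    summary = defaultdict(lambda: {"attempts": 0, "accounts": set(), "first": None, "last": None})
    for ev in events:
        if ev["id"] != FAILED_LOGON_EVENT:
            continue
        row = summary[ev["src_ip"]]
        row["attempts"] += 1
        row["accounts"].add(ev["user"])
        # ISO-8601 timestamps sort correctly as strings.
        row["first"] = ev["time"] if row["first"] is None else min(row["first"], ev["time"])
        row["last"] = ev["time"] if row["last"] is None else max(row["last"], ev["time"])
    # Sorted account lists give stable, comparable output.
    return {ip: {**row, "accounts": sorted(row["accounts"])} for ip, row in summary.items()}


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_EVENTS, SECURITY_GROUPS_WATCHLIST):
        print("ALERT:", describe_hit(hit))
    for ip, row in failed_logons_by_source(SAMPLE_EVENTS).items():
        print(f"{ip}: {row['attempts']} failed logons for {row['accounts']} "
              f"between {row['first']} and {row['last']}")
```

Run as-is, the script reports the three membership changes that touch watchlisted groups (the Print Operators change is ignored, and the lowercase "enterprise admins" still matches) and shows that 10.0.0.5 produced three failures across two accounts. In the real ESM the same effect comes from the content pack's correlation rules and the Failed Windows Logons view; the point of the example is that adding your own groups to the watchlist, as described in the Customizing section, is what widens the alerting to cover them.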

     

    So, as we have seen, content packs let us benefit from new configurations immediately. They’re simple to install and use, and they still allow us to customize them to suit our needs.