Variables are used by correlation rules in various ways to help identify suspicious and malicious behaviors in your environment. In order to be most effective, variables need to be configured to properly reflect your enterprise.
Variable definitions are configured in the Policy Editor. You can open the Policy Editor via the drop-down menu in the top-left corner of the UI.
Here is the Policy Editor where variables are configured:
The variables below provide a recommended list of variables that should be defined early in your McAfee SIEM deployment. Over time you may choose to tune other variables, or add new ones in order to optimize your SIEM deployment.
These variables allow you to define your standard working days and working hours. There are several correlation rules that leverage these variables to identify anomalous activities outside of standard working times. Keep in mind that the HOUR variables are defined in GMT timezone; you will need to convert your working time to GMT in order for these variables to be effective.
This legacy variable is used in place of the Local Networks/Homenet to identify internal IP addresses in some correlation rules. It should include the same IP ranges as Local Networks.
These variables are used by correlation rules that identify anomalous activities related to specified protocols.
Corporate geographic location is typically defined as countries where your company has corporate offices. Suspicious geographic locations are typically defined as those where you would not expect to receive communication from during normal business operations.