How to use Compliance Regulations in ESM 10.x Dashboards and Filter Sets for Investigation

Version 3

    The following article explains the steps to use compliance regulations in ESM 10.x; the feature is available in McAfee ESM version 10.0 and later.

    The complete list of supported compliance regulations is available at the following link:

    Compliance regulations available in McAfee ESM 10.x


    They can be accessed from the ESM field called "Compliance ID" and applied to any view. They can also be used directly from the search toolbar (no filter set is required if you do not want one), or from the query wizard for a view component or a report component, so that the view or report only includes events matching the selected compliance regulation.


    Here is an example of how to apply a Compliance filter to the Normalized Dashboard.


    Open the filter sets drop-down menu and select “Manage Filter Sets”. That action will launch the Configuration tab.


    Under the Configuration tab, click “Add Filter Set”.


    Type in “Compliance ID” and select the suggested field as indicated below:


    Click the funnel icon and browse the compliance tree until you find PCI DSS 2.0. Expand this entry and select 10.2.2, which covers "All actions taken by any individual with root or administrative privileges" in the regulatory standard.


    Click OK and save the filter as “Compliance PCI DSS2-10_2_2”.


    Back in the Normalized Dashboard, select your new filter “Compliance PCI DSS2-10_2_2”.


    Apply your new filter to the current dashboard with the magnifying glass icon as indicated below:


    Once the compliance regulation is selected, the view is updated to include only the events tagged with that regulation (for this example, actions taken by administrators) within the time period specified for the view. Note that the filter matches on the Compliance ID field of each event: an event whose rule carries no compliance tag will not appear in the filtered view, so an empty result on its own is not evidence that no administrative activity took place. The results for this example are below:


    The advantage of using compliance filters is that they can be applied to any default or custom view. The screenshot above shows the default Event Summary view with the same PCI DSS 2.0 10.2.2 filter applied.
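To make the behaviour of the filter concrete outside the GUI, the following is an added Python model of what a Compliance ID filter does to a set of normalized events; it is not McAfee ESM code, and the event fields, the tag string "PCI DSS 2.0/10.2.2", the rule names and the sample events are all constructed for illustration. It shows the two things the procedure above relies on: only events whose rule is tagged with the selected compliance ID are kept, and only within the view's time range, so an untagged root action and a tagged event outside the window both drop out of the Event Summary.

```python
"""Model of an ESM compliance-ID filter over normalized events.

Added example; not McAfee ESM code. Event fields, tag strings and the
sample events below are constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# How this example represents the ID selected in the compliance tree
# (PCI DSS 2.0 > 10.2.2). The string format is an assumption.
PCI_10_2_2 = "PCI DSS 2.0/10.2.2"


@dataclass(frozen=True)
class Event:
    time: datetime
    src_ip: str
    user: str
    rule: str
    compliance_ids: frozenset  # IDs the event's rule is tagged with (may be empty)


def compliance_filter(events, compliance_id, start, end):
    """Keep events tagged with compliance_id whose time falls in [start, end).

    An event whose rule carries no compliance tag never matches, whatever
    the user did, so an empty result is not proof of no admin activity.
    """
    return [e for e in events
            if compliance_id in e.compliance_ids and start <= e.time < end]


def event_summary(events):
    """Count matching events per rule, like the Event Summary view does."""
    return dict(Counter(e.rule for e in events))


T0 = datetime(2024, 1, 15, 9, 0)  # constructed view start time

# Constructed sample events: two tagged 10.2.2 events inside the window,
# one event tagged with a different requirement, one untagged root action,
# and one tagged 10.2.2 event outside the 24-hour view window.
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=5), "10.0.0.5", "root",
          "Linux: sudo command executed",
          frozenset({PCI_10_2_2, "PCI DSS 2.0/10.2.5"})),
    Event(T0 + timedelta(minutes=12), "10.0.0.8", "jdoe",
          "Windows: user logon",
          frozenset({"PCI DSS 2.0/10.2.5"})),
    Event(T0 + timedelta(minutes=20), "10.0.0.9", "Administrator",
          "Windows: local group membership changed",
          frozenset({PCI_10_2_2})),
    Event(T0 + timedelta(minutes=33), "10.0.0.5", "root",
          "Linux: unmapped syslog line",
          frozenset()),
    Event(T0 + timedelta(hours=25), "10.0.0.9", "Administrator",
          "Windows: local group membership changed",
          frozenset({PCI_10_2_2})),
]


def run_example():
    """Apply the 10.2.2 filter over a one-day view and summarise the result."""
    view_start, view_end = T0, T0 + timedelta(days=1)
    matched = compliance_filter(SAMPLE_EVENTS, PCI_10_2_2, view_start, view_end)
    return matched, event_summary(matched)


if __name__ == "__main__":
    matched, summary = run_example()
    for e in matched:
        print(e.time.isoformat(), e.src_ip, e.user, e.rule)
    print(summary)
```

The untagged "root" syslog line in the sample set is the case to keep in mind when reading a filtered dashboard: the filter never sees it, because matching is done on the compliance tag the rule carries, not on the user name or the content of the event.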