McAfee ESM 10x - How To Use The Field Match Alarm In McAfee ESM 10x

Overview

There are times when you need to be alerted as soon as possible when one type of event happens, without waiting for the event to go through the usual correlation process. Such events might include auditing being disabled, privilege escalation on an account, or logs being cleared, which is the example we will use in this document. This document explains how to create such an alarm, based on the fields of one single event matching one or more criteria. It will trigger when one or more fields of an event are matched, and it will trigger as soon as the receiving device, which can be the Event Receiver, Advanced Correlation Engine, Enterprise Log Manager or Application Data Monitor, receives and parses the event. The event does not need to go through the correlation process for the alarm to trigger.

Procedure

Setting up the alarm

Let’s log on to our McAfee ESM to see if such events have occurred. Here, we see that our event logs were cleared.

As we mentioned earlier, that could be a sign that someone is trying to cover their tracks and we want to be alerted immediately when such an event happens.

To be alerted right away let’s create an alarm for this event. In the console click on the event you want to create an alarm for. In our case, we’ll click on “Log file cleared.”

Then pull down the menu at the top left corner of the pane where the event is displayed.

Select “Create Alarm.”

The Alarm settings window opens. Let’s give this new alarm a name, a description and assign it to a user.

Now, let’s click on the Condition tab to define what fields need to match for the alarm to trigger.

Here, we see the Signature ID that is associated with the event I want to be alerted on. Since the signature ID is a quick and sure way to identify this event, I recommend that you copy the signature ID from this field so we can use it in the next step.

Note: This signature ID applies to Windows Security logs being cleared. Windows Application and System logs being cleared use their own signature ID.

So, let’s select FieldMatch as our type. The Filter window opens.

Now, we are going to drag and drop the filter icon into the view.

The add filter field window opens.

Enter Signature ID.

Then click on the start on the right side of the window.

The default value editor opens. Paste the signature ID that you copied earlier.

Then I’m going to click Add. The copied signature ID appears in the default value pane. Click OK.

Click OK one more time. We can see that our filter is added. It will trigger the alarm when the signature ID of an event matches the one we just copied, which is when the Windows security event log is cleared.

But now, let’s say we only want to be alerted if this happens on our mission critical servers.

So, let’s drag and drop the AND logical operator.

To filter on the server name, we need to drag and drop another filter. Let’s do that.

A new Add Filter Window opens.

This time, we are going to select Host. Click on the start again on the right to define the host value to match.

In this case, we know that Host is a custom type, so we’ll click on the custom type tab.

Click in the value column next to Host, and enter the name of your server. In our case, our server name is “Winserver,” so, that’s what we will enter here.

Click Add and click OK. Click OK again.

Our two conditions have been added. The event’s signature ID will have to match a Windows log cleared event, and the host will have to be named “Winserver.”

In the Maximum Condition Trigger Frequency field, you can select the amount of time to allow between triggers to prevent a flood of notifications. Each trigger will contain the first event that matches the trigger condition within the trigger frequency period; further matches within that period do not generate a new alarm. If you set it to zero, all matching events will generate an alarm.

Click Next. We are going to check the alarm for our Receiver. That means the alarm will be enabled only for events coming through this receiver. You can check the other devices of your choice if you want to enable this alarm on them too. This also means that the alarm will trigger as soon as our receiver sees the event, without it even being sent to the ESM.

Click Next. Now we are going to select what happens when the alarm triggers. We are going to choose to log the event and have a visual display on our console.

Click Next. Here we can set up an escalation process. We are going to set 5 minutes.
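To make the condition and trigger-frequency semantics concrete, here is an added Python model of the alarm built above (example code, not McAfee ESM code): it ANDs the Signature ID and Host filters and suppresses repeat triggers within the Maximum Condition Trigger Frequency window. The signature ID value is a constructed placeholder; use the one shown in your own Condition tab.

```python
"""Added example (not McAfee ESM code): a minimal model of a Field Match
alarm evaluated at the receiver, with a Maximum Condition Trigger Frequency
suppression window as described in the procedure above."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values. The real Windows "Log file cleared" signature ID
# is the one shown on the Condition tab of your own ESM; this is a placeholder.
LOG_CLEARED_SIG_ID = "SIGID-PLACEHOLDER"
CRITICAL_HOST = "Winserver"


@dataclass
class FieldMatchAlarm:
    """All conditions must match (AND), like the two filters built above."""
    conditions: dict                      # field name -> required value
    trigger_frequency_s: int = 0          # 0 = every matching event triggers
    last_trigger: Optional[float] = None  # time of the last alarm raised
    triggered: list = field(default_factory=list)

    def matches(self, event: dict) -> bool:
        return all(event.get(k) == v for k, v in self.conditions.items())

    def process(self, event: dict) -> bool:
        """Return True if this event raises the alarm.

        The first matching event within a trigger-frequency window triggers;
        later matches in the same window are suppressed to prevent floods.
        """
        if not self.matches(event):
            return False
        ts = event["time"]
        if (self.trigger_frequency_s and self.last_trigger is not None
                and ts - self.last_trigger < self.trigger_frequency_s):
            return False
        self.last_trigger = ts
        self.triggered.append(event)
        return True


def run_demo() -> list:
    """Feed constructed sample events (time in seconds) through the alarm."""
    alarm = FieldMatchAlarm({"sig_id": LOG_CLEARED_SIG_ID, "host": CRITICAL_HOST},
                            trigger_frequency_s=300)
    events = [
        {"time": 0,   "sig_id": LOG_CLEARED_SIG_ID, "host": "Winserver"},  # triggers
        {"time": 10,  "sig_id": LOG_CLEARED_SIG_ID, "host": "Winserver"},  # suppressed
        {"time": 20,  "sig_id": LOG_CLEARED_SIG_ID, "host": "Desktop01"},  # wrong host
        {"time": 30,  "sig_id": "other-sig",        "host": "Winserver"},  # wrong sig
        {"time": 400, "sig_id": LOG_CLEARED_SIG_ID, "host": "Winserver"},  # new window
    ]
    return [alarm.process(e) for e in events]
```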

Triggering the Alarm

Now let’s clear the security log on our Windows server.

And we can see the visual alarm icon at the top right corner of the console.

You’ve seen how to create an immediate alarm based on the fields of one single event matching one or more criteria, and you’ve seen how quickly this alarm shows up. You can now set up alarms on events you want to be alerted on right away.

Conclusion

We’ve looked at the new Field Match Alarm feature available in McAfee ESM 10x. This is a great feature to use to be alerted faster when one type of event occurs. It is different from the traditional alarms that already exist in the product because it will trigger as soon as the device receiving events sees a matching event.

Version history: Revision 1 of 1. Last update: 11-08-2017 04:33 PM