In order to allow you to detect the latest attacks and to collect data from new data sources, McAfee provides regular updates to the SIEM. This document explains how to update your McAfee SIEM, either manually or automatically. The McAfee SIEM ships with a default set of data source and correlation rules; however, these rules are frequently updated to support additional event parsing and correlation incident logic.
You can update the rules automatically if your SIEM can access the Internet. If your SIEM does not have Internet access, you can update the rules manually. We are going to cover both methods.
You can also watch the steps described on this page by viewing the video below:
1. Updating rules
First, log in to your McAfee ESM console.
Click the System properties icon in the upper right corner of the interface.
If you are updating your SIEM for the first time, like right after the initial setup, you’ll notice that the last update field says “never.” Otherwise, it will show the date at which the last update was performed. In addition, if you have not yet set your permanent credentials, you will see the number of days left before your access expires.
Click on Rules Updates.
The Rules Update dialog box opens.
2. Manual Update
We are going to start with a manual update. This is the method for SIEM deployments that do not have access to the Internet. But first, we need to download the appropriate files from the McAfee web site.
Your landing page will be different depending on the entitlement associated with your grant number.
Find the SIEM section.
In our example, we are going to select the virtual ESM, Event Receiver, Log Manager combo, because this is what we are running. The SIEM options available to you will also depend on your entitlement.
Click on the SIEM link.
Click on the MFE Nitro Rules Downloads link.
Rules updates are version specific, so make sure you download the rules update files for your version of the McAfee SIEM. At the time of this video, we are running version 9.3.2, so, that’s the file we are going to download.
Save the file.
Now that we have downloaded it, let’s go back to the ESM console.
Click the Manual Update button.
The File Upload window opens.
Browse to the location of the rule update file you just downloaded.
You will see no further indication that the update is being applied, until later, when the update process is done. This can take several minutes.
Click Cancel again.
When the update is done, a Manual Rule Update Successful window will appear. This dialog also appears when you log onto the console if rules updates have recently been applied.
Now, let’s double check that the update was successful.
Click on the system properties icon in the top right corner.
Now, next to rule updates, instead of never, you will see Manual Update and the date the ESM was updated, which is a good way to tell when updates are successful.
3. Automatic Update
Now we are going to do an automatic update. This will only work if your SIEM is connected to the Internet and if you have requested and obtained a customer ID and password from McAfee. You can do that by sending an email to email@example.com with your grant number, company name, address, name and email address.
Click Rules Update.
The Rules Update window opens.
Click the Credential button.
Enter your customer ID and password.
The way to know that it worked is that you get no message at all and the credential window disappears. If it does not work, you will get an error message.
Now you can configure your SIEM to auto check for updates on a regular basis.
Check the Auto Check Interval box.
The default interval is every 12 hours.
You can also choose to check for updates now.
Click the Check Now button.
The Rules Update Progress window opens.
Just like for the manual process, a pop-up window will later inform you when the update has been successful. If you are not logged into the console when the update completes, you will get the pop-up the next time you log on to the SIEM.
Click on Hide.
Notice that the information next to Rules Update has changed again. It now says “Auto Update”. Again, this is a good way to know how and when the last update occurred.
Also notice that the number of days remaining before access to the product expires has disappeared.
That’s because we entered our permanent credentials as part of the automated rules update process.
Our customer ID also appears at the top of the page.
The SIEM will now automatically check for updates at the interval you specified.
Now you know how to update your McAfee SIEM.
In addition, if your SIEM does not have access to the Internet, you can subscribe to the McAfee Support Notification Services to be notified when a major update becomes available, so you can go and download it. To sign up for this service, go to https://SNS.SNSSECURE.MCAFEE.COM/CONTENT/SIGNUP_LOGIN
Finally, every week, new signature reports are created for the SIEM products. You can view these in the KnowledgeBase article KB75608 (to view this article, you have to log into the ServicePortal. For information on how to register via the ServicePortal, see KB54031).
For more information about the McAfee SIEM, visit: