McAfee SIEM - How to perform rules updates

Overview

 

To let you detect the latest attacks and collect data from new data sources, McAfee provides regular updates to the SIEM. This document explains how you can update your McAfee SIEM, either manually or automatically. The McAfee SIEM ships with a default set of data source and correlation rules; however, these rules are frequently updated to support additional event parsing and correlation incident logic.

 

You can update the rules automatically if your SIEM can access the Internet. Or, if your SIEM does not have Internet access, you can update the rules manually. We are going to see both methods.

 

 

Video

 

You can also watch the steps described on this page by viewing the video below:

 

 

 

 

Procedure

 

 

1. Updating rules

 

First, log in to your McAfee ESM console.

 

Click the System properties icon in the upper right corner of the interface.

 


If you are updating your SIEM for the first time, like right after the initial setup, you’ll notice that the last update field says “never.” Otherwise, it will show the date at which the last update was performed. In addition, if you have not yet set your permanent credentials, you will see the number of days left before your access expires.

 


Click on Rules Updates.

 

The Rules Update dialog box opens.

 


2. Manual Update

 

We are going to start with a Manual Update. This is valid for SIEM deployments that do not have access to the Internet. But first, we need to download the appropriate files from the McAfee web site.

 

In the browser of a system that has access to the Internet, go to www.mcafee.com/us/downloads/downloads.aspx

 

Enter your grant number.

 


Your landing page will be different depending on the entitlement associated with your grant number.

 

Find the SIEM section.

 


In our example, we are going to select the virtual ESM, Event Receiver, Log Manager combo, because this is what we are running. The SIEM options available to you will also depend on your entitlement.

 

Click on the SIEM link.

 

Click on the MFE Nitro Rules Downloads link.

 


Click Agree.

 

Rules updates are version specific, so make sure you download the rules update files for your version of the McAfee SIEM. At the time of this video, we are running version 9.3.2, so, that’s the file we are going to download.

 


Save the file.

 

Now that we have downloaded it, let’s go back to the ESM console.

 

Click the Manual Update button.

 


The File Upload window opens.

 

Browse to the location of the rule update file you just downloaded.

 


Click Upload.

 

You will see no further indication that the update is being applied, until later, when the update process is done. This can take several minutes.

 

Click Cancel.

 


Click Cancel again.

 

When the update is done, a Manual Rule Update Successful window will appear. This dialog also appears when you log on to the console after rules updates have been recently applied.

Click OK.

 


Now, let’s double check that the update was successful.

 

Click on the system properties icon in the top right corner.

 


Now, next to rule updates, instead of never, you will see Manual Update and the date the ESM was updated, which is a good way to tell when updates are successful.

 


3. Automatic Update

 

Now we are going to do an automatic update. This will only work if your SIEM is connected to the Internet and if you have requested and obtained a customer ID and password from McAfee. You can do that by sending an email to licensing@mcafee.com with your grant number, company name, address, name and email address.

 

Click Rules Update.

 

The Rules Update window opens.

 

Click the Credential button.

 


Enter our customer ID and password.

 

Click Validate.

 


The way to know that it worked is that you don’t get any message at all and the credential window disappears. If it does not work, you will get an error message.

 

Now you can configure your SIEM to auto check for updates on a regular basis.

 

Check the Auto Check Interval box.

 

The default interval is every 12 hours.

 


You can also choose to check for updates now.

 

Click the Check Now button.

 


The Rules Update Progress window opens.

 

Just like for the manual process, a pop-up window will later inform us when the update has been successful. And if you are not logged into the console when the success occurs, you will get the pop-up the next time you log on to the SIEM.

 


Click on Hide.

 


Click OK.

 


Notice that the information next to Rules Update has changed again. It now says “Auto Update”. Again, this is a good way to know how and when the last update occurred.

 

Also notice that the number of days before we could not access the product has disappeared.

That’s because we entered our permanent credentials as part of the automated rules update process.

 

Our customer ID also appears at the top of the page.

 


The SIEM will now automatically check for updates at the interval you specified.

 

Conclusion

 

Now you know how to update your McAfee SIEM.

 

In addition, if your SIEM does not have access to the Internet, you can subscribe to the McAfee Support Notification Services to be notified when a major update becomes available, so you can go and download it. To sign up for this service, go to https://SNS.SNSSECURE.MCAFEE.COM/CONTENT/SIGNUP_LOGIN

 

Finally, every week, new signature reports are created for the SIEM products. You can view these in the KnowledgeBase article KB75608 (to view this article, you have to log into the ServicePortal. For information on how to register via the ServicePortal, see KB54031).

 

Useful Links

 

For more information about the McAfee SIEM, visit:

 

McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

 

McAfee SIEM Community: https://community.mcafee.com/community/business/siem

 

McAfee Sales page: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales

 

https://kc.mcafee.com/corporate/index?page=content&id=KB75608

Comments

It's necessary to update this documentation. Because the website is totally different today. To download. Now is SIEM Rules Downloads...

Version history: revision 2 of 2, last update 03-15-2018 12:19 PM
