McAfee SIEM - How to use the New Field Match Alarm in McAfee SIEM v9.4

Overview

 

There are times when you need to be alerted as soon as possible when one type of event happens, without waiting for the event to go through the usual correlation process. Such events might include auditing being disabled, privilege escalation on an account, or logs being cleared, which is the example we will use in this document. That ability is new in version 9.4. This document explains how to create such an alarm, based on the fields of one single event matching one or more criteria. It triggers when one or more fields of an event match, and it triggers as soon as the receiving device (the Event Receiver, Advanced Correlation Engine, Enterprise Log Manager or Application Data Monitor) receives and parses the event. The event does not need to go through the correlation process for the alarm to fire.

 

Video

 

You can also watch the steps described in this document by viewing the video below.

 

 

 

Procedure

 

Setting up the alarm

 

Let’s log on to our McAfee SIEM to see if such events have occurred. Here, we see that our event logs were cleared.

 

image002.png

 

As we mentioned earlier, that could be a sign that someone is trying to cover their tracks and we want to be alerted immediately when such an event happens.

 

To be alerted right away, let’s create an alarm for this event. In the console, click on the event you want to create an alarm for. In our case, we’ll click on “Audit log cleared.”

 

Then pull down the menu at the top left corner of the pane where the event is displayed. 

 

Select “Create New Alarm.”

 

image004.png

 

The Alarm settings window opens.

 

image006.png

 

Let’s give this new alarm a name, a description and assign it to a user.

 

image008.png

 

Now, let’s click on the Condition tab to define what fields need to match for the alarm to trigger.

 

image010.png

 

Here, we see the Signature ID associated with the event we want to be alerted on. Because the signature ID is the quickest and most reliable way to identify this event, copy it from this field now; we will use it in the next step.

 

Note: This signature ID applies to the Windows Security log being cleared (the underlying Windows event is ID 1102, “The audit log was cleared”). The Windows Application and System logs being cleared are reported by a different Windows event (ID 104) and use their own signature ID in the SIEM, so an alarm on this one signature ID will not catch them.

 

Note: Under Type, you can see “Internal Event Match.” This is the new label for the alarm condition that was called Field Match in versions of the SIEM prior to 9.4.

 

image012.png

 

If you drop the list down, you’ll see that in 9.4 a new Field Match alarm condition has been added. As explained earlier, that new condition can match on one or more fields of an event, and it triggers as soon as the receiving device receives and parses the event.

 

image014.png

 

So, let’s select Field Match as our type. The Filter window opens.

 

image016.png

 

Now, we are going to drag and drop the filter icon into the view.

 

image018.png

 

The add filter field window opens.

 

Select Signature ID.

 

Then click on the green arrow on the right side of the window.

 

image020.png

 

The default value editor opens. Paste the signature ID you copied earlier.

 

image022.png

 

Click Add. The copied signature ID appears in the default value pane.

 

image024.png

 

Click OK.

 

image026.png

 

Click OK one more time. We can see that our filter is added. It will trigger the alarm when the signature ID of an event matches the one we just copied, which is when the Windows security event log is cleared.

 

image028.png

 

But now, let’s say we only want to be alerted if this happens on our mission critical servers.

 

So, let’s drag and drop the AND logical operator.

 

image030.png

 

image032.png

 

To filter on the server name, we need to drag and drop another filter. Let’s do that.

 

image034.png

 

A new Add Filter Window opens.

 

This time, we are going to select Host. Click on the little green arrow on the right to define the host value to match.

 

image036.png

 

image038.png

 

In this case, we know that Host is a custom type, so we’ll click on the custom type tab.

 

image040.png

 

Click in the value column next to Host, and enter the name of your server. In our case, our server name is “Winserver,” so, that’s what we will enter here.

 

image042.png

 

Click Add and click OK. Click OK again.

 

Our two conditions have been added. The event’s signature ID will have to match the Windows Security log cleared event, and the host name will have to be “Winserver.”

 

In the Maximum Condition Trigger Frequency field, you can set the minimum amount of time between two triggers of this alarm, to prevent a flood of notifications. Each trigger will contain the first event that matched the condition within that period; later matches in the same period do not produce separate triggers. If you set it to zero, every matching event generates an alarm.

 

image044.png
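To make the condition and throttling semantics concrete, here is a small model of what the Receiver evaluates, written for this document as an added example; it is not McAfee code and does not reproduce the product’s internals. The signature ID value, the host name and the event records are constructed placeholders: in the real alarm the signature ID is the one copied from the Condition tab. The model implements the two filters joined by AND, and the Maximum Condition Trigger Frequency as read from the paragraph above (the first match in a period fires, later matches in the same period are suppressed, zero means every match fires).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]          # one parsed event: field name -> value
Condition = Callable[[Event], bool]

# Placeholders, not real SIEM values: the value copied from the Condition
# tab would go in place of SIG_ID_LOG_CLEARED.
SIG_ID_LOG_CLEARED = "SIGID-WINDOWS-SECURITY-LOG-CLEARED"
CRITICAL_HOST = "Winserver"


def field_equals(name: str, value: str) -> Condition:
    """One filter box: a single event field compared to a literal value."""
    return lambda ev: ev.get(name) == value


def all_of(*conds: Condition) -> Condition:
    """The AND operator dragged between two filters."""
    return lambda ev: all(c(ev) for c in conds)


@dataclass
class FieldMatchAlarm:
    name: str
    condition: Condition
    max_trigger_frequency: int          # seconds; 0 means every match triggers
    triggered: List[Event] = field(default_factory=list)
    _window_start: Optional[int] = None

    def process(self, ev: Event) -> bool:
        """Evaluate one event as the receiving device parses it. Returns True
        when the alarm fires. The only state kept is the throttle window;
        there is no correlation across events."""
        if not self.condition(ev):
            return False
        ts = int(ev["time"])
        if (self.max_trigger_frequency > 0
                and self._window_start is not None
                and ts - self._window_start < self.max_trigger_frequency):
            return False                # suppressed: inside the frequency window
        self._window_start = ts         # first match in a new window fires
        self.triggered.append(ev)
        return True


def run_alarm(max_trigger_frequency: int, events: List[Event]) -> List[str]:
    """Feed a stream of parsed events through a fresh alarm and return the
    timestamps of the events that fired."""
    alarm = FieldMatchAlarm(
        name="Security log cleared on critical server",
        condition=all_of(field_equals("sigid", SIG_ID_LOG_CLEARED),
                         field_equals("host", CRITICAL_HOST)),
        max_trigger_frequency=max_trigger_frequency,
    )
    return [ev["time"] for ev in events if alarm.process(ev)]


# Constructed sample events (already parsed by the Receiver), not real data.
SAMPLE_EVENTS: List[Event] = [
    {"time": "1000", "sigid": SIG_ID_LOG_CLEARED, "host": "Winserver"},    # fires
    {"time": "1005", "sigid": SIG_ID_LOG_CLEARED, "host": "Workstation"},  # wrong host
    {"time": "1030", "sigid": "SIGID-OTHER", "host": "Winserver"},         # wrong sigid
    {"time": "1060", "sigid": SIG_ID_LOG_CLEARED, "host": "Winserver"},    # 60 s later
    {"time": "1400", "sigid": SIG_ID_LOG_CLEARED, "host": "Winserver"},    # 400 s later
]

if __name__ == "__main__":
    print("frequency 0  :", run_alarm(0, SAMPLE_EVENTS))     # ['1000', '1060', '1400']
    print("frequency 300:", run_alarm(300, SAMPLE_EVENTS))   # ['1000', '1400']
```

With a frequency of 0 all three matching events fire; with 300 seconds the second clear at 1060 is folded into the first trigger and only the clear at 1400 produces a new one. Whether the product measures the period from the first match or from the last trigger is not stated on this page; when tuning the value, generate two clears a few seconds apart on a test host and confirm you get the number of alarms you expect.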

 

Click Next. We are going to check the alarm for our Receiver. That means the alarm will be enabled only for events coming through this Receiver; check any other devices on which you want this alarm enabled too. Because the condition is evaluated on the Receiver itself, the alarm will trigger as soon as the Receiver sees the event, before the event is even forwarded to the ESM.

 

image046.png

 

Click Next. Now we are going to select what happens when the alarm triggers. We are going to choose to log the event and have a visual display on our console.

 

image048.png

 

Click Next. Here we can set up an escalation process. We are going to keep the defaults.

 

image050.png

 

Triggering the Alarm

 

Now let’s clear the Security log on our Windows server.

 

image052.png

 

We can see the visual alarm pop up at the bottom right corner of the console, and the alarm shows up in our alarm pane at the bottom left corner of the console.

 

image054.png

 

You’ve seen how to create an immediate alarm based on the fields of one single event matching one or more criteria, and how quickly this alarm shows up. You can now set up alarms on any events you want to be alerted on right away.

 

Conclusion

 

We’ve looked at the new Field Match Alarm feature available in the McAfee SIEM 9.4. This is a great feature to use to be alerted faster when one type of event occurs. It is different from the traditional alarms that already exist in the product because it will trigger as soon as the device receiving events sees a matching event.

 

Useful Links

 

For more information about the McAfee SIEM, visit:

 

McAfee SIEM Product page: http://www.mcafee.com/us/products/siem/index.aspx

 

McAfee SIEM Community: https://community.mcafee.com/community/business/siem

 

McAfee Sales page http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales

Comments

Does it work without ACE or Correlation Engine?

ACE and/or Correlation Engine is not necessary for this feature. All the logic occurs on the device that queues the events for the ESM. Normally this is a Receiver, although ADM, DEM, and ACE also have the functionality.

Version history: Revision 2 of 2, last update 03-15-2018 01:00 PM
