
SIEM Foundations: Configure Variables in ESM 10

Variables are used by correlation rules in various ways to help identify suspicious and malicious behaviors in your environment.  In order to be most effective, variables need to be configured to properly reflect your enterprise.

Variable definitions are configured in the Policy Editor.  You can open the Policy Editor via the drop-down menu in the top-left corner of the UI.

Here is the Policy Editor where variables are configured:

The list below contains the variables that should be defined early in your McAfee SIEM deployment.  Over time you may choose to tune other variables, or add new ones, in order to optimize your SIEM deployment.

  • Application/DAY_END
  • Application/DAY_START
  • Application/HOUR_END
  • Application/HOUR_START

These variables allow you to define your standard working days and working hours.  Several correlation rules use these variables to identify anomalous activity outside of standard working times.  Keep in mind that the HOUR variables are defined in GMT; you will need to convert your working hours to GMT in order for these variables to be effective.

  • Networks/HOME_NET

This legacy variable is used in place of the Local Networks/Homenet to identify internal IP addresses in some correlation rules.  It should include the same IP ranges as Local Networks.
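One way to check that HOME_NET and Local Networks cover the same address space, as an added example that is not part of the original article. It assumes both definitions have been copied out of ESM by hand as CIDR strings; the function names and the sample ranges are constructed for illustration.

```python
import ipaddress


def collapse(cidrs):
    """Parse CIDR strings and merge adjacent/overlapping ranges per IP version."""
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    merged = []
    for version in (4, 6):  # collapse_addresses() rejects mixed versions
        merged.extend(
            ipaddress.collapse_addresses(n for n in nets if n.version == version)
        )
    return merged


def subtract(a, b):
    """Return the collapsed networks covered by list a but not by list b."""
    remaining = collapse(a)
    for hole in collapse(b):
        kept = []
        for net in remaining:
            if net.version != hole.version or not net.overlaps(hole):
                kept.append(net)                       # untouched by this hole
            elif hole != net and hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))  # carve the hole out
            # otherwise net lies entirely inside hole and is dropped
        remaining = kept
    return sorted(remaining, key=lambda n: (n.version, n))


def compare(local_networks, home_net):
    """Report address space present in one definition but not the other."""
    return {
        "missing_from_HOME_NET": [str(n) for n in subtract(local_networks, home_net)],
        "only_in_HOME_NET": [str(n) for n in subtract(home_net, local_networks)],
    }


# Constructed sample values, not taken from any real deployment.
LOCAL_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
HOME_NET = ["10.0.0.0/9", "10.128.0.0/9", "172.16.0.0/12",
            "192.168.0.0/17", "198.51.100.0/24"]

if __name__ == "__main__":
    for label, ranges in compare(LOCAL_NETWORKS, HOME_NET).items():
        print(f"{label}: {', '.join(ranges) or 'none'}")
```

Both lists being empty in the report means the two definitions cover identical address space, even if they are written with different prefix lengths.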

  • Servers/DNS_SERVERS
  • Servers/HTTP_SERVERS
  • Servers/SMTP_SERVERS

These variables are used by correlation rules that identify anomalous activities related to specified protocols.

  • Reputation/CORP_GEOS
  • Reputation/SUSPICIOUS_GEOS

Corporate geographic locations are typically defined as the countries where your company has corporate offices.  Suspicious geographic locations are typically defined as those from which you would not expect to receive communication during normal business operations.


Version history: revision 1 of 1. Last update: 03-13-2017 03:05 PM