SIEM Foundations: Configuring a Windows Data Source in ESM 10x

Creating a Windows Data Source Profile

The McAfee SIEM provides a facility to store commonly used profiles for attributes such as Windows account credentials and data storage mount parameters (CIFS, NFS, etc.). This allows the SIEM administrator to enter the required profile information once, in a central location, which the SIEM then references whenever it is needed.

One of the most useful profiles to configure is the Windows Data Source profile. It stores the credentials and log collection details that are later used when defining a Windows (WMI) data source on the Event Receiver. By using a profile when creating a Windows data source, the SIEM operator does not enter the credentials for each source but instead assigns the profile's attributes to the data source. The credentials are therefore maintained in one place: any change to the username or password is made once in the profile, and every data source that references the profile automatically uses the modified values.

To create a Windows Data Source Profile:

  1. From the Pancake Menu, select System Properties.
  2. Select Profile Management from the System Properties window.
  3. Click Add to add a new profile. The Add System Profile window will open.

To enter credentials:

  1. As Profile Type, select Data Source.
  2. As Profile Agent, select Windows.
  3. In Profile Name, enter the name you want to use for this profile.
  4. Enter the Username and Password you want to use. These can be local account or domain account credentials.
  5. In the Event Logs field, select the logs you want to collect (e.g. "SYSTEM" or "SYSTEM, SECURITY, APPLICATIONS").
  6. Click OK to confirm.

Configuring a Windows Data Source

There are several methods that can be used to add a Data Source to an Event Receiver for collection. Here are three possibilities:

  • One at a time from the Action Toolbar, or multiple sources from the Data Source section of the Event Receiver Properties window,
  • Bulk creation via CSV file import, or
  • Auto Learn.

The simplest way to add a single Data Source to a Receiver and begin event and log collection is the one-at-a-time option, which is what we will use here. From the Action Toolbar:

  1. From the Configuration tab, select the Event Receiver on which you will be configuring the Windows Data Source.
  2. From the Action Toolbar, click the Add Data Source button. The Add Data Source window will open.
  3. Check the box to the right of Use System Profiles.
  4. Select the Data Source profile created in the previous section (e.g. "Windows - Windows Data Source").
  5. In the Name field, enter a unique name for the new data source.
  6. In the IP Address field, enter the IP address of the server.
     NOTE: For Windows hosts that acquire an IP address from DHCP, this field can be left blank. The SIEM will perform a DNS lookup using the hostname to obtain the current IP address at each polling interval.
  7. In the Host field, enter the NetBIOS name assigned to the Windows host. Example: if the DNS name is hostname.domain.com, the NetBIOS name will likely be just hostname.
  8. Click the Connect button to test the connection to the Windows Data Source.

If the connection attempt is successful, a dialog box will open indicating that the Windows Data Source is correctly configured to support event collection from the Windows host and that the credentials provided are sufficient to retrieve the defined WMI logs.

If the connection attempt fails, a dialog box will open with details that can be used to troubleshoot the connection. Common connection problems include an incorrect IP address or NetBIOS name, wrong user credentials, or a user account without the privilege needed to read the defined WMI log source. Correct any errors and re-test the WMI connection until the response is successful.
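When the Receiver's Connect test fails, it helps to reproduce the same three checks from an ordinary Windows administration host, because each one isolates a different cause listed above: name resolution (the lookup the Receiver performs when the IP field is blank), reachability of the DCOM/RPC port that WMI uses, and whether the profile account can actually read each selected log. The script below is an added example written for this article, not McAfee's own tooling or part of the ESM product; the host name and log list are assumed placeholders and the credential is prompted for so it matches the account stored in the profile.

```powershell
# Added example (not McAfee code): replicate the Receiver's WMI connection test from an admin host.
# Assumptions: $TargetHost is the NetBIOS name entered in the Host field, $LogNames are the logs
# chosen in the profile's Event Logs field, and the prompted credential is the profile account.
$TargetHost = 'hostname'                                # assumed placeholder
$LogNames   = @('System', 'Security', 'Application')   # assumed; mirror the profile's selection
$Cred       = Get-Credential -Message 'Account stored in the Windows data source profile'

# 1. Name resolution: with a blank IP field the Receiver resolves this name at every poll.
try {
    $addr = [System.Net.Dns]::GetHostAddresses($TargetHost) | Select-Object -First 1
    Write-Host "DNS  : $TargetHost -> $($addr.IPAddressToString)"
} catch {
    Write-Warning "DNS lookup failed for $TargetHost : $($_.Exception.Message)"
    return
}

# 2. Reachability: DCOM-based WMI starts at the RPC endpoint mapper on TCP 135.
$tcp = Test-NetConnection -ComputerName $TargetHost -Port 135 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 135 is closed or filtered on $TargetHost (host firewall or network path)"
    return
}

# 3. Authentication and log access: open a DCOM CIM session with the profile credentials and
#    read the newest record of each selected log, the same class the WMI collector queries.
$opt = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $TargetHost -Credential $Cred -SessionOption $opt -ErrorAction Stop
} catch {
    Write-Warning "WMI/DCOM authentication failed (check username, password, DCOM rights): $($_.Exception.Message)"
    return
}

foreach ($log in $LogNames) {
    try {
        $ev = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
                -Filter "Logfile='$log'" -ErrorAction Stop | Select-Object -First 1
        if ($ev) {
            Write-Host "OK   : $log, newest record $($ev.RecordNumber) at $($ev.TimeGenerated)"
        } else {
            # An empty result with no error usually means the account lacks read rights on this log
            # (e.g. Security requires Event Log Readers membership or an equivalent grant).
            Write-Warning "EMPTY: $log returned no records for this account"
        }
    } catch {
        Write-Warning "FAIL : $log could not be queried: $($_.Exception.Message)"
    }
}
Remove-CimSession $session
```

Read the output from top to bottom: a DNS failure points at the Host/IP fields, a TCP 135 failure at the network path or host firewall, an authentication error at the profile's username or password, and a per-log warning at the account's read rights on that specific log. Each of these maps to one of the common causes the Receiver's failure dialog reports, so the fix can be made in the profile or data source before re-running Connect.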

Pushing Changes to the Event Receiver

Once the WMI Connection Test has succeeded, click OK on the configuration window; the Apply Data Source Settings dialog box will open.

Click Yes to apply the Windows Data Source configuration to the Event Receiver. Once the Windows Data Source has been written to the Event Receiver, a dialog box will open to confirm that the changes have been applied successfully.

Version history: Revision 1 of 1, last update 12-18-2017 04:05 PM.
