Showing results for 
Search instead for 
Did you mean: 

SIEM Foundations: Define Zones

ESM zones and Sub-zones provide the ability to organize your data sources and IP ranges into related groupings.  Zones are most often applied to physical groupings of systems, such as geographic regions, data centers, or office campuses.

When Zones are properly defined, events that come into the ESM are enriched with zone information.  Spend some time considering how best to define zones in your environment.  This additional data can be very useful in creating customized views, reports, correlations, as well as role-based access control.  Zones also allow you to define geographic locations for events coming from internal RFC 1918-based IP addresses.


Zones are configured under the Asset Manager, under the Zone Management tab.  A zone consists of a name, a set of devices and data sources that exist in the defined zone, and, optionally, a geolocation.  Any internal RFC 1918 addresses that are not specifically mapped to a sub-zone (see below) will be mapped to this top-level zone.


Underneath a zone you can define sub-zones.  Each sub-zone also has a name, along with a set of related IP ranges and associated geographic locations.  


« previousoutlinenext »


Hi Scott,

Thank you so much for the awesome documentations you put in here. 

I'm not sure if I missed something, but I'm wondering how do I configure SIEM to show me the internal IP address instead of the Nated one?  I have some communications where I can see the internal firewall IP address and I can't dig in further to the user IP address. Also, I know SIEM gives you a geo location map for external IPs, however, I'm looking for an internal map if that exists?

Thank you so much


Tracking back across a NAT boundaries is a tricky problem.  In some cases, the firewall or router will supply both the NAT IP and internal IP in the event, and you simply need to look at a different field.  In other cases, you may have events from both internal and external sides of the network, and you can use a common field (such as Network Session ID or something similar) to connect the two. 

For internal geolocation, you can leverage ESM's Zones feature, as described in this article.


Thank you Scott!

Now, what does this symbol mean? siem.JPG 

I really appreciate the time and efforts you give us here.


Thought I'd share how we have used zones and sub-zones.  I took it to a fairly granular configuration.  I have one zone... "the company".   We have many sites around the world that I've set up sub-zones for.  But not just that.  Each site has multiple VLANs for business, process control, dmz, quarantine, telephony, etc.  So each subzone identifies the site and the vlan at a glance.  This helps with views and alerts for things like successful traffic between the process control and business vlans.  Something we definitely don't want to happen.  We force that type of traffic through a dmz. 

It takes some time to set all that up, but if you have good network documentation and create a good import file, it can go fairly quick.


I need to write a blog post on that little's probably the most common question we get 🙂

That tinybowtie symbol represents the average value (baseline) of whatever you're looking at.  Typically you'll see it as in bar charts, where blue bars represent values below the baseline, and any red component represents values that are above the baseline. It helps you understand at a glance if the data you're looking at are normal, or far above/below normal.


Thank you Scott! I have read the documentation and couldn't find it. This make a whole lot of sense now. I really appreciate your quick response and efforts. Can't wait to see more blog posts from you.



Zones is a really cool option and saves our company a lot of investigation time.

However, one thing we find little annoying is that non corp IP addresses, including public IP addresses are always labeled with the root zone.

Is there away to exclude certain ranges?

Thank You,


would you have an example or documentation on the zone definition file import format ?

I have tried multiple things to import the zone definition, but I always get an error message.

Even for a simple line like:


Invalid line format. Line #1



Damnit. UTF8. The file need to be ANSI-encoded.


Is there a way to remove Top Level Zone's with the Remove Line in the Import File ? Does'nt Seem to work here


# CommandZone NameParent NameGeo LocationASNDefaultIP StartIP StopGeo ID

??? Thanks...

Version history
Revision #:
1 of 1
Last update:
‎08-10-2014 09:03 PM
Updated by:

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community