During the initial installation of McAfee ESM, you logged in and performed initial configuration with the "NGCP" user. It's best to create additional administrative accounts to use for daily operations. This provides better accountability for individual users, and also ensures access to the ESM console is available, even if the NGCP password is lost or forgotten.
To create admin users, create administrative user accounts:
Note: If you will use Active Directory for user authentication, your user accounts will be created automatically when new users first log into the ESM console. Assigning administrative rights still requires manual action.
Events and flows collected by an Event Receiver are stored locally until requested by the ESM. The frequency with which this happens is user definable. By default, this polling interval is it is 10 minutes. When the interval is reached, all new data is synchronized from the Event Receiver to the master database residing in the ESM.
The best practice during initial deployment stage is to reduce this time value to 5 minutes to provide a more real-time analysis of collected event and flow data. Depending on your environment, you may be able to reduce the polling interval further, but 5 minutes is a good start.
The following steps describe the process.
Each McAfee SIEM ESM allocates storage for both Event and Flow data. By default, the ratio of events to flows is 50:50 by volume. Most SIEM deployments require a higher percentage of event allocation than flow. Doing so optimizes your SIEM to work best with the type of data you expect it to consume.
In order to adjust the database allocation ratio to favor larger event volume, follow these steps.
The McAfee SIEM provides the ability to send email notifications based on alarm conditions as well as deliver scheduled forensics and analysis reports to named recipients. This requires that the ESM be configured with an operational SMTP server through which email messages will be delivered.
To configure the SMTP server settings, follow these steps.
The McAfee SIEM can generate a health status alert when a device stops communicating or when a configured data source stops collecting events for a specified period of time – by default 30 minutes. In a pilot or POC, it may be helpful to disable or adjust the inactivity timer as the event volumes typically observed in evaluations may be lower than a production SIEM. Default settings may generate unnecessary alerts.
To disable the Event Inactivity settings:
The McAfee SIEM is configured, by default, to index only ports 1-1024. This will sometimes be exhibited in the user interface as a value described as ‘others’. Best practice is to enable indexing for all ports.
To enable indexing on all ports:
Even with the Event Receiver event aggregation set to dynamic, there are certain events that should never be allowed to aggregate during a pilot/POC (and potentially in a production SIEM deployment). In particular, the following types of events should be set to NOT aggregate in order to guarantee the highest visibility for each event.
|a. Authentication Events||Events describing user login/logoff activities.|
|b. Exploit Events||Events describing potential Exploit behaviors.|
|c. Malware Events||Events describing potential Malware activities.|
|d. Correlated Events||Events generated from the Correlation Engine.|
The McAfee SIEM classifies each event collected in accordance with a default Normalization Taxonomy. The taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit, Informational, Malware, Policy, Recon, Suspicious Activity, System and unknown. Each first-tier group is then broken down further into sub-groups and even further as necessary, each lower tier representing more specific event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications in that branch are included in the selection. This allows the operator to select a more general event group, such as Authentication, and all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login, Database Login, Domain Login, etc.) of the Authentication parent will also be included in the selection.
Additionally, it is recommended that event aggregation be disabled for all correlated events. Rule-based event correlation performs pattern-matching using complex Boolean expressions to identify known patterns of possible attacks. Since each correlated event will correspond to a sequence of events analyzed by the SIEM, it is beneficial to maintain full granularity for all events generated by the McAfee correlation engine. You might also consider adjusting aggregation for events from web proxies, mail gateways, and similar data sources.
Custom aggregation can also be defined to tune specific event aggregation settings based on user-selected fields. Please refer to the ESM help documentation for more information regarding setting custom aggregation values.
The following steps must be followed to disable event-specific aggregation for these normalized event categories.
NOTE: If the Event Receiver is already configured with any Data Sources, it will be necessary to perform a Policy Rollout after making changes to the rule Aggregation settings. To do so, complete the following additional steps.