
SIEM Foundations: Other Configuration Steps

Step 1: Create Admin Users

During the initial installation of McAfee ESM, you logged in and performed initial configuration with the "NGCP" user.  It's best to create additional administrative accounts to use for daily operations.  This provides better accountability for individual users, and also ensures access to the ESM console is available, even if the NGCP password is lost or forgotten.

 

To create additional administrative accounts:

  • Log into ESM as NGCP, open the ESM System Properties, and select the Users and Groups tab
  • Enter the NGCP password when prompted
  • Define a new user (if necessary) and select the "Administrator Rights" checkbox.

 

Note: If you will use Active Directory for user authentication, your user accounts will be created automatically when new users first log into the ESM console.  Assigning administrative rights still requires manual action.

 

Step 2: Configuring Event, Flow and Log Retrieval Polling Interval

Events and flows collected by an Event Receiver are stored locally until requested by the ESM. The frequency with which this happens is user definable; by default, the polling interval is 10 minutes. When the interval is reached, all new data is synchronized from the Event Receiver to the master database residing in the ESM.

 

The best practice during the initial deployment stage is to reduce this value to 5 minutes to provide a more real-time analysis of collected event and flow data.  Depending on your environment, you may be able to reduce the polling interval further, but 5 minutes is a good start.

The following steps describe the process.

 

  1. Click the System Properties button available under the drop-down menu in the upper left of the interface.
  2. Click Events, Flows and Logs. The Events, Flows and Logs window will open.
  3. Adjust the Auto check interval to 5 minutes.
  4. Click OK.

 

Step 3: Configuring ESM Data Allocation Policy

Each McAfee SIEM ESM allocates storage for both Event and Flow data. By default, the ratio of events to flows is 50:50 by volume. Most SIEM deployments require a higher percentage of event allocation than flow.  Doing so optimizes your SIEM to work best with the type of data you expect it to consume.

 

In order to adjust the database allocation ratio to favor larger event volume, follow these steps.

  1. Click the System Properties button available under the drop-down menu in the upper left of the interface.
  2. Select the Database menu from the list of options on the left.  Then click the Data Allocation button.
  3. In the Data Allocation window that opens, configure the appropriate event:flow ratio by sliding the arrow right or left. Right indicates a higher ratio of event data; left indicates a higher ratio of flow data.
  4. Click OK.

 

Step 4: Configuring ESM SMTP Mail Settings

The McAfee SIEM provides the ability to send email notifications based on alarm conditions as well as deliver scheduled forensics and analysis reports to named recipients. This requires that the ESM be configured with an operational SMTP server through which email messages will be delivered.

 

To configure the SMTP server settings, follow these steps.

  1. From the ESM System Properties window, select the Email Settings menu option.
  2. Enter the necessary configuration settings including the email host, SMTP port, TLS (if required by the SMTP server), username/password, title (to be used in the email message subject line) and the From: address.
  3. Confirm the SMTP settings are correct by pressing the Send Test Email button and providing a destination email account to which the test email will be sent.
  4. Click OK to save the SMTP settings.

 

Step 5: Configuring Event Inactivity Settings

The McAfee SIEM can generate a health status alert when a device stops communicating or when a configured data source stops collecting events for a specified period of time – by default 30 minutes. In a pilot or POC, it may be helpful to disable or adjust the inactivity timer as the event volumes typically observed in evaluations may be lower than a production SIEM.  Default settings may generate unnecessary alerts.

 

To disable the Event Inactivity settings:

  1. Click the System Properties button available under the drop-down menu in the upper left of the interface.
  2. Click Events, Flows & Logs. The Events, Flows & Logs window will open.
  3. Click the Inactivity Settings button. The Inactivity Threshold window will open.
  4. Place a check in the Inherit option box for the ESM object. This will force all devices and subsequent data sources added to the SIEM to inherit the System Inactivity Threshold, which is set to Days: 0, Hours: 0, Minutes: 0. This effectively disables the SIEM Inactivity health status warnings.  You may instead choose to use a longer inactivity timer than the default 30 minutes.
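The inactivity semantics above (Inherit walking up to the ESM value, and a Days/Hours/Minutes threshold of 0:0:0 disabling the warning) modelled as an added Python example; this is a constructed illustration, not McAfee code, and the node names and timestamps are made up.

```python
from datetime import datetime, timedelta

# Added illustration of the Step 5 inactivity semantics (constructed model,
# not McAfee code): each node (ESM, device, data source) either carries its
# own Days/Hours/Minutes threshold or inherits its parent's, and a threshold
# of 0:0:0 disables the health warning for everything that resolves to it.

class InactivityNode:
    def __init__(self, name, parent=None, inherit=True, days=0, hours=0, minutes=0):
        self.name = name
        self.parent = parent
        self.inherit = inherit          # the "Inherit" checkbox
        self.threshold = timedelta(days=days, hours=hours, minutes=minutes)

    def effective_threshold(self):
        """Walk upward while Inherit is checked; the ESM root's value ends the walk."""
        node = self
        while node.inherit and node.parent is not None:
            node = node.parent
        return node.threshold


def inactive_sources(sources, last_event, now):
    """Names of data sources silent longer than their effective threshold.
    A source with no recorded event at all counts as silent."""
    flagged = []
    for src in sources:
        threshold = src.effective_threshold()
        if threshold == timedelta(0):       # 0:0:0 means the warning is disabled
            continue
        last = last_event.get(src.name)
        if last is None or now - last > threshold:
            flagged.append(src.name)
    return flagged


# Constructed sample: ESM at the 30-minute default, one receiver inheriting it,
# and two data sources, one with an explicit 2-hour override (Inherit unchecked).
esm = InactivityNode("ESM", inherit=False, minutes=30)
receiver = InactivityNode("Receiver-1", parent=esm)
fw = InactivityNode("fw-syslog", parent=receiver)
backup = InactivityNode("nightly-backup", parent=receiver, inherit=False, hours=2)
NOW = datetime(2018, 12, 4, 16, 7)
LAST_EVENT = {name: NOW - timedelta(minutes=45) for name in ("fw-syslog", "nightly-backup")}

def demo():
    return inactive_sources([fw, backup], LAST_EVENT, NOW)

if __name__ == "__main__":
    print(demo())  # ['fw-syslog']
```

Setting the ESM root to 0:0:0 with every child inheriting, as Step 4 above does, makes inactive_sources return an empty list for all sources.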

 

 

Step 6: Configuring Event-Specific Aggregation

Even with the Event Receiver event aggregation set to dynamic, there are certain events that should never be allowed to aggregate during a pilot/POC (and potentially in a production SIEM deployment). In particular, the following types of events should be set to NOT aggregate in order to guarantee the highest visibility for each event.

   
  a. Authentication Events: events describing user login/logoff activities.
  b. Exploit Events: events describing potential exploit behaviors.
  c. Malware Events: events describing potential malware activities.
  d. Correlated Events: events generated from the Correlation Engine.

 

The McAfee SIEM classifies each event collected in accordance with a default Normalization Taxonomy. The taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit, Informational, Malware, Policy, Recon, Suspicious Activity, System and unknown. Each first-tier group is then broken down further into sub-groups and even further as necessary, each lower tier representing more specific event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications in that branch are included in the selection. This allows the operator to select a more general event group, such as Authentication, and all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login, Database Login, Domain Login, etc.) of the Authentication parent will also be included in the selection.

 

Additionally, it is recommended that event aggregation be disabled for all correlated events. Rule-based event correlation performs pattern-matching using complex Boolean expressions to identify known patterns of possible attacks. Since each correlated event will correspond to a sequence of events analyzed by the SIEM, it is beneficial to maintain full granularity for all events generated by the McAfee correlation engine.  You might also consider adjusting aggregation for events from web proxies, mail gateways, and similar data sources.

 

Custom aggregation can also be defined to tune specific event aggregation settings based on user-selected fields. Please refer to the ESM help documentation for more information regarding setting custom aggregation values.

 

The following steps must be followed to disable event-specific aggregation for these normalized event categories.

  1. Click the Policy Editor button from the Navigation Bar located in the upper left of the user interface. The Policy Manager window will open.
    NOTE: The policy manager groups events into various Rule Types including Advanced Syslog Parser, Data Source and Windows Events. The following steps will need to be performed against each of these event type branches.
  2. Expand the Receiver object from the Rule Types panel and select Data Source.
  3. Click the Advanced bar at the bottom right of the Policy Editor window beneath the Filters/Tags panel. This will hide the Tags and display the Advanced filters panel.
  4. Click the Filter button to the right of the Normalized ID form field. The Filter Variables window will open to display the top-tier Normalized event categories.
  5. While holding the CTRL key, select each of the Normalized categories: Authentication, Exploit and Malware.
  6. Click OK.
  7. This will populate the Normalized ID form field with the IDs associated with the selected event categories.
  8. Click the Run Query icon to refresh the list of Advanced Syslog Parser rules, which will now be filtered to display ONLY those event rules matching the categories selected from the Normalized Taxonomy filter.
  9. To disable Event Aggregation for the refined list of Data Source rules, click the Aggregation column heading. The action window will open to present three options: Inherit parent value, On (enable) or Off (disable).
  10. Click the Off menu option.
  11. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.
  12. Click Yes to confirm the modification.
  13. All Data Source rules in the filtered list will now have the Aggregation attribute set to Off (disabled).
  14. From the Rule Types panel, select Windows Events.
    NOTE: The filter panel will preserve the current selection of Normalized categories. The resulting list of Windows Event rules will inherit the previous filters of Authentication, Exploit and Malware.
  15. Once again, click the Aggregation column heading. The action window will open to present three options: Inherit parent value, On (enable) or Off (disable).
  16. Click the Off menu option.
  17. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.
  18. Click Yes to confirm the modification.
  19. All Windows Event rules in the filtered list will now have the Aggregation attribute set to Off (disabled).
  20. From the Rule Types panel, select Correlation.
  21. Next, clear the filters by clicking the orange funnel icon in the upper right of the Correlation Rules panel.
  22. Once again, click the Aggregation column heading. The action window will open to present three options: Inherit parent value, On (enable) or Off (disable).
  23. Click the Off menu option.
  24. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.
  25. Click Yes to confirm the modification.
  26. All Correlation Rules in the filtered list will now have the Aggregation attribute set to Off (disabled).
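The branch selection described under the Normalized Taxonomy (choosing Authentication pulls in Login, Admin Login and so on) and the bulk Aggregation edit performed in the steps above, as an added Python example; it is a constructed model, not McAfee code, and the sub-groups under Exploit, Malware and Informational, the rule IDs and the rule categories are made-up sample values.

```python
# Added illustration of the Step 6 branch selection and bulk aggregation edit
# (constructed model, not McAfee code). The taxonomy is a small slice of the
# Normalized Taxonomy using the group names the article mentions; the
# sub-groups under Exploit, Malware and Informational are constructed.
TAXONOMY = {
    "Authentication": {"Login": {"Admin Login": {}, "Database Login": {}, "Domain Login": {}},
                       "Logout": {}, "Password": {}},
    "Exploit": {"Exploit Sub-group A": {}},
    "Malware": {"Malware Sub-group A": {}},
    "Informational": {"Informational Sub-group A": {}},
}

def expand_branches(taxonomy, top_tier):
    """Selecting a first-tier group includes every lower-tier category under it,
    which is what populating the Normalized ID filter from the top tier does."""
    selected = set()
    def walk(name, children):
        selected.add(name)
        for child, grandchildren in children.items():
            walk(child, grandchildren)
    for group in top_tier:
        walk(group, taxonomy[group])
    return selected

def disable_aggregation(rules, rule_type, categories=None):
    """The Policy Editor bulk edit: Aggregation -> Off for every rule of the chosen
    Rule Type whose category is in the filtered branches (None = no filter)."""
    return [dict(rule, aggregation="Off")
            if rule["type"] == rule_type and (categories is None or rule["category"] in categories)
            else rule for rule in rules]

def effective_aggregation(rule, parent_value="On"):
    """'Inherit parent value' resolves to the parent's setting; On/Off stand alone."""
    return parent_value if rule["aggregation"] == "Inherit" else rule["aggregation"]

# Constructed sample rules, all still at the default "Inherit parent value".
RULES = [
    {"id": "r1", "type": "Data Source", "category": "Domain Login", "aggregation": "Inherit"},
    {"id": "r2", "type": "Data Source", "category": "Informational Sub-group A", "aggregation": "Inherit"},
    {"id": "r3", "type": "Windows Events", "category": "Admin Login", "aggregation": "Inherit"},
    {"id": "r4", "type": "Correlation", "category": "Correlated Event", "aggregation": "Inherit"},
]

def apply_step6(rules):
    """Steps 2-19 filter Data Source and Windows Events rules by the three branches;
    steps 20-26 clear the filter and switch Off every Correlation rule."""
    branches = expand_branches(TAXONOMY, ["Authentication", "Exploit", "Malware"])
    for rule_type in ("Data Source", "Windows Events"):
        rules = disable_aggregation(rules, rule_type, branches)
    return disable_aggregation(rules, "Correlation")
```

The Informational rule r2 is the one the filter leaves alone: it keeps Inherit and so still aggregates according to the Receiver's setting.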

 

NOTE: If the Event Receiver is already configured with any Data Sources, it will be necessary to perform a Policy Rollout after making changes to the rule Aggregation settings. To do so, complete the following additional steps.

  1. Click the Rollout icon on the Action Bar in the upper right of the Policy Editor window. The Rollout window will open.
  2. Click OK.
  3. The new Aggregation settings will be rolled out to all Event Receiver data sources.
  4. Close the Policy Editor.

 


Comments

Hi,

Thanks for the recos.

What about setting the 'DoS' and 'Suspicious Activity' aggregation to 'OFF'?

Bye

Be VERY careful with disabling aggregation rules.

Aggregation is a very important part of the McAfee SIEM.  Disabling a large number of aggregation rules will result in a few things that people should be aware of.  First, increased disk usage on the ESM.  If your ESM is busy, you may find it gets tight on disk space which results in logs rolling over more often.  The result of this is that the ESM has a much shorter window of events in the past.  This will affect things like dashboards and reports you may run for previous weeks/months.  It will also increase disk I/O and CPU as more events are written to the database.

If you have an ELM in your setup, I'd highly suggest leaving the aggregation settings alone, at least on this type of scale.  For certain events you may want to adjust the aggregation settings, but I'd be very hesitant to disable them entirely.  An ELM will allow you to look up the actual logs/events that were received with all the details still available in case you need to investigate to that level of detail.

Version history
Revision #:
5 of 5
Last update: 12-04-2018 04:07 PM