SIEM Foundations: Threat Feeds in ESM 10x


When using a SIEM to identify compromised systems and emerging threats, it's important to have visibility into where threats are located in the greater world.  McAfee's Global Threat Intelligence (GTI) provides one constantly updated, rich feed for ESM that enhances situational awareness by highlighting events involving communications with suspicious or malicious IPs.  In today's rapidly moving threat landscape, many customers find it advantageous to leverage multiple threat feeds to provide additional insights. 

In this module, we'll show one way to bring third-party threat feeds into the SIEM and leverage them for improved awareness of potential threats to your enterprise.  We will focus on simple, manual techniques initially, to help provide quick value in your deployment.

Importing Threat Feeds

The most common way to integrate threat feeds into the McAfee SIEM is as a watchlist.  Watchlists allow the SIEM to maintain state of the world around it, and are easily incorporated into a wide range of SIEM workflows.  Watchlists are easy to create and maintain manually, and also have a wide range of tools available to automate updates over time.  To view, create, and edit watchlists, select Watchlists, under the drop-down menu located in the top-left corner.

By default, if you have licensed the McAfee GTI threat feed, you should see the following 2 watchlists:

These watchlists are automatically maintained by the ESM, and are updated daily.  They are incorporated into a range of pre-defined correlation rules, as well as various dashboards and reports.  In our example, we will augment McAfee GTI with a list of known bad IP addresses obtained from open public sources.  Below you'll find several examples of lists you might leverage.

To manually create a watchlist from third-party threat intelligence:

1. Identify the threat feed source of your choice.  To simplify the creation of the watchlist, we will need a simple list of items, one per line.  Many of the selections above provide such a format by default.  Some would require a minor amount of text manipulation in order to get the watchlist in the required format.

2. Open your desired list in your browser or a text editor, select the list, and Copy it into your paste buffer. 

3. Open up the Watchlist interface, and select Add.

4. Provide a name for your watchlist and click Next.

5. On the Values tab, paste in the values you copied earlier.  If you have a local text file for your threat data, you might also find it more convenient to leverage the Import function here.

6. Click Finish to save your watchlist.
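Step 1 notes that some feeds need a little text manipulation before they are in the one-value-per-line form the Values tab expects. The following script is an added example (not McAfee code) of that clean-up: it pulls the first IPv4 address out of each non-comment line, discards malformed entries, drops non-routable addresses that would only flag benign internal traffic, and de-duplicates the result. The feed text is constructed for the illustration; real feeds differ in layout, so the comment prefixes and column order are assumptions.

```python
"""Normalize a third-party IP threat feed into one-address-per-line text
ready for the ESM watchlist Values tab (paste or Import).

Added example, not McAfee code. SAMPLE_FEED is constructed: it mixes
comment headers, CSV rows, bare addresses and junk, the way public feeds
often do.
"""
import ipaddress
import re

SAMPLE_FEED = """\
# Constructed sample feed - not a real source
# Format: ip,first_seen,notes
203.0.113.10,2017-03-01,malware distribution
198.51.100.7,2017-03-02,c2
203.0.113.10,2017-03-05,seen again
192.168.1.5,2017-03-05,internal address that should be dropped
0.0.0.0,2017-03-06,placeholder row
999.1.1.1,2017-03-06,malformed address
not-an-ip,2017-03-06,garbage row
198.51.100.200
"""

# Loose IPv4 shape; ipaddress does the real validation afterwards.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ranges that should not appear in an external threat watchlist: unspecified,
# RFC 1918, loopback, link-local, multicast and reserved. (Documentation
# ranges such as 203.0.113.0/24 are deliberately not excluded so the
# constructed sample above can use them.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def extract_candidates(text):
    """Yield the first IPv4-looking token on each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "//")):
            continue
        match = IP_RE.search(line)
        if match:
            yield match.group(0)


def normalize_feed(text, drop_non_routable=True):
    """Return a sorted, de-duplicated list of IPv4 addresses as strings.

    Malformed tokens (e.g. 999.1.1.1) are skipped. With drop_non_routable
    set, addresses inside NON_ROUTABLE are skipped too, since a watchlist
    containing 0.0.0.0 or 192.168.0.0/16 entries would match large amounts
    of ordinary internal traffic.
    """
    keep = set()
    for cand in extract_candidates(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue
        if drop_non_routable and any(ip in net for net in NON_ROUTABLE):
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep)]


def to_watchlist_text(addresses):
    """Render addresses one per line, the form the Values tab accepts."""
    return "\n".join(addresses) + "\n"


if __name__ == "__main__":
    print(to_watchlist_text(normalize_feed(SAMPLE_FEED)), end="")
```

Run it against a saved copy of the feed (replace SAMPLE_FEED with the file contents) and paste or Import the output as the watchlist values. Reviewing the dropped lines once before the first import is worthwhile: a feed that ships RFC 1918 or 0.0.0.0 entries will otherwise turn the filter in the next section into noise.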

Using Threat Feeds as Filters

Once your threat feed is imported as a watchlist, you might start by using it as a filter on a dashboard of your choice.  In this example we'll use it to see which events in our environment have Source IPs or Destination IPs associated with hosts on the Malc0de list.

1. We will start by opening the Normalized Dashboard (Dashboard Views/Normalized Dashboard).

2. In the Filter Sets on the right side, click Manage Field Sets and it will launch the Configuration tab.

3. Create a new Filter Set by selecting Add Filter Set.

4. Click the funnel icon for Source IP, and select the Watchlist tab.

5. Select your previously created watchlist and click OK.

6. You will see all your IP address watchlists displayed.  Select the one you created above and click OK.

7. Do the same for Destination IP, and also click the "or" icon for each field, if needed.


8. Enter a name for your new filter.

9. Go back to the Normalized Dashboard and under the Field Sets click on your new filter.

10. Your new filter will match all events where the Source IP OR Destination IP is on the threat feed watchlist.  Click the magnifying-glass icon to apply the filter to your view.

11. Your view will update to show the filtered events.

This shows just a simple example of using watchlists as a filter.  You might like to create a custom view that incorporates a filter like this directly, making it easy to examine events from bad systems with a single click, or incorporate the watchlist as a filter in a regular report.

Using Threat Feeds in Alarms and Correlation Rules

Using a threat feed watchlist as a filter is useful in situations where you have analysts monitoring dashboards or reviewing reports.  However, watchlists are also very useful in alarms and correlation rules.  Certain threat feeds are critical enough that any hit might warrant immediate notification and action.  Incorporating threat feed watchlists into correlation rules allows us to identify trigger conditions in a more automated fashion, and makes your SIEM more proactive and intelligent.

We will cover Alarming and Correlation Rule Tuning elsewhere.  Below you'll find examples of ways you might use your new threat feeds to automate notifications and analysis.

Example: Alarm on any event to or from a known Malc0de IP

Example: Correlation rule that triggers based on regular, repeated events or flows to or from a known Malc0de IPs
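The two ideas on this page, the Source IP OR Destination IP watchlist filter from the previous section and the repeated-contact correlation rule sketched just above, expressed as an added Python example. This is not McAfee code and does not use the ESM rule engine; it is the same logic written out over a handful of constructed normalized events so the matching and windowing are visible. The event field names `time`, `src` and `dst`, the watchlist contents and the threshold and window values are all assumptions for the illustration.

```python
"""Watchlist filter and repeated-contact correlation over sample events.

Added example, not McAfee code. SAMPLE_EVENTS and WATCHLIST are constructed;
real ESM events carry many more fields, and the rule would be built in the
Correlation editor rather than in Python.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed watchlist: the kind of output the normalize_feed step produces.
WATCHLIST = {"203.0.113.10", "198.51.100.7"}

# Constructed normalized events: internal hosts in 10.1.1.0/24 talking to
# external addresses. Three quick hits from 10.1.1.5 to the same bad IP,
# one inbound hit from a bad IP, one benign event, one much later hit.
SAMPLE_EVENTS = [
    {"time": "2017-03-16T14:00:00", "src": "10.1.1.5", "dst": "203.0.113.10"},
    {"time": "2017-03-16T14:00:30", "src": "10.1.1.5", "dst": "203.0.113.10"},
    {"time": "2017-03-16T14:01:10", "src": "10.1.1.5", "dst": "203.0.113.10"},
    {"time": "2017-03-16T14:02:00", "src": "198.51.100.7", "dst": "10.1.1.9"},
    {"time": "2017-03-16T14:05:00", "src": "10.1.1.9", "dst": "192.0.2.44"},
    {"time": "2017-03-16T15:30:00", "src": "10.1.1.5", "dst": "203.0.113.10"},
]


def matches_watchlist(event, watchlist):
    """The dashboard filter from the previous section: src OR dst on the list."""
    return event["src"] in watchlist or event["dst"] in watchlist


def filter_events(events, watchlist):
    """Return only the events the watchlist filter would show."""
    return [ev for ev in events if matches_watchlist(ev, watchlist)]


def correlate_repeated(events, watchlist, threshold=3, window_seconds=300):
    """Flag an internal host that contacts the same watchlisted IP at least
    `threshold` times within any `window_seconds` span.

    Returns one alert per (host, bad_ip) pair as (host, bad_ip, window_start),
    where window_start is the ISO timestamp of the first event in the
    triggering window. Direction is ignored: the watchlisted side is the
    "bad" IP and the other endpoint is the host, whichever way the
    event flowed.
    """
    hits = defaultdict(list)
    for ev in sorted(filter_events(events, watchlist), key=lambda e: e["time"]):
        if ev["src"] in watchlist:
            bad, host = ev["src"], ev["dst"]
        else:
            bad, host = ev["dst"], ev["src"]
        hits[(host, bad)].append(datetime.fromisoformat(ev["time"]))

    alerts = []
    for (host, bad), times in hits.items():
        window = deque()
        for t in times:
            window.append(t)
            # Slide the window: drop anything older than window_seconds.
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alerts.append((host, bad, window[0].isoformat()))
                break  # one alert per pair is enough for this illustration
    return alerts


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS, WATCHLIST):
        print("filter hit:", ev)
    for host, bad, start in correlate_repeated(SAMPLE_EVENTS, WATCHLIST):
        print(f"alert: {host} contacted {bad} {3}+ times starting {start}")
```

The single inbound hit from 198.51.100.7 shows up in the filter output but does not reach the correlation threshold, and the 15:30 event falls outside the five-minute window, so only the 10.1.1.5 burst raises an alert. That is the distinction the section above draws: a filter is for an analyst to review every hit, while a correlation rule fires only on the pattern you have decided is worth an automated response.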

Version history: Revision 1 of 1, last updated 03-16-2017 04:59 PM