In this use case we'll leverage the SIEM as a central hub for monitoring and responding to malware-infected systems. The use case will center around a view that is tailored to provide a high-level overview of the malware situation in your enterprise, as well as more focused information around the most critical issues. In addition to visibility, we will also build out necessary alarms and watchlists we can use to react to important events, such as the first occurrence of a new malware event, or a newly infected host.
In order to complete the Tracking Malware use case, the following items are required. Note that this tutorial will assume you are on ESM 9.4 or better. In particular, the alarm configuration will be very different for users with ESM v9.3 and earlier.
The views and other elements of this use case are keyed mostly to events that have been categorized by the SIEM as "Malware" events. These events may come from a wide variety of sources, including:
All events from these types of data sources that are categorized as malware events will be incorporated into this use case. If you have no data sources that create malware events, you will get very little value from this use case.
This use case will assume you have defined zones and sub-zones within your enterprise. For details on zones, see If you have not defined zones in your environment, then the provided view will not display properly. You may need to customize the view in order to get useful results.
With the prerequisites out of the way, we can start building the use case within the McAfee ESM. For each of the watchlists below, begin by opening the watchlist manager (System Properties/Watchlists) and clicking Add.
This use case will leverage several watchlists.
Watchlist: Malware - Noteworthy Sig IDs
This watchlist will be used as a filter in views and reports to allow administrators to focus on specific malware events that are important in your environment.
In addition, if you use McAfee VirusScan Enterprise as part of your endpoint security, consider adding these signature IDs as well. They represent malware detections that were not successfully cleaned, nor blocked.
Watchlist: Malware - Recent Sig IDs - 7 days
With this watchlist we will keep track of malware-related signatures that have been seen in the SIEM within the last 30 days. The list will be set up as a manual list, and will be updated with an alarm that we will configure in a later section of this document. When new sig IDs are added to this list, we will also trigger a notification to administrators. Signature IDs age off this list after 7 days, so you will get one notification per signature, per week, at maximum. Feel free to modify the expiration values to better meet your needs, if desired.
Watchlist: Malware - Recent Threats - 7 days
With this watchlist we will keep track of threat names that have been seen in the SIEM within the last 30 days. The list will be set up as a manual list, and will be updated with an alarm that we will configure in a later section of this document. When new threat names are added to this list, we will also trigger a notification to administrators. Threats age off this list after 7 days, so you will get one notification per threat, per week, at maximum. Feel free to modify the expiration values to better meet your needs, if desired.
Watchlist: Malware - Recent Infected IPs - 1 day
This watchlist will be used to keep track of IP addresses of systems that have been seen with malware infections within the last day. The list will be set up as a manual list, and will be updated with an alarm that we will configure in a later section of this document. When new systems are added to this list, we will also trigger a notification to administrators. Systems will age off the list after 24 hours, so you will get one notification per system per day, at maximum. Feel free to modify the expiration values to better meet your needs, if desired.
In this use case we won't create any unique correlation rules. However, it does likely make sense to ensure that all malware-related correlation rules are incorporated into the Malware - Noteworthy Sig IDs watchlist. The sample list above provides a good starting point; feel free to add or remove from it over time as you see fit.
In this example we have 2 watchlists that we'd like to maintain automatically, based on the flow of events into the McAfee SIEM. In order to accomplish this, we will set up a pair of alarms to maintain the watchlists.
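As an added illustration (not part of the original tutorial and not McAfee ESM code), the following models what the manual watchlists above and their maintaining alarms do: an event that is categorized as Malware and matches the noteworthy list appends its sig ID, threat name and source IP to the respective watchlist, a notification fires only on first occurrence within the expiry window, and repeats are suppressed until the entry ages off. The signature IDs, threat names, IPs and timestamps are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed placeholder IDs standing in for the "Malware - Noteworthy Sig IDs" watchlist
NOTEWORTHY_SIG_IDS = {"SIG-1001", "SIG-1002"}


@dataclass
class Watchlist:
    """Manual watchlist whose entries expire a fixed time after they were appended."""
    name: str
    ttl: timedelta
    entries: dict = field(default_factory=dict)  # value -> time it was appended

    def append(self, value, now):
        """Append value unless it is already present and unexpired.
        Returns True when the alarm should notify (first sighting in this window)."""
        seen = self.entries.get(value)
        if seen is not None and now - seen < self.ttl:
            return False              # still on the list: suppress repeat notification
        self.entries[value] = now     # (re)add the entry, starting a fresh expiry window
        return True


def process_events(events):
    """Run the three watchlist-maintaining alarms over an event stream.
    Returns the notifications raised as (watchlist name, value, time) tuples."""
    sigs = Watchlist("Malware - Recent Sig IDs - 7 days", timedelta(days=7))
    threats = Watchlist("Malware - Recent Threats - 7 days", timedelta(days=7))
    hosts = Watchlist("Malware - Recent Infected IPs - 1 day", timedelta(days=1))
    notifications = []
    for ev in events:
        # Alarms only consider normalized Malware events on the noteworthy list
        if ev["category"] != "Malware" or ev["sig_id"] not in NOTEWORTHY_SIG_IDS:
            continue
        for wl, key in ((sigs, ev["sig_id"]), (threats, ev["threat"]), (hosts, ev["src_ip"])):
            if wl.append(key, ev["time"]):
                notifications.append((wl.name, key, ev["time"]))
    return notifications


T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed sample events, not real SIEM data
    {"time": T0, "category": "Malware", "sig_id": "SIG-1001", "threat": "Hiloti", "src_ip": "10.0.0.5"},
    {"time": T0 + timedelta(hours=1), "category": "Malware", "sig_id": "SIG-1001", "threat": "Hiloti", "src_ip": "10.0.0.5"},  # repeat, suppressed
    {"time": T0 + timedelta(hours=2), "category": "Malware", "sig_id": "SIG-9999", "threat": "Other", "src_ip": "10.0.0.6"},   # not noteworthy, ignored
    {"time": T0 + timedelta(days=2), "category": "Malware", "sig_id": "SIG-1001", "threat": "Hiloti", "src_ip": "10.0.0.5"},   # host aged off (1 day), sig/threat not
    {"time": T0 + timedelta(days=8), "category": "Malware", "sig_id": "SIG-1001", "threat": "Hiloti", "src_ip": "10.0.0.7"},   # all three fire again
]

if __name__ == "__main__":
    for name, value, when in process_events(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M}  {name}: {value}")
```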
Next we will import a predefined dashboard, which will serve as the basis for this use case. Once imported, we will customize and tune it to meet our needs.
4.3.1 Import Tracking Malware dashboard
4.3.2 Customize Tracking Malware dashboard
The Tracking Malware dashboard has several elements that leverage the custom watchlist Malware - Noteworthy Sig IDs, defined above. You will need to incorporate your custom watchlist into the view in order for it to operate as intended.
As a final setup step, we will import a report template and schedule a weekly report that we'll use to capture a regular view of the malware situation.
Your Weekly Malware Report is now scheduled to run weekly. If you choose, you may run it immediately via the Run Now button in the Report Manager.
With the Tracking Malware use case fully built out, you can now begin to leverage your work to track infected systems in your environment, and respond in a prioritized manner.
Monitor Tracking Malware view.
The Tracking Malware view has been designed to provide a wide range of high-level summary information about malware in your environment. The various panels each provide information that's useful to establish a broader picture. It's recommended that you review this dashboard regularly, to help understand the baseline activity in your network.
Respond to Alarms.
We configured three alarms:
These alarms should fire fairly infrequently, and are intended to serve as good starting points for incident response and remediation. If you find that they are firing too frequently, consider modifying the expiration times configured in the associated watchlists.
As you become comfortable with how this use case works for you, consider adding additional actions to these alarms, such as automatically opening and assigning cases to track remediation, or leveraging email notifications for critical incidents.
Tune as necessary.
Also, remember that these alarms are designed to trigger only on events that are on the Malware - Noteworthy Sig IDs watchlist. This watchlist also drives the values populated in the Tracking Malware dashboard. You can add or remove sig IDs from this list to easily adjust the sensitivity of the alarms. A simple way to add sig IDs to the watchlist is via the action menu available in any view element that displays an event summary.
For example: in the screenshot below, we see high volumes of activity associated with the Hiloti trojan. We'd like to add this to the list of noteworthy sig IDs to better track it and support remediation.
To do so, we click on the bar representing the event type we'd like to add to the noteworthy sig IDs watchlist. Then open the Actions menu and select Append to Watchlist. You will be presented with a list of watchlists that are of the appropriate type. Select Malware - Noteworthy Sig IDs and click OK to save. From this point forward, your newly selected event will show up in the appropriate views and alarms.
Finally, as you become comfortable with the Tracking Malware use case, and the data that it brings to the surface, you have a regularly scheduled report that you may choose to distribute to interested parties to provide awareness of malware in your corporate environment.
This use case provides a starting point to help you track malware, and infected systems, in your environment. There are many different tactics and approaches you could add on to this use case to automate manual processes related to malware, or make the existing ones more effective.
One area that is a ripe target for experimentation is in the area of correlation rules. McAfee provides a wide range of pre-built rules designed to identify activity patterns that are closely linked to malware. However, as malware authors adjust their tactics, so must the defender. As you investigate incidents, look for patterns of behavior in your own environment that you can use to identify malicious behaviors early. Be sure to categorize any new malware-related correlation rules properly (under Normalization Category: Malware) in order to ensure they are picked up properly by the views, alarms, and reports. Please consider sharing your thoughts and customizations below.