Just curious if anyone has had success with making a query that detects new rogue detections, Windows only, domain only, and then pushes an agent to them automatically?
I've had success with the query but not the automation task. Thanks in advance for any ideas!
I have had mixed results with getting Automatic Responses to fire consistently. We wanted to set up alerts for certain events, and a few other things, but they generally only trigger about 80-90% of the time. But, because we send all of our event data into a different SIM tool, we haven't bothered opening a ticket or doing any in-depth troubleshooting.
@Joeleisenlipz - thanks for the response and the info about the automatic responses. Just sad that they don't work better. I've also tried running a query and then triggering a response, but that doesn't seem to work out all the time either. On a different note... how did you get your SIEM set up to log McAfee events correctly? I'd be interested to chat more if you want to email me. Thanks!
The tool that we use leverages a JDBC connection and a SQL user account to directly query the database every few seconds. The tool then parses the data (fairly well) and stores the relevant tidbits in its normalized format to aid with classification and categorization. My only complaint there is that whenever McAfee introduces something new, we have to bug the SIEM vendor to update their parser.
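The collection pattern described in that reply (poll the product database on a short interval, parse each row, store it in a normalized schema) can be sketched in a few dozen lines. The following is an added example and is not code from the thread, from McAfee or from any SIEM vendor. It uses an in-memory SQLite table with constructed sample rows in place of the JDBC connection; the table name, column names, event IDs and the ID-to-category mapping are all assumptions made for illustration, not ePO's real schema or event catalogue. It also shows the one practical wrinkle the reply complains about: a vendor event ID the parser has never seen is kept and flagged rather than silently dropped.

```python
# Added example, not from the forum thread above: a watermark-polling collector
# modelled on the JDBC-style pull the reply describes. The table name, columns,
# event IDs and mapping below are constructed assumptions for illustration,
# not McAfee ePO's actual schema or event catalogue.
import sqlite3

# Constructed sample rows standing in for the product's event table.
# Columns: AutoID, ReceivedUTC, ThreatEventID, HostName, IPv4, Detail
SAMPLE_EVENTS = [
    (1, "2024-03-01T10:00:00Z", 1051, "ws01.corp.example", "10.0.0.5", "rogue system detected"),
    (2, "2024-03-01T10:00:03Z", 1092, "ws01.corp.example", "10.0.0.5", "agent deployed"),
    (3, "2024-03-01T10:00:07Z", 9999, "ws02.corp.example", "10.0.0.6", "newly introduced event type"),
    (4, "2024-03-01T10:00:09Z", 34865, "ws03.corp.example", "10.0.0.7", "EICAR test file"),
]

# Hypothetical vendor event ID -> (normalized name, category). In a real
# deployment this table is the "parser" the SIEM vendor has to keep updated.
EVENT_MAP = {
    1051: ("rogue_system_detected", "discovery"),
    1092: ("agent_deployed", "inventory"),
    34865: ("malware_detected", "malware"),
}


def build_sample_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (AutoID INTEGER PRIMARY KEY, ReceivedUTC TEXT, "
        "ThreatEventID INTEGER, HostName TEXT, IPv4 TEXT, Detail TEXT)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def insert_event(conn, event_id, host, ip, detail, received="2024-03-01T10:01:00Z"):
    """Simulate the product writing a new row between two polls; returns its AutoID."""
    cur = conn.execute(
        "INSERT INTO events (ReceivedUTC, ThreatEventID, HostName, IPv4, Detail) "
        "VALUES (?, ?, ?, ?, ?)",
        (received, event_id, host, ip, detail),
    )
    conn.commit()
    return cur.lastrowid


def normalize(row):
    """Map one raw row into the collector's common schema. Unknown vendor IDs
    are kept (never dropped) and flagged 'unclassified' so the gap is visible."""
    auto_id, received, event_id, host, ip, detail = row
    name, category = EVENT_MAP.get(event_id, ("unknown_event", "unclassified"))
    return {
        "id": auto_id, "timestamp": received, "vendor_event_id": event_id,
        "event_name": name, "category": category,
        "host": host, "ip": ip, "raw": detail,
    }


def poll_new_events(conn, last_seen_id, batch_size=500):
    """One polling pass: rows with AutoID above the persisted watermark, in ID
    order, capped at batch_size. Returns (normalized_events, new_watermark).
    The SQL account used for this SELECT only needs read access to this table."""
    cur = conn.execute(
        "SELECT AutoID, ReceivedUTC, ThreatEventID, HostName, IPv4, Detail "
        "FROM events WHERE AutoID > ? ORDER BY AutoID LIMIT ?",
        (last_seen_id, batch_size),
    )
    rows = cur.fetchall()
    events = [normalize(r) for r in rows]
    # Advance the watermark only as far as was actually consumed, so a capped
    # batch is resumed on the next pass rather than skipped.
    watermark = rows[-1][0] if rows else last_seen_id
    return events, watermark


def unclassified_ids(events):
    """Vendor event IDs the mapping does not know: the list to hand the SIEM
    vendor when the product starts emitting something new."""
    return sorted({e["vendor_event_id"] for e in events if e["category"] == "unclassified"})


if __name__ == "__main__":
    db = build_sample_db()
    batch, wm = poll_new_events(db, 0)
    print(len(batch), "events, watermark now", wm, "unknown IDs:", unclassified_ids(batch))
    insert_event(db, 1051, "ws04.corp.example", "10.0.0.8", "rogue system detected")
    batch, wm = poll_new_events(db, wm)
    print(len(batch), "new event(s) since last poll, watermark now", wm)
```

Two design points carry over to a real deployment. The watermark is the row's identity column rather than a timestamp, which avoids re-reading or skipping rows when the database server's clock and the collector's clock disagree, and it must be persisted across collector restarts or the first poll after a restart replays the whole table. The SQL login the collector uses should be granted SELECT on the event and system tables only; a read-only account limits what an attacker who recovers the JDBC credentials from the SIEM host can do to the management database.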