I have been testing the HIPS integration with NSM (i.e., forwarding HIPS events to NSM), and found some disturbing results.
We have concluded that HIPS Network IPS rules, like 'TCP Port Scan', are forwarded to the NSM DB without the source IP of the attacker. However, the source IP of the attacker can be obtained by looking into the HIPS alert on the ePO server.
Can anyone confirm this?
I have attached an example of the properties of a 'TCP Port Scan' alert.
It seems like not all information transfers over correctly, but if you create an account on the ePO server, you should be able to connect to it to get additional information. We have come across that issue, and it seems to work like that by design. We are still working on getting these additional details working. Although it seems like a small piece of information to have transferred over, they figure if you want additional details then you would just go to the ePO for it. I believe as future code is released they will integrate better together, but you have to view them as two different products made to work together, even though they are both under the McAfee name.
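Added example, not part of the thread and not McAfee, NSM or ePO code: the enrichment step the answer describes, done offline. It takes forwarded events as they sit on the NSM side (no attacker source IP) and the fuller copy of the same alerts as seen on ePO, and fills the source IP back in by matching host, signature and a tight timestamp window. Every field name, record shape and sample record below is an assumption constructed for illustration; neither product exposes data in exactly this form. Events that cannot be matched unambiguously are left untouched and reported rather than guessed.

```python
"""Correlate forwarded HIPS events (missing src_ip) with ePO alert properties.

Constructed example: record layouts and sample data are assumptions, not
the real NSM or ePO schemas.
"""
from datetime import datetime, timedelta

# Constructed: what the NSM side is assumed to hold after forwarding.
NSM_EVENTS = [
    {"id": "nsm-1", "time": "2012-03-01T10:15:02", "host": "WS-0417",
     "signature": "TCP Port Scan", "src_ip": None},
    {"id": "nsm-2", "time": "2012-03-01T10:15:40", "host": "WS-0417",
     "signature": "TCP Port Scan", "src_ip": None},
    {"id": "nsm-3", "time": "2012-03-01T11:02:11", "host": "SRV-DB01",
     "signature": "Buffer Overflow", "src_ip": "10.1.2.3"},
    {"id": "nsm-4", "time": "2012-03-01T12:00:00", "host": "WS-0417",
     "signature": "TCP Port Scan", "src_ip": None},
]

# Constructed: the fuller alert properties assumed to be visible on ePO.
EPO_ALERTS = [
    {"time": "2012-03-01T10:15:03", "host": "WS-0417",
     "signature": "TCP Port Scan", "src_ip": "192.0.2.44"},
    {"time": "2012-03-01T10:15:39", "host": "WS-0417",
     "signature": "TCP Port Scan", "src_ip": "198.51.100.7"},
    {"time": "2012-03-01T10:17:00", "host": "WS-0417",
     "signature": "TCP Port Scan", "src_ip": "203.0.113.9"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def missing_source_ip(events):
    """Return the forwarded events that arrived without an attacker source IP."""
    return [e for e in events if not e.get("src_ip")]


def enrich_from_epo(nsm_events, epo_alerts, window_seconds=5):
    """Fill src_ip on NSM events from the matching ePO alert.

    Match on host + signature, closest timestamp inside the window. Each ePO
    alert is used at most once. An event with no candidate, or with two
    equally close candidates, is left unchanged and listed in `unresolved`.
    Returns (enriched_events, unresolved_ids).
    """
    window = timedelta(seconds=window_seconds)
    available = list(epo_alerts)
    enriched, unresolved = [], []
    for ev in nsm_events:
        ev = dict(ev)  # do not mutate the caller's records
        if ev.get("src_ip"):
            enriched.append(ev)
            continue
        t = _parse(ev["time"])
        candidates = sorted(
            (a for a in available
             if a["host"] == ev["host"]
             and a["signature"] == ev["signature"]
             and abs(_parse(a["time"]) - t) <= window),
            key=lambda a: abs(_parse(a["time"]) - t),
        )
        unambiguous = candidates and (
            len(candidates) == 1
            or abs(_parse(candidates[0]["time"]) - t)
            < abs(_parse(candidates[1]["time"]) - t)
        )
        if unambiguous:
            best = candidates[0]
            ev["src_ip"] = best["src_ip"]
            available.remove(best)
        else:
            unresolved.append(ev["id"])
        enriched.append(ev)
    return enriched, unresolved


if __name__ == "__main__":
    print("missing src_ip:", [e["id"] for e in missing_source_ip(NSM_EVENTS)])
    events, left = enrich_from_epo(NSM_EVENTS, EPO_ALERTS)
    for e in events:
        print(e["id"], e["signature"], e["host"], e["src_ip"])
    print("unresolved:", left)
```

The window is deliberately narrow and the match is required to be unambiguous: two port-scan alerts against the same host a minute apart must not be attributed to the wrong attacker, so the code prefers leaving an event unresolved over guessing.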