Access Logs collection

Good day, I need assistance or clarity around access logs: where will these be collected from? I tried looking in the Authentication pack and I couldn't find any access logs, be it remote access logs or application access logs. Could these be collected through the domain controller, or will they have to be collected on each data source?
3 Replies
lratcliffe
McAfee Employee

Re: Access Logs collection

Can you please specify exactly what you mean by "Access Logs"?

If I had to guess, I assume you mean logins / access to resources, in which case you would be best off using a normalisation filter and ensuring the rules that you want to bring together are using the same normalisation value or category.

pbpillai
McAfee Employee

Re: Access Logs collection

It can be collected from the domain controller as well as from each data source.

You will need to install the UBA content pack.

This content pack will further install and enable policies, alarms, reports, watchlists and correlation rules that will give information about the access logs.

Please refer to the links below:

https://www.mcafee.com/enterprise/en-in/products/mcafee-connect/user-behavior-analytics.html

https://kc.mcafee.com/corporate/index?page=content&id=KB83783

Alarms

  • UBA - New User Logon Detected

Reports

  • UBA - Source User One Week

Views

  • Source User Risk
  • Suspicious Geo Events
  • User Behavior Events

Watchlists

  • Domain Policy - Security Groups
  • UBA - Accounts Not Requiring a Password
  • UBA - Accounts with Expired Password
  • UBA - Computer Accounts
  • UBA - Default Usernames
  • UBA - Password Never Expires
  • UBA - Privileged Users
  • UBA - Rules
  • UBA - Servers (FQDN)
  • UBA - Servers (Name)
  • UBA - User Accounts Disabled
  • UBA - User Accounts Locked Out
  • UBA - User Logon Observed

Correlation Rules

  • Domain Policy - Domain Policy Changed
  • Domain Policy - Group Policy Object Deleted
  • Domain Policy - Group Policy Object Created
  • Domain Policy - Group Policy Object Modified
  • Domain Policy - Suspicious Domain Privilege Changes
  • Domain Policy - Suspicious Local Privilege Changes
  • Domain Policy - User Added to Domain Security Group
  • Domain Policy - User Added to Local Security Group
  • Domain Policy - User Removed from Domain Security Group
  • Domain Policy - User Removed from Local Security Group
  • GTI - Successful Login from Suspicious Host
  • GTI - Successful Login to Suspicious Host
  • UBA - Default Username Logon
  • UBA - Increase in Authentication Events seven days
  • UBA - Login Attempt from Locked or Disabled Account
  • UBA - Login Attempt from User with Expired Password
  • UBA - Login from Account that Does Not Require Password
  • UBA - Login from User with Non-Expiring Password
  • UBA - New User Observed
  • UBA - Remote Login to Server
  • UBA - Suspicious Privileged Logon
  • UBA - Username ending with Dollar Sign
  • UBA - User Logon from Multiple Geolocations
  • UBA - User Logon from Multiple Hosts
  • UBA - User Logon from Multiple IP Addresses
  • Windows Authentication - Admin Logon from Non-Company Geolocation on Vista-2008 or Later
  • Windows Authentication - Admin Logon from Non-Company Geolocation on 2000-2003XP
  • Windows Authentication - Admin Logon from Suspicious Geolocation on Vista-2008 or Later
  • Windows Authentication - Admin Logon from Suspicious Geolocation on 2000-2003 XP
  • Windows Authentication - Domain User Failed Logon Due to Invalid Password
  • Windows Authentication - Domain User Logon After Multiple Failed Attempts
  • Windows Authentication - Failed Domain Logon on Restricted Host
  • Windows Authentication - Restricted Domain Account Failed Logon

Regards,

Prashanth B Pillai

McAfee Technical Support

Customer Success Group
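As an added illustration, not McAfee's code or the content pack's own rule logic, here is a small Python sketch of the kind of correlation that three of the rules listed above express ("User Logon from Multiple IP Addresses", "Username ending with Dollar Sign", "Domain User Logon After Multiple Failed Attempts"), run over constructed normalised logon events such as a collector would produce from domain controller security logs. Field names, the window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised logon events, roughly what a correlation
# rule sees after the collector parses Windows Security events from a DC.
# Field names are assumptions, not the ESM schema.
EVENTS = [
    {"time": "2020-01-01 09:00:00", "user": "alice", "src_ip": "10.0.0.5", "result": "success"},
    {"time": "2020-01-01 09:10:00", "user": "alice", "src_ip": "10.0.0.9", "result": "success"},
    {"time": "2020-01-01 09:20:00", "user": "bob", "src_ip": "10.0.0.7", "result": "failure"},
    {"time": "2020-01-01 09:21:00", "user": "bob", "src_ip": "10.0.0.7", "result": "failure"},
    {"time": "2020-01-01 09:22:00", "user": "bob", "src_ip": "10.0.0.7", "result": "failure"},
    {"time": "2020-01-01 09:23:00", "user": "bob", "src_ip": "10.0.0.7", "result": "success"},
    {"time": "2020-01-01 10:00:00", "user": "WKS01$", "src_ip": "10.0.0.12", "result": "success"},
    {"time": "2020-01-01 15:00:00", "user": "alice", "src_ip": "10.0.0.5", "result": "success"},
]

def _ts(e):
    return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")

def logon_from_multiple_ips(events, window=timedelta(hours=1)):
    """Users with successful logons from more than one source IP inside the window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            ips = {x["src_ip"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(ips) > 1:
                flagged.add(user)
    return flagged

def dollar_sign_logons(events):
    """Logons by account names ending in '$' (Windows computer accounts)."""
    return {e["user"] for e in events if e["user"].endswith("$")}

def logon_after_failures(events, threshold=3):
    """Users whose successful logon directly follows >= threshold failures."""
    streak = defaultdict(int)
    flagged = set()
    for e in sorted(events, key=_ts):
        if e["result"] == "failure":
            streak[e["user"]] += 1
        else:
            if streak[e["user"]] >= threshold:
                flagged.add(e["user"])
            streak[e["user"]] = 0
    return flagged
```

The point for the original question is that all three detections need only the DC's logon events, which is why one collector on the domain controller covers them without touching each application server.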

Re: Access Logs collection

Thank you @pbpillai. Having to configure the SIEM collector on IIS, SQL, ERP or each data source will probably give me grey hair (+- 350 data sources). I was thinking that collecting from the domain controller will be helpful, especially for those that we can configure on the ESM rather than manually on each server/application.

I have installed the UBA content pack, but for some reason I am not getting any info for the below, especially from the Correlation Engine (will check why). Just to note as well, we are using hybrid Azure AD and on-prem AD (for admin accounts).
