Across the board alarms

I am trying to implement across-the-board correlation rules and alarms on a SIEM with multiple customers, each under his own receiver, and I am having a certain problem with the alarms.
To show my problem, let's say for example we have an alarm that should be affecting two customers.
I want it so the alarm will send out an email with the details of the affected customer, for example his receiver name. How can I tell on the alarm level from which receiver the source event came, and send the information to the appropriate customer in response?

Accepted Solutions
Reliable Contributor David1111
Message 2 of 9

Re: Across the board alarms

Hi GideonTriple.

You are mentioning a very good point; it's called "Multi-Tenanting SIEM".

McAfee doesn't support it out of the box, but it's possible with a workaround.

(IBM QRadar gives full support for that.)

The solution for your question is:

1 - In the ACE tree, copy the Rule Correlation device, multiplied by the number of customers \ Receivers.

2 - Filter each Rule Correlation device to correlate only on a specific Receiver.

3 - The Correlation Rules will automatically copy to each Rule Correlation device.

4 - In the Alarm Wizard, go to the "Devices" tab and check only the Rule Correlation device that you want for that alarm.

Best Regards.👍👍👍

David.

8 Replies
Re: Across the board alarms

Hey there David,
This workaround seems like a good idea, besides one fact.
When I am sending out an email from the alarm, I am equipping it with a list of contacts.
How do I tell the alarm, if this alarm has come from a certain correlation engine, then send to this specific customer, without the need to create a new alarm for each customer?
McAfee Employee TaskManager
Message 4 of 9

Re: Across the board alarms

That will be one of the limitations. You cannot have logic in alarm to correlate which event source it came from and have it do different items from one device to the other.

You would need to duplicate the alarms as well and have each alarm target a different correlation engine, and do an email template based on client alarm/correlation engine trigger unfortunately.

Re: Across the board alarms

Since alarms can use "Execute remote command" and I know the event source it came from, can I just write a script with a built-in dictionary to match the event source to the necessary email address and send out the information that way?
McAfee Employee TaskManager
Message 6 of 9

Re: Across the board alarms

Potentially. I have not played around with all of the details the Alarm setting can send, but it is highly probable that you can address the logic externally, either through Launch Remote Command or a custom formatted URL (Launch Background URL); either method would be viable to apply custom logic off box, as long as the alarm can provide the details required to make the associative difference.

You may also benefit from a custom query through the API to grab all the fields associated with the event on the correlation engines and through that specific method I know it can be done.

Re: Across the board alarms

I will try exactly that and be back here to post the results.
Thank you for your help on the matter.

Re: Across the board alarms

I think I found an easier solution.
Instead of executing a remote command, I will simply send everything to an organized mailbox in Outlook, where I will use an Outlook rule to forward the email to the relevant customer according to the $Device_Name that will be sent. Much easier than writing scripts, I'd say 😉
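The script approach raised earlier in the thread (a dictionary that maps the event source to the customer's contacts), keyed on the same $Device_Name field the Outlook rule relies on, as an added example that is not from this thread, from McAfee, or from any ESM API: the alarm field names, the tenant map, the addresses and the sample alarm body are all assumptions. Unmapped devices fall back to the MSP's own SOC, so a misconfigured tenant map never leaks one customer's alarm to another.

```python
import re
from email.message import EmailMessage

# Constructed tenant map: the receiver / device name the alarm reports -> that
# customer's contacts. Names and addresses are placeholders, not real tenants.
TENANT_CONTACTS = {
    "Receiver-CustomerA": ["soc@customer-a.example"],
    "Receiver-CustomerB": ["secops@customer-b.example"],
}
# Unmapped devices go to the MSP's own SOC only, never to another tenant.
DEFAULT_CONTACTS = ["msp-soc@example.invalid"]

def parse_alarm(body):
    """Parse 'Key: Value' lines of an alarm notification into a dict."""
    fields = {}
    for line in body.splitlines():
        m = re.match(r"^\s*([A-Za-z_ ]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def route(fields):
    """Return (recipients, known): contacts for the alarm's device, fail-closed."""
    contacts = TENANT_CONTACTS.get(fields.get("Device_Name", ""))
    if contacts is None:
        return list(DEFAULT_CONTACTS), False
    return list(contacts), True

def build_message(fields):
    """Build the outbound email; unmapped devices are flagged in the subject."""
    recipients, known = route(fields)
    msg = EmailMessage()
    msg["From"] = "esm-alarms@example.invalid"   # placeholder sender
    msg["To"] = ", ".join(recipients)
    tag = "" if known else "[UNMAPPED DEVICE] "
    msg["Subject"] = tag + "ESM alarm: " + fields.get("Alarm_Name", "unknown")
    msg.set_content("\n".join(f"{k}: {v}" for k, v in fields.items()))
    return msg

# Constructed sample of what the alarm's email / remote-command payload might carry.
SAMPLE_ALARM = """Alarm_Name: Brute force login
Device_Name: Receiver-CustomerA
Rule_Name: Multiple failed logins
Source_IP: 192.0.2.10"""

if __name__ == "__main__":
    message = build_message(parse_alarm(SAMPLE_ALARM))
    print(message)   # hand to smtplib.SMTP(...).send_message(message) in practice
```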

Reliable Contributor brenta
Message 9 of 9

Re: Across the board alarms

I typically implement this by use of Zones for MSPs.

Zones are a great way to isolate customers. You can build correlation rules that don't have a concept of zones, then in your correlation engines, only send events from one zone to each engine. This will ensure that customers are isolated from each other.

Most SIEM users don't value variables, but since they can be overridden at different layers inside the device tree stack, you can use this to 'mutate' HOME_NET or any variable based on each customer's requirements, making them often more valuable than watchlists in multi-tenanted environments. This lets you have one correlation rule set that will work on all customers, making correlation management MUCH easier, with the net effect of fewer correlation rules, because you don't need to make rules for each customer.

Brent