I thought this would be simple, but apparently it's not. We're attempting to track malware infections within our environment and have alarms be automatically triggered off of correlation rule Sig ID 47-8000042. We need to break this down into Servers and Workstations. Workstations will have an email sent to Desktop Support for them to investigate why the system in question became infected, and Servers will go to my group for a similar investigation.
The packets from ePO do not contain the OS type or any other information like that, so I need to fill in the blanks somehow. We do have Asset sources set up within the SIEM, but for all my best intentions I have not seen how that can be utilized to fill in that information for the alarm. My next thought is to utilize a watchlist, which I can populate by pulling the info into a CSV from PowerShell and then just dump raw system names into a watchlist and call one Servers and the other Desktop. This obviously has the hideous disadvantage of needing constant updating, especially where Desktops are concerned.
Has anyone else done this before, and if so, is there a much simpler way to achieve this that I'm just not seeing?
Thanks in advance!
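One way to produce the two raw system-name lists the poster plans to feed into watchlists, as an added example that is not from the thread: it pulls enabled computer objects from Active Directory and splits them on the OperatingSystem attribute. It assumes the RSAT ActiveDirectory module is installed, the account can read computer objects, and `C:\Temp\Watchlists` is an acceptable output folder (all of these are assumptions, not anything the thread states).

```powershell
# Added example, not code from the original thread. Builds one hostname per
# line (the raw system-name dump described above) for the Servers and
# Workstations watchlists, plus a list of objects that could not be classified.
Import-Module ActiveDirectory

$OutDir = 'C:\Temp\Watchlists'   # assumed output location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Only enabled computers; OperatingSystem is written by the machine itself,
# so a blank value usually means a stale object that never checked in.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem

$servers      = New-Object System.Collections.Generic.List[string]
$workstations = New-Object System.Collections.Generic.List[string]
$unknown      = New-Object System.Collections.Generic.List[string]

foreach ($c in $computers) {
    $name = $c.Name.ToUpper()   # normalise case so it matches however ePO reports the host
    if ([string]::IsNullOrWhiteSpace($c.OperatingSystem)) {
        $unknown.Add($name)      # review by hand rather than guessing a team
    }
    elseif ($c.OperatingSystem -like '*Server*') {
        $servers.Add($name)
    }
    else {
        $workstations.Add($name)
    }
}

# One value per line, sorted and de-duplicated; rerun on a schedule to keep
# the workstation list from going stale.
$servers      | Sort-Object -Unique | Set-Content -Path (Join-Path $OutDir 'Servers.txt')
$workstations | Sort-Object -Unique | Set-Content -Path (Join-Path $OutDir 'Workstations.txt')
$unknown      | Sort-Object -Unique | Set-Content -Path (Join-Path $OutDir 'Unclassified.txt')

Write-Host ('Servers: {0}  Workstations: {1}  Unclassified: {2}' -f `
    $servers.Count, $workstations.Count, $unknown.Count)
```

The Unclassified list is worth checking before import: an infected host that is in neither watchlist would otherwise match no alarm at all.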
Pretty sure ePO events contain hostnames, which you can potentially use in a correlation rule. Or IP address range, if your servers and PCs are not on the same VLAN.
Thanks for the reply. I had thought about IP ranges utilized in zones after posting this and leaving yesterday. I think I'm going to give that a try. That seems to be the simplest route, as we're pretty strict on what kind of systems go on the Server and Workstation VLANs.