I would like to create some alarms, views, and reports. The problem is that I cannot simulate all system behaviors.
Is there an existing list of all messages parsed by McAfee? Especially internal messages generated by McAfee SIEM?
Do you mean the list from Policy Editor? The problem is that those signatures do not normalize the most important operations done on the system.
Account creation/change is there, but account deletion is not.
Would you be so kind as to share this list or a link to it, please?
Yup, I know how to do it; the problem is that I cannot see the events which I need. An example is a user being deleted from any McAfee SIEM appliance. Such a normalized event does not exist (or I cannot find it). Or a log source has been added to McAfee REC, deleted or modified, etc. Those logs exist in the appliance log but are not parsed, or I cannot find them. That's why I am asking for a list of all parsed messages from the McAfee SIEM box.
Firstly, your question on parsing: the message parsed is dependent on the device and the ASP applied to it.
Second, the link below is the KnowledgeBase for native SIEM "Health" rules.
These are "306" rules, i.e. SID: 306-500XX