Change default aggregation Settings in authentication events

The default aggregation setting is: (Source IP, Destination IP, Signature ID)

In the case of authentication events, the default aggregation setting loses the details required for compliance monitoring of a username, or that a security analyst would need to investigate an incident.


In the new version 9.6, I hope that McAfee changes the default aggregation settings exclusively for the authentication events to be (Username, Source IP, Signature ID).

4 Replies
rgarrett
Message 2 of 5

Re: Change default aggregation Settings in authentication events

I can't speak for 9.6; however, you can change the aggregation settings for certain authentication events. Select the event, and click on modify aggregation settings. You can then change the settings so it aggregates on whatever field you want, usually source user, destination IP.

Re: Change default aggregation Settings in authentication events

Of course you can change the aggregation settings for certain authentication events but I hope that McAfee SIEM will be smart enough to do it automatically without any intervention.

rgarrett
Message 4 of 5

Re: Change default aggregation Settings in authentication events

I don't think it would be wise to turn off aggregation for all authentication events. I understand what you are saying, that it is easier to simply turn off an aggregation for a well-known event. However, the purpose of the aggregation exception screen (under event aggregation) is to allow you to modify aggregation for certain rules. This way, aggregation is still serving its basic function (summarizing data and enhancing performance) and allowing each customer to modify according to his/her needs.

Re: Change default aggregation Settings in authentication events

I did not say to turn off aggregation for all authentication events, what I said is that the aggregation for all authentication events must be suitable to be: (Username, Source IP, Signature ID) automatically without any intervention. 
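The difference between the two aggregation keys discussed in this thread, as an added example that is not part of the original posts and is not McAfee code. It is a simplified model: the field names, the placeholder signature ID, and the rule that an aggregated row keeps the first event's values for non-key fields are all assumptions made for illustration.

```python
# Constructed sample: failed logons seen by a receiver (not real ESM data).
SIG = "SIG-LOGON-FAIL"  # placeholder signature ID
EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": SIG},
    {"user": "bob",   "src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": SIG},
    {"user": "carol", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": SIG},
    {"user": "alice", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.10", "sig_id": SIG},
    {"user": "alice", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.11", "sig_id": SIG},
]

# The two keys named in the thread.
DEFAULT_KEY = ("src_ip", "dst_ip", "sig_id")
USER_KEY = ("user", "src_ip", "sig_id")


def aggregate(events, key_fields):
    """Collapse events that share the same key into one counted row.

    Assumption: fields outside the key keep the value from the first
    event in the group, so later values are no longer visible.
    """
    rows = {}
    for ev in events:
        key = tuple(ev[f] for f in key_fields)
        if key in rows:
            rows[key]["count"] += 1
        else:
            rows[key] = dict(ev, count=1)
    return list(rows.values())


def users_visible(rows):
    """Usernames an analyst can still see after aggregation."""
    return sorted({r["user"] for r in rows})


if __name__ == "__main__":
    for name, key in (("default", DEFAULT_KEY), ("user-aware", USER_KEY)):
        rows = aggregate(EVENTS, key)
        print(name, "rows:", len(rows), "users:", users_visible(rows))
        for r in rows:
            print("   ", r)
```

In this model the user-aware key keeps every username but collapses alice's two destination IPs into one row, which is the trade-off behind choosing aggregation fields per rule.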
