Is there a easier way to turn off aggregation for a whole receiver or even a whole McAfee SIEM system. I knew that turn off aggregation impact ESM performance. Since number of EPS arrived at ESM will be higher.
However, for most of events we got, we need more than 3 fields to be exactly matched before aggregation.
yes - it is possible. You should go to the Policy Editor, then select Advanced Syslog Parser, and then - click on the "Aggregation" word. See below:
Next you can repeat this steps for Data Source section in the left tree.
Well... actually, we can disable a bunch of rules each time by holding "Shift" key and "Up" or "Down" arrow key to select multiple rules. However, highlight too many rule will result in an error message.
It took me awhile before I can turn off aggregation for every rules!!!
What I just wonder and that's also my question here is can we turn off aggregation for every rules in just a flash?
In case of flow aggregation we got a menu to turn it off. But I didn't see something like that in case of event.
Is there any other easier method to turn them off for every rules?
Not only will it impact your performance, but analysis at that point becomes very difficult. The point of aggregation is to match common fields:
CLASSIC USE CASE
EVENT ID/NAME (hard-coded) + SOURCE IP + DEST IP
Non-Classic Use Case
Lets say you have email logs that parse out event id/name, sender email address, Source IP, Subject Line, and recipients.
Depending on the event, a good aggregation would be
EVENT ID/NAME (hard-coded) + sender email address + subject line
You have the ability to modify your 2nd and 3rd fields to suit your needs, but you need to know what you want out of the data to effectively complete this.
If you need more than 3 fields for aggregation, you really need to look into implementing some correlations. Also, with aggregation turned off some of your correlations will be extrememly hard to work with since every event will only trigger 1 time.
I aware of performace degration. As far as I know, turn off aggregation will result in 90% EPS decay. For example ETM-5600 with 50,000 EPS, according to data sheet ,can handle only 5,000 EPS without aggregation. One more thing, I want to point out that even content provided in McAfee Partner Learning Center also gave us incorrect calculation regarding how to calculate EPS required on ESM. From what I thought, there should be no impact for Receiver or if some effect exist, receiver performance should be improved a little bit because they don't have to perform events check for aggregation.
Since I cannot set aggregation fields to some custom type even though those custom type are present by default.
Allow such aggregation will cause us to lost of information for some cases.
About using correlation instead for more than 3 fields aggregation, I still don't understand. Could you give me an example and how to do it that way?
Let's say you are looking for common outside hackers scanning and need to correlate the activity. To analyze what activity the hacker is passed or denied, using SIGID (which would equate to the actual firewall rule log itself - i.e. - ACL #1 or #2) + Source IP + Dest IP + Dest Port would get more in depth firewall details than what comes canned (SIGID + Source IP + Dest IP).
So, not aggregating in this example would reveal the first reported Dest Port aggregated for the signature on the Source IP / Dest IP connection thus giving you an inaccurate account of activity. In other words, if they were doing a port scan for a destination and it was dropped on the same rule (SIGID), you would only see one port reported, not the potential thousands.
If you want to use this for firewall analysis that is in depth, you have to factor this in.
So, change aggregation for stuff that adds security value or whatever information you require that adds value. Don't just change for all because we obviously know that each instance of turning off goes against the EPS.
Hope that helps.