jp (Level 9)
Message 1 of 7

ESM API for Correlation Configuration

Hello All, 

We noticed a while ago that SIEM will sometimes randomly disable vital Correlation rules and Alarms. I have given up trying to figure out why (McAfee magic...), but audit caught this so now we are required to provide monthly evidence that all rules are enabled. 

I am trying to do this programmatically, but there doesn't seem to be an API endpoint for pulling Correlation rule/Alarm configs; specifically, I need to check whether these are enabled.

Does anyone have any experience or suggestions here? Thanks!

6 Replies
David1111 (Reliable Contributor)
Message 2 of 7

Re: ESM API for Correlation Configuration

Hi,

Paste this path into the URL: https://Your SIEM IP/rs/esm/help

There you will see all the available API commands.

Regarding correlation, I found just 3 commands:

1. Get a list of all event correlations.
2. Get the source events and flows for a given correlated event ID.
3. Return Esm Correlation Trigger Info.

Best regards!

David.

jp (Level 9)
Message 3 of 7

Re: ESM API for Correlation Configuration

David, 

Thanks for the response, but I am specifically looking for Correlation configurations. I am familiar with and have been using the API, so I have already looked through that documentation.

I am starting to get the sense that this functionality, like most other things I would like to do in ESM, does not exist. 

David1111 (Reliable Contributor)
Message 4 of 7

Re: ESM API for Correlation Configuration

Yes, 

I'm getting the same feeling...

There's so much to change and add in the McAfee ESM 😞

Best regards.

brenta (Reliable Contributor)
Message 5 of 7

Re: ESM API for Correlation Configuration

Hey JP,

I have seen this happen on SIEMs as well. I'm not so sure it's "McAfee Magic" or some policy change that ended up having unintended consequences. Many of the configuration items in the SIEM are very dependent on each other; often, with larger groups working on SIEMs, these dependencies become oversights.

My thinking is you are looking for a quick "sanity" check, which I have done in the past. The solution is to build a "zone" for sending spoofed data to. In this zone you would configure one of each of your data source types in your environment and create a list of packets that will trigger all of your correlation rules once. Then send these on a daily/weekly/hourly basis. A deviation rule on the number of triggered alarms in this zone would indicate there is a problem, which can then send an email.

Brent

jp (Level 9)
Message 6 of 7

Re: ESM API for Correlation Configuration

@brenta

That is a very interesting solution; it would theoretically work. However, the issue is that I have well over 100 custom correlation rules that need to be verified, and creating a trigger for every rule seems incredibly tedious and time-consuming. Not sure that this would actually save any time.

brenta (Reliable Contributor)
Message 7 of 7

Re: ESM API for Correlation Configuration

The solution is very similar to unit testing and the continuous integration testing that comes with software development. As with software development, it does take time to go back and write all of the tests; however, if the work is done up front with each correlation rule, it is far easier. When building a correlation rule you often have the X packets you need to fire the rule in front of you while you are making it.

Brent
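The trigger-and-verify harness Brent describes in messages 5 and 7, written out as an added example. This is not code from the thread, from the poster, or from McAfee: it keeps the known-good trigger events next to each correlation rule in a manifest, replays them as RFC 3164 syslog into a canary data source on a schedule, and compares how many alarms fired per rule against the one firing expected per run, so a rule or alarm that was silently disabled shows up as a "silent" entry. The rule names, event lines, hostname and collector address are constructed placeholders; `fetch_counts` is a hook the caller fills with whatever query returns triggered alarms per rule in the test zone (for instance the ESM API the poster already uses, or an exported alarm report), and `settle` is where the wait for correlation goes.

```python
"""Trigger-and-verify harness for SIEM correlation rules (added example)."""
import socket
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed manifest: rule name -> raw event lines known to fire that rule.
# Filled in when the rule is authored, as the thread suggests. All names and
# payloads here are made up for illustration.
MANIFEST: Dict[str, List[str]] = {
    "Brute Force - SSH": [
        "sshd[2211]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    ] * 5,  # threshold rule: needs several events inside its window
    "Privilege Escalation - sudo": [
        "sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash",
    ],
    "Outbound C2 Beacon": [
        "fw: action=allow src=10.0.0.5 dst=203.0.113.9 dport=4444 proto=tcp",
    ],
}


def build_syslog(message: str, hostname: str = "canary-host", tag: str = "app",
                 pri: int = 13, now: Optional[datetime] = None) -> bytes:
    """Wrap a message in an RFC 3164 frame. pri 13 = facility user, severity notice.
    The hostname is the canary data source, which is what routes the event to the
    isolated test zone in the SIEM (assumed zone design, as in the thread)."""
    now = now or datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"   # RFC 3164 space-pads the day
    return f"<{pri}>{stamp} {hostname} {tag}: {message}".encode()


def udp_sender(collector: str, port: int = 514) -> Callable[[bytes], None]:
    """Return a function that ships one frame to the receiver over UDP syslog."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(frame: bytes) -> None:
        sock.sendto(frame, (collector, port))
    return send


def send_triggers(manifest: Dict[str, List[str]],
                  sender: Callable[[bytes], None]) -> Dict[str, int]:
    """Replay every trigger event once. Returns how many events went out per rule."""
    sent: Dict[str, int] = {}
    for rule, events in manifest.items():
        for event in events:
            sender(build_syslog(event))
        sent[rule] = len(events)
    return sent


def expected_firings(manifest: Dict[str, List[str]]) -> Dict[str, int]:
    """One replay of a rule's trigger set should produce exactly one alarm."""
    return {rule: 1 for rule in manifest}


def check_coverage(expected: Dict[str, int],
                   observed: Dict[str, int]) -> Dict[str, List[str]]:
    """Compare expected with observed alarm counts per rule.
    'silent' rules fired zero times: the rule or its alarm is disabled, or the
    canary data source/parser broke. 'over' means the window also caught other
    traffic, i.e. the test zone is not isolated from production data."""
    silent = [r for r, n in expected.items() if observed.get(r, 0) == 0]
    under = [r for r, n in expected.items() if 0 < observed.get(r, 0) < n]
    over = [r for r, n in expected.items() if observed.get(r, 0) > n]
    return {"silent": silent, "under": under, "over": over}


def run_check(manifest: Dict[str, List[str]],
              sender: Callable[[bytes], None],
              fetch_counts: Callable[[], Dict[str, int]],
              settle: Callable[[], None] = lambda: None) -> Dict[str, List[str]]:
    """Send triggers, wait for the SIEM to correlate, then compare.
    fetch_counts is caller-supplied (hypothetical hook) and must return
    {rule_name: alarms fired in the test zone since the send}."""
    send_triggers(manifest, sender)
    settle()                           # e.g. lambda: time.sleep(120) in production
    return check_coverage(expected_firings(manifest), fetch_counts())


def evidence_lines(result: Dict[str, List[str]], total_rules: int,
                   when: Optional[datetime] = None) -> List[str]:
    """Render a result as the dated record the audit asked for."""
    when = when or datetime.now()
    ok = total_rules - len(result["silent"])
    lines = [f"{when:%Y-%m-%d %H:%M} correlation coverage: {ok}/{total_rules} rules fired"]
    for kind in ("silent", "under", "over"):
        for rule in result[kind]:
            lines.append(f"  {kind.upper()}: {rule}")
    return lines


if __name__ == "__main__":
    # Example wiring with a stub query standing in for the SIEM lookup.
    def stub_counts() -> Dict[str, int]:
        return {"Brute Force - SSH": 1, "Outbound C2 Beacon": 1}
    outcome = run_check(MANIFEST, udp_sender("127.0.0.1", 5514), stub_counts)
    print("\n".join(evidence_lines(outcome, len(MANIFEST))))
```

Run on a schedule, the `silent` list is the deviation Brent mentions: a non-empty list is the condition to alert on, and the printed evidence lines, kept per run, are the monthly record the audit wants. Because each manifest entry is written once, when the rule is built, the per-rule cost is the trigger events the author already has open at that moment.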