
Geolocation data for internal assets

Hi all,

When my ESM deals with events involving assets in a different location, it does not always tag the remote private IP with a geolocation.

For instance, a workstation in our NYC office connects to a server in our New Jersey datacenter, in which the SIEM resides, and creates an event because of a login failure.  In some cases the workstation IP shows the geolocation, and in some cases it doesn't.  This can cause geolocation-based correlation rules to act incorrectly.

I've used Asset Manager to set up zones for all of our subnets, with geolocations assigned, and set up Asset Sources.  When the ESM sees a new IP, shouldn't it use the Asset Manager to set the zone and therefore the geolocation?

Am I doing this right?

Any help is appreciated.

Thanks,

- Steve

David1111 (Reliable Contributor)

Re: Geolocation data for internal assets

Hi

Besides the Zone management:

Try to set in Policy editor > Reputation > CORP_GEOS - to the geo location of your network

Best regards 👍👍👍

David.

David1111 (Reliable Contributor)

Re: Geolocation data for internal assets

Sorry, in the path I forgot to mention the "Variable" step:

Policy editor > Variable > Reputation > CORP_GEOS

Re: Geolocation data for internal assets

Hi David,

Thanks very much.  I have already set that variable, and it works fine with matching against geolocations.  This problem is specifically related to events where there is NO geolocation tagged onto an internal asset.

Best regards,

- Steve

brenta (Reliable Contributor)

Re: Geolocation data for internal assets

Can you give us an idea of your zone layout? 

There are a lot of ways to construct different strategies when dealing with the zone hierarchy, some context to your layout might help identify your specific issue.

Brent

Re: Geolocation data for internal assets

Sure, thanks. 

We have an ESM in our New Jersey datacenter, and one in our Pennsylvania datacenter. 

In each ESM I've defined three zones: one for each datacenter and one for our NYC office.

Under each zone there are a number of subzones for specific VLANs.  Each subzone is geotagged.

A typical situation I see is:  the NJ ESM will have an event involving a PA server talking to a NJ server.  The NJ server, which is also a data source, will be geotagged in the event, but the PA server won't.

Thanks,

- Steve

brenta (Reliable Contributor)

Re: Geolocation data for internal assets

Ok, so I assume you have some number of receivers at these data centers. Do you have these receivers assigned to zones?

When a receiver is assigned a zone for the purpose of tagging incoming packets, that zone becomes its root zone. This will not allow the receiver to move up the tree in order to see other top level zones. This could be the reason why your NJ servers are properly tagged (I assume they are sending to a NJ receiver) but the PA side of the event is not.

You can try removing the zone selection on your receivers, so they can evaluate from the true root.

Brent
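To illustrate Brent's point, here is an added toy model of zone lookup from a fixed root (example code, not McAfee ESM code): a receiver anchored at the NJ zone can only resolve addresses beneath NJ, so the PA end of the same event comes back untagged, while a receiver anchored at a single primary zone with the sites as children tags both ends. Zone names, address ranges and geo labels are constructed samples.

```python
# Toy model (added example, not McAfee ESM code) of zone lookup from a fixed root.
# Zone names, address ranges and geo labels are constructed samples.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Zone:
    name: str
    geo: Optional[str] = None                       # geolocation set in Asset Manager
    cidrs: List[str] = field(default_factory=list)
    children: List["Zone"] = field(default_factory=list)

def find_zone(root: Zone, ip: str) -> Optional[Zone]:
    """Most specific zone at or below `root` that contains `ip`, or None.
    Nothing outside `root`'s subtree is ever considered."""
    addr = ipaddress.ip_address(ip)

    def walk(z: Zone) -> Optional[Zone]:
        for child in z.children:                    # a VLAN sub-zone beats its parent
            hit = walk(child)
            if hit is not None:
                return hit
        return z if any(addr in ipaddress.ip_network(c) for c in z.cidrs) else None

    return walk(root)

def tag_event(receiver_root: Zone, src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Geotag both ends of an event as a receiver anchored at `receiver_root` would."""
    tags = []
    for ip in (src, dst):
        zone = find_zone(receiver_root, ip)
        tags.append(zone.geo if zone else None)
    return tags[0], tags[1]

def make_site(name: str, geo: str, prefix: str) -> Zone:
    """A site zone (prefix.0.0/16) with two geotagged VLAN sub-zones (/24s)."""
    return Zone(name, geo, [f"{prefix}.0.0/16"],
                [Zone(f"{name}_VLAN10", geo, [f"{prefix}.10.0/24"]),
                 Zone(f"{name}_VLAN20", geo, [f"{prefix}.20.0/24"])])

NJ = make_site("NJ", "US/NJ", "10.1")
PA = make_site("PA", "US/PA", "10.2")
NYC = make_site("NYC", "US/NY", "10.3")
# Layout A: NJ, PA, NYC as three root-level zones; NJ receiver anchored at NJ.
# Layout B: one primary zone with the sites as children; receiver anchored at CORP.
CORP = Zone("Corp", None, [], [NJ, PA, NYC])
```

`tag_event(NJ, "10.2.10.5", "10.1.10.7")` leaves the PA source untagged, whereas `tag_event(CORP, ...)` on the same event tags both ends.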

Re: Geolocation data for internal assets

Hi Brent,

Yes, there is one receiver for each ESM (these are combo ESM/ERC/ELM appliances).

Checking the NJ receiver, I see on the Receiver Information screen that the zone is the NJ zone.  However, I don't see a way to clear that. 

Also, just to be clear, I'm not saying that geolocation tagging isn't working in PA.  What I mean is that within a single event, sometimes one of the source and destination is tagged and the other isn't.

Thank you,

- Steve

Accepted Solution
brenta (Reliable Contributor)

Re: Geolocation data for internal assets

Enter the Asset Manager -> Zone Management tab.

Pick a zone to edit; you will see where this zone is applied. You may want to consider making a "Root Zone" with sub-zones under it rather than a bunch of root level zones.

I often see zones used in a managed service capacity to segregate client data. Seems like you do not need/desire this segregation, so I would suggest restructuring your zones to one primary zone with children.

Brent

Re: Geolocation data for internal assets

Got it.  I will give that a try and let you know the results. 

Thanks again!