Hi all,
I am kind of new to McAfee SIEM and working on getting used to this tool. I have created a windows rule that looks for any account changes on specific group of devices. Eventually i have also created an alarm based on this SIGNATURE ID
However, i do not know if the alarm is working fine or not. May i request any assistance on creating some test event or how can i import/export and sample event that i can replay for testing.
Regards,
Raghu
I see some errors in your correlation rule. You use multiple filters which will result in a correlation on one or more multiple events that match the destiantion IP. These could be coming from completly different source IPS and be totally unrelated to each other.
Best thing that you place all filters in one component to match data in one event.
Futhermore, make sure that the fields you select are the fields for the event that contain data. best thing is to use a view and find the events you want to match on in acorrelation rule. Check what fields are parsed and the values they contain.
Your alarm seems okay from what I can see in the screenshot.
Also make sure that your correlation rule is enabled on the correlation engine in the policy editor. A good document to learn all about correlation and best practices is this one:
Hi Robert,
Thank you for providing very useful document on correlation. May i request you to share if any other documents that i leverage to gain expertise on Mcafee SIEM. (finding it bit difficult in understanding as i was working on Arcsight earlier )
Raghu
Is there any document which illustrates the testing of rule in McAfee ( Like in Arcsight we install a test connector and create .event replay files )
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA