Former Member
Message 1 of 3

How to do AD integration with the McAfee SIEM and IDS

Hi Team,

Can anyone tell me how to do a new AD integration with the McAfee SIEM and IDS? What are the basic configuration and network requirements in the AD for the SIEM?

Appreciate all your help on this.

Kind Regards,

Jay

2 Replies
Former Member
Message 2 of 3

Re: How to do AD integration with the McAfee SIEM and IDS

AD integration for what purpose?

You can do AD integration for the ability to log in to the ESM, mapping users through Group Membership, and assigning privileges to those Groups.

You can also set up AD in the Asset Manager to allow you to use AD in Filters, Watchlists, etc.

Then there is setting up Data Enrichment from AD for things like Display Name, email address, phone number, etc.

And of course setting up an AD Profile to use when pulling WMI events from Windows Servers.

--------------------------------------------------

For Login to the ESM - go to the ESM Properties - then to the 'Login Security' link on the left navigation - go to the 'Active Directory' tab - click 'Add' then give it a Friendly Name, click 'Add' again to define which AD Server to query, providing an IP Address and Port information. Once you enable AD authentication, the only 'Local user' that is allowed is the NGCP account.

Once AD is set up, go back to the ESM Properties, then go to 'Users and Groups' and 'Add' Group names that you want to map privileges to.

---------------------------------------------------

For Asset Management - click on the 'Asset Manager' icon in the upper right corner of your ESM screen - click on the 'Asset Sources' tab - select a location to pull your domain information from (max of 1 domain per location - ESM, Receiver, etc...) - click 'Add' and provide the necessary information to query AD including an AD account (preferably a service account with a password that will not change often).

---------------------------------------------------

For Profile Management - go to the ESM Properties page and select 'Profile Management' from the left navigation area - click 'Add' - profile type > 'Data Source' - Profile Agent > Windows - then provide a Profile name, username and password, and define which logs to pull > 'APPLICATION,SECURITY,SYSTEM'

We also had our Domain Admins enable Print Logging so for our Print servers we have a different profile which also pulls the print logs > APPLICATION,SECURITY,SYSTEM,Microsoft-Windows-PrintService/Operational

If you are also enabling PowerShell logging, or other things like SCOM logs, you can pull those as well.

--------------------------------------------------

There are community articles out there for Data Enrichment already.
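
Added example, not part of the reply above and not McAfee tooling: a PowerShell check, run on (or against) a Windows server, that every log named in a profile's log list exists and is enabled, since a disabled channel such as the print log gives the collector nothing to pull. The function name `Test-ProfileLogChannel` is hypothetical; the log list is the one quoted for the print-server profile.

```powershell
# Log list as entered in the print-server profile described in the reply above.
$ProfileLogs = 'APPLICATION,SECURITY,SYSTEM,Microsoft-Windows-PrintService/Operational'

# Hypothetical helper (not an ESM or McAfee command): reports, per channel,
# whether it exists, is enabled, and currently holds any records.
function Test-ProfileLogChannel {
    param(
        [Parameter(Mandatory)] [string] $LogList,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $names = $LogList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        try {
            # Get-WinEvent -ListLog returns the channel's configuration object.
            $log = Get-WinEvent -ListLog $name -ComputerName $ComputerName -ErrorAction Stop
            $problem = if (-not $log.IsEnabled) {
                'disabled: nothing is written to this channel'
            } elseif ($log.RecordCount -eq 0) {
                'enabled but empty'
            } else {
                $null
            }
            [pscustomobject]@{
                Channel   = $log.LogName
                Found     = $true
                Enabled   = $log.IsEnabled
                Records   = $log.RecordCount
                LastWrite = $log.LastWriteTime
                Problem   = $problem
            }
        } catch {
            # Unknown channel name, or the account cannot query it.
            [pscustomobject]@{
                Channel   = $name
                Found     = $false
                Enabled   = $false
                Records   = $null
                LastWrite = $null
                Problem   = $_.Exception.Message
            }
        }
    }
}

Test-ProfileLogChannel -LogList $ProfileLogs | Format-Table -AutoSize
```

Running it under the same service account used in the profile also shows whether that account can query each channel.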

Former Member
Message 3 of 3

Re: How to do AD integration with the McAfee SIEM and IDS

Thanks, Rth, for this guidance. Really sorry for giving you the late reply.

Kind Regards,

Jay Bhatt
