Reliable Contributor David1111
Message 1 of 6

How to find Computers that are not managed by the AV / End Point server

Hi dear community.

I need your help!

In order to find computers that are not being managed by the AV / End Point server,

I'm trying to create a correlation rule that will trigger with the following components:

First - Signature ID for computers authenticating with the DC.

And after that - in the specified time window (1 hour) DO NOT find the next event - an AV event that happens all of the time from all of the endpoints.

Group by - Source User.

[Attached image: Correlation rule - SEP.png]

The result:

The rule is triggering a lot; it's definitely false. It's triggering right away without waiting an hour to see if the second event wasn't found during the entire hour...

The reason I think it's not working is that after finding the first event the ACE waits a second, doesn't find the second event, and immediately triggers, without waiting the entire hour.

My Questions:

1. If that's true, do you know how to force the ACE to wait the specified time window?

2. Do you think there's a different issue going on?

3. Maybe you have a different idea how to find the computers in the domain that are not managed by the main AV / End Point manager?

I appreciate your help!!!

Best Regards👍👍👍

David.

1 Solution

Accepted Solutions
Reliable Contributor David1111
Message 5 of 6

Re: How to find Computers that are not managed by the AV / End Point server

Hi Brenta.

Your idea seems like a good idea, but in the meantime in my SIEM I'm going to leave the current rule as is. I will explain why:

I tried to create the watchlist method, but after 24 hours I got half of the amount I expected in the list.

On the other side, in my current rule parameters I expanded the time to 4 hours, and now it works 80% good,

with just 20% false, and that's because of computers that are shut down etc.

Thanks again for your help.

I like your creative thinking.

Best Regards👍👍👍

David.

5 Replies
itzikn
Level 7
Message 2 of 6

Re: How to find Computers that are not managed by the AV / End Point server

I am dealing with a similar problem with the "DO NOT occur" option..

Let me know if you managed to find a solution.

Thanks

Reliable Contributor brenta
Message 3 of 6

Re: How to find Computers that are not managed by the AV / End Point server

The reason this is not working is the combination of the AND filter and the NOT in the second match. This is basically the same thing as making the rule without the NOT match. Also, you said it was grouped by Source User, but it looks like this is grouped by Source IP.

I would approach such a use case this way.

  1. Define what you don't want the rule to trigger on (currently monitored devices) and make a Watchlist for that, containing all known endpoints, and populate it. Maybe somehow automate the population of this from ePO, or whatever tool you are using. (WL:known endpoints)
  2. Define how often you want this rule to fire. I am going to guess once every hour per endpoint is way too often. Then make a watchlist that expires values after that time. (WL:new detected endpoints)
  3. Create your correlation rule, looking something like:
    1. Some event that all computers emit (maybe a Kerberos event). Match for this SigID.
    2. In the same Match, not in watchlist of known endpoints.
    3. In the same Match, not in watchlist of new detected endpoints.
  4. Create Alarm on the new ACE Rule SigID; add host or whatever unique field to the known (WL:new detected endpoints).
  5. Do a Policy Rollout.

This won't require leaving large open windows of correlation rules, which adversely affect correlation engine performance.

Brent
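As an added illustration of the watchlist approach above (example code written for this page, not from the thread or from McAfee ESM), the following Python models the two watchlists and the single-match rule on a constructed event stream. SigIDs and addresses are placeholders, and the expiring watchlist stands in for ESM's value-expiry setting from step 2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed placeholders, not values from the thread.
AUTH_SIGID = "PLACEHOLDER_AUTH_SIGID"   # the "event all computers emit" (step 3.1)
AV_SIGID = "PLACEHOLDER_AV_SIGID"       # the endpoint-protection heartbeat from the question


@dataclass
class ExpiringWatchlist:
    """Watchlist whose values expire after ttl seconds (step 2, WL:new detected endpoints)."""
    ttl: float
    expiry: Dict[str, float] = field(default_factory=dict)

    def add(self, value: str, now: float) -> None:
        self.expiry[value] = now + self.ttl

    def contains(self, value: str, now: float) -> bool:
        exp = self.expiry.get(value)
        if exp is not None and exp > now:
            return True
        self.expiry.pop(value, None)  # lazily drop expired values
        return False


def rogue_device_rule(events, known: Set[str], new_detected: ExpiringWatchlist,
                      auth_sigid: str = AUTH_SIGID) -> List[Tuple[float, str]]:
    """Step 3 as one match: auth SigID AND src not in known AND src not in new-detected;
    the alarm action (step 4) adds the source to the expiring list so it fires once per TTL."""
    alerts: List[Tuple[float, str]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["sigid"] != auth_sigid:
            continue
        src = ev["src_ip"]
        if src in known or new_detected.contains(src, ev["ts"]):
            continue
        alerts.append((ev["ts"], src))
        new_detected.add(src, ev["ts"])
    return alerts


def demo() -> List[Tuple[float, str]]:
    """Run the rule over a constructed event stream with a 1-hour expiry on new detections."""
    known = {"10.0.0.10", "10.0.0.11"}  # WL:known endpoints, e.g. exported from ePO
    events = [
        {"ts": 0, "sigid": AUTH_SIGID, "src_ip": "10.0.0.10"},     # managed host: no alert
        {"ts": 5, "sigid": AUTH_SIGID, "src_ip": "10.0.0.50"},     # first sighting: alert
        {"ts": 10, "sigid": AUTH_SIGID, "src_ip": "10.0.0.60"},    # first sighting: alert
        {"ts": 50, "sigid": AV_SIGID, "src_ip": "10.0.0.50"},      # wrong SigID: ignored
        {"ts": 100, "sigid": AUTH_SIGID, "src_ip": "10.0.0.50"},   # within TTL: suppressed
        {"ts": 4000, "sigid": AUTH_SIGID, "src_ip": "10.0.0.50"},  # TTL elapsed: alert again
    ]
    return rogue_device_rule(events, known, ExpiringWatchlist(ttl=3600))
```

Because there is no open correlation window, each event is evaluated once against two set lookups, which is the performance point made above.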
Reliable Contributor David1111
Message 4 of 6

Re: How to find Computers that are not managed by the AV / End Point server

Hi brenta.

Thanks for the answer.

I will check your solution tomorrow with the customer

and update here on the results.

Regarding the group by - sorry, my mistake... I meant Source IP.

Thanks again

Best Regards👍👍👍

David.


Reliable Contributor brenta
Message 6 of 6

Re: How to find Computers that are not managed by the AV / End Point server

This is likely because the event that you are using to detect new computers is not firing on those endpoints. As you mentioned, they could be offline; this rule would catch them as soon as they are on the network and triggering events.

This is basically a "rogue device" detection use case.

Be aware that keeping large correlation windows open with a large-cardinality group by, such as source IP, will consume a large amount of ACE resources.

Brent