xded

Increase Event Severity from Network

Hi, I want each event that comes from a network address like 192.168.0.0/24 to get a higher severity (+20% compared to before). Is this possible with the SIEM or not? I'm happy for any help. 😃


Accepted Solutions

Re: Increase Event Severity from Network

Hi,

Why not? This is what I would do:

1. Go to Zone Management, create a new Zone (e.g. Hi-Severity Zone), give it a Geo location, Start and End IP (192.168.10.x), and apply it to the data sources where you expect this traffic to come from. Now this will populate the "Source Zone" field on all events coming from 192.168.10.x with "Hi-Severity".

2. Create a correlation rule with high severity that captures events that have Source Zone = Hi-Severity.

The asset-based solution that was suggested will also work, given that you adjust the severity weight. However, it assumes that all devices that would be coming from 192.168.10.x are already present in Assets.


8 Replies

Re: Increase Event Severity from Network

You can assign asset criticality scores in the Asset Manager on a per-asset basis. This can be used in selective risk reporting. This may help you... it depends on where you want to go with it.

xded

Re: Increase Event Severity from Network

No, sorry, this is not what I want.

I want to change the severity for each event based on the network address. If an event has this network address, it should have a higher severity than the same event without the network address.

Re: Increase Event Severity from Network

You can also adjust severity in the parser (ASP rules at least) based on a Severity value in the parsed data. This may be worth exploring if you only have a few specific events of interest, but if you just want a blanket uplift regardless of the device or the event, this will not be viable.

Re: Increase Event Severity from Network

You can accomplish this in two steps.

1. Create a Zone that contains the 192.168.x.x network.

2. Create a Correlation rule that matches the Source zone and increases the severity to your desired number.

Hope this helps.

Thanks,

Syed Rizvi

xded

Re: Increase Event Severity from Network

Hi Syed Rizvi,

This isn't possible, because you can't set up a Zone for a network address. You can set up a Zone that contains Assets, but this isn't what I want.

Hi Acommons,

This is possible but not applicable, because we would have to change all parsers for this. And this is a work of pain, because we have more than 100 network subnets.

Re: Increase Event Severity from Network

Are you sure that using Assets or Tags in conjunction with Severity Weights (click the Scales icon in the Policy Editor) won't solve this for you?

The devil is in the detail but this seems to offer a way forward.


xded

Re: Increase Event Severity from Network

Thank you for your help; I didn't know that I can set up a start and end IP on a Sub-Category. This will help a lot.
