We have fed McAfee ePO logs, AD logs and Check Point Firewall logs to McAfee ESM.
Now I would like to create a rule which will trigger when the points below are satisfied within a 15-minute time frame.
1) suspicious outbound/inbound connections happened ( Firewall Logs )
2) Virus got dropped to a machine ( ePO Logs )
3) Abnormal logs from AD ( If any )
Can anybody help me create a rule for the above? Let me know if any other details are required. Thanks in advance.
2) You need this list https://kc.mcafee.com/corporate/index?page=content&id=KB52417 of all signature IDs from ePO in the SIEM. With these IDs you can set up an alarm, or a correlation rule and then an alarm.
3) Maybe AD Zone Transfer
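As an added example (not from this thread or from McAfee), the 15-minute correlation the question describes, written as a small Python check over constructed sample events: a firewall event and an ePO detection on the same host within the window are required, an AD event in the same window is optional. Field names, messages and hostnames are assumptions, not ESM's schema, and the ePO signature IDs from the KB article in the reply are not reproduced.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)

# Constructed sample events in a normalised form (assumed fields: ts, src, host, msg).
# ws-101 has all three sources within 15 minutes; ws-202 has epo and firewall 30 minutes apart.
EVENTS = [
    {"ts": "2024-01-10 09:00:00", "src": "firewall", "host": "ws-101", "msg": "outbound denied to 203.0.113.5"},
    {"ts": "2024-01-10 09:04:00", "src": "epo",      "host": "ws-101", "msg": "threat detected, action: deleted"},
    {"ts": "2024-01-10 09:10:00", "src": "ad",       "host": "ws-101", "msg": "4625 failed logon"},
    {"ts": "2024-01-10 11:00:00", "src": "epo",      "host": "ws-202", "msg": "threat detected, action: deleted"},
    {"ts": "2024-01-10 11:30:00", "src": "firewall", "host": "ws-202", "msg": "outbound denied to 198.51.100.9"},
]


def parse(events):
    """Attach a datetime to each event so windows can be computed."""
    return [dict(e, t=datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")) for e in events]


def correlate(events, required=("firewall", "epo"), optional=("ad",), window=WINDOW):
    """Return one alert per host and window in which every required source fired.

    Events are grouped by host and sorted by time; each event opens a candidate
    window of `window` length. When the sources seen in that window cover all of
    `required`, an alert is emitted and the window's events are skipped so the
    same events do not raise a second alert. Optional sources are only reported.
    """
    by_host = defaultdict(list)
    for e in parse(events):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["t"])
        i = 0
        while i < len(evs):
            start = evs[i]["t"]
            in_window = [e for e in evs[i:] if e["t"] - start <= window]
            sources = {e["src"] for e in in_window}
            if all(s in sources for s in required):
                alerts.append({"host": host, "start": start.strftime("%Y-%m-%d %H:%M:%S"),
                               "sources": sorted(sources),
                               "ad_seen": any(s in sources for s in optional)})
                i += len(in_window)  # consume the window
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

In ESM the same logic is a correlation rule with the three source filters and a 15-minute time window; this script only shows which events such a rule would group.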