jfpamesa
Level 7

[McAfee ESM] Customized Queries for Reports?

Good Day,

I would like to create a report on McAfee ESM. The report is a simple report that shows the Top Source IPs ordered by the sum of Bytes; the event details were captured from a Squid data source.

The challenge is, I am only able to select the Source IP for the bar graph, and it shows the Top Source IP based on the sum of events. I also tried using grid view, but it also generates the report per event, hence multiple entries for the same IP are displayed.

I'd like to know if it's possible to create a custom query, or if there is any other workaround I can use to create this kind of report.

Thank You!

Fritz

jfpamesa
Level 7

Re: [McAfee ESM] Customized Queries for Reports?

To give an update, I tried creating a correlation rule to group per Source IP, but the Bytes custom type field isn't passed or is missing when drilling down into the correlated events.

I hope to receive a response and assistance from ESM users.

Thanks!

McAfee Employee

Re: [McAfee ESM] Customized Queries for Reports?

Are your 'squid bytes' being parsed into an 'accumulator field'? This won't be a function of correlation, just parsing.

jfpamesa
Level 7

Re: [McAfee ESM] Customized Queries for Reports?

Hello Andy, yes, it is parsed as an "accumulator field". If that's the case, do you have any idea how I can create this kind of report?

Thanks!

paul.k
Level 10

Re: [McAfee ESM] Customized Queries for Reports?

JF,

You need to MAP this to a non-accumulator field in ESM-->Database-->Settings-Accumulator Indexing.

You can map up to 5 total.

Basically, pick which fields you want to accumulate by.

Good luck. This can get both interesting and tricky.

jfpamesa
Level 7

Re: [McAfee ESM] Customized Queries for Reports?

Hi Paul,

I'm wondering why or how I can identify the 'Bytes_Received' field from the Accumulator Indexing.

Under the 'System Properties->Custom Types', the 'Bytes_Received' Event Field is set to 'Accumulator Field -2'. However, I can't see any 'Bytes_Received' index/field in the 'Database->Settings->Accumulator Indexing->Accumulator Field - 2', but there are a lot of 'Custom Field $N Index' in there.

See the attached screenshots for reference:

Screenshot: 'System Properties->Custom Types'

Screenshot: 'Database->Settings->Accumulator Indexing->Accumulator Field - 2'

Thanks!

Fritz

paul.k
Level 10

Re: [McAfee ESM] Customized Queries for Reports?

You're almost there.

Notice you can't do it by Field name but by its Custom Field 1.

So pick out the custom field numbers that match the Field Name you wish to bind to the accumulator field.

Also, the basic ones like IP addresses and distribution will be at the bottom of the list.

You will be forced to do a service restart when you're done. (NOTE: IF YOU GIVE IT A DATE GOING BACK, it can take a long time for it to rerun the accumulator #s.)

Once you bind them you will get new options when creating dashboards.

As an experiment, start a new view, add a bar chart, hit the drop-down and you will see new options.

Based on what you chose to bind to the Acc fields, you will get the option to pivot around that data.

Enjoy your new analytics tool.

jfpamesa
Level 7

Re: [McAfee ESM] Customized Queries for Reports?

Hi Paul,

Thank you for your assistance, I was able to accomplish what I intended to do.

The only thing which I wonder right now is how did you know that it is "Custom Field 1"? Is there an option where I can see the mapping of the event fields to custom field?

Thanks!

paul.k
Level 10

Re: [McAfee ESM] Customized Queries for Reports?

Hi,

You answered your own question earlier.

They are the same across all deployments.

Enjoy.
