I am requesting assistance with the community to see if you can help me with the following scenario:
I am attempting to automate the McAfee SIEM and ePO using tagging.
To summarize -
I would like to have the McAfee SIEM tag a client that generates more than 4 malware alert notifications within 60 minutes.
At the moment the McAfee SIEM malware alert notifications are based on a watchlist (defined by malware signature IDs) tied to an alarm which notifies the security operations center. (This piece works nicely.)
To further enhance this piece, the portion I am missing is where the McAfee SIEM identifies that it is the same computer generating more than 4 malware hits and in turn reaches out to McAfee ePO to tag the computer, which kills all connections and shuts it down.
So my question would be: Is the McAfee SIEM able to get granular enough to identify that the malware originated from the same computer and enable the automation piece with the McAfee ePO?
Please note that I don't want to enable the automation by tagging more than 1 computer that equals 4 events within the hour.
Any assistance is very much appreciated!!!
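The correlation the post describes (count watchlisted malware hits per source host over a sliding 60-minute window, and act only on the host that exceeds 4 hits, not on every host that contributed to a combined total) is worth showing as plain logic, independent of any vendor product. The following is an added example, not code from the original post nor from McAfee. The alert line format, the watchlist signature IDs and the host names are constructed for illustration; the "tag" action is returned as a tuple and the actual ePO tagging call is deliberately left out of scope.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed watchlist of malware signature IDs (placeholder values, not real McAfee IDs).
WATCHLIST = {"SIG-1001", "SIG-1002", "SIG-1003"}
THRESHOLD = 4                    # tag a host once it generates MORE than this many hits ...
WINDOW = timedelta(minutes=60)   # ... within this sliding window

# Constructed sample alert lines in the form "<ISO timestamp> host=<name> sig=<signature id>".
# They are assumed to arrive in timestamp order, as a SIEM correlation engine would see them.
SAMPLE_ALERTS = [
    "2024-01-15T09:00:00 host=WS-01 sig=SIG-1001",
    "2024-01-15T09:10:00 host=WS-02 sig=SIG-1001",
    "2024-01-15T09:15:00 host=WS-01 sig=SIG-1002",
    "2024-01-15T09:20:00 host=WS-02 sig=SIG-1003",
    "2024-01-15T09:30:00 host=WS-01 sig=SIG-1001",
    "2024-01-15T09:40:00 host=WS-01 sig=SIG-9999",  # not on the watchlist: ignored
    "2024-01-15T09:45:00 host=WS-01 sig=SIG-1003",  # 4th hit for WS-01: equals, not exceeds
    "2024-01-15T09:50:00 host=WS-01 sig=SIG-1002",  # 5th hit within 60 min: tag WS-01
    "2024-01-15T09:55:00 host=WS-01 sig=SIG-1001",  # already tagged: no second action
    "2024-01-15T11:00:00 host=WS-02 sig=SIG-1002",  # WS-02's morning hits have aged out
    "2024-01-15T11:05:00 host=WS-02 sig=SIG-1002",
]


def parse_alert(line):
    """Split one constructed alert line into (timestamp, host, signature id)."""
    ts_str, host_field, sig_field = line.split()
    return (
        datetime.fromisoformat(ts_str),
        host_field.split("=", 1)[1],
        sig_field.split("=", 1)[1],
    )


def correlate(lines, threshold=THRESHOLD, window=WINDOW, watchlist=WATCHLIST):
    """Return a list of (host, trigger_time, hit_count) tag actions.

    Hits are counted per host, so two hosts with two hits each never add up
    to a trigger; each host is tagged at most once per run.
    """
    hits = defaultdict(deque)   # host -> timestamps of watchlisted hits still in the window
    tagged = set()
    actions = []
    for line in lines:
        ts, host, sig = parse_alert(line)
        if sig not in watchlist:
            continue                       # same filter the watchlist-based alarm applies
        q = hits[host]
        q.append(ts)
        while q and ts - q[0] > window:    # drop hits older than the sliding window
            q.popleft()
        if len(q) > threshold and host not in tagged:
            tagged.add(host)
            actions.append((host, ts, len(q)))  # hand-off point for the ePO tag call
    return actions


if __name__ == "__main__":
    for host, when, count in correlate(SAMPLE_ALERTS):
        print(f"tag {host}: {count} watchlisted hits within 60 min as of {when.isoformat()}")
```

The per-host deque is what answers the "same computer" requirement: WS-02 contributes hits during the same hour as WS-01 but never crosses the threshold on its own, and its earlier hits no longer count by 11:00. Whatever rule engine you use, the two properties to check are that the key is the source host (not the signature or the whole alarm) and that the action fires once per host rather than on every subsequent hit.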