McAfee SIEM and ePO - Tagging Threshold

Good Morning,

I am requesting assistance with the community to see if you can help me with the following scenario:

I am attempting to automate the McAfee SIEM and ePO using tagging.

To summarize -

  • McAfee ePO is operational and custom alerts and notifications are enabled.
  • McAfee SIEM is operational and watchlists and alerts work excellently.

I would like to have the McAfee SIEM tag a client that generates more than 4 malware alert notifications within 60 minutes.

At the moment the McAfee SIEM malware alert notifications are based on a watchlist (defined by malware signature IDs) tied to an alarm which notifies the security operations center. (This piece works nicely.)

To further enhance this piece, the portion I am missing is where the McAfee SIEM identifies that it is the same computer generating more than 4 malware hits and in turn reaches out to McAfee ePO to tag the computer, which kills all connections and shuts it down.

So my question would be: Is the McAfee SIEM able to get granular enough to identify that the malware originated from the same computer and enable the automation piece with the McAfee ePO?

Please note that I don't want to enable the automation by tagging more than 1 computer that equals 4 events within the hour.

Any assistance is very much appreciated!!!

Re: McAfee SIEM and ePO - Tagging Threshold

You need to create a rule-based correlation with a count component.
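As an added illustration of what such a count-based correlation does (example code written for this thread, not McAfee SIEM or ePO configuration), the following keeps a sliding 60-minute window of malware alerts per host and flags only a host that alone exceeds 4 alerts in that window; the alert lines are constructed sample data, and the ePO tagging call is left as a placeholder comment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample malware alert events (not real SIEM output), one per line:
# "<ISO timestamp>,<host>,<signature id>". WS-101 has 5 alerts inside 60 min;
# WS-102 has 6 alerts in total but never more than 3 inside any 60-min window.
SAMPLE_EVENTS = """\
2024-01-10T08:00:00,WS-101,sig-1001
2024-01-10T08:05:00,WS-102,sig-1001
2024-01-10T08:10:00,WS-101,sig-1002
2024-01-10T08:20:00,WS-101,sig-1001
2024-01-10T08:30:00,WS-103,sig-1003
2024-01-10T08:40:00,WS-101,sig-1004
2024-01-10T08:50:00,WS-101,sig-1001
2024-01-10T09:00:00,WS-102,sig-1001
2024-01-10T09:10:00,WS-102,sig-1002
2024-01-10T10:30:00,WS-102,sig-1001
2024-01-10T10:40:00,WS-102,sig-1001
2024-01-10T10:45:00,WS-102,sig-1001
"""

THRESHOLD = 4                    # tag when a host exceeds this many alerts ...
WINDOW = timedelta(minutes=60)   # ... within this sliding window


def parse_events(text):
    """Parse the alert lines into (timestamp, host, signature) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, host, sig = line.split(",")
        events.append((datetime.fromisoformat(ts), host, sig))
    return sorted(events)


def hosts_to_tag(events, threshold=THRESHOLD, window=WINDOW):
    """Return {host: trigger_time} for hosts that exceeded `threshold` alerts
    within one sliding `window`. The count is kept per host, so alerts from
    several machines never add up to a tag, and each host is tagged at most once."""
    recent = defaultdict(deque)   # host -> alert timestamps still inside the window
    tagged = {}
    for ts, host, _sig in events:
        if host in tagged:        # already handed off to ePO, do not re-tag
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # evict alerts older than the window
            q.popleft()
        if len(q) > threshold:
            tagged[host] = ts     # placeholder: the ePO tagging call would go here
    return tagged
```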

Re: McAfee SIEM and ePO - Tagging Threshold

Appreciate the feedback. I will explore that option and go from there.