Former Member
Message 1 of 2

Need some guidance for SIEM

Hi,

I need some guidance regarding SIEM.

1] We have an agent running on each Windows server and we are managing it using ePO. Is that the right way? What is the best practice for collecting Windows logs?

Like in ArcSight, where there is one collector for multiple machines...

2] Most of the time we face the issue of the collector going down, and we need to check these manually. How should we proceed with this?

3] How do we handle malicious activity? There are thousands of logs; how do we find the malicious activity and combat it?

4] A list of Windows events to monitor from the security perspective.

5] Any other tips for managing a SIEM.

Thanks in advance

1 Reply
Former Member
Message 2 of 2

Re: Need some guidance for SIEM

Unless you are required to use a local agent, I would suggest setting up a Profile in Profile Management, then defining the Data Sources on your Receiver(s) and doing a WMI pull. Local Agents can be useful in some places like DMZ / Workgroup Servers where Local Account credentials are managed by another group.

You may need to have your AD Administrators modify your Group Policy to allow you to see all of the needed Failed Authentication events; this varies between 2000/2003 DCs and 2008/2012 DCs using Advanced Logging.

You may want to monitor for excessive failed logins, account lockouts, event logs being cleared, dirty reboots, and various other events. I suggest working with your Windows Admins to find out what events of interest they might have.

Do you have an ACE? What other devices are you feeding into your SIEM? FWs, IDS/IPS, AV (ePO), APT, RADIUS/TACACS+, DLP, NAC, etc...
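Added example, not part of the original reply and not McAfee correlation-rule syntax: a Python sketch of the triage logic for the event categories named above (excessive failed logins, account lockouts, cleared event logs, dirty reboots). The Windows event IDs are the standard ones for those categories and are not taken from the thread; the threshold, window, host names and account names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows event IDs for the categories named in the reply, keyed by
# (channel, id) because IDs are only unique per provider/channel.
SINGLE_EVENT_ALERTS = {
    ("Security", 4740): "account lockout",
    ("Security", 1102): "Security log cleared",
    ("System", 104): "event log cleared",
    ("System", 6008): "unexpected shutdown (dirty reboot)",
}
FAILED_LOGON = ("Security", 4625)
THRESHOLD = 5                    # assumed: failures per host/account ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window

def triage(events):
    """Return (time, host, finding) alerts; events must be time-ordered."""
    alerts, recent = [], defaultdict(deque)  # (host, user) -> failure times
    for ev in events:
        key = (ev["channel"], ev["id"])
        if key in SINGLE_EVENT_ALERTS:
            alerts.append((ev["time"], ev["host"], SINGLE_EVENT_ALERTS[key]))
        elif key == FAILED_LOGON:
            ts = datetime.fromisoformat(ev["time"])
            q = recent[(ev["host"], ev["user"])]
            q.append(ts)
            while ts - q[0] > WINDOW:        # expire failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD:
                alerts.append((ev["time"], ev["host"],
                               f"excessive failed logons: {ev['user']}"))
                q.clear()                    # re-arm: need THRESHOLD more
    return alerts

def make_event(time, host, channel, eid, user=""):
    return {"time": time, "host": host, "channel": channel, "id": eid, "user": user}

# Constructed sample events (not from the original thread).
SAMPLE = (
    [make_event(f"2024-01-01T09:0{m}:00", "SRV01", "Security", 4625, "svc_backup")
     for m in range(5)]
    + [make_event("2024-01-01T09:05:00", "SRV01", "Security", 4740, "svc_backup"),
       make_event("2024-01-01T09:06:00", "SRV02", "Security", 4625, "alice"),
       make_event("2024-01-01T09:07:00", "SRV02", "Security", 4624, "alice"),
       make_event("2024-01-01T09:30:00", "SRV01", "Security", 1102),
       make_event("2024-01-01T10:00:00", "SRV03", "System", 6008)]
)

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(*alert, sep="  ")
```

Clearing the queue after an alert keeps a slow, steady stream of failures from re-firing on every event; tune `THRESHOLD` and `WINDOW` to the environment's lockout policy.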
