penoffd
Level 10

SIEM Variable - Domain

I'm looking for some clarification as to the domain variable, as I have not been able to find anything in the documentation that clearly defines its use.

Should the domain variable be the FQDN of the environment, that is, if our business was xyz.com it would be "xyz.com"?

Or/and, should our Active Directory domain be in this variable as well, say if it was xyz.ad?

I'm trying to do some rule tuning/cleanup, and I am trying to understand how this variable works with different rules.

8 Replies
McAfee Employee

Re: SIEM Variable - Domain

Where do you see the domain variable? I looked in the Policy Manager under variables. Are there any rules that reference it? Thanks.

penoffd
Level 10

Re: SIEM Variable - Domain

Right here in the Policy Editor:

And yes, there are rules that we use that reference it. A custom correlation rule based on "Windows Authentication - Administrator Account Logon on Vista-2008 or Later" (Signature ID: 47-8000034) is one of them, for example.

Nice avatar!

proxima
Level 10

Re: SIEM Variable - Domain

Hi,

The easiest way to achieve that is to do a drill-down to a domain field in the current logs, check that, and then use the same structure.

I'm sure that you already have some entries...

Regards

MK

rth67
Level 12

Re: SIEM Variable - Domain

What version are you on?

We have two different SIEMs (X6 and X4), both on 9.5.2. I do not see a "Domains" list in the Variables...

penoffd
Level 10

Re: SIEM Variable - Domain

We are currently on 9.6 MR1.

That being said, the Domains variable has been in the system for several years at least. It's quite possible we added it during initial configuration when the original Nitro system was installed.

rth67
Level 12

Re: SIEM Variable - Domain

Interesting, as we have two different SIEM instances: one was stood up in mid-2012, the other in early 2014, and neither has a folder for "Domains" listed in the Variables.

We have a Pro-Services engagement (Health Check) later this month, I will inquire while they are here.

penoffd
Level 10

Re: SIEM Variable - Domain

We determined that the original configuration, which was performed on the original Nitro device that we installed in 2009, was incorrect. As a result of this configuration, the only domain variable used was for our outward-facing traffic. While there may have been a reason for this at the time, no one involved with the deployment is still around, and there is nothing documenting the configuration to determine the reasoning for doing this.

In order to properly configure the system, we have added our internal Active Directory domain to the variable in order to reflect internal traffic.  We'll monitor rules and alarms to see if there is a noticeable difference or if correlation rules or alarms begin to fire as a result of the change.

proxima
Level 10

Re: SIEM Variable - Domain

Hi,

Just to answer to your questions:

I'm looking for some clarification as to the domain variable, as I have not been able to find anything in the documentation that clearly defines its use.

You will not find anything in the documentation because this is only a custom variable (unless you mean documentation from the installation).

Should the domain variable be the FQDN of the environment, that is, if our business was xyz.com it would be "xyz.com"?

Or/and, should our Active Directory domain be in this variable as well, say if it was xyz.ad?

It depends... If you want to monitor, for example, web traffic to/from a specific web domain, you can use the value from the screenshot (hillsboroughcounty.org); if you want to monitor traffic to/from some specific directory service, you can use the FQDN, but in my opinion you should try to use a dynamic watchlist with all entries connected with the domain short name.

In order to properly configure the system, we have added our internal Active Directory domain to the variable in order to reflect internal traffic.  We'll monitor rules and alarms to see if there is a noticeable difference or if correlation rules or alarms begin to fire as a result of the change.

To monitor internal or external traffic you should use the HOME_NET variable in the network category.

Regards

MK

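The two points the thread ends on, penoffd's observation that a Domains variable holding only the public web domain leaves internal Active Directory logons unmatched, and proxima's advice to decide internal versus external by HOME_NET rather than by domain, can be illustrated outside the ESM GUI. The following Python is an added example, not McAfee rule syntax or data from the original thread: the event records are constructed, the domain names (xyz.com, XYZ) and address ranges are hypothetical, and DOMAINS_ORIGINAL, DOMAINS_CORRECTED and HOME_NET are stand-ins for the ESM variables being discussed. It runs an "Administrator account logon" match against the same events with both settings of the domain variable, and separately classifies event sources against HOME_NET.

```python
import ipaddress

# Constructed sample logon events, loosely modelled on normalised Windows
# 4624 "successful logon" records. Not real ESM data; domains are made up.
EVENTS = [
    {"user": "Administrator", "domain": "XYZ",       "src_ip": "10.1.2.3",    "logon_type": 10},
    {"user": "jdoe",          "domain": "XYZ",       "src_ip": "10.1.2.4",    "logon_type": 2},
    {"user": "Administrator", "domain": "xyz.com",   "src_ip": "203.0.113.5", "logon_type": 3},
    {"user": "Administrator", "domain": "WORKGROUP", "src_ip": "192.0.2.9",   "logon_type": 10},
]

# Hypothetical stand-ins for the ESM variables discussed in the thread.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAINS_ORIGINAL = ["xyz.com"]          # only the public web domain, as in the old config
DOMAINS_CORRECTED = ["xyz.com", "XYZ"]  # plus the AD short (NetBIOS) name


def is_internal(ip, home_net=HOME_NET):
    """True when the address falls inside any HOME_NET range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def admin_logon_hits(events, domains):
    """Events that a rule keyed on 'Administrator' AND domain IN $Domains would match.
    Domain comparison is case-insensitive, as Windows treats domain names."""
    wanted = {d.lower() for d in domains}
    return [
        e for e in events
        if e["user"].lower() == "administrator" and e["domain"].lower() in wanted
    ]


def direction_summary(events):
    """Internal/external split by source address only; does not depend on the domain variable."""
    counts = {"internal": 0, "external": 0}
    for e in events:
        counts["internal" if is_internal(e["src_ip"]) else "external"] += 1
    return counts


def compare_domain_settings(events):
    """How many Administrator logons the rule sees under each Domains setting."""
    return {
        "original": len(admin_logon_hits(events, DOMAINS_ORIGINAL)),
        "corrected": len(admin_logon_hits(events, DOMAINS_CORRECTED)),
    }


if __name__ == "__main__":
    print("rule hits:", compare_domain_settings(EVENTS))
    print("direction:", direction_summary(EVENTS))
    for e in admin_logon_hits(EVENTS, DOMAINS_CORRECTED):
        side = "internal" if is_internal(e["src_ip"]) else "external"
        print(f"  {e['domain']}\\{e['user']} from {e['src_ip']} ({side}, type {e['logon_type']})")
```

With only the public domain in the variable, the interactive Administrator logon from the internal AD domain is never counted; adding the AD short name doubles the matches, which is the kind of jump in alarms penoffd expected to watch for. The WORKGROUP logon is matched by neither setting, so a domain variable is a filter on where the account lives, not on where the traffic comes from; the HOME_NET check is what separates the internal hits from the external ones.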