We have McAfee SIEM (9.5.2) running and ePO has been added as a data source.
Now we have an issue with the HIPS events.
Most events (70%) are being categorized as:
Events like "TCP Port Scan" are all within the category “Host Intrusion Detected and Handled”.
It seems the SIEM is missing data source rules to properly process the events.
I checked with a different SIEM and there I could see the data source rule for "TCP Port Scan":
Rule Name: TCP Port Scan
Signature ID: 363-3700
Normalization Name: Application Status
On my current SIEM device I don't see this rule.
So I am missing this rule for HIPS and many more.
How can I add these datasource rules or where can I find them?
Or is this an issue from the ePO? Can I configure how the ePO sends events to the SIEM?
1. Choose your data source ePO
2. Click on Properties
3. Click on Device Management
4. Click on Refresh
This will refresh the data source and refresh the list of applications from your ePO device and build a client data source for each application. Maybe this will help to fix your problem.
The ePO doesn't send any events to your SIEM. The SIEM connects to the database of the ePO to get all events from the database.
If this doesn't work, try this:
1. Click on your ePO
2. Click on the Policy Editor to the right of the Properties
3. Check all ASP rules
After this you should open a case with Intel Security / McAfee.
I clicked on refresh and it said: successful
but I still don't see any new data source rules for HIPS
even though I got a successful message. Could it be that I need a proxy to connect to the internet? (Need to check this, because I don't have any proxy settings.)
Don't see any ASP rules either.
We will probably send a case to McAfee.
If you expand your ePO data source, isn't there a client with a name like ePO_Host Intrusion Prevention (ePO)?
No, you don't need any proxy connection for this data source, only for rule updates (like parsers, content packs, correlation rules etc.) from McAfee.
Did you delete the data source and add this data source completely new to the SIEM?
Okay, thanks for clearing up the proxy issue.
When I expand the ePO data source, I can see HIPS, VSE etc.:
This is a production server and ePO was already added some time ago by someone else.
What I can see is that ePO has been added as a device in the SIEM.
All the other endpoint technologies work fine.
For example all the logging for VSE is parsed correctly.
Unfortunately I can't just remove and add the ePO within the SIEM; I would need to get permissions and all the credentials to set this up.
Is there a way to get the data source rules and add them manually?
Can you please check something.
Copy the Signature ID 363-3700 and go into your Policy Editor. Expand your Receiver, then go to Data Source. Click in the Filter on Signature ID and copy your ID into it. Click on refresh.
After this you should see the data source rule "TCP Port Scan".
If you can generate this TCP Port Scan, you can check whether these events are generated by your SIEM. Click on the client data source Host Intrusion Prevention (ePO), then on the third symbol at the top called "View Streaming Event". In the next step click on the filter symbol and in the next menu add the signature ID 363-3700. Click OK and Start. If you generate this event now, you can check whether this event is generated by your SIEM.
You can't export or import this rule because the data source rules are all auto-learned.
Yes, I already did that when comparing the data sources of the two different SIEMs.
The ID 363-3700 doesn't exist within the data source rules.
The TCP Port Scan events are coming in, because I can see them from the ePO.
ePO registers the "TCP Port Scan", but within the SIEM these events come under the category “Host Intrusion Detected and Handled”.
When looking into the raw log file, I do see this in the log:
So ID 3700 is in the raw log file, but it isn't parsed on the SIEM.
The ThreatName field isn't being parsed.
In the filter pane of the SIEM there is also something similar called "Threat_Name", but that is not the same, as it seems.
Ah okay, now I understand the problem.
Try this one please. Go into your Policy Editor and search for “Host Intrusion Detected and Handled” by name on the right side and choose your data source. After you find the data source rule, click on it, go to Edit and click on Delete Auto Learned Rules. In the new window you should click on "Delete selected auto learned rules."
After this, when the event TCP Port Scan comes from the ePO, this rule will be auto-learned and all events should be named as TCP Port Scan.
I tried to delete the rule, but I got this message:
No auto learned rules were selected. Delete operation halted.
I am pretty sure I selected the rule.
Could it be that this is not an auto-learned rule?
Here are some screenshots to make it clear:
I found this in the "Advanced Syslog Parser":
Could this be the issue?
I searched forums for the same error (No auto learned rules were selected. Delete operation halted.)
and one of the suggestions was to change the Default Normalized ID, but I don't know the impact of this, or even what to change it to.