
difference between variables and watchlists


What is the difference between the two?

In what case should I use inherited variables?

1 Solution

Accepted Solutions
lratcliffe
McAfee Employee
Message 12 of 13

Re: difference between variables and watchlists


managing "Domain Admin" list - watchlist or variable?

Watchlist would be better as it can be set up as a dynamic AD query to be updated nightly/weekly as appropriate, reducing maintenance.

managing "AD security groups" list - watchlist or variable?

Watchlist would be better as it can be set up as a dynamic AD query to be updated nightly/weekly as appropriate, reducing maintenance.

managing "DNS / DHCP / DC Servers" list - watchlist or variable?

Variable would be better as with future growth and expansion there may be a need to use the features of variables and there is no need for the features of watchlists.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?


12 Replies
SSSSYYYY
Level 10
Message 2 of 13

Re: difference between variables and watchlists


If I remember correctly, a variable is more efficient when it comes to correlation vs. a watchlist. Variables are more static than watchlists; think of putting your domain controllers as a variable, and malicious URLs as a dynamic watchlist, because the latter keep changing.

Re: difference between variables and watchlists

Thanks for your response.

Where would you keep a sensitive groups list? A domain admins list?

Is there anything you can tell me regarding variable inheritance?

lratcliffe
McAfee Employee
Message 4 of 13

Re: difference between variables and watchlists


Variable inheritance allows you to have variables with different values in different situations e.g. the variable "DNS Servers" can be different for the correlation manager for your Hong Kong office vs the one for your Dubai office.

 


Re: difference between variables and watchlists

I see.

And what will differentiate my Hong Kong office from the other office?

How does this differentiation take place within a rule?

lratcliffe
McAfee Employee
Message 6 of 13

Re: difference between variables and watchlists


Within a rule you use the variable.  In the policy editor with the appropriate policy group selected (e.g. HK Office) you can set your DNS Servers variable to not inherit the default and instead use the appropriate value for the datasources using that policy group.


Re: difference between variables and watchlists

So this is what I see in my Policy Editor (attached a screenshot).

Clicking on "Default Policy" allows me to see my ESM data sources.

Where exactly am I supposed to manage a "policy group" similar to what you have suggested?

Up until now I have been creating ALL my rules via the "correlation" group... is that a mistake?

Another question: I have created a new variables list, but when creating a new correlation rule it is not visible... why is that?

lratcliffe
McAfee Employee
Message 8 of 13

Re: difference between variables and watchlists


The button to the left of "Default Policy" is the Policy Tree button - in here you can create policies and arrange policies and nest them - inheritance is on by default. 
[Screenshot of the Policy Tree from my test environment]

As for your variable not showing up - what data type was it and which field were you trying to link it with?

In my testing (this may just be poor performance in my test environment) when I added a string variable it took about 5 minutes before it showed up in the Variables list for "Source User" or "Application" which are string fields.  If you want a cross-reference for the data types to the field names this can be found in the Custom Types tab of the ESM properties. 


Re: difference between variables and watchlists

What would be my motivation for creating a special policy?

In your environment as well as mine, default policies are organized by data sources.

Not data source types, not offices, etc. Therefore I have created all my user-defined rules under correlation rules (and just specified the type). Was it a mistake?

For example, a rule made for the WMI type (Windows) was written under correlation rules; there I specified the "data type" condition to match WMI, then rolled it out to all devices. Was it OK?

According to the variables comment I found the custom type list, but I'm just trying to understand if the visibility thing I was talking about was a matter of time, or some sort of permission?

lratcliffe
McAfee Employee
Message 10 of 13

Re: difference between variables and watchlists


It sounds like in your deployment you do not have a need for this feature of variables as you do not need to provide that level of differentiation (i.e. using inheritance or not).

It shouldn't be a permissions matter, it's more likely to be a data type mismatch - variables will only show in the list if the data type matches.
