Hi,
I have 3 questions.
1) How do I add a custom field to a watchlist/alarm? For example, I have a DB system, I have logged in via system, and the event looks like:
HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ PRIV_USED=~CREATE SESSION~
I have created a watchlist using Field Match, used Username_Nickname as the field, and created an alarm using this watchlist, but I did not get an alarm. So I think I must use DB_USER as the field, but there is no such field by default. So I need to create a field to match on; how do I do that?
2) I want to create an alarm for a DB user named DAVID, and I want to create alarms only if David executes DDL (changing table structure) as described at http://www.orafaq.com/faq/what_are_the_difference_between_ddl_dml_and_dcl_commands. For DDL there is more than one STATEMENT_TYPE (CREATE, ALTER, DROP, TRUNCATE, ...), so:
a) I have to create a custom field named STATEMENT_TYPE so I can match against it. How can I create custom fields? (This is my question number 1.)
b) There is more than one STATEMENT_TYPE that I must match (CREATE, ALTER, DROP, TRUNCATE), so how can I add more than one value for that field to match?
3) I want to create an alarm based on correlation rules. How can I do that? Let's say I have created a custom correlation rule that finds out that a user failed to log in 8 times in a day and after that successfully logged in. If that happens:
a) I want to create an alarm; how can I do that? (An alarm criterion should be one correlation rule.)
b) How can I create a report based on that alarm?
Regards
Hi,
First, let me say that for your use case, the DEM product in the McAfee SIEM product line does this out of the box. This is the recommended best practice for monitoring an Oracle database, or any other database, using only the McAfee SIEM product.
If you wish to proceed with the method you've stated in this post:
1) For a great step-by-step in implementing a custom type, try this.
2) If you want to match on strings, one way is to use variables. You can do this in the correlation editor. You would create a variable for each string you want to monitor, like this:
3) Then you add them to the correlation rule you've started, as filters (here I used a different field):
Alternatively, you could also use a watchlist for this (might be a better idea for maintenance).
The important thing is, you build a list of strings (variables or watchlist), then you add them as a filter to your correlation rule.
Cheers,
Grant
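The logic Grant's three steps express (a custom type mapped to STATEMENT_TYPE, a list of DDL strings held in a watchlist or in variables, and a correlation rule that filters on that list) written out as an added Python example, so the expected alarms can be checked against sample records before the ESM configuration is built. This is not McAfee ESM code and not from the thread: it parses the KEY=~value~ audit records quoted in the question, applies the DDL-by-DAVID rule from question 2 and the 8-failed-logons-then-success rule from question 3 to constructed sample records, and assumes that RETURNCODE 0 means a successful logon and any other code (1017 in the samples) a failed one, and that DDL statement types start with the verb (CREATE, CREATE TABLE, ALTER TABLE, ...). Function names, the watched user list and the sample records are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Oracle audit records as they appear in the thread: KEY=~value~ pairs separated by spaces.
FIELD_RE = re.compile(r"(\w+)=~(.*?)~")


def parse_event(line):
    """Parse one KEY=~value~ audit record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


# Question 2b: the list of strings a watchlist (or correlation-rule variables) would hold.
DDL_STATEMENTS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}


def is_ddl_by_watched_user(event, watched_users):
    """Question 2: alarm only when a watched DB_USER runs a DDL statement.
    Matches on the first word so both 'CREATE' and 'CREATE TABLE' count as DDL (assumption)."""
    stmt = event.get("STATEMENT_TYPE", "").upper().split()
    verb = stmt[0] if stmt else ""
    return event.get("DB_USER", "").upper() in watched_users and verb in DDL_STATEMENTS


def failed_then_success(events, threshold=8):
    """Question 3: the same DB_USER fails to log on `threshold` times in one day and then
    logs on successfully. Assumes RETURNCODE 0 = success, anything else = failure.
    Returns (user, day, timestamp_of_success) for each hit."""
    failures = defaultdict(int)          # (user, day) -> failed logons seen so far
    hits = []
    # TIMESTAMP is fixed-width 'YYYY-MM-DD HH:MM:SS.ffffff', so string order is time order.
    for ev in sorted(events, key=lambda e: e.get("TIMESTAMP", "")):
        if ev.get("STATEMENT_TYPE", "").upper() != "LOGON":
            continue
        user, ts = ev.get("DB_USER", "").upper(), ev.get("TIMESTAMP", "")
        key = (user, ts[:10])
        if ev.get("RETURNCODE", "0") != "0":
            failures[key] += 1
        else:
            if failures[key] >= threshold:
                hits.append((user, key[1], ts))
            failures[key] = 0            # a success closes the window, like a rule reset
    return hits


def run_detection(lines, watched_users=("DAVID",), threshold=8):
    """Apply both rules to raw audit lines; returns the alarms each rule would raise."""
    events = [parse_event(line) for line in lines]
    watched = {u.upper() for u in watched_users}
    ddl = [(e["DB_USER"], e["STATEMENT_TYPE"], e["TIMESTAMP"])
           for e in events if is_ddl_by_watched_user(e, watched)]
    return {"ddl_by_watched_user": ddl,
            "failed_then_success": failed_then_success(events, threshold)}


def _record(db_user, stmt_type, returncode, ts):
    """Constructed sample record in the thread's layout (not real audit data)."""
    return (f"HOSTIPDBSID=~10.0.0.72~ ALARMID=~{stmt_type}~ AUDIT_TYPE=~Standard Audit~ "
            f"TIMESTAMP=~{ts}~ DB_USER=~{db_user}~ STATEMENT_TYPE=~{stmt_type}~ "
            f"RETURNCODE=~{returncode}~")


SAMPLE_LINES = [
    # The record quoted in the question (SYSTEM logging on successfully).
    "HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ "
    "OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ "
    "DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ "
    "INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ "
    "RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ "
    "PRIV_USED=~CREATE SESSION~",
    _record("DAVID", "SELECT", 0, "2013-03-28 18:20:00.000000"),        # DML: no alarm
    _record("DAVID", "ALTER TABLE", 0, "2013-03-28 18:21:00.000000"),   # DDL by DAVID: alarm
    _record("SYSTEM", "DROP TABLE", 0, "2013-03-28 18:22:00.000000"),   # DDL, unwatched user: no alarm
]
# Eight failed logons by DAVID (ORA-01017 style return code), then a success the same day.
SAMPLE_LINES += [_record("DAVID", "LOGON", 1017, f"2013-03-29 09:00:{i:02d}.000000") for i in range(8)]
SAMPLE_LINES.append(_record("DAVID", "LOGON", 0, "2013-03-29 09:01:00.000000"))

if __name__ == "__main__":
    for rule, alarms in run_detection(SAMPLE_LINES).items():
        print(rule, alarms)
```

The two pieces map directly onto the ESM objects: DDL_STATEMENTS is the watchlist or variable set, is_ddl_by_watched_user is the filter on the custom STATEMENT_TYPE type plus DB_USER, and failed_then_success is the counting correlation rule with its reset. Run the real records through parse_event first; if STATEMENT_TYPE does not come out as a separate field, the custom type mapping in the data source is what still needs fixing.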
May I get an opinion on how to do these in McAfee ESM?
Btw, I have made a watchlist using source user, and if I use this watchlist the alarm gets triggered (but a watchlist is not that powerful, so I need to use correlation rules for complex alarm criteria). But if I create a correlation rule using that watchlist and create an alarm using this correlation rule's signature ID, the alarm is not triggered (see below).
For filters, do we have to use COMMAND in our case (for detecting certain types of queries), since you used it in your screenshot? I have done that like this:
and then I used this correlation ID as my signature criterion,
but I get no alarm. Am I missing something here?
Here are my screenshots.
I just used a random field to illustrate my point. You would use whatever custom type you created as the filter field.
Actually, my other point is that there are certain pre-defined Filter Names (like COMMAND, SOURCE USER, APPLICATION, etc.), but what I want to use is STATEMENT_TYPE from the log. There is no STATEMENT_TYPE in Filter Name; there is Database Name and Query Response, but not STATEMENT_TYPE.
Here is the normalized oracle audit log:
HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ PRIV_USED=~CREATE SESSION~
I do get that you have shown how to match on different strings, but I think I must match on STATEMENT_TYPE using the variables that you define.
You are correct; I am expecting that you follow step 1 in my post first, setting up a custom data type and mapping it to STATEMENT_TYPE in the data source.
Grant