how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

Hi,

I have 3 questions.

1) How to add a custom field to watchlist/alarms? For example, I have a DB system, I have logged in via the system, and the event is like:

HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ PRIV_USED=~CREATE SESSION~

I have created a watchlist using Field Match, and as for the field I have used Username_Nickname, and created an alarm using this watchlist, but I did not get an alarm. So I think I must use DB_USER as a field, but there is no field like that by default. So I need to create a field to match; how do I do that?

2) I want to create an alarm for a DB user named DAVID, and I want to only create alarms if David makes a DDL (change table format) as depicted at http://www.orafaq.com/faq/what_are_the_difference_between_ddl_dml_and_dcl_commands. So for DDL there is more than one STATEMENT_TYPE (those are CREATE, ALTER, DROP, TRUNCATE...), so

        a) I have to create a custom field named STATEMENT_TYPE so I can match against it. How can I create custom fields? (This is my question number 1.)

        b) There is more than one statement_type that I must match (those are CREATE, ALTER, DROP, TRUNCATE), so how can I add more than one VALUE for that field to match (those are CREATE, ALTER, DROP, TRUNCATE)?

3) I want to create an alarm based on correlation rules. How can I do that? Let's say that I have created a custom correlation rule that finds out a user failed to log in 8 times in a day and after that he successfully logged in, so if that happens

   a) I want to create an alarm, so how can I do that? (An alarm criterion should be one correlation rule.)

   b) How can I create a report based on that alarm?

Regards

1 Solution

Accepted Solutions

Re: how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

Hi,

First let me say, for your use case, the DEM product in McAfee SIEM product line does this out-of-the-box. This is the recommended best practice for monitoring an Oracle database, or any other database using only the McAfee SIEM product.

If you wish to proceed with the method you've stated in this post:

1) For a great step-by-step in implementing a custom type, try this.

2) If you want to match on strings, one way is to use variables. You can do this in the correlation editor. You would create a variable for each string you want to monitor, like this:

variable.png

3) Then you add them to the correlation rule you've started, as filters (here I used a different field):

filter.png

Alternatively, you could also use a watchlist for this (might be a better idea for maintenance).

The important thing is, you build a list of strings (variables or watchlist), then you add them as a filter to your correlation rule.

Cheers,

Grant

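The thread never shows what the custom-type mapping and the "list of strings as a filter" actually compute, so here is an added, stand-alone example in Python that is not part of the original post or of McAfee ESM. It parses the `KEY=~value~` audit format the question quotes, applies the two detections the asker describes (DDL statements by a watched DB_USER, and a successful LOGON after 8 or more failed LOGONs within a day), and uses Grant's approach of a set of strings as the filter. The field names come from the quoted event; the sample events, the user DAVID's activity and the RETURNCODE values are constructed test data (1017 is Oracle's invalid username/password code; any non-zero RETURNCODE is treated as a failure).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches one KEY=~value~ pair; values may contain spaces and colons but not '~'.
FIELD_RE = re.compile(r"(\w+)=~(.*?)~")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # matches the TIMESTAMP value in the quoted event

# The event exactly as quoted in the question (used below to check the parser).
PAGE_EVENT = ("HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ "
              "SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ "
              "TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ "
              "USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ "
              "INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ "
              "TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ "
              "COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ "
              "PRIV_USED=~CREATE SESSION~")


def parse_event(line):
    """Turn one KEY=~value~ line into a dict; the custom type in ESM does the equivalent."""
    return dict(FIELD_RE.findall(line))


# The "list of strings" from Grant's answer: the DDL statement types the asker wants.
DDL_STATEMENTS = frozenset({"CREATE", "ALTER", "DROP", "TRUNCATE"})


def find_ddl_by_watched_users(lines, watched_users=frozenset({"DAVID"})):
    """Question 2: DDL statements issued by a watched DB_USER -> list of (user, statement)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("DB_USER") in watched_users and ev.get("STATEMENT_TYPE") in DDL_STATEMENTS:
            hits.append((ev["DB_USER"], ev["STATEMENT_TYPE"]))
    return hits


def find_bruteforce_then_success(lines, threshold=8, window=timedelta(days=1)):
    """Question 3: a successful LOGON preceded by >= threshold failed LOGONs within `window`.

    Returns a list of (DB_USER, failure_count, success_timestamp). Lines must be in time order.
    """
    failures = defaultdict(list)  # DB_USER -> timestamps of recent failed LOGONs
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("STATEMENT_TYPE") != "LOGON":
            continue
        ts = datetime.strptime(ev["TIMESTAMP"], TS_FORMAT)
        user = ev.get("DB_USER", "")
        recent = [t for t in failures[user] if ts - t <= window]  # expire old failures
        if ev.get("RETURNCODE", "0") != "0":
            recent.append(ts)  # failed logon (non-zero Oracle return code)
        elif len(recent) >= threshold:
            alerts.append((user, len(recent), ts))
            recent = []  # reset so one burst produces one alert
        failures[user] = recent
    return alerts


# ---- constructed sample data (not real audit output) ----
def make_event(**fields):
    """Build a line in the same KEY=~value~ format."""
    return " ".join(f"{k}=~{v}~" for k, v in fields.items())


BASE = datetime(2013, 3, 28, 9, 0, 0)


def _at(minute):
    return (BASE + timedelta(minutes=minute)).strftime(TS_FORMAT)


def _logon(user, minute, returncode):
    return make_event(HOSTIPDBSID="10.0.0.72", ALARMID="LOGON", DB_USER=user,
                      TIMESTAMP=_at(minute), STATEMENT_TYPE="LOGON", RETURNCODE=returncode)


SAMPLE_EVENTS = (
    [_logon("DAVID", i, 1017) for i in range(8)]        # 8 failed logons for DAVID
    + [_logon("DAVID", 15, 0)]                          # then success -> alert
    + [_logon("SYSTEM", 20, 1017)] * 3                  # only 3 failures for SYSTEM
    + [_logon("SYSTEM", 25, 0)]                         # success, but below threshold
    + [make_event(DB_USER="DAVID", TIMESTAMP=_at(30), STATEMENT_TYPE="DROP", RETURNCODE=0),
       make_event(DB_USER="DAVID", TIMESTAMP=_at(31), STATEMENT_TYPE="SELECT", RETURNCODE=0),
       make_event(DB_USER="SYSTEM", TIMESTAMP=_at(32), STATEMENT_TYPE="CREATE", RETURNCODE=0)]
)

if __name__ == "__main__":
    print("parsed page event:", parse_event(PAGE_EVENT)["DB_USER"], parse_event(PAGE_EVENT)["STATEMENT_TYPE"])
    print("DDL by watched users:", find_ddl_by_watched_users(SAMPLE_EVENTS))
    print("brute force then success:", find_bruteforce_then_success(SAMPLE_EVENTS))
```

The two detections correspond to the two ESM building blocks in the thread: `DDL_STATEMENTS` is the set you would hold in variables or a watchlist and attach as a filter on the custom STATEMENT_TYPE field, and `find_bruteforce_then_success` is the stateful part that only a correlation rule (not a plain watchlist match) can express, since it has to count failures per user over a time window before the final success.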

7 Replies

Re: how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

May I get an opinion on how to do these in Mcafee ESM?

Re: how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

Btw, I have made a watchlist using Source User, and if I use this watchlist the alarm gets triggered (but a watchlist is not that powerful, so I need to use corr. rules for complex alarm criteria), but if I create a Correlation Rule using that watchlist and create an alarm using this correlation rule's signature ID, the alarm is not triggered (see below).

Message was edited by: omerfsen on 4/2/13 7:07:20 AM CDT

Message was edited by: omerfsen on 4/2/13 7:08:15 AM CDT

Re: how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

For filters, do we have to use COMMAND in our case (for detecting a certain type of query), since you have used it in your screenshot? I have done that like this:

and then I have used this correlation ID as my signature criterion,

but I get no alarm. Am I missing something here?

Here are my screenshots.

Message was edited by: omerfsen on 4/3/13 12:37:26 PM CDT

Re: how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

I just used a random field to illustrate my point. You would use whatever custom type you created as the filter field.

Re: how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

Actually, another point of mine is that there are certain (pre-defined) Filter Names (like COMMAND, SOURCE USER, APPLICATION, etc.), but what I want to use is STATEMENT_TYPE in the log. But there is no STATEMENT_TYPE in Filter Name. There is Database Name and Query Response, but not STATEMENT_TYPE.

Here is the normalized Oracle audit log:

HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ PRIV_USED=~CREATE SESSION~

I do get that you have shown how to match on different strings, but I think I must match on STATEMENT_TYPE using the variables that you define.

Re: how to add a custom field to watchlist/alarms and how to create an alarm/report from a correlation rule

You are correct, I am expecting that you follow step 1 in my post first, setting up a custom data type and mapping it to STATEMENT_TYPE in the data source.

Grant
