4 Replies Latest reply on May 9, 2017 7:17 PM by sconlon

    Vulnerability info sent to SIEM - What is the real source?


      Hi. Hoping someone can understand/assist.


      Working in an environment with McAfee tools, we have the Vulnerability Scanner information being sent to ESM (SIEM). Each night the scanner/vulnerability findings/events are sent to ESM, and we would like to investigate many of the events further.


      Unfortunately, in SIEM the information isn't helpful. The signature IDs and rule names such as 'IIS Cross Site Scripting Attempt' suggest there are certainly things we need to look at.


      However, our issue is:

      - The source IP and destination IP are not the source of the issue; the source IP is the Vulnerability Scanner IP

      - Also the packet details don't give any information about the real/actual source of the issue.


      Is there a way I can find out where the potential issue actually is?