2 Replies Latest reply on Jul 19, 2017 9:06 AM by dsmevolution1

    Alarms - Breaking down alarms by system type.

    dsmevolution1

I thought this would be simple, but apparently, it's not.  We're attempting to track Malware infections within our environment and have alarms be automatically triggered off of correlation rule Sig ID 47-8000042.  We need to break this down into Servers and Workstations.  Workstations will have an email sent to Desktop Support for them to investigate why the system in question became infected and Servers will go to my group for a similar investigation.


The packets from EPO do not contain the OS type or any other information like that.  So I need to fill in the blanks somehow.  We do have Asset sources set up within the SIEM, but for all my best intentions I have not seen how that can be utilized to fill in that information for the alarm.  My next thought is to utilize a watchlist which I can populate by pulling the info into a CSV from PowerShell and then just dump raw system names into a watchlist and call one Servers and the other Desktop.  This obviously has the hideous disadvantage of needing constant updating, especially where Desktops are concerned.


Has anyone else done this before, and if so, is there a much simpler way to achieve this and I'm just not seeing it?


      Thanks in advance!


      Tim
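One way to produce the two watchlist files the post describes, as an added example that is not code from the original thread. It assumes Active Directory is the inventory source, the ActiveDirectory RSAT module is available, and the SIEM watchlist import accepts one hostname per line; the stale-object filter and output paths are assumptions too.

```powershell
# Added example: build Servers / Workstations hostname lists from Active
# Directory for import into SIEM watchlists. Assumed: AD is authoritative for
# the environment, the ActiveDirectory module is installed, and the watchlist
# import takes one hostname per line.
Import-Module ActiveDirectory

$OutDir    = 'C:\Watchlists'   # assumed output location
$StaleDays = 90                # assumed: drop machines not seen in 90 days
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# Pull every enabled computer object with the attributes needed to classify it.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.LastLogonDate -and $_.LastLogonDate -gt $cutoff }

# Classify on the OS string: anything reporting "Server" is a server, any
# other populated OS value is treated as a workstation.
$servers      = @($computers | Where-Object { $_.OperatingSystem -like '*Server*' })
$workstations = @($computers | Where-Object {
    $_.OperatingSystem -and $_.OperatingSystem -notlike '*Server*'
})

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One hostname per line, upper-cased and de-duplicated so the same host is
# not listed twice under different casing (adjust if the SIEM matches
# case-sensitively against mixed-case names).
$servers.Name | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique |
    Set-Content -Path (Join-Path $OutDir 'servers.txt')
$workstations.Name | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique |
    Set-Content -Path (Join-Path $OutDir 'workstations.txt')

# Objects with no OperatingSystem attribute cannot be classified; record them
# so the coverage gap is visible instead of silently dropped.
$computers | Where-Object { -not $_.OperatingSystem } |
    Select-Object Name, DistinguishedName |
    Export-Csv -Path (Join-Path $OutDir 'unclassified.csv') -NoTypeInformation

Write-Host ('Servers: {0}  Workstations: {1}' -f $servers.Count, $workstations.Count)
```

Run it on a schedule (a daily scheduled task is enough for most shops) and re-import the two files so the watchlists track AD rather than needing hand maintenance; review unclassified.csv periodically, since a host missing from both lists will never match either alarm branch.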