May I get an opinion on how to do these in McAfee ESM?
By the way, I have made a watchlist using Source User, and if I use this watchlist the alarm gets triggered (but a watchlist is not that powerful, so I need to use correlation rules for complex alarm criteria). But if I create a correlation rule using that watchlist and then create an alarm using this correlation rule's signature ID, the alarm is not triggered (see below).
Message was edited by: omerfsen on 4/2/13 7:07:20 AM CDT
First let me say that, for your use case, the DEM product in the McAfee SIEM product line does this out of the box. This is the recommended best practice for monitoring an Oracle database, or any other database, using only the McAfee SIEM product.
If you wish to proceed with the method you've stated in this post:
1) For a great step-by-step in implementing a custom type, try this.
2) If you want to match on strings, one way is to use variables. You can do this in the correlation editor. You would create a variable for each string you want to monitor, like this:
3) Then you add them to the correlation rule you've started, as filters (here I used a different field):
Alternatively, you could also use a watchlist for this (might be a better idea for maintenance).
The important thing is, you build a list of strings (variables or watchlist), then you add them as a filter to your correlation rule.
For filters, do we have to use COMMAND in our case (for detecting certain types of queries), since you used it in your screenshot? I have done it like this:
and then I have used this correlation ID as my signature criterion:
but I get no alarm. Am I missing something here?
Here are my screenshots.
I just used a random field to illustrate my point. You would use whatever custom type you created as the filter field.
Actually, my other point is that there are certain pre-defined filter names (like COMMAND, SOURCE USER, APPLICATION, etc.), but what I want to use is STATEMENT_TYPE in the log. There is no STATEMENT_TYPE among the filter names; there is Database Name and Query Response, but not STATEMENT_TYPE.
Here is the normalized oracle audit log:
HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ PRIV_USED=~CREATE SESSION~
I do get that you have shown how to match on different strings, but I think I must match on STATEMENT_TYPE using the variables that you define.
You are correct, I am expecting that you follow step 1 in my post first, setting up a custom data type and mapping it to STATEMENT_TYPE in the data source.
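As an added illustration of what the thread is working towards (parse the normalized Oracle audit record shown above, then apply a list of STATEMENT_TYPE strings as a filter the way the correlation rule would), here is example code that is not part of the thread or of McAfee ESM. The watchlist contents and the two extra records are constructed for the example; the first record is the one pasted above.

```python
import re
from typing import Dict, Iterable, List, Set

# Each ESM field is KEY=~value~; values may contain spaces but never "~".
FIELD_RE = re.compile(r"(\w+)=~(.*?)~")


def parse_record(line: str) -> Dict[str, str]:
    """Split one normalized ESM record into a field -> value dictionary."""
    return dict(FIELD_RE.findall(line))


# Hypothetical list of statement types to alarm on, standing in for the ESM
# variables / watchlist entries discussed in the thread.
WATCHLIST: Set[str] = {"DROP TABLE", "TRUNCATE TABLE", "ALTER USER", "GRANT"}


def match_statement_types(lines: Iterable[str], watchlist: Set[str],
                          field: str = "STATEMENT_TYPE") -> List[Dict[str, str]]:
    """Return the records whose `field` value is in the watchlist.

    This is the filter step of the correlation rule. A record that lacks the
    field (no custom type mapped to STATEMENT_TYPE yet) can never match, which
    is exactly why the alarm in the thread stayed silent.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get(field, "").strip().upper() in watchlist:
            hits.append(rec)
    return hits


SAMPLE_LOGS = [
    # Record pasted in the thread (a LOGON, so it must not alarm).
    "HOSTIPDBSID=~10.0.0.72~ ALARMID=~LOGON~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113382~ OS_USER=~oracle~ STATEMENTID=~1~ ENTRYID=~1~ TIMESTAMP=~2013-03-28 18:12:31.438300~ DB_USER=~SYSTEM~ USERHOST=~oracle.endersys.com.tr~ OS_PROCESS=~32176~ TERMINAL=~pts/0~ INSTANCE_NUMBER=~0~ ACTION=~100~ STATEMENT_TYPE=~LOGON~ TRANSACTIONID=~0000000000000000~ RETURNCODE=~0~ COMMENT_TEXT=~Authenticated by: DATABASE~ OS_PRIVILEGE=~NONE~ PRIV_USED=~CREATE SESSION~",
    # Constructed: a watchlisted statement type, should alarm.
    "HOSTIPDBSID=~10.0.0.72~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113390~ OS_USER=~oracle~ DB_USER=~SCOTT~ STATEMENT_TYPE=~DROP TABLE~ RETURNCODE=~0~",
    # Constructed: STATEMENT_TYPE not mapped at all, so the filter cannot see it.
    "HOSTIPDBSID=~10.0.0.72~ AUDIT_TYPE=~Standard Audit~ SESSION_ID=~113391~ OS_USER=~oracle~ DB_USER=~HR~ RETURNCODE=~0~",
]


def alarm_summary(lines: Iterable[str] = SAMPLE_LOGS) -> List[tuple]:
    """(DB_USER, STATEMENT_TYPE) for every record the rule would alarm on."""
    return [(r["DB_USER"], r["STATEMENT_TYPE"])
            for r in match_statement_types(lines, WATCHLIST)]


if __name__ == "__main__":
    for user, stmt in alarm_summary():
        print(f"ALARM: {user} ran {stmt}")
```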