    Watchlists - adding functionality


      The watchlists feature within McAfee ESM is great, however, there is a flaw when using it in a correlation/alarm -- there is no expiration for entries that are dynamically added. It would be extremely beneficial to add an entry expiration after 'N' seconds/minutes/hours/days/etc feature. In addition, an option to keep a list of all entries that were removed for 'N' time would assist in determining when an entry was added and then removed via date & timestamps.



      Use-Case Scenario #1

      1. Create alarm/correlation to add a source user id to watchlist for brute force attempts over a specific limit.

      2. Source user id is added to watchlist

      3. Expiration time is set for 24 hours from the last time this same activity is seen (i.e. if the same user does not attempt any brute force attempts within the 24 hour period, the user id is removed from the list).

      4. Daily Report would be generated to get a list of all "Abuse users"

      5. Reports are compared over time to identify repeat offenders for additional action(s)



      Use-Case Scenario #2

      1. Create alarm/correlation to dynamically add SRC IP for any web attack (or specific web attack)

      2. Expiration time is set for 24 hours.

      3. Watchlist begins to generate attack IPs for any web attack (or specific web attack), those SRC IPs who do not continue attacks within the 24-hour period will be auto-expired from the list.

      4. Report would generate daily and compare to previous reports to identify repeat offenders and build metric data.

      5. Utilize "deleted or removed" items to determine if the same IPs are being added/removed over time which is greater than the specified 24-hour time. This data can be added to metrics to determine if a specific ASN, cyber group, or botnet is potentially targeting your organization.
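      The behaviour both scenarios ask for (sliding expiry from last activity, a log of removed entries, and repeat-offender detection from that log) can be modelled in a few lines. This is an added illustration, not McAfee ESM code; the class, the hour-based timestamps and the sample IPs are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Removal:
    """Audit record for an entry that expired off the list."""
    entry: str
    added_at: int
    removed_at: int

class ExpiringWatchlist:
    """Entries expire `ttl` time units after they were last seen; removals are kept for audit."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.active = {}    # entry -> [added_at, last_seen]
        self.removed = []   # Removal records: the "deleted or removed" history

    def expire(self, now):
        """Drop entries idle for at least `ttl`; log when they were added and when they expired."""
        for entry, (added_at, last_seen) in list(self.active.items()):
            if now - last_seen >= self.ttl:
                self.removed.append(Removal(entry, added_at, last_seen + self.ttl))
                del self.active[entry]

    def observe(self, entry, now):
        """Correlation hit: add the entry, or slide its expiry forward if already listed."""
        self.expire(now)
        if entry in self.active:
            self.active[entry][1] = now
        else:
            self.active[entry] = [now, now]

    def snapshot(self, now):
        """Daily report: entries currently on the list."""
        self.expire(now)
        return sorted(self.active)

    def repeat_offenders(self, now):
        """Entries that have been added more than once (expired at least once, then seen again)."""
        self.expire(now)
        adds = {}
        for r in self.removed:
            adds[r.entry] = adds.get(r.entry, 0) + 1
        for entry in self.active:
            adds[entry] = adds.get(entry, 0) + 1
        return sorted(e for e, n in adds.items() if n >= 2)

# Constructed sample: (hour, source IP) pairs as a web-attack correlation would emit them.
EVENTS = [(0, "203.0.113.5"), (1, "198.51.100.7"), (20, "203.0.113.5"), (50, "198.51.100.7")]

def run_demo(ttl=24):
    """Replay the sample events with a 24-hour sliding expiry and return the list state."""
    wl = ExpiringWatchlist(ttl)
    for hour, ip in EVENTS:
        wl.observe(ip, hour)
    return wl
```

      With these events, 203.0.113.5 is refreshed at hour 20 and expires at hour 44, 198.51.100.7 expires at hour 25 and is re-added at hour 50, so only the latter is a repeat offender by hour 60.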



      I have submitted this as a PER and if you see this would prove useful for your organization, I urge you to do the same. PER SN# 19862