6 Replies Latest reply on Apr 22, 2014 3:59 AM by epository

    Tracking User Activity with HIPS 8.0 Custom Rule

    epository

      All,

      I have had a request to see if a specific elevated account is accessing files across the network and if HIPS can log those.

      I created a rule that I thought would capture this, and I can see the custom rule in the registry, but so far....zero hits in the Threat Event Log

      So why isn't this working???

      It has a specific user name in it and it is looking for all file access.

      john.smith.sa is my account and I am getting nothing.

        • 1. Re: Tracking User Activity with HIPS 8.0 Custom Rule
          Troja

          Hi,

          HIPS generates no Threat Event when blocking a connection with a firewall rule, I imagine.

          But, if you build an IPS Signature, then an Event is triggered, based on your HIPS signature.

          Perhaps you take a look at the McAfee Threat Activity Tracer. https://community.mcafee.com/docs/DOC-4231

          Cheers,

          Thorsten

          • 2. Re: Tracking User Activity with HIPS 8.0 Custom Rule
            epository

            I confirmed the custom sig is reaching my computer by checking the registry...so..either it's not recognizing the username or the whole sig is bad...nothing is showing up either in the ePO console nor the local HIPS interface...next week I will try something with ABM and work on this sig...the documentation on HIPS custom sigs leaves quite a bit to be desired.  Some serious real world examples would be great

            • 3. Re: Tracking User Activity with HIPS 8.0 Custom Rule
              epository

              OK, I guess it was just a matter of time, but this signature seems to be working well....if I truly want to see what someone is doing, I may also have to make a registry rule to see if the user is changing registry keys.

              As an additional check, we could probably filter ABM for this user's activity too.

              As far as tracking where a user has logged in...when the guys don't want to run logs on domain controllers, I can use DLP to capture a lot of this stuff.

              You could probably catch a lot of that in HIPS too if you are logging Informationals by including the IPS Parameter and filtering on the IPS Parameter "username".

              Note, this is a very noisy signature, so, if you are going to do it, make sure it's for a single user, and also you may want to restrict down to file types.

              Anyhow, it was kind of a neat intellectual exercise....just don't know why it took so long to start logging.

              Message was edited by: epository on 4/21/14 4:42:54 AM CDT
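The noise-reduction advice in this post (one account, restrict to file types) and the exclusion rules suggested in the next reply, applied to exported events as an added example that is not from the thread; the CSV column names and the exclusion patterns are assumptions for the example, not a verified ePO export schema:

```python
import csv
import fnmatch
import io
import ntpath
from collections import Counter

# Constructed sample of a Threat Event Log export. The column names are
# an assumption for this example, not a verified ePO export schema.
SAMPLE_CSV = r"""Threat Target Host Name,Threat Target User Name,Threat Name,Threat Target File Path
HOST1,JOHN.SMITH.SA,Custom: track elevated file access,\\fileserver\finance\budget.xlsx
HOST1,JOHN.SMITH.SA,Custom: track elevated file access,C:\Windows\System32\kernel32.dll
HOST2,jane.doe,Custom: track elevated file access,\\fileserver\hr\salaries.xlsx
HOST1,john.smith.sa,Custom: track elevated file access,\\fileserver\finance\forecast.docx
HOST1,john.smith.sa,Custom: track elevated file access,C:\Users\john\AppData\Local\Temp\tmp1.tmp
HOST3,john.smith.sa,Custom: track elevated file access,\\fileserver\finance\q1.xlsx
"""

# Paths an "all file access" signature hits constantly without saying anything
# about what the account is doing; exclusions like these (hypothetical
# patterns, lower-case globs) keep the signature from drowning the event log.
NOISE_EXCLUDES = [r"c:\windows\*", r"*\appdata\local\temp\*"]

def is_noise(path, excludes=NOISE_EXCLUDES):
    """True if the path matches any exclusion glob (case-insensitive)."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, pat) for pat in excludes)

def user_file_activity(csv_text, username, extensions=None, excludes=NOISE_EXCLUDES):
    """Return (host, path) pairs for one account's file-access events,
    optionally restricted to a set of extensions, with noise paths dropped."""
    wanted = {e.lower() for e in extensions} if extensions else None
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Threat Target User Name"].lower() != username.lower():
            continue  # scope to the single account the signature was built for
        path = row["Threat Target File Path"]
        ext = ntpath.splitext(path)[1].lower()
        if wanted is not None and ext not in wanted:
            continue
        if is_noise(path, excludes):
            continue
        hits.append((row["Threat Target Host Name"], path))
    return hits

def summarize_by_directory(hits):
    """Count surviving events per directory (Windows/UNC paths, split on the last backslash)."""
    return Counter(path.rpartition("\\")[0] for _, path in hits)
```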
              • 4. Re: Tracking User Activity with HIPS 8.0 Custom Rule
                greatscott

                yeah, I mean I suppose you can do it, but I would suspect it would be loudddd, unless you threw in a bunch of exclude rules for stuff you didn't care to see. has to be another way to do this, other than an IPS sig. the only thing with ABM is that you need to have an accurate baseline for the system, and that makes the assumption that they aren't already running maliciousprocess.exe, etc.

                • 5. Re: Tracking User Activity with HIPS 8.0 Custom Rule
                  Troja

                  Hi,

                  If you want to track any change of the system, just try McAfee Application Control (Solidcore).

                  There you can track any change to the systems. You can also compare your system with a golden image and so on.

                  Cheers,

                  Thorsten

                  • 6. Re: Tracking User Activity with HIPS 8.0 Custom Rule
                    epository

                    Troja,

                    Thanks for your input, but my customer is fairly restricted as to what products they supply.

                    So, tracking user activity was just a one-off request, and I really do have my hands full with just managing EPO let alone stacking on another product.

                    I am hoping that someday there will be a repository of custom sigs various admins have written that we can all access.

                    I do know the McAfee Tool Exchange has some neat stuff which I really appreciate.

                    We just upgraded to 4.6 and I think the bubble charts are really cool, though.