HIPS generates no Threat Event when blocking a connection with a firewall rule, I imagine.
But if you build an IPS Signature, then an Event is triggered, based on your HIPS signature.
Perhaps you could take a look at the McAfee Threat Activity Tracer. https://community.mcafee.com/docs/DOC-4231
I confirmed the custom sig is reaching my computer by checking the registry... so either it's not recognizing the username or the whole sig is bad. Nothing is showing up either in the ePO console or the local HIPS interface. Next week I will try something with ABM and work on this sig. The documentation on HIPS custom sigs leaves quite a bit to be desired. Some serious real-world examples would be great.
OK, I guess it was just a matter of time, but this signature seems to be working well. If I truly want to see what someone is doing, I may also have to make a registry rule to see if the user is changing registry keys.
As an additional check, we could probably filter ABM for this user's activity too.
As far as tracking where a user has logged in, when the guys don't want to run logs on domain controllers, I can use DLP to capture a lot of this stuff.
You could probably catch a lot of that in HIPS too if you are logging Informationals by including the IPS Parameter fields and filtering on the IPS Parameter "username".
Note, this is a very noisy signature, so if you are going to do it, make sure it's for a single user, and you may also want to restrict it down to file types.
Anyhow, it was kind of a neat intellectual exercise... just don't know why it took so long to start logging.
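The filtering step described above (keep only one user's events, then narrow to file types you care about, to cut the noise of a broad file-activity signature) as an added, stand-alone example. This is not code from the thread or from McAfee; the event rows below are constructed, and the column names (`username`, `file_path`, `operation`) are assumptions that mirror the IPS Parameter fields mentioned in the post, not ePO's actual export schema.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample of an exported HIPS event list. Column names are an
# assumption for this example, not McAfee's real export format.
SAMPLE_EVENTS = r"""event_time,signature_id,username,file_path,operation
2013-03-04 09:12:01,4001,CORP\jdoe,C:\Users\jdoe\Documents\budget.xlsx,Write
2013-03-04 09:12:03,4001,CORP\jdoe,C:\Users\jdoe\AppData\Local\Temp\~tmp01.tmp,Create
2013-03-04 09:12:05,4001,CORP\jdoe,C:\Users\jdoe\Documents\plan.docx,Read
2013-03-04 09:13:10,4001,NT AUTHORITY\SYSTEM,C:\Windows\Temp\svc.log,Write
2013-03-04 09:13:11,4001,CORP\asmith,C:\Users\asmith\Desktop\notes.txt,Write
2013-03-04 09:14:00,4001,CORP\jdoe,C:\Users\jdoe\Downloads\report.pdf,Create
2013-03-04 09:14:02,4001,CORP\jdoe,C:\Users\jdoe\AppData\Roaming\cache.db,Write
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts, one per HIPS event."""
    return list(csv.DictReader(io.StringIO(text)))


def file_extension(path):
    """Return the lower-cased extension of a Windows path without the dot."""
    # ntpath handles backslash separators regardless of the host OS.
    return ntpath.splitext(path)[1].lstrip(".").casefold()


def filter_events(events, username, allowed_exts=None):
    """Keep events for a single user; optionally only for the listed file types.

    Usernames are compared case-insensitively because Windows accounts are
    case-insensitive; DOMAIN\\user and domain\\USER are the same principal.
    """
    user = username.casefold()
    exts = {e.lstrip(".").casefold() for e in allowed_exts} if allowed_exts else None
    kept = []
    for ev in events:
        if ev["username"].casefold() != user:
            continue
        if exts is not None and file_extension(ev["file_path"]) not in exts:
            continue
        kept.append(ev)
    return kept


def noise_summary(events):
    """Count events per account, to see who is generating the volume."""
    return Counter(ev["username"] for ev in events)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("events per account:", dict(noise_summary(events)))
    only_jdoe = filter_events(events, r"CORP\jdoe")
    documents = filter_events(events, r"CORP\jdoe", {"docx", "xlsx", "pdf"})
    print(f"all events: {len(events)}, jdoe: {len(only_jdoe)}, jdoe documents: {len(documents)}")
    for ev in documents:
        print(ev["event_time"], ev["operation"], ev["file_path"])
```

Run against a real export you would first replace `SAMPLE_EVENTS` with the file contents and adjust the column names to whatever ePO actually emits; the extension allow-list is where most of the noise reduction happens, since temp, cache and database writes under the user's profile dominate a raw file-activity signature.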
Yeah, I mean I suppose you can do it, but I would suspect it would be loud, unless you threw in a bunch of exclude rules for stuff you didn't care to see. There has to be another way to do this, other than an IPS sig. The only thing with ABM is that you need to have an accurate baseline for the system, and that makes the assumption that they aren't already running maliciousprocess.exe, etc.
If you want to track any change to the system, just try McAfee Application Control (Solidcore).
There you can track any change to the systems. You can also compare your system with a golden image and so on.
Thanks for your input, but my customer is fairly restricted as to what products they supply.
So, tracking user activity was just a one-off request, and I really do have my hands full with just managing ePO, let alone stacking on another product.
I am hoping that someday there will be a repository of custom sigs various admins have written that we can all access.
I do know the McAfee Tool Exchange has some neat stuff, which I really appreciate.
We just upgraded to 4.6 and I think the bubble charts are really cool, though.