2 Replies Latest reply on Nov 12, 2014 12:09 PM by ois_sec

    McAfee SIEM and ePO - Tagging Threshold

    ois_sec

      Good Morning,


      I am requesting assistance with the community to see if you can help me with the following scenario:


      I am attempting to automate the McAfee SIEM and ePO using tagging.


      To summarize -


      • McAfee ePO is operational and custom alerts and notifications are enabled.
      • McAfee SIEM is operational and watchlists and alerts work excellently.


      I would like to have the McAfee SIEM tag a client that generates more than 4 malware alert notifications within 60 minutes.


      At the moment the McAfee SIEM malware alert notifications are based on a watchlist (defined by malware signature IDs) tied to an alarm which notifies the security operations center. (This piece works nicely.)


      To further enhance this piece, the portion I am missing is where the McAfee SIEM identifies that it is the same computer generating more than 4 malware hits and in turn reaches out to McAfee ePO to tag the computer, which kills all connections and shuts it down.


      So my question would be: Is the McAfee SIEM able to get granular enough to identify that the malware originated from the same computer and enable the automation piece with the McAfee ePO?

      Please note that I don't want to enable the automation by tagging more than 1 computer that equals 4 events within the hour.


      Any assistance is very much appreciated!!!