2 Replies Latest reply on Nov 12, 2014 12:09 PM by ois_sec

    McAfee SIEM and ePO - Tagging Threshold


      Good Morning,


      I am requesting assistance with the community to see if you can help me with the following scenario:


      I am attempting to automate the McAfee SIEM and ePO using tagging.


      To summarize -


      • McAfee ePO is operational and custom alerts and notifications are enabled.
      • McAfee SIEM is operational and watchlists and alerts work excellently.

      I would like to have the McAfee SIEM tag a client that generates more than 4 malware alert notifications within 60 minutes.

      At the moment the McAfee SIEM malware alert notifications are based on a watchlist (defined by malware signature IDs) tied to an alarm which notifies the security operations center. (This piece works nicely.)

      To further enhance this piece, the portion I am missing is where the McAfee SIEM identifies that it is the same computer generating more than 4 malware hits and in turn reaches out to McAfee ePO to tag the computer, which kills all connections and shuts it down.


      So my question would be: Is the McAfee SIEM able to get granular enough to identify that the malware originated from the same computer and enable the automation piece with the McAfee ePO?

      Please note that I don't want to enable the automation by tagging more than 1 computer that equals 4 events within the hour.


      Any assistance is very much appreciated!!!
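The correlation the question asks for (count malware alerts per source host, act only on the host that itself exceeds 4 alerts inside a sliding 60-minute window, and do not let 4 alerts spread across several hosts trigger anything) can be stated precisely in code. The following is an added example, not code from the original post, from McAfee SIEM or from ePO: the alert line format, the host names and the `apply_tag` hook are constructed assumptions, and the hook is where a deployment would call its own ePO tagging mechanism.

```python
"""Sliding-window correlation: tag a host only after MORE than `threshold`
malware alerts from that same host fall within `window`.

Added example; not McAfee SIEM or ePO code. The alert line layout below is an
assumption made for the example, not the SIEM's real export format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 4                   # "more than 4 malware alert notifications ..."
WINDOW = timedelta(minutes=60)  # "... within 60 minutes"

# Constructed sample alerts (not real SIEM output). WS-042 produces 5 alerts
# within 55 minutes and should be tagged once; WS-017 also produces 5 alerts
# in total, but never more than 4 inside any 60-minute span, so it must not be.
SAMPLE_ALERTS = """\
2014-11-12T09:05:00 host=WS-042 sigid=77001 event=malware_detected
2014-11-12T09:10:00 host=WS-017 sigid=77002 event=malware_detected
2014-11-12T09:20:00 host=WS-042 sigid=77003 event=malware_detected
2014-11-12T09:35:00 host=WS-042 sigid=77001 event=malware_detected
2014-11-12T09:50:00 host=WS-017 sigid=77004 event=malware_detected
2014-11-12T09:55:00 host=WS-042 sigid=77005 event=malware_detected
2014-11-12T10:00:00 host=WS-042 sigid=77002 event=malware_detected
2014-11-12T11:30:00 host=WS-017 sigid=77001 event=malware_detected
2014-11-12T12:40:00 host=WS-017 sigid=77003 event=malware_detected
2014-11-12T13:50:00 host=WS-017 sigid=77005 event=malware_detected
"""


def parse_alert(line):
    """Split one constructed alert line into (timestamp, host, signature id)."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts_text), fields["host"], fields["sigid"]


def correlate(lines, threshold=THRESHOLD, window=WINDOW, apply_tag=None):
    """Return {host: time_of_trigger} for every host that exceeds the threshold.

    Alerts are keyed by host, so counts never mix across machines. Each host is
    tagged at most once; `apply_tag(host)` is a hypothetical hook for the ePO
    action and is only called when the threshold is actually exceeded.
    """
    events = sorted(parse_alert(l) for l in lines.splitlines() if l.strip())
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    tagged = {}
    for ts, host, _sigid in events:
        bucket = recent[host]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # expire alerts older than the window
            bucket.popleft()
        if len(bucket) > threshold and host not in tagged:
            tagged[host] = ts
            if apply_tag is not None:
                apply_tag(host)
    return tagged


def tagged_hosts(lines):
    """Convenience wrapper: sorted list of hosts that would be tagged."""
    return sorted(correlate(lines))


if __name__ == "__main__":
    actions = []
    result = correlate(SAMPLE_ALERTS, apply_tag=actions.append)
    for host, when in result.items():
        print(f"{host}: threshold exceeded at {when.isoformat()}")
    print("tag actions issued:", actions)
```

Running it on the sample data tags only `WS-042` (at 10:00, its fifth alert inside the hour) and never `WS-017`, whose alerts are too spread out. Keying the deque by host is what gives the "same computer" granularity asked about, and the `host not in tagged` guard prevents a noisy machine from generating repeated tag actions.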