We run the McAfee SIEM as one of the security management platforms of a multi-tenanted environment, and as we continue to push the boundaries of our knowledge of the tool we noticed a small issue:
In our environment we have multiple sets of IP ranges: one, for example, refers to our own environment, while other IP ranges belong to one of our clients and may be routed through our environment and/or frequently access privileged services in our environment.
As a result, we tend to multiple lists of "known IPs" (e.g. we know the public IP addresses clients use to access their environment via ssh, or the public IP addresses used by their email gateways to send email to external hosts).
We know this contextual information may be easily provided into the SIEM via Variables but:
However, this is sort of painful to manage in the long run as well.
May I ask you for any alternative approach to group variables applicable to a given client?
I thank you in advance.