0 Replies Latest reply on Nov 27, 2014 10:42 PM by rhinomike

    Grouping variables in multitenanted environments

    rhinomike

      All,

       

      We run the McAfee SIEM as one of the security management platforms of a multitenanted environment, and as we continue to push the boundaries of our knowledge of the tool we noticed a small issue:

       

      In our environment we have multiple sets of IP ranges: one, for example, refers to our own environment; other IP ranges belong to one of our clients and may be routed through our environment and/or frequently access privileged services in our environment.

       

      As a result we tend to have multiple lists of "known IPs" (e.g. we know the public IP address clients use to access their environment via SSH, or the public IP addresses used by their email gateways to send email to external hosts).

       

      We know this contextual information may easily be provided to the SIEM via Variables, but:

       

      1. With time, managing these "known IP lists" becomes a burden.
      2. Grouping variables does not work as one would expect:
        1. While you can have a category "Blah", when tuning your correlation rules you cannot use that category as a filter; instead the system lists each variable individually.
        2. This also means you can't have two variables with the same name.
        3. The solution would be having something like:

                               Known_IPs_Lists\Client_1_Proxy_Server1_External_IP

                               Known_IPs_Lists\Client_1_Proxy_Server2_External_IP

                               Known_IPs_Lists\Client_2_Proxy_Server1_External_IP

                               ...

                     However, this is sort of painful to manage in the long run as well.

       

      May I ask you for any alternative approach to group variables applicable to a given client?

       

       

      I thank you in advance.
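An added example, not part of the original post and not McAfee SIEM code: a small Python registry that keeps "known IP" lists grouped per client and role, flattens them into the flat `Known_IPs_Lists\Client_X_Role` variable names the post describes, answers "which client and role does this address belong to", lists the variables that belong to one client (the per-client grouping the correlation-rule filter lacks), and flags ranges that overlap across tenants. The client names, role names, naming convention and addresses (RFC 5737 documentation space) are all constructed assumptions.

```python
"""Per-client known-IP registry flattened into uniquely named SIEM variables.

Added example: the nested layout, the "Known_IPs_Lists\Client_Role" naming
convention and all sample ranges are assumptions, not a vendor API.
"""
import ipaddress

PREFIX = "Known_IPs_Lists"  # category prefix used in the post's naming scheme

# Constructed sample data: client -> role -> list of hosts or CIDRs.
KNOWN_IPS = {
    "Client_1": {
        "Proxy_Server1_External_IP": ["192.0.2.10"],
        "Proxy_Server2_External_IP": ["192.0.2.11"],
        "Mail_Gateway_External_IPs": ["198.51.100.0/29"],
    },
    "Client_2": {
        "Proxy_Server1_External_IP": ["203.0.113.5"],
        "SSH_Admin_Sources": ["203.0.113.64/27"],
    },
    "Ourselves": {
        "Mgmt_Network": ["10.10.0.0/16"],
    },
}


def normalise(entry):
    """Accept a bare host or a CIDR; a bare host becomes a /32 (or /128)."""
    return ipaddress.ip_network(entry, strict=False)


def iter_ranges(registry):
    """Yield (client, role, network) for every entry in the nested registry."""
    for client, roles in registry.items():
        for role, entries in roles.items():
            for entry in entries:
                yield client, role, normalise(entry)


def flatten(registry):
    """Build the flat variables the SIEM can hold: one name per (client, role).

    Returns {variable_name: (client, role, [networks])}.  The tuple keeps the
    grouping explicit so later filtering never has to parse the name string.
    Raises ValueError when two (client, role) pairs collapse onto one name,
    which is exactly the 'no two variables with the same name' constraint.
    """
    out = {}
    for client, roles in registry.items():
        for role, entries in roles.items():
            name = f"{PREFIX}\\{client}_{role}"
            if name in out:
                raise ValueError(f"duplicate variable name: {name}")
            out[name] = (client, role, [normalise(e) for e in entries])
    return out


def client_variables(flat, client):
    """Names of all flat variables belonging to one client, sorted."""
    return sorted(name for name, (c, _role, _nets) in flat.items() if c == client)


def lookup(registry, ip):
    """Most specific known range containing ip as (client, role, network), else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for client, role, net in iter_ranges(registry):
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[2].prefixlen:
            best = (client, role, net)
    return best


def overlaps(registry):
    """Pairs of ranges from different clients that overlap.

    In a multitenanted setup two tenants can legitimately use the same private
    space; an overlap makes lookup() ambiguous, so catch it when the lists are
    maintained rather than when a correlation rule fires.
    """
    items = list(iter_ranges(registry))
    found = []
    for i, (c1, r1, n1) in enumerate(items):
        for c2, r2, n2 in items[i + 1:]:
            if c1 != c2 and n1.version == n2.version and n1.overlaps(n2):
                found.append((f"{c1}_{r1}", f"{c2}_{r2}"))
    return found


if __name__ == "__main__":
    flat = flatten(KNOWN_IPS)
    for name in flat:
        print(name)
    print(client_variables(flat, "Client_2"))
    print(lookup(KNOWN_IPS, "198.51.100.3"))
    print(overlaps(KNOWN_IPS))
```

Keeping the nested registry as the source of truth and generating the flat names from it means the SIEM still sees one variable per list, as the post describes, while per-client grouping and overlap checks are done outside the tool where they are cheap to maintain.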