    SIEM enhancement requests


      Has anybody had more luck with Product Enhancement Requests for McAfee SIEM?

      It seems their website for PER Accept Requirements Home is more like a black hole...

      No visibility to progress for submitted PERs, no way to see PERs from others, no scoring.


      Please share your experiences/thoughts.

          Yes... black hole describes the experience pretty well. You'll have to try and irritate your sales folk and product managers regularly. Although, my most recent PER submission was denied almost immediately, but at least that was obvious.

            Yes, I do keep reminding our Account Director and Support Account Manager about PERs. It helps very little since we paid for the whole platform/service...

            Anyway, perhaps we should start sharing our PERs here and get more leverage on the ones that are important to the majority?

            Our pending PERs (excluding custom parsers) below:

            - Allow to log user alias in case's views/edits (our AD logins are mostly digits)

            - Select All events (double-click selects events only from current page)

            - watchlist changes - to be logged

              I submitted about 20 back in November. Late December and beginning of January I received:


              A status change has been made to the following Product Enhancement Request for which you are a stakeholder.
              Status Change Notification: Product Enhancement Request status updated from Not Yet Reviewed to Under Review

              This request has been received by McAfee and is under consideration for inclusion in a future release.


              I also created a view in the ESM using Note Areas, so when I'm in the middle of something I can just write down what I want quickly:


              Would be really awesome if they would let you submit a PER from the tool itself!!! Think of that magic!

                I never seem to get any response to any PER I submit. One sat in there for a year. They never get looked at or reviewed so I have stopped submitting them. Is there a secret the other posters used that they might share? Did they use the same PER request site that is posted? Not trying to be snarky, here, I just would really like to know. I asked support once and they said that the PER site was the only way to submit them.

                  The only way to get attention to your PERs is to tell everyone you know about them.

                  Do you want to share with us what's on your list?


                  I'm currently preparing another one(s) around permissions/access affecting various areas (e.g. watchlists, events).

                    Support told me that the next update has the function to set a PER.

                      No special tricks, my guess is they probably get a lot of duplicates. I also know they are in the middle of a UI re-write with HTML5. Maybe even get some right-click functionality. These may contribute to the slowness of PER responses. I know it seems like a black hole at times but better to throw them over the fence. Some day you might see something in an upgrade and get really excited.

                        I had to log in to the site to see what we had submitted, it's been a while since I've bothered. The ones we have left in there are for F5 log parsing. One issue was that our ASM logs weren't being parsed correctly. If it had the term "request blocked", those entries weren't parsed. If the term "request violations" was in the entry, then it was parsed. This was from September of 2014, it was never looked at. Honestly, I think we found another way to get the data we needed.

                        The other item was that our audit logs (system logs from the devices themselves) from the F5 devices aren't being parsed correctly. To my knowledge, this is still an issue. We verified the logs were hitting the SIEM via tcpdump but they didn't get parsed. That was in November of 2014. We supplied log samples for each and still haven't heard anything back. That one also has not been looked at.

                        I have one from February 2014 that I tried to close but apparently we can't close our requests? So I just left it, the issue has gone away.