4 Replies Latest reply on May 26, 2015 1:42 AM by rhinomike

    Reporting feature of ESM

    ravismallah

      Hi, i am trying to generate a report with TOP 10 co-relation rules fired in a given frame of time, there are basically two issues in the following report

       

      1. There is no way to generate any top 10 or similar reports.

      2. When i create the event query report it does not allow me to modify the fields ad the report query don't give me co-relation rules name.

       

      It would be really nice if any one can help me with this.

        • 1. Re: Reporting feature of ESM
          mariajohn14

          Hi,

           

          1. There is no way to generate any top 10 or similar reports.

               Ans : Select the particular Report --> Edit--> 5.(select the layout)-->Edit-->select the chat/table --> Edit Query --> change the value. 

           

          • 2. Re: Reporting feature of ESM
            ravismallah

            Hi,

             

            I have already tried this but somehow it still does not solve the purpose, As one signature was fired like 100 times and this returned only that signature an no other as the source IP address were distinct.


            What i m looking forward to is top 10 co-relation rules fired in a given frame of time, with source IP address and Destination IP address also the Time stamp.

            • 3. Re: Reporting feature of ESM
              streamer

              I aggree to you. ESM reporting capabilities seems to me very insufficient.

              • 4. Re: Reporting feature of ESM
                rhinomike

                ravismallah

                 

                If you accept a suggestion of someone who is processing massive amounts of data with McAfee SIEM:

                 

                Forget the system reporting for it is not worth the pain you will go through.

                 

                I went through the pains of building a separate reporting engine using the Receiver's Data Archival platform and a number of other technologies in order to deliver a decent level of reporting. It took us a few weeks of development but my whole team agrees we will are unlikely to ever look back to the McAfee SIEM reporting capabilities.