4 Replies Latest reply on Jun 24, 2016 5:36 AM by davidp64

    Fundamentals key for McAfee SIEM..

    davidp64

      Hello Team,

Kindly help me understand the queries below.

1) If we select Physical Display: what type of events are reflected? Please explain the difference from the two points below as well.

2) If we select Local ESM: what type of events are reflected? Please explain the difference from the point above as well.

3) If we select Local Receiver-ELM: Correlation Engine. Please explain the difference from the point above as well.

4) What is the difference between a correlation rule and a normalization rule?

5) What is the difference between a signature ID and a normalization ID?

6) In data source properties, what is the use of the Upload option? Under which conditions do we need to use it?


      ....David

        • 1. Re: Fundamentals key for McAfee SIEM..
          btkarp

          All of these questions can be answered by reading the McAfee SIEM Foundations guide. This is a FANTASTIC resource for just starting out.


          SIEM Foundations - Index

          • 2. Re: Fundamentals key for McAfee SIEM..
            3no

            Hi David,


1) The Physical Display will show you "ALL" the events of your infrastructure (ACE, Receiver, ELM, McAfee ePO, and some other McAfee products if you have them).

2) Local ESM will show only the events related to the ESM (if you have only one ESM, it will give the same information as above).

3) Receiver-ELM will show only the events collected by this Receiver (if you don't have any other McAfee product, it will give you the same information as above).

4) Correlation rules are used to "correlate" events from different sources. A simple example would be the detection of brute force: if the same user makes three unsuccessful authentications and then succeeds on the fourth, generate an alarm.

Normalization is different; it is the way you name your fields. Let's say you want to know the "TOP 10 users" on your network; the problem is that in Windows logs the field is called "username" and for Cisco it is "user".

What you need is for all of your equipment to have the same terminology, so that when you ask McAfee to show you the TOP 10 users it will take Windows and Cisco logs into consideration.

5) Signature IDs are the rules used for parsing, and normalization IDs are for normalization rules.

6) You can upload a flat file for testing purposes, mostly to be sure that your parser is correct.


You should definitely take a look at the documentation; as btkarp said, you'll find a lot of useful information.


            Hope this helped and sorry for my English.


            Eno
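The two ideas in Eno's answer, normalizing source-specific field names into one schema and then running a correlation rule over the normalized stream, can be seen end to end in a small script. This is an added example and not code from the thread or from McAfee: the log lines are constructed, and the field mapping, the `normalize`/`correlate_bruteforce` functions and the "three failures then a success" threshold are assumptions chosen to illustrate the point, not McAfee's rule or parser syntax.

```python
"""Normalization followed by correlation over constructed sample events.

Added example, not from the thread or from McAfee. The source formats,
the normalized field names and the rule threshold are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events as (source, raw line). Each source names the
# user field differently ("username" vs "user"), which is exactly the
# problem normalization solves.
SAMPLE_LOGS = [
    ("windows", "EventID=4625 username=alice src=10.0.0.5 status=failure"),
    ("cisco",   "%SEC_LOGIN-4-LOGIN_FAILED: user=alice source=10.0.0.5"),
    ("windows", "EventID=4625 username=alice src=10.0.0.5 status=failure"),
    ("cisco",   "%SEC_LOGIN-5-LOGIN_SUCCESS: user=alice source=10.0.0.5"),
    ("windows", "EventID=4624 username=bob src=10.0.0.9 status=success"),
    ("cisco",   "%SEC_LOGIN-4-LOGIN_FAILED: user=carol source=10.0.0.7"),
]

# Hypothetical normalization table: per source, raw field name -> common name.
FIELD_MAP = {
    "windows": {"username": "user", "src": "src_ip"},
    "cisco":   {"user": "user", "source": "src_ip"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(source, raw):
    """Parse one raw line and return an event using the common field names."""
    fields = dict(KV_RE.findall(raw))
    event = {"source": source}
    for raw_name, common_name in FIELD_MAP[source].items():
        if raw_name in fields:
            event[common_name] = fields[raw_name]
    # The outcome is encoded differently per source as well: Windows carries
    # it in the event ID (4625 = failed logon, 4624 = successful logon),
    # while the Cisco line carries it in the syslog mnemonic.
    if source == "windows":
        event["outcome"] = "failure" if fields.get("EventID") == "4625" else "success"
    else:
        event["outcome"] = "failure" if "LOGIN_FAILED" in raw else "success"
    return event


def correlate_bruteforce(events, max_failures=3):
    """Alarm when a user succeeds after at least max_failures consecutive failures.

    Works across sources only because every event already carries the
    normalized "user" and "outcome" fields.
    """
    consecutive_failures = defaultdict(int)
    alarms = []
    for ev in events:
        user = ev.get("user")
        if user is None:
            continue  # unparsed or userless event; a real rule would log this
        if ev["outcome"] == "failure":
            consecutive_failures[user] += 1
            continue
        if consecutive_failures[user] >= max_failures:
            alarms.append({
                "user": user,
                "failed_attempts": consecutive_failures[user],
                "src_ip": ev.get("src_ip"),
            })
        consecutive_failures[user] = 0  # a success resets the window
    return alarms


def top_users(events, n=10):
    """The 'TOP 10 users' report: counts by the normalized user field."""
    return Counter(ev["user"] for ev in events if "user" in ev).most_common(n)


def run(logs=SAMPLE_LOGS):
    """Normalize, then correlate and report; returns all three results."""
    events = [normalize(source, raw) for source, raw in logs]
    return events, correlate_bruteforce(events), top_users(events)


if __name__ == "__main__":
    _, alarms, report = run()
    print("alarms:", alarms)
    print("top users:", report)
```

Without the `FIELD_MAP` step, alice's Windows and Cisco events would be counted under two different field names and neither the brute-force rule nor the top-users report would see her four attempts as one user.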

            • 3. Re: Fundamentals key for McAfee SIEM..
              davidp64

              Hello Eno,


Thanks for your update, it's great to know.


              >>>David

              • 4. Re: Fundamentals key for McAfee SIEM..
                davidp64

                Hello Eno,


I need your help to know the difference between three keywords in the SIEM editor:

[attached image: SIEM.PNG]


                Thanks in advance