6 Replies Latest reply on Aug 28, 2017 10:32 PM by itgfcsys

    Fundamentals key for McAfee SIEM..

    davidp64

      Hello Team,

Kindly help me understand the queries below.

1) If we select physical display: what type of events are reflected? Please explain the difference from the two points below, too.

2) If we select local ESM: what type of events are reflected? Please explain the difference from the above point, too.

3) If we select local Receiver-ELM: Correlation Engine. Please explain the difference from the above point, too.

4) What is the difference between a correlation rule and a normalization rule?

5) What is the difference between a signature ID and a normalization ID?

6) In data source properties, what is the use of the Upload option? In which condition do we need to use it?


      ....David

        • 1. Re: Fundamentals key for McAfee SIEM..
          btkarp

          All of these questions can be answered by reading the McAfee SIEM Foundations guide. This is a FANTASTIC resource for just starting out.


          SIEM Foundations - Index

          • 2. Re: Fundamentals key for McAfee SIEM..
            3no

            Hi David,


1) The physical display will show you "ALL" the events of your infrastructure (ACE, Receiver, ELM, McAfee ePO, and some other McAfee products if you have them).

2) Local ESM will show only the events related to the ESM (if you have only one ESM, it will give the same information as above).

3) Receiver-ELM will show only the events collected by this receiver (if you don't have any other McAfee product, it will give you the same information as above).

4) Correlation Rules are used to "correlate" events from different sources. A simple example would be the detection of brute-force: if the same user makes three unsuccessful authentication attempts and then succeeds at the fourth, generate an alarm.

Normalization is different; it's the way you name your fields. Let's say you want to know the "TOP 10 users" on your network. The problem is that in Windows logs the field is called "username" and for Cisco it's "user".

What you need is for all of your equipment to have the same terminology, so when you ask McAfee to show you the TOP 10 users it will take both Windows and Cisco logs into consideration.

5) Signature IDs are for the rules used for parsing, and normalization IDs are for normalization rules.

6) You can upload a flat file for testing purposes, mostly to be sure that your parser is correct.


You should definitely take a look at the documentation as btkarp said; you'll find a lot of useful information.


            Hope this helped and sorry for my English.


            Eno
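Eno's two points above, normalizing vendor-specific field names onto one common name and then correlating "three failures, then a success" per user, as an added Python example. This is not part of the original thread and not McAfee's rule syntax; the sample log lines, the FIELD_MAP and the failure threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). The Windows lines name the
# account field "username", the Cisco lines name it "user".
SAMPLE_LOGS = [
    "src=windows username=alice result=failure",
    "src=cisco user=alice result=failure",
    "src=windows username=alice result=failure",
    "src=cisco user=alice result=success",
    "src=windows username=bob result=failure",
    "src=windows username=bob result=success",
]

# Normalization rule (assumed mapping): every vendor's account field becomes "user".
FIELD_MAP = {"username": "user", "user": "user", "result": "result", "src": "src"}


def normalize(line):
    """Parse key=value pairs and rename vendor-specific fields to the common name."""
    event = {}
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        event[FIELD_MAP.get(key, key)] = value
    return event


def correlate_bruteforce(events, failures=3):
    """Correlation rule: alarm on a user who fails `failures` times in a row
    and then succeeds. The streak counts across sources because the field
    names were normalized first."""
    streak = defaultdict(int)
    alarms = []
    for ev in events:
        user = ev.get("user")
        if ev.get("result") == "failure":
            streak[user] += 1
        elif ev.get("result") == "success":
            if streak[user] >= failures:
                alarms.append(user)
            streak[user] = 0  # a success ends the streak either way
    return alarms


def run(lines=SAMPLE_LOGS):
    """Normalize each line, then apply the correlation rule; returns alarmed users."""
    return correlate_bruteforce(normalize(line) for line in lines)
```

Without the normalization step, alice's two Windows failures and one Cisco failure would be counted under different field names and the rule would never reach its threshold.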

            • 3. Re: Fundamentals key for McAfee SIEM..
              davidp64

              Hello Eno,


Thanks for your update, it's a great feeling to know..


              >>>David

              • 4. Re: Fundamentals key for McAfee SIEM..
                davidp64

                Hello Eno,


I need your help to know the difference between three keywords in the SIEM editor:

[attached image: SIEM.PNG]


                Thanks in advance

                • 5. Re: Fundamentals key for McAfee SIEM..
                  davidp64

Anyone have an idea on this? What is the difference between rule and policy here?

                  • 6. Re: Fundamentals key for McAfee SIEM..
                    itgfcsys

                    A Policy can be thought of as a collection of Rules. You can edit a policy to a set of rules, for example if you have rules enabled for devices or data sources you do not operate, you may be wasting resources updating these rules and the policy for non-existent data sources.


                    Rules are either built in, custom built, or correlation rules that dictate actions/activities/events based upon logs and the parsing of same. For example I've created a custom rule, for our endpoint product calling out Ransomware detections by editing the parser for *crypt and other threat names. Rules can also be enabled or disabled.


Variables can be thought of as "programmatic watch lists". Variables include $HOMENET, $EXTERNAL_NET and such. You can create variables for networks or hosts/machines; for example, you can enter all of your DNS servers into a DNS_Servers variable and build rules based upon actions involving those hosts. This will tune your detections and allow you to disable non-DNS/server rules, and lighten your policy.