2 Replies Latest reply on Aug 9, 2016 3:43 AM by steave

    How to do AD integration with the McAfee SIEM and IDS

    steave

      Hi Team,

       

      Can anyone tell me how to do new AD integration with the McAfee SIEM and IDS? What are the basic configuration and network requirements in the AD for the SIEM?

      Appreciate all your help on this.

       

      Kind Regards,

      Jay

        • 1. Re: How to do AD integration with the McAfee SIEM and IDS
          rth67

          AD integration for what purpose?

          You can do AD integration for the ability to log in to the ESM, mapping users through Group Membership, and assigning privileges to those Groups.

          You can also set up AD in the Asset Manager to allow you to use AD in Filters, Watchlists, etc...

          Then there is setting up Data Enrichment from AD for things like Display Name, email address, phone number, etc...

          And of course setting up an AD Profile to use when pulling WMI events from Windows Servers.

          --------------------------------------------------

          For Login to the ESM - go to the ESM Properties - then to the 'Login Security' link on the left navigation - go to the 'Active Directory' tab - click 'Add' then give it a Friendly Name, click 'Add' again to define which AD Server to query, providing an IP Address and Port information. Once you enable AD authentication, the only 'Local user' that is allowed is the NGCP account.

           

          Once AD is set up, go back to the ESM Properties, then go to 'Users and Groups' and 'Add' Group names that you want to map privileges to.

          ---------------------------------------------------

          For Asset Management - click on the 'Asset Manager' icon in the upper right corner of your ESM screen - click on the 'Asset Sources' tab - select a location to pull your domain information from (max of 1 domain per location - ESM, Receiver, etc...) - click 'Add' and provide the necessary information to query AD including an AD account (preferably a service account with a password that will not change often).

          ---------------------------------------------------

          For Profile Management - go to the ESM Properties page and select 'Profile Management' from the left navigation area - click 'Add' - profile type > 'Data Source' - Profile Agent > Windows - then provide a Profile name, username and password, and define which logs to pull > 'APPLICATION,SECURITY,SYSTEM'

           

          We also had our Domain Admins enable Print Logging so for our Print servers we have a different profile which also pulls the print logs > APPLICATION,SECURITY,SYSTEM,Microsoft-Windows-PrintService/Operational

          If you are also enabling PowerShell logging, or other things like SCOM logs, you can pull those as well.

          --------------------------------------------------

          There are community articles out there for Data Enrichment already.

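A pre-check for the Profile Management step in the reply above, as an added example that is not part of the original post and is not McAfee code: it confirms that each channel named in the profile's log list exists and is enabled on a target server, and that the profile's account can read it. The server name is a placeholder, and the check uses `Get-WinEvent` rather than the ESM's own WMI collection, so it validates the channel and the account's read access, not the WMI path itself.

```powershell
# Added example. Server names are placeholders; the channel list is the one
# quoted in the reply (print servers also get the PrintService channel).
$Servers  = @('PRINT01.example.local')
$Channels = @('Application', 'Security', 'System',
              'Microsoft-Windows-PrintService/Operational')

function Test-CollectionChannel {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $LogName,
        [pscredential] $Credential   # the account entered in the ESM profile
    )
    foreach ($computer in $ComputerName) {
        foreach ($name in $LogName) {
            $query = @{ ListLog = $name; ComputerName = $computer; ErrorAction = 'Stop' }
            if ($Credential) { $query.Credential = $Credential }
            try {
                $log = Get-WinEvent @query
                # A channel can exist but be disabled (PrintService/Operational
                # is off by default), in which case nothing is ever collected.
                $status = if ($log.IsEnabled) { 'OK' } else { 'Disabled' }
                [pscustomobject]@{
                    Computer = $computer
                    Channel  = $log.LogName
                    Enabled  = $log.IsEnabled
                    Records  = $log.RecordCount
                    MaxBytes = $log.MaximumSizeInBytes
                    Status   = $status
                }
            }
            catch {
                # Typical causes: channel not present, access denied for the
                # account, or the server is unreachable.
                [pscustomobject]@{
                    Computer = $computer
                    Channel  = $name
                    Enabled  = $null
                    Records  = $null
                    MaxBytes = $null
                    Status   = "Error: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Prompt for the profile account and report anything that is not ready.
$cred = Get-Credential -Message 'Account used in the ESM Windows profile'
Test-CollectionChannel -ComputerName $Servers -LogName $Channels -Credential $cred |
    Format-Table -AutoSize
```

Any row whose Status is not `OK` points at a channel that would return no events once it is added to the profile.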
          • 2. Re: How to do AD integration with the McAfee SIEM and IDS
            steave

            Thanks Rth for this guidance. Really sorry for giving you the late reply.

             

            Kind Regards,

            Jay Bhatt