2 Replies Latest reply on Nov 11, 2016 4:58 PM by moorej1

    How to control EPS threshold exceeding using another pair of ELMREC?

    mswip

      Hi all, after adding some more log sources to our combined box ELMREC, the threshold is exceeding 65% of max EPS ( Max - 8000). I have another ELMREC. How can we use ELMREC effectively so that the EPS count will never exceed threshold? Please help with a diagram showing all essential components of the solution design.

        • 1. Re: How to control EPS threshold exceeding using another pair of ELMREC?
          abanaru

          Here you should see a generic architecture of the SIEM - SIEM Foundations: Architecture Primer

           

          If you have a second box you should distribute data sources to the other combo box. Also you can use the Filter inside the Policy Editor | Receiver to discard events if you can't filter them out directly on the data sources.

          • 2. Re: How to control EPS threshold exceeding using another pair of ELMREC?
            moorej1

            Yep. what Abanaru pointed out is one thing to do.

            1. Go to Policy Editor and "Filter" events of data sources you already have. For instance if you have a firewall that logs drops from the Internet then you would want to "Filter" drops from that data source where the drops are from the Internet.

            2. Go to Correlation Rules and disable any that you don't need (lots are on by default) and unless you have all the components like EndPoint MOVE, McAfee Gateway, EPO, etc then they are wasting your processing.

            3. Ensure the logs (SYSLOG, WMI, etc) are the ones you want coming into the SIEM of critical devices and then "FILTER" those logs... for instance Windows may send the entire SYSTEM event log with a ton of eventIDs, however you may only need a few event logs that need to be alerted on from it, so filtering that down will help with reducing the EPS.

            4. Look at your overall SIEM performance and the data sources EPS and go through each one remove event rule messages by signature ID that do not provide value (Go back to Policy Editor and Filter)

            5. Once the above is done then start thinking about adding ERC's depending on your growth expectations (Strategy) and how many more "RULES (Correlations, Alarms), Parsers" you want to enable and other Integrations such as Web Gateway, MOVE, EPO, Vulnerability Management, ATD, etc, and then you may also need to add or upgrade your main ESM depending on how many EPS it will take.

            6. That's not everything but it will keep you busy for a looooong time.