Proof of Concept Setup Guide

McAfee SIEM

Security Information & Event Management Platform

Proof of Concept Setup Guide

V2.0 Jul 2014


Introduction

This document is intended to provide a walkthrough of the steps necessary to complete a McAfee SIEM installation as part of an evaluation/proof of concept. It outlines the best practices to ensure a successful demonstration of the ease-of-use and rapid value delivered from the platform.

Setting the Stage

There are multiple products and configuration options that may need to be supported during a POC. An initial planning session was used to determine the scope and expectations for this project. This information was used to select the appropriate hardware delivered to satisfy the evaluation request.

Appliance-Based

When a POC is intended to demonstrate functionality as well as performance, it is typical that the request will be satisfied using one or more physical appliances. Each hardware appliance will require dedicated power, rack space and host network connectivity.

Additionally, some of the SIEM platforms (ADM/DEM) require additional network connectivity to perform promiscuous traffic collection from a switch SPAN/Tap port. If these platforms are to be included in the evaluation, proper switch configuration must be provisioned in advance of the POC.

VMware/ESX-Based

Some POC engagements may be satisfied using a virtual server configuration. A standard ESX virtualized environment can be used to demonstrate one or more of the SIEM solutions, each being provisioned as a VM guest. This reduces the operational requirements of the customer considerably; rack space (2u), power and network connectivity are dramatically reduced while still being able to demonstrate the entire value proposition and superior performance of the McAfee SIEM platform.

This guide will discuss the requirements for both an Appliance-based POC as well as a VMware-based configuration.


Proof of Concept Setup Guide McAfee SIEM

3

Table of Contents

Proof of Concept Setup Guide ... 1
McAfee SIEM ... 1
A McAfee SIEM Architecture Primer ... 4
    ESM - Enterprise Security Manager ... 4
    REC - Event Receiver ... 4
    ELM - Enterprise Log Manager ... 4
    ESM/REC/ELM ... 5
    ACE - Advanced Correlation Engine ... 5
    ADM - Application Data Monitor ... 5
    DEM - Database Event Monitor ... 5
Getting to Know the Intel Hardware ... 6
    Standard 2u Appliance – Rear ... 6
    Front Bezel ... 6
Installation and Configuration of VM Images ... 7
Step 1: Initial Power-Up and Configuration ... 13
Step 2: Connecting to the ESM via Web GUI ... 14
Step 3: Completing the Initial ESM Configuration Wizard ... 15
Step 4: Performing a Manual Rules Update ... 18
Step 5: Configuring Event, Flow and Log Retrieval Polling Interval ... 19
Step 6: Configuring ESM Data Allocation Policy ... 20
Step 7: Configuring ESM SMTP Mail Settings ... 21
Step 8: Configuring ESM Backup Settings [Optional] ... 22
Step 9: Adding (Keying) Additional SIEM Appliances ... 23
Step 10: Configuring Event Inactivity Settings ... 25
Step 11: Adjusting Default Port Index Settings ... 26
Configuring Common Data Sources for Event Collection ... 27
Configuring a SYSLOG Data Source ... 27
Creating a Windows Data Source Profile ... 30
Configuring a Windows Data Source ... 31
Creating a McAfee ePolicy Orchestrator Data Source ... 34
Configuring Advanced ePO Integration ... 40
Preparing for a SIEM Software Update ... 44
Performing a SIEM Software Update – ESM ... 45
Performing a SIEM Software Update – REC, ELM, ACE, ADM, DEM ... 48
Configuring Event-Specific Aggregation ... 50
Configuring Rule-Based Correlation on an Event Receiver ... 57
Connecting the SIEM to a Windows Domain Controller ... 58


A McAfee SIEM Architecture Primer

The McAfee SIEM solution is comprised of several appliance-based platforms working in conjunction to deliver unmatched value and performance to enterprise security professionals within an enterprise. A multitude of deployment configurations allow for the most scalable and feature-rich SIEM architecture available, delivering real-time forensics, comprehensive application and database traffic/content monitoring, advanced rule- and risk-based correlation for real-time as well as historical incident detection and the most complete set of compliance features of any SIEM on the market.

The following list details the entire suite of available SIEM components.

ESM - Enterprise Security Manager

The McAfee ESM is the ‘brains’ of the McAfee SIEM solution. It hosts the web interface through which all SIEM interaction is performed as well as the master database of parsed events used for forensics and compliance reporting. It is powered by the industry-leading McAfeeEDB proprietary embedded database which boasts speeds more than 400% faster than any leading commercial or open source database.

All McAfee SIEM deployments must start with [at least one] ESM (or ESM/REC/ELM).

REC - Event Receiver

The McAfee REC is used for the collection of all third-party event and flow data.

Event collection is supported via several methodologies:

1. Push – devices forward events or flows using SYSLOG, NetFlow, etc.
2. Pull – event/log data is collected from the data source using SQL, WMI, etc.
3. Agent – data sources are configured to send event/log/flow data using a small-footprint agent such as SNARE, Lasso, OPSEC, etc.

The Event Receiver can also be configured to collect scan results from existing vulnerability assessment platforms such as McAfee MVM, Nessus, Qualys, eEye, Rapid7, etc. In addition, the REC supports the configuration of rule-based event correlation as an application running on the Receiver.

McAfee Event Receivers come in physical appliances with EPS ratings ranging from 5k to 22k events per second as well as VM-based models with event collection rates ranging from 250 to 1k EPS.

Multiple REC appliances (or VM platforms) can be deployed centrally to provide a consolidated collection environment or can be geographically distributed throughout the enterprise. Typical deployment scenarios will locate an Event Receiver in each of several data centers, all of which will feed their collected events back to a centralized ESM (or to multiple ESM appliances for redundancy and disaster recovery purposes).

ELM - Enterprise Log Manager

The McAfee ELM stores the raw, litigation-quality event/log data collected from data sources configured on Event Receivers. In SIEM environments where compliance is a success factor, the ELM is used to maintain event chain of custody and ensure full non-repudiation.

In addition to providing compliant-quality raw event archival, the ELM also supports the full-text index (FTI) for all event details. The McAfee SIEM supports the ability to perform ad-hoc searches against the unstructured data maintained in the archive.


ESM/REC/ELM

The ESMRECELM - also called an All-in-One (AIO) or a ‘combo box’ - provides the combined functions of the McAfee Enterprise Security Manager (ESM), Event Receiver (REC) and Enterprise Log Manager (ELM) in a single appliance.

As most SIEM POC deployments are intended to showcase functionality rather than performance, the ESMRECELM is commonly used to demonstrate the features and ease of use delivered by the McAfee SIEM. It can be deployed with minimal disruption (single appliance, minimal rack space and power, single network connection and IP address).

In larger POC or production SIEM environments, a combo box may be inadequate to handle the sizable EPS performance requirements of an enterprise. The largest ESMRECELM peaks at 5k EPS and provides no local storage for ELM archive but instead requires supplemental storage by means of a SAN connection, NFS or CIFS share.

ACE - Advanced Correlation Engine

The ACE provides the SIEM with unmatched advanced correlation capabilities that include both rule- and risk-based options. In addition to performing real-time analysis, the ACE can be configured to process historical event/log data against the current set of rule and risk profiles. The ACE provides native risk scoring for GTI (for SIEM) and MRA-enabled customer environments. It also allows custom risk scoring to be configured to highlight threats performed against high-value assets, sensitive data and/or by privileged users.

Typical production SIEM deployments will include two ACE appliances – one performing real-time rule and risk correlation and another configured for historical rule and risk correlation of events.

ADM - Application Data Monitor

The ADM provides layer 7 application decode of enterprise traffic via four promiscuous network interfaces. It is used to track transmission of sensitive data and application usage as well as detect malicious, covert traffic, theft or misuse of credentials and application-layer threats.

Not to be confused with a true DLP, the integration with the SIEM provides advanced forensics value by preserving full transactional detail for sessions violating the user-defined policy managed from within the McAfee ESM common user interface. Complex rule correlation can leverage policy violation or suspicious application usage events to identify potential security incidents in real-time.

DEM - Database Event Monitor

The DEM provides a network-based solution for real-time discovery and transactional monitoring of database activity via two or four promiscuous network interfaces. It works in lieu of, or in parallel with, the McAfee (Sentrigo) agent-based database activity solution to provide comprehensive, transaction-level database monitoring of user or application DB usage.


Getting to Know the Intel Hardware

McAfee SIEM 4th Generation appliances are built on the robust Intel server platform and bear a new dark grey McAfee bezel. Intel SIEM appliance hardware has no front-panel LCD so all configuration must be performed using an attached keyboard and monitor. (See Step 1)

Rear Appliance Configuration

1. Primary Power Supply
2. Secondary Power Supply
3. Management NIC 1 (eth0)
4. Management NIC 2 (eth1)
5. Management NIC 3 (eth2)
6. Management NIC 4 (eth3)
7. VGA Video
8. RAID NIC
9. USB Ports
10. IPMI Management NIC

Front Bezel

1. Power Button
2. Bezel Lock

[Figure: rear-panel photo with callouts 1 through 10 and front bezel photo with callouts 1 and 2, as numbered in the lists above]


Installation and Configuration of VM Images

The McAfee SIEM VM guest images are provided for use in ESX (5.0+) environments. Each virtual appliance must be installed as an OVF template using a licensed copy of VSphere connected to an appropriate installation of VCenter.

Each guest image contains three files – a VM Virtual Disk file (.vmdk), an Open Virtualization Format Package file (.ovf) and a Manifest file (.mf). All three VM files should be located in the same directory on the VSphere client machine.
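Before deploying the template, it is worth confirming that the .ovf and .vmdk files match the digests recorded in the .mf manifest, so that a corrupted or altered download is caught before it becomes a running appliance. The following Python script is an added example (not part of this guide or of the McAfee product); it assumes the standard OVF manifest line format, `SHA1(filename)= hexdigest` (or SHA256/SHA512), and builds a constructed sample package with hypothetical file names in a temporary directory to exercise the check.

```python
import hashlib
import os
import re
import tempfile

# One OVF manifest line, e.g. "SHA256(ESM-VM.ovf)= 3a4f..." (OVF spec manifest format).
_MF_LINE = re.compile(
    r"^(?P<alg>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)
ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_manifest(text):
    """Return a list of (algorithm, filename, lowercase digest); reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _MF_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is not a digest entry: {raw!r}")
        entries.append((m.group("alg"), m.group("name"), m.group("digest").lower()))
    return entries


def file_digest(path, algorithm):
    """Hash a (possibly multi-gigabyte) file in 1 MiB chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_entries(entries, package_dir):
    """Map each listed filename to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for alg, name, expected in entries:
        # Only the basename is honoured: all three files must sit beside the .mf.
        path = os.path.join(package_dir, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if file_digest(path, ALGORITHMS[alg]) == expected else "mismatch"
    return results


def verify_ovf_package(mf_path):
    """Verify every file named in the .mf against the files in the same directory."""
    with open(mf_path, "r", encoding="utf-8") as f:
        entries = parse_manifest(f.read())
    return verify_entries(entries, os.path.dirname(os.path.abspath(mf_path)))


def build_sample_package():
    """Constructed sample (hypothetical names): a tiny .ovf and .vmdk plus their .mf,
    with the .vmdk modified after the manifest was written so one check must fail."""
    d = tempfile.mkdtemp(prefix="ovfcheck_")
    ovf = os.path.join(d, "ESM-VM.ovf")
    vmdk = os.path.join(d, "ESM-VM-disk1.vmdk")
    with open(ovf, "wb") as f:
        f.write(b"<Envelope/>")
    with open(vmdk, "wb") as f:
        f.write(b"constructed placeholder disk bytes")
    mf_lines = [
        f"SHA256(ESM-VM.ovf)= {file_digest(ovf, 'sha256')}",
        f"SHA256(ESM-VM-disk1.vmdk)= {file_digest(vmdk, 'sha256')}",
    ]
    with open(vmdk, "ab") as f:  # tamper after digesting
        f.write(b"X")
    mf = os.path.join(d, "ESM-VM.mf")
    with open(mf, "w", encoding="utf-8") as f:
        f.write("\n".join(mf_lines) + "\n")
    return mf


if __name__ == "__main__":
    for name, status in verify_ovf_package(build_sample_package()).items():
        print(f"{status:9} {name}")
```

Point `verify_ovf_package` at the real .mf in the download directory; deploy only when every entry reports `ok`.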

1. Launch the VSphere client and connect to the VCenter management server hosting the ESX infrastructure.
2. From the File menu, select Deploy OVF Template.
3. Browse to the location of the VM SIEM appliance and select the .ovf file.
4. Click Next >.


5. The OVF Template Details window displays the Product, Download size and Size on disk (both thin and thick provisioned) for the selected virtual SIEM image. Click Next >.
6. The Name and Location window allows the unique naming of the virtual SIEM image as well as the location in the ESX inventory.
7. Click Next >.


8. From the Resource Pool window, select the appropriate ESX resource pool within which you wish to deploy the virtual SIEM template.
9. Click Next >.
10. From the Storage window, select an appropriate destination for the virtual SIEM image. Make certain you select a location that has sufficient free disk space to host the entire guest image.
11. Click Next >.


12. From the Disk Format window, choose Thick Provision Eager Zeroed.
13. Click Next >.
14. From the Network Mapping window select an appropriate Destination Network for the guest virtual SIEM appliance NIC0. (Additional NICs can be configured at a later time).
15. Click Next >.


16. From the Deploy OVF Template Summary window, confirm the virtual SIEM appliance configuration options.
17. Click Next >.
18. As the virtual SIEM appliance is deployed, a progress bar will show the percent complete.
19. Once the OVF template has been fully deployed, a Success dialog box will indicate completion.
20. Click Close.


21. To make additional changes to the virtual SIEM appliance guest configuration, click Edit virtual machine settings.
22. Adjust the Memory, CPUs and/or Network Adapters as appropriate.

NOTE: Each guest virtual SIEM image has a maximum Memory and CPU core limit that cannot be exceeded. It is possible to configure values from the minimum of 8 GB memory and 8 CPU cores to the maximum allowed for the OVF image.


Step 1: Initial Power-Up and Configuration

The first appliance to bring online is the Enterprise Security Manager (ESM). This includes any ESM combo boxes such as ESM/REC/ELM.

1. Connect the power supplies to a properly grounded outlet (preferably on a sufficient Uninterruptable Power Supply).
2. Connect a network cable to the Management 1 NIC.
3. Press the power button on the front of the bezel. For VM-based SIEM appliances, power on the guest image. Wait for the appliance to boot completely.
4. Configure the basic ESM network settings.

Using a keyboard and monitor

i. Connect a VGA monitor and keyboard. For VM-based SIEM appliances, enter Console mode. The LCD display is mimicked on the monitor/console.
ii. Press ESC on the keyboard to open the configuration menu.

NOTE: The keyboard may appear unresponsive and may require multiple keystrokes to recognize each key press.

iii. Using the arrow keys on the keyboard, scroll down to MGMT IP Config. Press Enter.
iv. Configure the MGT 1 IP address using the keyboard (accepts numeric entry).
v. Configure the NETMASK.
vi. Configure the GATEWAY IP.
vii. Save the network configuration.

NOTE: The remaining network configuration (DNS, etc.) can be entered through the GUI.

Repeat the initial configuration process for all remaining appliances.


Step 2: Connecting to the ESM via Web GUI

The McAfee SIEM is managed and maintained entirely through a web/Flash interface.

Following are the minimum requirements for a host connecting to the ESM:

Processor – P4-class Intel (not Celeron) or higher (Mobile/Xeon/Core2/Core i3/5/7) or AMD/AMD2 class or higher (Turion64/Athlon64/Opteron64/A4/6/8)
RAM – 1.5GB
Browser – IE7.x or later, Firefox 3.0.0.0+, Chrome 12.0.742.91+, Safari 5.1.7+

NOTE: Since some features of the web application utilize pop-up windows, it is recommended that you allow pop-ups for the IP address/hostname of the ESM.

Adobe Flash Player – Version 11.2.x.x or later

To log into the ESM, follow the steps below.

1. Open a web browser on your client computer.
2. Connect to the IP address specified in the previous section.
3. Accept the security certificate error.

NOTE: All McAfee SIEM appliances ship with a self-signed certificate. The customer can provide a valid security certificate through the GUI to avoid this certificate error.

4. Click the Login link on the page that opens. The McAfee ESM application will load and prompt you for a username and password.
5. Choose a default Language.
6. Enter the default username NGCP.
7. Enter the default password security.4u.
8. Accept the EULA.
9. You will then be prompted to change your password.
10. Enter security.4u in the current password field.
11. Enter and confirm a new password of your choice in the new password field.
12. Click OK. The Enable FIPS dialog will appear.

It is highly recommended that you NEVER enable FIPS mode unless absolutely necessary. FIPS mode must be selected the first time you log on to the system and cannot subsequently be changed after the initial installation.

13. Answer No to the FIPS dialog, then confirm by answering Yes to the Disable FIPS dialog.


14. Next, a dialog box will open with the following message:
15. Click OK. The McAfee ESM Startup screen will open.

Step 3: Completing the Initial ESM Configuration Wizard

The initial configuration of network settings (IP address, Netmask, Gateway) was sufficient to allow the basic log on via the web GUI. Additional configuration will be performed by the ESM setup wizard in the following dialogs.

1. Select the system logging language and the time zone setting for the NGCP user.
2. Click Next >.
3. Enter the appropriate DNS values for the ESM to perform name resolution.
4. Click Next >.


5. If a proxy server is required for the ESM to communicate to the Internet, enter the appropriate proxy server settings.
6. Click Next >.
7. If additional static routes are required for the ESM to communicate, add them from the current screen.
8. Click Next >.


9. If a local Time Server is available, replace the default NTP server IP addresses with a valid network time server address.
10. Click Next >.
11. Enter the Customer ID and Password provided during POC registration to allow automatic rule updates, place a check in the Auto Check box and select the update interval.
12. Click Finish.
13. You may see a dialog box indicating that IP address changes were made that will require redirection. Click OK.
14. A dialog box will appear indicating that the settings will be saved and services on the ESM will be restarted. When asked to continue, click Yes.
15. Once the ESM services have restarted, re-enter your password to complete the ESM setup wizard.


Step 4: Performing a Manual Rules Update

For SIEM deployments that do not have access to the public Internet from which to download new rules, a manual rule update can be performed using the following steps.

1. Download the appropriate rule update file from the McAfee products website.

McAfee [Customer/Partner/SE] Resources – SIEM – MFE Nitro Rules Downloads

NOTE: Rule updates are version-specific. Make certain to download the rules update file for your version of McAfee SIEM. GTI subscription updates can only be downloaded via the automated rules update process and cannot be manually updated.

2. From the Rules and Software window, click the Manual Update button. A file upload window will open.
3. Next, browse to the location of the rule update file from Step 1 and click Upload.

When the rule update has completed you may see the following pop-up dialog window:

NOTE: This dialog may also appear upon future logins to the SIEM after rule updates have been recently applied.

To confirm the last successful update of new rules, check the status on the ESM System Properties window.


Step 5: Configuring Event, Flow and Log Retrieval Polling Interval

Events and flows collected by an Event Receiver are stored locally until requested by the ESM. The frequency with which this happens is user definable. By default, this polling interval is 10 minutes. When the interval is reached, all new data is synchronized from the Event Receiver to the master database residing in the ESM.

The best practice in a POC is to reduce this time value to between 1 and 5 minutes to provide a more real-time analysis of collected event and flow data.

The following steps describe the process.

1. Click the ESM System Properties button in the upper right of the interface.
2. Click Events, Flows and Logs. The Events, Flows and Logs window will open.
3. Adjust the Auto check interval to 5 minutes.
4. Click OK.


Step 6: Configuring ESM Data Allocation Policy

Each McAfee SIEM ESM allocates storage for both Event and Flow data. By default, the ratio of events to flows is 50:50 by volume. Most SIEM deployments require a higher percentage of event allocation than flow.

In order to adjust the database allocation ratio to favor larger event volume, follow these steps.

1. Click the ESM System Properties button in the upper right of the interface.
2. Select the Database menu from the list of options on the left. Then click the Data Allocation button.
3. In the Data Allocation window that opens, configure the appropriate event:flow ratio by sliding the arrow right or left. Right indicates a higher ratio of event data – Left indicates a higher ratio of flow data.
4. Click OK.


Step 7: Configuring ESM SMTP Mail Settings

The McAfee SIEM provides the ability to send email notifications based on alarm conditions as well as deliver scheduled forensics and analysis reports to named recipients. This requires that the ESM be configured with an operational SMTP server through which email messages will be delivered.

To configure the SMTP server settings, follow these steps.

1. From the ESM System Properties window, select the Email Settings menu option.
2. Enter the necessary configuration settings including the email host, SMTP port, TLS (if required by the SMTP server), username/password, title (to be used in the email message subject line) and the from address.
3. Confirm the SMTP settings are correct by pressing the Send Test Email button and providing a destination email account to which the test email will be sent.
4. Click OK to save the SMTP settings.


Step 8: Configuring ESM Backup Settings [Optional]

By default, the McAfee SIEM performs automatic backups of the ESM configuration every 7 days. The default backup location resides on the ESM appliance. It is generally best practice to schedule data and log backups in addition to configuration backups to a secondary host storage platform. This ensures that a reliable restoration can be performed in the unfortunate event of a catastrophic failure of the ESM and that the backup files do not consume precious storage on the ESM.

To configure the ESM backup settings, follow these steps.

1. From the ESM System Properties window, select the System Information menu option.
2. Click Backup & Restore. The Backup & Restore window will open.
3. Update the backup frequency (default every 7 days).
4. Select Backup Data for Events and Event Logs.
5. Select the radio button for Remote Location and provide the necessary CIFS/NFS location details including the remote IP address, share name, path, and credentials (CIFS only).
6. Confirm the ESM can communicate to the remote location using the Test Connection button.


Step 9: Adding (Keying) Additional SIEM Appliances

NOTE: This step may be skipped if the POC platform being evaluated is limited to an All-in-One (AIO) platform such as the ESM/REC/ELM, since that appliance has the combined functionality of the ESM, Event Receiver and Log Manager. If an AIO appliance is being installed AND additional appliances are to be evaluated (ACE, DEM, ADM, dedicated ELM), then this step must be performed.

The McAfee SIEM solution is comprised of several platforms, each performing a specialized function. The combined value of all of the discrete components makes the McAfee SIEM solution stand apart from any competitive solution.

The process of connecting additional appliances to the McAfee SIEM platform is known as ‘keying’ since the provisioning activity creates/exchanges a unique SSH key for each attached device. This ensures a secure, encrypted path of communication between the ESM and all subordinate SIEM appliances.

The following steps must be completed for each subordinate appliance added to the SIEM environment.

1. Click the Add Device button from the Actions Toolbar in the upper right of the user interface.

NOTE: The Actions Toolbar is context-sensitive and will change based on the object selected in the system tree. Be certain to have either the Physical Display or the Local ESM selected for this step.

2. From the Add Device Wizard window, select the subordinate device to be added (e.g. McAfee Event Receiver).
3. Click Next >.
4. Provide a unique name for the device being added. This will be the name used in the System Tree.
5. Click Next >.
6. Provide the IP address and communication port assigned to the appliance.

NOTE: The default communication port assigned to all McAfee SIEM appliances is 22. This can be modified to a TCP port of the customer’s choosing, though all communication between the ESM and a subordinate SIEM appliance will still utilize the SSH/SCP application protocol. Make certain that any firewall or network device placed between the two devices has the appropriate rules and/or ACL filters required to permit communication on this port.

7. Click Next >.


8. Click the Key Device button.
9. Provide a customer-assigned password for the device. The root user account on the subordinate appliance will be assigned this password.

NOTE: It is helpful for administrative purposes to assign the same password to the NGCP account as well as all subordinate device keys.

10. Click Next >.
11. When the device has been successfully keyed, a confirmation window will open offering to Export Key or view the device Properties.
12. Click Finish.
13. Repeat this process for all subordinate devices to be added as part of the POC.

NOTE: If during the keying process an error dialog is displayed claiming the SSH connection failed, or a similar error message, follow these steps to troubleshoot.

1. Confirm that network link connectivity exists between the new device (MGMT NIC 1) and a working switch port.
2. Confirm that the network switch port connecting the ESM and the switch port connecting the new device are either on the same VLAN or, if separated by a layer 3 device, that the appropriate routing is configured to support communication between the two devices.
3. If the ESM and the device being added are separated by a firewall or IPS, make certain there are no traffic rules that would prevent communication over the designated port (default: 22).
4. If the POC deployment is taking place in an ESX-based virtualized environment, it may be necessary to simply repeat the keying process a second time. In many cases the first attempt creates the ARP entry in the vSwitch, and only on the second attempt is traffic passed between the ESM and the new SIEM device, permitting the proper key exchange.


Step 10: Configuring Event Inactivity Settings

The McAfee SIEM can generate a health status alert when a device stops communicating or when a configured data source stops collecting events for a specified period of time – by default 30 minutes. It is helpful in POC deployments to disable the inactivity timer as the event volumes typically observed in evaluations may be lower than a production SIEM.

The following steps should be performed to disable the Event Inactivity settings.

1. Click the System Properties button in the upper right of the interface.
2. Click Events, Flows & Logs. The Events, Flows & Logs window will open.
3. Click the Inactivity Settings button. The Inactivity Threshold window will open.
4. Place a check in the Inherit option box for the ESM object. This will force all devices and subsequent data sources added to the SIEM to inherit the System Inactivity Threshold which is set to Days: 0, Hours: 0, Minutes: 0.

This effectively disables the SIEM Inactivity health status warnings.


Step 11: Adjusting Default Port Index Settings

The McAfee SIEM is configured, by default, to index only ports 1-1024. This will sometimes be exhibited in the user interface as a value described as ‘others’. Best practice in a POC is to enable indexing for all ports.

The following steps must be followed to enable indexing on all ports.

1. Click the System Properties button in the upper right of the interface.
2. Click Database.
3. Click Settings. The Database Indexing window will open.
4. Click the word Custom under the Events/Port heading. An option box will open.
5. Click All from the option box.
6. Repeat the process for Flows/Port, modifying the setting from Custom to All.
7. Click OK.


Configuring Common Data Sources for Event Collection

Multi-vendor event collection is performed by the McAfee Event Receiver. Each device from which event, flow or log data is to be collected must be defined as a Data Source on a specific Receiver.

There are several methods that can be used to add a Data Source to an Event Receiver for collection: one at a time from the Action Toolbar, multiple sources from the Data Source section of the Event Receiver Properties window, bulk creation via CSV file import, and Auto Learn.

The following steps will describe the simplest way to add a single Data Source to a Receiver to begin event and log collection (one at a time from the Action Toolbar) as well as any additional configuration steps required to perform event/log/flow collection by the SIEM.

Configuring a SYSLOG Data Source

Most POC deployments will require at least one Data Source of type SYSLOG. Most event sources such as firewalls, intrusion detection/prevention systems and Linux hosts will support forwarding logs and events to a collection platform; in this case the McAfee Event Receiver will be the destination of all forwarded events.

NOTE: As an example, the following steps would be necessary to add event collection for a Linux host via SYSLOG.

1. Configure the Linux Data Source to forward all necessary events and logs to the IP address assigned to the Event Receiver. Refer to the vendor-supplied instructions for each Data Source to determine the appropriate steps necessary to perform this event forwarding.
2. From the System Tree, select the Event Receiver on which you will be configuring the SYSLOG Data Source.
3. Click the Add Data Source button from the Action Toolbar located in the upper left of the interface. The Add Data Source window will open.


4. From the Data Source Vendor dropdown menu, select UNIX.
5. From the Data Source Model dropdown menu, select Linux (ASP).
6. Enter a Name to be used for this Data Source.
7. Enter the IP Address from which this Data Source will be sending SYSLOG data.
8. Set the appropriate Time Zone in which this Data Source resides.

NOTE: Most Data Sources do NOT require any modification to the Data Format, Data Retrieval method, SYSLOG Relay, Mask or any additional fields presented in the Add Data Source dialog.

9. A dialog box will open warning that a Policy Rollout will be required for this Data Source to properly function. Click Yes.


10. A dialog box will open indicating that the new Data Source configuration must be written to the Receiver. Click Yes.
11. A dialog box will open offering to roll out policy to the newly created Data Source. Click OK.
12. Once complete, a dialog box will open indicating the successful rollout of the new policy. Click Close.
13. To confirm event collection from the newly created Linux Data Source, select the Linux Host from the Device Tree.
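Step 1 above defers to the vendor documentation for the forwarding side. As an added example that is not part of the McAfee guide, the following POSIX shell functions generate the rsyslog forwarding fragment a Linux host needs to send its logs to the Receiver, over TCP with a disk-assisted queue so events are spooled locally rather than dropped while the Receiver is unreachable. It assumes the host runs rsyslog and that the Receiver listens for syslog on 514/tcp; the drop-in file name 90-mcafee-receiver.conf is our choice.

```shell
#!/bin/sh
# Added example (not from the McAfee guide): build the rsyslog forwarding
# fragment for a Linux SYSLOG Data Source. Assumptions: the host runs rsyslog,
# the Event Receiver accepts syslog on 514/tcp, and the drop-in file name
# 90-mcafee-receiver.conf is ours. The Receiver matches events to the Data
# Source by source IP (step 7), so the host must reach it directly, not via
# NAT, unless the SYSLOG Relay field is used.

# Accept only a dotted-quad IPv4 address so a typo cannot silently send the
# host's logs to the wrong destination.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the forwarding fragment for Receiver $1 on port $2 (default 514).
# The classic "*.* @ip" form uses UDP and drops events while the Receiver is
# down; omfwd over TCP with a disk-assisted queue retries forever and spools
# to disk instead, so the gap is filled once the link returns.
rsyslog_forward_conf() {
    receiver=$1
    port=${2:-514}
    valid_ipv4 "$receiver" \
        || { echo "invalid Receiver address: $receiver" >&2; return 1; }
    cat <<EOF
# Forward all facilities/severities to the McAfee Event Receiver at $receiver
*.* action(type="omfwd" target="$receiver" port="$port" protocol="tcp"
           queue.type="LinkedList" queue.filename="mcafee_receiver_fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Write the fragment into the rsyslog drop-in directory ($2, default
# /etc/rsyslog.d). The address is validated first so bad input never leaves
# an empty or partial file behind. Prints the path written.
write_forwarding_conf() {
    dir=${2:-/etc/rsyslog.d}
    valid_ipv4 "$1" || return 1
    target="$dir/90-mcafee-receiver.conf"
    rsyslog_forward_conf "$1" > "$target" || return 1
    echo "$target"
}
```

After writing the file, rsyslogd -N1 syntax-checks the configuration and a restart of rsyslog applies it.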


Creating a Windows Data Source Profile

The McAfee SIEM provides a facility to store commonly used profiles for such attributes as Windows Account Credentials and data storage mount parameters (CIFS, NFS, etc.). This allows the SIEM administrator to enter the required profile information in a central location which is later referenced by the SIEM when necessary.

One of the most useful profiles to configure is that of a Windows Data Source. The Windows profile stores the credentials and log collection details that can later be used when defining a Windows (WMI) data source in the Event Receiver. By using a profile during the creation of a Windows data source, the SIEM operator need not enter the credentials but instead assigns the attributes of the profile to the data source. This also allows the credentials to be maintained in a central location: any modifications to the username/password can be made once within the profile, and all data sources making reference to the profile will automatically utilize the modified values.

The following steps must be taken to create a Windows Data Source Profile.

1. Click the System Properties icon from the Quick Launch menu in the upper right of the interface.
2. Click Profile Management.
3. Click the Add button. The Add System Profile window will open.
4. From the Profile Type dropdown menu, select Data Source.
5. From the Profile Agent dropdown menu, select Windows.
6. Enter a Profile Name.
7. Enter a Username. This can be a local account or a domain account.
8. Enter a Password.
9. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.
10. Click OK. Close the System Properties window.


Configuring a Windows Data Source

There are several methods that can be used to add a Data Source to an Event Receiver for collection: one at a time from the Action Toolbar, multiple sources from the Data Source section of the Event Receiver Properties window, bulk creation via CSV file import, and Auto Learn.

The following steps will describe the simplest way to add a single Data Source to a Receiver to begin event and log collection: one at a time from the Action Toolbar.

1. From the System Tree, select the Event Receiver on which you will be configuring the Windows Data Source.
2. Click the Add Data Source button from the Action Toolbar located in the upper left of the interface. The Add Data Source window will open.
3. To use the Windows Data Source Profile created in the previous step:
   a. Place a check mark in the Use System Profiles option box. The Add Data Source window will populate the Data Source Vendor (Microsoft), Data Source Model (WMI Event Log), Username, Password and Event Log details defined in the Profile.
4. To define a Windows Data Source without using a profile:
   a. From the Data Source Vendor dropdown menu, select Microsoft.
   b. From the Data Source Model dropdown menu, select WMI Event Log.
   c. Enter a Username with sufficient privileges to connect to the Windows host and retrieve the WMI logs.
   d. Enter the Password.
   e. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.
5. Enter a Name to be used for this Data Source.
6. Enter the IP Address for the Windows host.

NOTE: For Windows hosts that acquire an IP address from DHCP, this field can be left blank. The SIEM will perform a DNS lookup using the hostname to obtain the current IP address at each polling interval.

7. Enter the NETBIOS Name assigned to the Windows host. Example: If the DNS name is hostname.domain.com, the NETBIOS name will likely be just hostname.


8. Click the Connect button to test the connection to the Windows Data Source.
9. If the connection attempt is successful, a dialog box will open indicating that the Windows Data Source is correctly configured to support event collection from the Windows host AND that the credentials provided are sufficient to retrieve the defined WMI logs.
10. If the connection attempt fails, a dialog box will open to provide details that can be used to troubleshoot the connection. Common connection problems include an incorrect IP Address or NETBIOS name, improper user credentials or insufficient user privilege necessary to retrieve the defined WMI log source. Correct any errors and re-test the WMI connection until the response is successful.


11. Once the WMI Connection Test is successful, click OK. The Apply Data Source Settings dialog box will open.
12. Click Yes to apply the Windows Data Source configuration to the Event Receiver.
13. Once the Windows Data Source has been written to the Event Receiver, a dialog box will open to confirm. Click Close.
14. Since a new event collection source has been configured on the Event Receiver, the policy must be rolled out to support the event formats associated with the Windows Data Source. The Rollout Policy window will open listing the Data Sources defined on the Event Receiver that must be applied for event collection to begin.

NOTE: Some Data Sources in the list may read ‘Skip – This policy is up to date’ while others, like the Windows Data Source recently added, will read ‘Roll this policy out now.’ The SIEM is intelligent enough to know which Data Source policies are new or recently modified and must be rolled out, and will skip those policies that are current.

Click OK to roll out policy to the Event Receiver Data Sources.


Creating a McAfee ePolicy Orchestrator Data Source

The McAfee SIEM supports event collection from ePolicy Orchestrator via a connection to the ePO SQL database. To define an ePO Data Source connection, you will require a SQL account on the ePO database server with sufficient privilege to read from the ePOEvents table.

The following outlines the configuration steps required on the ePO Database server.

1. Ensure that a SQL Login account is available with appropriate privilege to the McAfee ePO database. For this example, an account named ‘epo’ has been created using SQL authentication and a Default Database set to that of the ePO database.
2. Configure the appropriate User Mapping, granting Public and db_datareader roles to this user.


The following outlines the configuration steps required to add the ePO Data Source to the McAfee SIEM running version 9.2.0 or higher.

1. With the Physical Display selected on the System Tree, click the Add Device button from the Action Toolbar located in the upper left of the interface. The Add Device Wizard window will open.
2. From the Add Device Wizard window, select McAfee ePolicy Orchestrator (v4.6 or newer) and click Next.

NOTE: Depending upon the appliance deployed in the POC, some of the device options may not be available, as indicated by the device type being greyed out. This is expected in POC installations deployed using an All-in-One combo appliance.


3. Enter a Name for this ePO Data Source.

NOTE: Each application installed in ePO (VSE, HIPS, etc.) will be added to the ePO data source as children using this name as a prefix. Example: McAfee ePO_VirusScan, McAfee ePO_Application and Change Control, etc. To prevent these child data source names from becoming truncated, use a short descriptive name for the parent ePO data source.

4. Click Next.


The ePO data source requires information relating to both the ePO Application Server and the ePO Database Server. In some ePO deployments this may be the same host; however, appropriate credentials must be supplied individually for each. Application credentials are used for the purposes of connecting to the ePO server to apply policy tags, while database credentials are used by the SIEM to retrieve events for analysis, correlation and reporting.

The Wizard will prompt you for both the Application details as well as the Database details on separate windows, starting with the ePO Application information.

5. Select the Receiver on which this ePO data source will reside.
6. Enter the IP Address of the ePO Application Server.
7. Enter the appropriate Application Port (default is 8443).
8. Enter the Application Username.

NOTE: The ePO user provided must have Group Admin privileges assigned within ePO.

9. Enter the Password assigned to this ePO user.
10. Click the Connect button to test the connection to the ePO application. If the connection is completed successfully, a confirmation dialog box will open. Click Close. If the connection test is unsuccessful, verify the ePO user credentials and privileges.
11. Click Next.


The Wizard now prompts you for the ePO Database details.

12. Enter the IP Address of the ePO Database Server.
13. Enter the User ID of the SQL Login Account created earlier.
14. Enter the Password assigned to the SQL Login Account.
15. Enter the appropriate SQL Communication Port (default is 1433).
16. Enter the ePO Database Name.

NOTE: If the ePO Database Name contains a hyphen, the value entered MUST be surrounded by square brackets. Example: [ePO4_MCAFEE-123]

17. If multiple SQL instances are present on this database server, enter the unique Database Instance associated with ePO.
18. Click the Connect button to test the connection to the ePO database. If the connection is completed successfully, a confirmation dialog box will open. Click Close. If the connection test is unsuccessful, verify the SQL credentials and privileges.
19. Click Next.


20. A dialog box will open regarding the use of McAfee Risk Advisor data within the SIEM. The McAfee SIEM can utilize Risk Advisor asset reputation scoring as a component of a Risk Correlation policy. If Risk Advisor is present in the ePO installation AND if the Advanced Correlation Engine is being deployed with the SIEM, click Yes.
21. Once complete, the Add Device Wizard will present a status window indicating that the ePO data source was successfully added and configured.
22. Click Finish.
23. Expand the new ePO Data Source in the Device Tree to confirm the connection to the ePolicy Orchestrator host and to identify the McAfee products that were found to be installed.


Configuring Advanced ePO Integration

The McAfee SIEM supports the ability to launch ePO directly from the SIEM interface to view endpoint details as defined within ePolicy Orchestrator. The following outlines the steps necessary to complete this configuration.

NOTE: This configuration example assumes a single ePO server with a local SQL database. In configurations where the ePO server is connected to a secondary SQL DB server, please contact McAfee support for assistance.

1. Click the Asset Manager icon from the Quick Launch menu in the upper right of the interface.
2. Select the Network Discovery tab.
3. Next click the Homenet button.
4. In the Homenet dialog box that appears, enter the subnet(s) that represent the ePO ‘managed endpoints’.

NOTE: CIDR notation can be used to identify subnet ranges and multiple address ranges can be identified using a comma-separated array.

5. Click OK to accept the Homenet settings.
6. Click OK to close the Asset Manager.


Testing Advanced ePO Integration

Once the McAfee SIEM has been configured with at least one ePO data source and the Homenet value has been defined within the Network Discovery section of the Asset Manager, the SIEM will allow the operator to launch the ePO interface from within the Security Management platform to view asset details specific to a given endpoint.

1. From the SIEM user interface, select an IP address representing a managed asset within ePO.
2. Click the Menu button in the upper left of the Source IP Address component.
3. From the menu that appears, select Actions, then View in ePO.
4. If multiple ePO servers are defined in the McAfee SIEM, an additional dialog box will open requiring you to select the ePO server to launch. Make the appropriate selection and press OK.


5. The ePO interface will open in a new browser window requiring authentication. Enter the appropriate ePO credentials to log into the ePolicy Orchestrator interface.
6. Once authenticated, the ePO asset information window will open displaying the information related to the endpoint selected in the McAfee SIEM.


In addition to viewing the managed endpoint within ePO, McAfee SIEM also supports the assignment of ePO policy tags directly to assets from within the SIEM console.

1. From the SIEM user interface, select an IP address representing a managed asset within ePO.
2. Click the Menu button in the upper left of the Source IP Address component.
3. From the menu that appears, select Actions, then ePO Tagging.
4. Select an appropriate policy tag from the list and click the Assign button. Optionally, the client wakeup can be performed by the SIEM once the ePO policy tag has been assigned to the endpoint.


Advanced SIEM Configuration

The following section details some of the more common advanced configuration or maintenance tasks of the McAfee SIEM.

Preparing for a SIEM Software Update

Once all subordinate SIEM devices have been keyed to the ESM, consider the requirement to perform any updates to the platform codebase. McAfee SE resources as well as customers can refer to the Product Download pages on the McAfee website to determine the latest code version available for the SIEM.

NOTE: Important information relating to the SIEM update process can always be found in the version release notes. Make certain to carefully read the published documentation prior to initiating the update process.

Code updates are made available as a single tarball file, along with a corresponding hash file that can be used to confirm the validity and consistency of the file downloaded. Each discrete platform in the McAfee SIEM suite has a unique code update path. Since ALL appliances connecting to the SIEM solution must be running the same version of code, it is important to obtain any/all tarball files necessary to perform an update to each of the appliances used in a POC.

The following table describes the SIEM appliance and corresponding upgrade file requirements.

Platform       Update Tarball                       Recommended Order
ESM            ESS_Update_X.x.x.signed.tgz          1
ESM/REC/ELM    ESSREC_Update_X.x.x.signed.tgz       1
REC            RECEIVER_Update_X.x.x.signed.tgz     2
ELM            RECEIVER_Update_X.x.x.signed.tgz     2
ACE            RECEIVER_Update_X.x.x.signed.tgz     2
ADM            APM_Update_X.x.x.signed.tgz          3
DEM            DBM_Update_X.x.x.signed.tgz          3

The McAfee ESM maintains a file repository into which all code update tarball files can be uploaded. Once uploaded, each tarball update can be applied to the appropriate device from within the SIEM user interface either individually or, in the case of multiple devices of the same type, en masse.

The order in which SIEM appliances are updated must be determined by reviewing the release notes published with each update. In most circumstances, when multiple appliances in a SIEM hierarchy are to be updated, it will be necessary to start with the ESM (or ESM/REC/ELM). Once complete, any Event Receiver appliances should be updated to the new version, including any ELM or ACE appliances since they share the same Receiver codebase. Lastly, any additional subordinate appliances such as ADM or DEM should be updated.

During most major (and some minor) updates, it will be necessary for the master ESM database to be rebuilt as part of the automated code update process. Depending upon the amount of data residing in the ESM database, this process can take anywhere from 30 minutes to several hours. In POC environments where the event volume will likely be minimal, the database rebuild process should complete in under an hour.


The following steps must be completed to perform a code update on one or more SIEM appliances.

1. Determine which update tarball files will be required and download them from the McAfee product download site. Example: This SIEM environment consists of a standalone ESM and a standalone REC. Both the ESS_Update and the RECEIVER_Update tarball files would be required.
2. Click the System Properties button in the upper right of the interface.
3. Click File Maintenance.
4. From the File Type dropdown menu, select Software Update Files.
5. Click the Upload button. The File Upload window will open.
6. Browse to the location of the tarball update. Select a single tarball file and click Upload.
7. Repeat for each update file until all required tarball images have been uploaded to the repository.


Performing a SIEM Software Update – ESM

1. Click on ESM Management.

2. Click the Update ESM button.

3. Select the ESS_Update_X.x.x signed tarball file.

NOTE: If the POC is being performed on an ESM/REC/ELM ‘combo’, select the ESSREC_Update_X.x.x signed tarball.

4. Click OK.

5. A dialog box will open warning that the ESM will reboot during the update process and all active connections will be dropped. Click Yes to proceed.

6. A dialog box will open indicating that the update process has been initiated and instructing you to close the browser window.

7. Click OK.

8. Close the browser window.

9. The ESM will reboot multiple times to perform the update process. Once the update is complete, open a web browser on your client computer.


10. Connect to the IP address of the ESM.

11. Click the Login link on the page that opens.

12. You will likely be prompted with a dialog box indicating that you must clear your browser cache. Press CTRL-SHIFT-DEL and clear the most recent browser cache.

13. Click the Login link once again. The McAfee ESM application will load and prompt you for a username and password.

14. If the ESM is still performing any portion of the code update, you may be presented with an error indicating that the system is ‘not ready’. Simply wait another minute and attempt once again to log into the SIEM.

15. Once the server is ready and your credentials are accepted, you will likely see a dialog box indicating that you have recently performed an upgrade and instructing you to read the necessary release notes to determine if additional actions are required.

16. Continue with the update process on each of the remaining SIEM appliances, starting with any Event Receiver devices (REC, ACE, ELM), then continuing with any remaining devices (ADM, DEM).

NOTE: If the POC is being performed on an ESM/REC/ELM ‘combo’, you can proceed to Step 12 as the ESSREC_Update tarball provides both the ESM as well as the REC feature update.


Performing a SIEM Software Update – REC, ELM, ACE, ADM, DEM

The following steps must be performed to update any subordinate SIEM appliances.

1. From the System Tree, select the appliance to be updated.

NOTE: A yellow flag icon shown beside an appliance is an indication that the device is ‘out of sync’ until it has been updated.

2. Click the Device Properties button from the Actions Toolbar. The device properties window will open.

3. Click Receiver Management.

4. Click the Update Device button. The Select Software Update File window will open.

5. Select the appropriate tarball update file.

6. Click OK.


7. A dialog box will open indicating that the device will reboot when the update process begins.

8. Click YES.

9. The device will restart. A dialog box will open, counting down from 3 minutes while the device update is applied.

NOTE: If the device has not completely updated after 3 minutes, the counter will restart. You must wait until the device has fully updated and communication has been restored to continue.

10. A dialog box will indicate the successful restart of the device once connectivity has been restored.

11. Click OK.

12. After the successful update of an Event Receiver appliance, it is necessary to perform additional configuration updates.

13. Click on Data Sources.

14. Click the Write button.


15. After successfully writing the Data Source configuration, a dialog box will open indicating the Command Executed Completely.

16. Click the Close button.

17. Click OK.

Repeat these steps to apply all necessary update tarball files to remaining subordinate devices.

Configuring Event-Specific Aggregation

Even with the Event Receiver event aggregation set to dynamic, there are certain events that should never be allowed to aggregate during a POC (and potentially in a production SIEM deployment). In particular, the following types of events should be set to NOT aggregate in order to guarantee the highest visibility for each event.

a. Authentication Events: events describing user login/logoff activities.

b. Exploit Events: events describing potential Exploit behaviors.

c. Malware Events: events describing potential Malware activities.

d. Correlated Events: events generated from the Correlation Engine.

The McAfee SIEM classifies each event collected in accordance with a default Normalization Taxonomy. The taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit, Informational, Malware, Policy, Recon, Suspicious Activity, System and unknown. Each first-tier group is then broken down further into sub-groups and even further as necessary, each lower tier representing a more specific event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications in that branch are included in the selection. This allows the operator to select a more general event group, such as Authentication, so that all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login, Database Login, Domain Login, etc.) of the Authentication parent are also included in the selection.

Additionally, it is recommended that event aggregation be disabled for all correlated events.

Rule-based event correlation performs pattern-matching using complex Boolean expressions to identify known patterns of possible attacks. Since each correlated event will correspond to a sequence of events analyzed by the SIEM, it is beneficial to maintain full granularity for all events generated by the McAfee correlation engine.

Custom aggregation can also be defined to tune specific event aggregation settings based on user-selected fields. Please refer to the ESM help documentation for more information regarding setting custom aggregation values.
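As an added illustration (not part of the McAfee guide), the following Python models what the Receiver's aggregation does with and without these branch-level Off settings: events sharing a signature and source/destination collapse into one record with a count, while anything classified under a disabled top-tier taxonomy branch, or produced by a correlation rule, is kept one-for-one. The taxonomy paths, signature names, addresses and events are constructed for the example.

```python
# Added example, not code from the McAfee SIEM guide. It models the aggregation
# decision described above: an event is exempt from aggregation when its
# normalized classification falls anywhere under a top-tier branch whose rules
# were set to Aggregation = Off, or when it was produced by a correlation rule.
from collections import OrderedDict

# Top-tier Normalized Taxonomy groups whose rules are set to Off in the steps.
NO_AGGREGATE_BRANCHES = ("Authentication", "Exploit", "Malware")


def aggregation_setting(normalized_path, disabled_roots=NO_AGGREGATE_BRANCHES):
    """'Off' if the classification sits under a disabled top-tier group, else
    'Inherit' (the Receiver's dynamic default). Path form: 'Top/Sub/Leaf'."""
    top = normalized_path.split("/")[0]
    return "Off" if top in disabled_roots else "Inherit"


def aggregate_events(events, disabled_roots=NO_AGGREGATE_BRANCHES):
    """Collapse events sharing (signature, src, dst) into one record carrying a
    count and the last-seen time; exempt events are passed through unchanged."""
    merged = OrderedDict()  # (sig, src, dst) -> merged record, first-seen order
    exempt = []
    for ev in events:
        if ev.get("correlated") or aggregation_setting(ev["norm"], disabled_roots) == "Off":
            exempt.append(dict(ev, count=1))
            continue
        key = (ev["sig"], ev["src"], ev["dst"])
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last_time"] = ev["time"]
        else:
            merged[key] = dict(ev, count=1, last_time=ev["time"])
    return list(merged.values()) + exempt


# Constructed sample events (signature ids, taxonomy paths and IPs are made up).
SAMPLE_EVENTS = [
    {"time": 1, "sig": "FW-ACCEPT", "norm": "Access/Firewall/Permit", "src": "10.0.0.5", "dst": "10.0.1.9"},
    {"time": 2, "sig": "FW-ACCEPT", "norm": "Access/Firewall/Permit", "src": "10.0.0.5", "dst": "10.0.1.9"},
    {"time": 3, "sig": "FW-ACCEPT", "norm": "Access/Firewall/Permit", "src": "10.0.0.5", "dst": "10.0.1.9"},
    {"time": 4, "sig": "WIN-LOGON-FAIL", "norm": "Authentication/Login/Domain Login", "src": "10.0.0.7", "dst": "10.0.1.2"},
    {"time": 5, "sig": "WIN-LOGON-FAIL", "norm": "Authentication/Login/Domain Login", "src": "10.0.0.7", "dst": "10.0.1.2"},
    {"time": 6, "sig": "IPS-OVERFLOW", "norm": "Exploit/Buffer Overflow", "src": "10.0.0.7", "dst": "10.0.1.2"},
    {"time": 7, "sig": "FW-DROP", "norm": "Access/Firewall/Deny", "src": "10.0.0.8", "dst": "10.0.1.9"},
    {"time": 8, "sig": "CORR-BRUTE-FORCE", "norm": "Suspicious Activity/Brute Force",
     "src": "10.0.0.7", "dst": "10.0.1.2", "correlated": True},
]


def records_stored(events, disabled_roots=NO_AGGREGATE_BRANCHES):
    """Number of records the ESM would hold after Receiver aggregation."""
    return len(aggregate_events(events, disabled_roots))


if __name__ == "__main__":
    for rec in aggregate_events(SAMPLE_EVENTS):
        print(f"{rec['sig']:18} {rec['norm']:36} count={rec['count']}")
    # With the Off settings: 8 raw events become 6 records; without them, 5.
    print("raw:", len(SAMPLE_EVENTS), "stored:", records_stored(SAMPLE_EVENTS))
```

Passing an empty `disabled_roots` shows the difference the Off settings make: the two failed domain logons collapse into a single record with a count of 2, which is exactly the detail an analyst loses during a POC.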


The following steps must be followed to disable event-specific aggregation for these normalized event categories.

1. Click the Policy Editor button from the Navigation Bar located in the upper right of the user interface. The Policy Manager window will open.

NOTE: The policy manager groups events into various Rule Types including Advanced Syslog Parser, Data Source and Windows Events. The following steps will need to be performed against each of these event type branches.

2. Expand the Receiver object from the Rule Types panel and select Data Source.


3. Click the Advanced bar at the bottom right of the Policy Editor window beneath the Filters/Tags panel. This will hide the Tags and display the Advanced filters panel.

4. Click the Filter button to the right of the Normalized ID form field. The Filter Variables window will open to display the top-tier Normalized event categories.

5. While holding the CTRL key, select each of the Normalized categories – Authentication, Exploit and Malware.

6. Click OK.

7. This will populate the Normalized ID form field with the IDs associated with the selected event categories.


8. Click the Run Query icon to refresh the list of Advanced Syslog Parser rules, which will now be filtered to display ONLY those event rules matching the categories selected from the Normalized Taxonomy filter.

9. To disable Event Aggregation for the refined list of Data Source rules, click the Aggregation column heading. The action window will open to present three options – Inherit parent value, On (enable) or Off (disable).

10. Click the Off menu option.

11. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.

12. Click Yes to confirm the modification.

13. All Data Source rules in the filtered list will now have the Aggregation attribute set to Off (disabled).


14. From the Rule Types panel, select Windows Events.

NOTE: The filter panel will preserve the current selection of Normalized categories. The resulting list of Windows Event rules will inherit the previous filters of Authentication, DoS, Exploit and Malware.

15. Once again, click the Aggregation column heading. The action window will open to present three options – Inherit parent value, On (enable) or Off (disable).

16. Click the Off menu option.

17. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.

18. Click Yes to confirm the modification.

19. All Windows Event rules in the filtered list will now have the Aggregation attribute set to Off (disabled).


20. From the Rule Types panel select Correlation.

21. Next, clear the filters by clicking the orange funnel icon in the upper right of the Correlation Rules panel.

22. Once again, click the Aggregation column heading. The action window will open to present three options – Inherit parent value, On (enable) or Off (disable).

23. Click the Off menu option.


24. A dialog box will open, prompting for confirmation to modify the settings for the entire list of filtered rules.

25. Click Yes to confirm the modification.

26. All Correlated rules in the list will now have the Aggregation attribute set to Off (disabled).

NOTE: If the Event Receiver is already configured with any Data Sources, it will be necessary to perform a Policy Rollout after making changes to the rule Aggregation settings. To do so, complete the following additional steps.

a. Click the Rollout icon on the Action Bar in the upper right of the Policy Editor window. The Rollout window will open.

b. Click OK.

c. The new Aggregation settings will be rolled out to all Event Receiver data sources.

d. Close the Policy Editor.


Configuring Rule-Based Correlation on an Event Receiver

Rule-based Event Correlation can be performed on any available McAfee Event Receiver and/or on a dedicated Advanced Correlation Engine appliance. In a POC where an ESM/REC/ELM combo is being deployed, OR when a dedicated ESM and REC are used without an ACE, the following steps must be followed to enable rule-based event correlation on the Event Receiver as a data source.

1. Click on any available Event Receiver from the System Tree.

2. Click the Add Data Source button from the Actions Toolbar. The Add Data Source window will open.

3. From the Data Source Vendor dropdown, select McAfee.

4. From the Data Source Model dropdown, select Correlation Engine.

5. Enter a Name for this Correlation Data Source.

6. Click OK.

7. A dialog box will open indicating that Data Source Settings have changed and must be applied to the Event Receiver. Click Yes.

8. When the Data Source Settings have been written to the Event Receiver, a dialog box will provide confirmation. Click Close.

9. Since each Data Source must have a policy applied, the Rollout window will appear. It is a requirement that policy be properly rolled out to the Event Receiver and all corresponding Data Sources after making any changes. Click OK.


Connecting the SIEM to a Windows Domain Controller

One of the most relevant forms of event context in a SIEM is user identity, and the most common source for this context in an enterprise is typically the Active Directory database maintained by a Windows Domain Controller. By connecting the DC to the SIEM, operators can issue filtered queries against specific domain users and/or groups, as well as include user and group context within a correlation rule. Examples of this will be provided in a later section of this document.

To connect the SIEM to a Windows DC, the following steps must be taken.

1. Click on the Asset Manager icon from the Quick Launch menu. The Asset Manager window will open.

2. Select the Asset Sources tab.

3. Select the ESM object from the list of available devices. It is from this device that the Active Directory connection will be made.

4. Click the Add button.

5. Enter a Name for the Domain Controller.

6. Enter the IP Address of the Domain Controller.

7. Enter an authorized Username in the format [email protected].

8. Enter the Password used by this user to authenticate.

9. Enter the appropriate Search Base that will be used to enumerate the domain groups and users. Example: dc=domain,dc=tld.

10. Configure the retrieval interval and time. The default settings will query the Active Directory once daily at midnight.

11. Click the Connect button to test the connection to the Domain Controller.


12. If the connection test is successful, a dialog box will open to confirm. Click OK.

13. If the connection to the Domain Controller is unsuccessful, a dialog box will open indicating that the connection test failed. If this happens, confirm the IP address of the Domain Controller, the port number across which the LDAP query will occur (default 389), the username (in the correct [email protected] format), the password and the Search Base. Determine from the customer if TLS is required to connect to this Domain Controller and, if so, enable it using the check box provided on the Asset Data Source form.

14. Once the connection test to the Domain Controller is successful, click OK.

15. Click the Write button in the bottom left of the Asset Sources window. The Writing changes to device window will open.

16. After the changes have been successfully written to the device, click Close.

17. Select the newly created Active Directory Domain Controller from the list of available asset sources.

18. Click the Retrieve button.


19. A dialog box will open indicating that the Active Directory user and group data is being retrieved. Depending on the size of the customer Active Directory, this process may take several minutes or longer to complete.

20. When the Active Directory data retrieval has successfully completed, a dialog box will open. Click OK.

21. Close the Asset Manager window.

To confirm the successful retrieval of Active Directory user and group information, follow these steps.

1. Scroll down the list of objects in the Filter Panel to the Source User form field.

2. Click the Filter icon beside the Source User field. The Filter Variables window will open. You should see the domain from which you retrieved user and group information.

3. Expand the domain object to display the groups enumerated from the Active Directory.

4. Expand the group Administrators.Builtin to see a list of Active Directory administrators.

Now that the Active Directory users and groups have been enumerated into the SIEM, their values can be used in future filter queries, correlation rules and reports.


Conclusion

Your McAfee SIEM environment is now installed and configured, and you have begun the process of tailoring it to meet your business requirements. Next steps from here will include outlining your initial use cases, importing necessary content, and developing processes for monitoring and remediation.

You can find more assistance, documents, and videos at the McAfee Community:

https://community.mcafee.com/community/business/siem