McAfee SIEM
Security Information & Event Management Platform
Appliance-Based
When a POC is intended to demonstrate functionality as well as performance, it is typical that the
request will be satisfied using one or more physical appliances. Each hardware appliance will
require dedicated power, rack space and host network connectivity.
Additionally, some of the SIEM platforms (ADM/DEM) require additional network connectivity to
perform promiscuous traffic collection from a switch SPAN/Tap port. If these platforms are to be
included in the evaluation, proper switch configuration must be provisioned in advance of the POC.
VMware/ESX-Based
Some POC engagements may be satisfied using a virtual server configuration. A standard ESX virtualized environment can be used to demonstrate one or more of the SIEM solutions, each provisioned as a VM guest. This reduces the operational requirements on the customer considerably: rack space, power and network connectivity shrink to those of a single 2u host, while the entire value proposition and performance of the McAfee SIEM platform can still be demonstrated.
This guide will discuss the requirements for both an Appliance-based POC as well as a VMware-
based configuration.
Proof of Concept Setup Guide McAfee SIEM
Table of Contents
Proof of Concept Setup Guide  1
McAfee SIEM  1
A McAfee SIEM Architecture Primer  4
  ESM - Enterprise Security Manager  4
  REC - Event Receiver  4
  ELM - Enterprise Log Manager  4
  ESM/REC/ELM  5
  ACE - Advanced Correlation Engine  5
  ADM - Application Data Monitor  5
  DEM - Database Event Monitor  5
Getting to Know the Intel Hardware  6
  Standard 2u Appliance - Rear  6
  Front Bezel  6
Installation and Configuration of VM Images  7
Step 1: Initial Power-Up and Configuration  13
Step 2: Connecting to the ESM via Web GUI  14
Step 3: Completing the Initial ESM Configuration Wizard  15
Step 4: Performing a Manual Rules Update  18
Step 5: Configuring Event, Flow and Log Retrieval Polling Interval  19
Step 6: Configuring ESM Data Allocation Policy  20
Step 7: Configuring ESM SMTP Mail Settings  21
Step 8: Configuring ESM Backup Settings [Optional]  22
Step 9: Adding (Keying) Additional SIEM Appliances  23
Step 10: Configuring Event Inactivity Settings  25
Step 11: Adjusting Default Port Index Settings  26
Configuring Common Data Sources for Event Collection  27
Configuring a SYSLOG Data Source  27
Creating a Windows Data Source Profile  30
Configuring a Windows Data Source  31
Creating a McAfee ePolicy Orchestrator Data Source  34
Configuring Advanced ePO Integration  40
Preparing for a SIEM Software Update  44
Performing a SIEM Software Update - ESM  45
Performing a SIEM Software Update - REC, ELM, ACE, ADM, DEM  48
Configuring Event-Specific Aggregation  50
Configuring Rule-Based Correlation on an Event Receiver  57
Connecting the SIEM to a Windows Domain Controller  58
A McAfee SIEM Architecture Primer
The following list details the entire suite of available SIEM components.
ESM - Enterprise Security Manager
The McAfee ESM is the brains of the McAfee SIEM solution. It hosts the web interface through which all SIEM interaction is performed, as well as the master database of parsed events used for forensics and compliance reporting. It is powered by the McAfee EDB proprietary embedded database, which McAfee rates at more than 400% faster than leading commercial or open source databases.
All McAfee SIEM deployments must start with at least one ESM (or an ESM/REC/ELM combo appliance).
REC - Event Receiver
The McAfee REC is used for the collection of all third-party event and flow data.
Event collection is supported via several methods:
1. Push: the data source sends its event/log data directly to the Receiver, for example via syslog.
2. Pull: event/log data is collected from the data source by the Receiver using SQL, WMI, etc.
3. Agent: data sources are configured to send event/log/flow data using a small-footprint agent such as SNARE, Lasso or OPSEC.
The Event Receiver can also be configured to collect scan results from existing vulnerability assessment platforms
such as McAfee MVM, Nessus, Qualys, eEye, Rapid7, etc. In addition, the REC supports the configuration of rule-
based event correlation as an application running on the Receiver.
McAfee Event Receivers come as physical appliances with EPS ratings ranging from 5k to 22k, as well as VM-based models with event collection rates ranging from 250 to 1k EPS.
Multiple REC appliances (or VM platforms) can be deployed centrally to provide a consolidated collection
environment or can be geographically distributed throughout the enterprise. Typical deployment scenarios will
locate an Event Receiver in each of several data centers, all of which will feed their collected events back to a
centralized ESM (or to multiple ESM appliances for redundancy and disaster recovery purposes).
ELM - Enterprise Log Manager
The McAfee ELM stores the raw, litigation-quality event/log data collected from data sources configured on Event Receivers. In SIEM environments where compliance is a success factor, the ELM is used to maintain the chain of custody for events and to support non-repudiation of the stored records.
In addition to providing compliance-grade raw event archival, the ELM also maintains a full-text index (FTI) of all event details, so the McAfee SIEM can perform ad-hoc searches against the unstructured data held in the archive.
ESM/REC/ELM
The ESMRECELM - also called an All-in-One (AIO) or a combo box - provides the combined functions of the
McAfee Enterprise Security Manager (ESM), Event Receiver (REC) and Enterprise Log Manager (ELM) in a single
appliance.
As most SIEM POC deployments are intended to showcase functionality rather than performance, the
ESMRECELM is commonly used to demonstrate the features and ease of use delivered by the McAfee SIEM. It
can be deployed with minimal disruption (single appliance, minimal rack space and power, single network
connection and IP address).
In larger POC or production SIEM environments, a combo box may be inadequate to handle the sizable EPS
performance requirements of an enterprise. The largest ESMRECELM peaks at 5k EPS and provides no local
storage for ELM archive but instead requires supplemental storage by means of a SAN connection, NFS or CIFS
share.
ACE - Advanced Correlation Engine
The ACE provides the SIEM with advanced correlation capabilities that include both rule- and risk-based options. In addition to performing real-time analysis, the ACE can be configured to process historical event/log data against the current set of rule and risk profiles. The ACE provides native risk scoring for GTI (for SIEM) and MRA-enabled customer environments. It also allows custom risk scoring to be configured to highlight threats against high-value assets or sensitive data, or actions performed by privileged users.
Typical production SIEM deployments include two ACE appliances: one performing real-time rule and risk correlation and another configured for historical rule and risk correlation of events.
ADM - Application Data Monitor
The ADM provides layer 7 application decode of enterprise traffic via four promiscuous network interfaces. It is used to track transmission of sensitive data and application usage, as well as to detect malicious or covert traffic, theft or misuse of credentials, and application-layer threats.
Not to be confused with a true DLP, the ADM's integration with the SIEM provides advanced forensics value by preserving full transactional detail for sessions violating the user-defined policy managed from within the McAfee ESM common user interface. Complex rule correlation can leverage policy violation or suspicious application usage events to identify potential security incidents in real time.
DEM - Database Event Monitor
The DEM provides a network-based solution for real-time discovery and transactional monitoring of database activity via two or four promiscuous network interfaces. It works either in lieu of or in parallel with the McAfee (Sentrigo) agent-based database activity monitoring solution to provide comprehensive, transaction-level monitoring of user or application DB usage.
Getting to Know the Intel Hardware
Standard 2u Appliance - Rear
[Figure: rear-panel photograph with numbered callouts 1 through 10; the callout legend did not survive extraction]
Front Bezel
[Figure: front bezel with callouts 1 and 2]
1. Power Button
2. Bezel Lock
Installation and Configuration of VM Images
Each guest image contains three files: a VMware virtual disk file (.vmdk), an Open Virtualization Format descriptor (.ovf) and a manifest file (.mf). All three files should be located in the same directory on the vSphere Client machine. The manifest carries digests of the other two files, which the deploy wizard checks during import, so keep it alongside them rather than importing the .ovf and .vmdk alone.
3. Browse to the location of the VM SIEM appliance and select the .ovf file.
5. The OVF Template Details window displays the Product, Download size and Size on disk (both thin and thick
provisioned) for the selected virtual SIEM image.
6. The Name and Location window allows the unique naming of the virtual SIEM image as well as the location in the
ESX inventory.
8. From the Resource Pool window, select the appropriate ESX resource pool within which you wish to deploy the
virtual SIEM template.
10. From the Storage window, select an appropriate destination for the virtual SIEM image. Make certain you select a
location that has sufficient free disk space to host the entire guest image.
12. From the Disk Format window, choose Thick Provision Eager Zeroed.
14. From the Network Mapping window select an appropriate Destination Network for the guest virtual SIEM appliance
NIC0. (Additional NICs can be configured at a later time).
16. From the Deploy OVF Template Summary window, confirm the virtual SIEM appliance configuration options.
18. As the virtual SIEM appliance is deployed, a progress bar will show the
percent complete.
19. Once the OVF template has been fully deployed, a Success dialog box
will indicate completion.
21. To make additional changes to the virtual SIEM appliance guest configuration, click
Edit virtual machine settings.
NOTE: Each guest virtual SIEM image has a maximum memory and CPU core limit that cannot be exceeded. It is possible to configure values from the minimum of 8 GB memory and 8 CPU cores up to the maximum allowed for the OVF image.
Step 1: Initial Power-Up and Configuration
1. Connect the power supplies to a properly grounded outlet (preferably on a sufficiently rated Uninterruptible Power Supply).
NOTE: The keyboard may appear unresponsive and may require multiple keystrokes to recognize each
key press.
iii. Using the arrow keys on the keyboard, scroll down to MGMT IP Config.
Press Enter.
iv. Configure the MGT 1 IP address using the keyboard (accepts numeric entry).
NOTE: The remaining network configuration (DNS, etc.) can be entered through the GUI.
Repeat the initial configuration process for all remaining appliances.
Step 2: Connecting to the ESM via Web GUI
4. Click the Login link on the page that opens. The McAfee ESM application will load and prompt you for a username and password.
11. Enter and confirm a new password of your choice in the new password
field
Do not enable FIPS mode for a POC unless the customer explicitly requires it. FIPS mode can only be selected the first time you log on to the system and cannot be changed after the initial installation, so an inadvertent Yes here is permanent for that appliance.
13. Answer No to the FIPS dialog, then confirm by answering Yes to the Disable FIPS dialog.
14. Next, a dialog box will open with the following message:
15. Click OK. The McAfee ESM Startup screen will open.
Step 3: Completing the Initial ESM Configuration Wizard
1. Select the system logging language and the time zone setting for the NGCP user.
3. Enter the appropriate DNS values for the ESM to perform name resolution.
5. If a proxy server is required for the ESM to communicate to the Internet, enter the appropriate proxy server
settings.
7. If additional static routes are required for the ESM to communicate, add them from the current screen.
9. If a local Time Server is available, replace the default NTP server IP addresses with a valid network time server
address.
11. Enter the Customer ID and Password provided during POC registration to allow automatic rule updates, place a
check in the Auto Check box and select the update interval.
13. You may see a dialog box indicating that IP address changes were
made that will require redirection. Click OK.
14. A dialog box will appear indicating that the settings will be
saved and services on the ESM will be restarted. When
asked to continue, click Yes.
Step 4: Performing a Manual Rules Update
1. Download the appropriate rule update file from the McAfee products website:
McAfee [Customer/Partner/SE] Resources > SIEM > MFE Nitro Rules Downloads
2. From the Rules and Software window, click the Manual Update button.
A file upload window will open.
3. Next, browse to the location of the rule update file from Step 1 and click Upload.
When the rule update has completed you may see the following pop-up dialog window:
NOTE: This dialog may also appear upon future logins to the SIEM after rule updates have been recently applied.
To confirm the last successful update of new rules, check the status on the ESM System Properties window.
Step 5: Configuring Event, Flow and Log Retrieval Polling Interval
The polling interval controls how often the ESM retrieves collected event, flow and log data from its devices. Best practice in a POC is to reduce this value to between 1 and 5 minutes to provide a more real-time view of collected event and flow data.
1. Click the ESM System Properties button in the upper right of the interface.
2. Click Events, Flows and Logs. The Events, Flows and Logs window will open.
4. Click OK.
Step 6: Configuring ESM Data Allocation Policy
In order to adjust the database allocation ratio to favor larger event volume, follow these steps.
1. Click the ESM System Properties button in the upper right of the interface.
2. Select the Database menu from the list of options on the left.
Then Click the Data Allocation button.
3. In the Data Allocation window that opens, configure the appropriate event:flow ratio by sliding the arrow right or left. Right indicates a higher ratio of event data; left indicates a higher ratio of flow data.
4. Click OK.
Step 7: Configuring ESM SMTP Mail Settings
1. From the ESM System Properties window, select the Email Settings menu option.
2. Enter the necessary configuration settings including the email host, SMTP port, TLS (if required by the SMTP
server), username/password, title (to be used in the email message subject line) and the from address.
3. Confirm the SMTP settings are correct by pressing the Send Test Email button and providing a destination
email account to which the test email will be sent.
Step 8: Configuring ESM Backup Settings [Optional]
1. From the ESM System Properties window, select the System Information menu option.
2. Click Backup & Restore. The Backup & Restore window will open.
5. Select the radio button for Remote Location and provide the necessary CIFS/NFS location details including the
remote IP address, share name, path, and credentials (CIFS only).
6. Confirm the ESM can communicate to the remote location using the Test Connection button.
Step 9: Adding (Keying) Additional SIEM Appliances
The McAfee SIEM solution is comprised of several platforms, each performing a specialized function. The combined value of all of the discrete components is what sets the McAfee SIEM solution apart from competitive solutions.
The process of connecting additional appliances to the McAfee SIEM platform is known as keying, since the provisioning activity creates and exchanges a unique SSH key for each attached device. This provides an encrypted, key-authenticated path of communication between the ESM and all subordinate SIEM appliances.
The following steps must be completed for each subordinate appliance added to the SIEM environment.
1. Click the Add Device button from the Actions Toolbar in the upper right of
the user interface.
NOTE: The Actions Toolbar is context-sensitive and will change based on the
object selected in the system tree. Be certain to have either the Physical
Display or the Local ESM selected for this step.
4. Provide a unique name for the device being added. This will be
the name used in the System Tree.
NOTE: If during the keying process an error dialog is displayed claiming the SSH
connection failed or a similar error message, follow these steps to troubleshoot.
1. Confirm that network link connectivity exists between the new device (MGMT
NIC 1) and a working switch port.
2. Confirm that the network switch port connecting the ESM and the switch port connecting the new device are
either on the same VLAN or, if separated by a layer 3 device that the appropriate routing is configured to
support communication between the two devices.
3. If the ESM and the device being added are separated by a firewall or IPS, make certain there are no traffic rules
that would prevent communication over the designated port (default:22).
4. If the POC deployment is taking place in an ESX-based virtualized environment, it may be necessary simply to repeat the keying process a second time. In many cases the first attempt only completes address resolution (ARP) across the vSwitch, and traffic between the ESM and the new SIEM device does not flow until the second attempt, when the key exchange can complete.
Step 10: Configuring Event Inactivity Settings
The following steps should be performed to disable the Event Inactivity settings.
1. Click the System Properties button in the upper right of the interface.
2. Click Events, Flows & Logs. The Events, Flows & Logs window will open.
4. Place a check in the Inherit option box for the ESM object. This will
force all devices and subsequent data sources added to the SIEM
to inherit the System Inactivity Threshold which is set to Days: 0,
Hours: 0, Minutes: 0.
This effectively disables the SIEM Inactivity health status warnings.
Step 11: Adjusting Default Port Index Settings
1. Click the System Properties button in the upper right of the interface.
2. Click Database.
4. Click the word Custom under the Events/Port heading. An option box will open.
6. Repeat the process for Flows/Port, modifying the setting from Custom to All.
7. Click OK.
Configuring Common Data Sources for Event Collection
There are several methods that can be used to add a Data Source to an Event Receiver for collection: one at a time from the Action Toolbar, multiple sources from the Data Source section of the Event Receiver Properties window, bulk creation via CSV file import, and Auto Learn.
Configuring a SYSLOG Data Source
The following steps describe the simplest way to add a single Data Source to a Receiver, one at a time from the Action Toolbar, to begin event and log collection, as well as any additional configuration steps required for the SIEM to perform event/log/flow collection.
NOTE: As an example, the following steps would be necessary to add event collection for a Linux host via SYSLOG.
1. Configure the Linux Data Source to forward all necessary events and logs to the IP address assigned to the
Event Receiver. Refer to the vendor-supplied instructions for each Data Source to determine the appropriate
steps necessary to perform this event forwarding.
9. A dialog box will open warning that a Policy Rollout will be required for this Data Source to function properly. Click Yes.
10. A dialog box will open indicating that the new Data Source
configuration must be written to the Receiver.
Click Yes.
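Step 1 of the syslog procedure above leaves the forwarding configuration on the Linux host to the vendor documentation for each source. As an added example that is not part of the McAfee guide, the following shell script generates the rsyslog rule a Linux host would need to forward its syslog to the Receiver over TCP with a disk-assisted queue, and checks that a given rule has those properties. The Receiver address 10.0.0.20 and port 514 are placeholders; that the Receiver accepts syslog on TCP/514 and that the host runs rsyslog 7 or newer (RainerScript syntax) are assumptions, not statements from the page. Plain syslog over UDP or TCP is neither authenticated nor encrypted; the disk queue only protects against event loss while the Receiver is unreachable.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: generate and check an rsyslog rule
# that forwards a Linux host's syslog to the Event Receiver.
# Assumptions (placeholders, not values from the page): Receiver at 10.0.0.20
# listening for syslog on TCP/514; rsyslog 7+ on the host (RainerScript syntax);
# a global workDirectory is configured (distro packages set one), which the
# on-disk queue file needs.

# write_forward_rule RECEIVER_IP PORT OUTFILE
# Forwards every facility/severity (*.*) over TCP. The queue.* settings give the
# action a disk-assisted queue, so events are buffered on the host while the
# Receiver is down instead of being dropped; resumeRetryCount=-1 retries forever.
write_forward_rule() {
    receiver="$1"; port="$2"; out="$3"
    cat > "$out" <<EOF
# Forward all local syslog to the McAfee Event Receiver
*.* action(type="omfwd" target="${receiver}" port="${port}" protocol="tcp"
           queue.type="LinkedList" queue.filename="mfe_receiver_fwd"
           queue.maxdiskspace="1g" queue.saveonshutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# check_forward_rule FILE RECEIVER_IP -> 0 if FILE forwards to RECEIVER_IP over
# TCP with a disk-assisted queue, 1 otherwise (a UDP or unqueued rule fails).
check_forward_rule() {
    file="$1"; receiver="$2"
    grep -q "target=\"${receiver}\"" "$file" || return 1
    grep -q 'protocol="tcp"' "$file" || return 1
    grep -q 'queue.filename="' "$file" || return 1
    return 0
}

# Demo run into a temp file. On a real host the target path would be
# /etc/rsyslog.d/90-mfe-receiver.conf, followed by 'rsyslogd -N1' to check the
# syntax, a restart of rsyslog, and 'logger -t siemtest hello' to send a probe
# that should then appear under the new Data Source on the Receiver.
demo="$(mktemp)"
write_forward_rule 10.0.0.20 514 "$demo"
check_forward_rule "$demo" 10.0.0.20 && echo "forwarding rule written to $demo"
```

The check function is what you would run in a fleet-wide audit: a rule that forwards over UDP (`*.* @host:514`) or over TCP without a queue passes the Receiver-side connection test but silently loses events during any Receiver outage, which is exactly the gap a POC will not reveal until the ELM archive is examined.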
Creating a Windows Data Source Profile
One of the most useful profiles to configure is that of a Windows Data Source. The Windows profile stores the credentials and log collection details that can later be used when defining a Windows (WMI) data source on the Event Receiver. By using a profile during the creation of a Windows data source, the SIEM operator need not enter the credentials each time but instead assigns the attributes of the profile to the data source. This also keeps the credentials in a central location: any change to the username/password is made once within the profile, and all data sources referencing the profile automatically use the modified values.
Because one profile's credentials are reused across many hosts, use a dedicated service account that holds only the rights needed to read the event logs remotely (on Windows, typically membership of the Event Log Readers group plus remote WMI/DCOM access), rather than a domain administrator account.
The following steps must be taken to create a Windows Data Source Profile.
1. Click the System Properties icon from the Quick Launch menu in the upper right of the interface.
3. Click the Add button. The Add System Profile window will open.
8. Enter a Password.
Configuring a Windows Data Source
The following steps describe the simplest way to add a single Windows Data Source to a Receiver to begin event and log collection, one at a time from the Action Toolbar.
b. From the Data Source Model dropdown menu, select WMI Event Log.
c. Enter a Username with sufficient privileges to connect to the Windows host and retrieve the WMI logs.
8. Click the Connect button to test the connection to the Windows Data Source.
10. If the connection attempt fails, a dialog box will open to provide
details that can be used to troubleshoot the connection. Common
connection problems include incorrect IP Address or NETBIOS
name, improper user credentials or insufficient user privilege
necessary to retrieve the defined WMI log source. Correct any
errors and re-test the WMI connection until the response is
successful.
11. Once the WMI Connection Test is successful, click OK. The Apply Data Source Settings dialog box will open.
12. Click Yes to apply the Windows Data Source configuration to the
Event Receiver.
13. Once the Windows Data Source has been written to the
Event Receiver, a dialog box will open to confirm.
Click Close.
14. Since a new event collection source has been configured on the Event Receiver, the policy must be rolled out to
support the event formats associated with the Windows Data Source. The Rollout Policy window will open
listing the Data Sources defined on the Event Receiver that must be applied for event collection to begin.
NOTE: Some Data Sources in the list may read "Skip - This policy is up to date" while others, like the Windows Data Source just added, will read "Roll this policy out now". The SIEM tracks which Data Source policies are new or recently modified and must be rolled out, and skips those that are current.
Creating a McAfee ePolicy Orchestrator Data Source
The following outlines the configuration steps required on the ePO Database server.
1. Ensure that a SQL Login account is available with appropriate privilege to the McAfee ePO database. For this example, an account named epo has been created using SQL authentication with its Default Database set to the ePO database. The SIEM only reads from this database, so a read-only login (for example one holding the db_datareader role in the ePO database) should be sufficient and is preferable to a sysadmin or db_owner account; confirm the exact requirement against the current McAfee documentation.
The following outlines the configuration steps required to add the ePO Data Source to the McAfee SIEM running
version 9.2.0 or higher.
2. From the Add Device Wizard window, select McAfee ePolicy Orchestrator (v4.6 or newer)
and click Next.
NOTE: Depending upon the appliance deployed in the POC, some of the device options may not be available
as indicated by the device type being greyed out. This is expected in POC installations deployed using an All-
in-One combo appliance.
NOTE: Each application installed in ePO (VSE, HIPS, etc.) will be added to the ePO data source as children using
this name as a prefix.
Example: McAfee ePO_VirusScan, McAfee ePO_Application and Change Control, etc.
To prevent these child data source names from becoming truncated, use a short descriptive name for the parent
ePO data source.
4. Click Next.
The ePO data source requires information relating to both the ePO Application Server and the ePO Database Server. In some ePO deployments these are the same host; however, appropriate credentials must be supplied individually for each. Application credentials are used to connect to the ePO server to apply policy tags, while database credentials are used by the SIEM to retrieve events for analysis, correlation and reporting.
The Wizard will prompt you for both the Application details as well as the Database details on separate windows
starting with the ePO Application information.
10. Click the Connect button to test the connection to the ePO
application. If the connection is completed successfully, a
confirmation dialog box will open. Click Close.
If the connection test is unsuccessful, verify the ePO user credentials
and privileges.
The Wizard now prompts you for the ePO Database details.
18. Click the Connect button to test the connection to the ePO database.
If the connection is completed successfully, a confirmation dialog box
will open. Click Close.
If the connection test is unsuccessful, verify the SQL credentials and
privileges.
20. A dialog box will open regarding the use of McAfee Risk Advisor
data within the SIEM.
The McAfee SIEM can utilize Risk Advisor asset reputation
scoring as a component of a Risk Correlation policy. If Risk
Advisor is present in the ePO installation AND if the Advanced
Correlation Engine is being deployed with the SIEM, click Yes.
21. Once complete, the Add Device Wizard will present a status window indicating that the ePO data source was
successfully added and configured.
23. Expand the new ePO Data Source in the Device Tree to
confirm the connection to the ePolicy Orchestrator host and
to identify the McAfee products that were found to be
installed.
NOTE: This configuration example assumes a single ePO server with a local SQL database. In configurations
where the ePO server is connected to a secondary SQL DB server, please contact McAfee support for assistance.
1. Click the Asset Manager icon from the Quick Launch menu in the upper
right of the interface.
4. In the Homenet dialog box that appears, enter the subnet(s) that
represent the ePO managed endpoints.
2. Click the Menu button in the upper left of the Source IP Address
component.
3. From the menu that appears, select Actions, then View in ePO.
6. Once authenticated, the ePO asset information window will open displaying the information related to the
endpoint selected in the McAfee SIEM.
In addition to viewing the managed endpoint within ePO, McAfee SIEM also supports the assignment of ePO policy
tags directly to assets from within the SIEM console.
1. From the SIEM user interface, select an IP address representing a managed asset within ePO.
2. Click the Menu button in the upper left of the Source IP Address
component.
NOTE: Important information relating to the SIEM update process can always be found in the version release notes.
Make certain to carefully read the published documentation prior to initiating the update process.
Code updates are made available as a single tarball file, along with a corresponding hash file that can be used to
confirm the validity and consistency of the downloaded file. Each discrete platform in the McAfee SIEM suite has a
unique code update path. Since ALL appliances connecting to the SIEM solution must be running the same version
of code, it is important to obtain any/all tarball files necessary to perform an update to each of the appliances used
in a POC.
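As an added example (not part of this guide or of McAfee's tooling), the following Python script verifies a downloaded update tarball against its companion hash file before the file is uploaded to the ESM repository. It assumes the hash file holds a hex digest optionally followed by the filename (sha256sum/md5sum style) and picks the algorithm from the digest length; the .sha256 suffix, the stand-in tarball and its digest are constructed here.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm (assumed set; the guide does not name
# the algorithm used by the McAfee hash file, so unknown lengths are rejected).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def read_expected_digest(hash_path):
    """Return the lowercase hex digest found on the hash file's first non-empty line."""
    with open(hash_path, "r", encoding="utf-8") as fh:
        for line in fh:
            fields = line.split()
            if fields:
                return fields[0].lower()
    raise ValueError("hash file is empty: %s" % hash_path)

def file_digest(path, algo, chunk=1 << 20):
    """Stream the tarball through the chosen hash (update images can be large)."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_update(tarball_path, hash_path):
    """True only when the tarball's digest matches the hash file (constant-time compare)."""
    expected = read_expected_digest(hash_path)
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:
        return False
    return hmac.compare_digest(file_digest(tarball_path, algo), expected)

def demo(tamper=False):
    """Build a constructed stand-in tarball and matching sha256 file; optionally corrupt one byte."""
    with tempfile.TemporaryDirectory() as d:
        tgz = os.path.join(d, "ESS_Update_X.x.x.signed.tgz")  # file name pattern from the guide's table
        payload = b"constructed payload, not a real update image\n" * 64
        with open(tgz, "wb") as fh:
            fh.write(payload)
        with open(tgz + ".sha256", "w", encoding="utf-8") as fh:
            fh.write("%s  %s\n" % (hashlib.sha256(payload).hexdigest(), os.path.basename(tgz)))
        if tamper:
            with open(tgz, "r+b") as fh:
                fh.seek(10)
                fh.write(b"X")
        return verify_update(tgz, tgz + ".sha256")
```

Calling demo() returns True for the intact file and demo(tamper=True) returns False; a verification failure should stop the upload, not just be logged.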
The following table describes the SIEM appliance and corresponding upgrade file requirements.
Appliance      Update File                         Update Order
ESM            ESS_Update_X.x.x.signed.tgz         1
ESM/REC/ELM    ESSREC_Update_X.x.x.signed.tgz      1
REC            RECEIVER_Update_X.x.x.signed.tgz    2
ELM            RECEIVER_Update_X.x.x.signed.tgz    2
ACE            RECEIVER_Update_X.x.x.signed.tgz    2
ADM            APM_Update_X.x.x.signed.tgz         3
DEM            DBM_Update_X.x.x.signed.tgz         3
The McAfee ESM maintains a file repository into which all code update tarball files can be uploaded. Once
uploaded, each tarball update can be applied to the appropriate device from within the SIEM user interface either
individually or, in the case of multiple devices of the same type, en masse.
The order in which SIEM appliances are updated must be determined by reviewing the release notes published with
each update. In most circumstances, when multiple appliances in a SIEM hierarchy are to be updated, it will be
necessary to start with the ESM (or ESM/REC/ELM). Once complete, any Event Receiver appliances should be
updated to the new version, including any ELM or ACE appliances, since they share the same Receiver codebase.
Lastly, any additional subordinate appliances such as ADM or DEM should be updated.
During most major (and some minor) updates, it will be necessary for the master ESM database to be rebuilt as part
of the automated code update process. Depending upon the amount of data residing in the ESM database, this
process can take anywhere from 30 minutes to several hours. In POC environments where the event volume will
likely be minimal, the database rebuild process should complete in under an hour.
The following steps must be completed to perform a code update on one or more SIEM appliances.
2. Click the System Properties button in the upper right of the interface.
4. From the File Type dropdown menu, select Software Update Files.
5. Click the Upload button. The File Upload window will open.
6. Browse to the location of the tarball update. Select a single tarball file and click Upload.
7. Repeat for each update file until all required tarball images have been uploaded to the repository.
NOTE: If the POC is being performed on an ESM/REC/ELM combo, select the ESSREC_Update_X.x.x signed
tarball.
4. Click OK.
5. A dialog box will open warning that the ESM will reboot during the update
process and all active connections will be dropped. Click Yes to proceed.
6. A dialog box will open indicating that the update process has been initiated
and instructing you to close the browser window.
7. Click OK.
9. The ESM will reboot multiple times to perform the update process.
Once the update is complete, open a web browser on your client
computer.
12. You will likely be prompted with a dialog box indicating that you
must clear your browser cache. Press CTRL-SHIFT-DEL and
clear the most recent browser cache.
13. Click the Login link once again. The McAfee ESM application will
load and prompt you for a username and password.
14. If the ESM is still performing any portion of the code update, you
may be presented with an error indicating that the system is not
ready. Simply wait another minute and attempt once again to log
into the SIEM.
15. Once the server is ready and your credentials are accepted, you will
likely see a dialog box indicating that you have recently performed an
upgrade and instructing you to read the necessary release notes to
determine if additional actions are required.
16. Continue with the update process on each of the remaining SIEM
appliances, starting with any Event Receiver devices (REC, ACE, ELM),
then continuing with any remaining device (ADM, DEM).
NOTE: If the POC is being performed on an ESM/REC/ELM combo you can proceed to
Step 12 as the ESSREC_Update tarball provides both the ESM as well as REC feature update.
6. Click OK.
7. A dialog box will open indicating that the device will reboot when the
update process begins.
8. Click YES.
9. The device will restart. A dialog box will open, counting down
from 3 minutes while the device update is applied.
10. A dialog box will indicate the successful restart of the device
once connectivity has been restored.
12. After the successful update of an Event Receiver appliance, it is necessary to perform additional configuration
updates.
Repeat these steps to apply all necessary update tarball files to remaining subordinate devices.
The McAfee SIEM classifies each event collected in accordance with a default Normalization Taxonomy. The
taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit,
Informational, Malware, Policy, Recon, Suspicious Activity, System and unknown. Each first-tier group is then
broken down further into sub-groups and even further as necessary, each lower tier representing more specific
event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications
in that branch are included in the selection. This allows the operator to select a more general event group, such as
Authentication, and all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login,
Database Login, Domain Login, etc.) of the Authentication parent will also be included in the selection.
Additionally, it is recommended that event aggregation be disabled for all correlated events.
Rule-based event correlation performs pattern-matching using complex Boolean expressions to identify known
patterns of possible attacks. Since each correlated event will correspond to a sequence of events analyzed by the
SIEM, it is beneficial to maintain full granularity for all events generated by the McAfee correlation engine.
Custom aggregation can also be defined to tune specific event aggregation settings based on user-selected fields.
Please refer to the ESM help documentation for more information regarding setting custom aggregation values.
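The branch-inclusive selection described above, and the aggregation change the following steps apply through the Policy Editor, as an added Python example that is not part of this guide; the taxonomy IDs, names and rule records are constructed stand-ins, not McAfee's real normalized IDs.

```python
# Constructed taxonomy: normalized ID -> (name, parent ID); a None parent marks a first-tier group.
TAXONOMY = {
    100: ("Authentication", None),
    110: ("Login", 100),
    111: ("Admin Login", 110),
    112: ("Database Login", 110),
    113: ("Domain Login", 110),
    120: ("Logout", 100),
    200: ("Malware", None),
    210: ("Virus", 200),
    300: ("Informational", None),
    310: ("Status", 300),
}

def branch_ids(taxonomy, root_id):
    """Return root_id plus every descendant ID, however many tiers deep."""
    children = {}
    for nid, (_, parent) in taxonomy.items():
        children.setdefault(parent, []).append(nid)
    selected, stack = set(), [root_id]
    while stack:
        nid = stack.pop()
        selected.add(nid)
        stack.extend(children.get(nid, []))
    return selected

def ids_for_groups(taxonomy, group_names):
    """Resolve first-tier group names to every normalized ID in their branches."""
    by_name = {name: nid for nid, (name, _) in taxonomy.items()}
    selected = set()
    for name in group_names:
        selected |= branch_ids(taxonomy, by_name[name])
    return selected

def disable_aggregation(rules, taxonomy, group_names):
    """Set Aggregation Off on rules in the selected branches; return the names changed."""
    selected = ids_for_groups(taxonomy, group_names)
    changed = []
    for rule in rules:
        if rule["normalized_id"] in selected and rule["aggregation"] != "Off":
            rule["aggregation"] = "Off"  # the other two options are Inherit and On
            changed.append(rule["name"])
    return changed

def sample_rules():
    """Constructed stand-ins for Data Source / Windows Event rules."""
    return [{"name": n, "normalized_id": i, "aggregation": "Inherit"}
            for n, i in (("Windows 4624 logon", 113), ("Oracle DB login", 112),
                         ("AV detection", 210), ("Heartbeat", 310))]
```

Selecting only "Authentication" and "Malware" switches off aggregation for the three rules beneath those groups while the Informational rule keeps its inherited setting.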
The following steps must be followed to disable event-specific aggregation for these normalized event categories.
1. Click the Policy Editor button from the Navigation Bar located in the upper
right of the user interface. The Policy Manager window will open.
NOTE: The policy manager groups events into various Rule Types
including Advanced Syslog Parser, Data Source and Windows Events. The
following steps will need to be performed against each of these event type branches.
2. Expand the Receiver object from the Rule Types panel and select Data Source.
3. Click the Advanced bar at the bottom right of the Policy Editor window beneath the Filters/Tags panel. This will
hide the Tags and display the Advanced filters panel.
4. Click the Filter button to the right of the Normalized ID form field.
The Filter Variables window will open to display the top-tier Normalized event categories.
6. Click OK.
7. This will populate the Normalized ID form field with the IDs
associated with the selected event categories.
8. Click the Run Query icon to refresh the list of Advanced Syslog
Parser rules which will now be filtered to display ONLY those event
rules matching the categories selected from the Normalized
Taxonomy filter.
9. To disable Event Aggregation for the refined list of Data Source rules, click the Aggregation column heading.
The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).
11. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.
13. All Data Source rules in the filtered list will now have the Aggregation
attribute set to Off (disabled).
NOTE: The filter panel will preserve the current selection of Normalized categories. The resulting list of Windows
Event rules will inherit the previous filters of Authentication, DoS, Exploit and Malware.
15. Once again, click the Aggregation column heading. The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).
17. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.
19. All Windows Event rules in the filtered list will now have the
Aggregation attribute set to Off (disabled).
21. Next, clear the filters by clicking the orange funnel icon in the upper right of the Correlation Rules panel.
22. Once again, click the Aggregation column heading. The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).
24. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.
26. All Correlated rules in the list will now have the Aggregation attribute
set to Off (disabled).
NOTE: If the Event Receiver is already configured with any Data Sources, it will be necessary to perform a Policy
Rollout after making changes to the rule Aggregation settings. To do so, complete the following additional steps.
a. Click the Rollout icon on the Action Bar in the upper right of the Policy
Editor window. The Rollout window will open.
b. Click OK.
c. The new Aggregation settings will be rolled out to all Event Receiver
data sources.
2. Click the Add Data Source button from the Actions Toolbar. The Add
Data Source window will open.
6. Click OK.
7. A dialog box will open indicating that Data Source Settings have changed
and must be applied to the Event Receiver. Click Yes.
8. When the Data Source Settings have been written to the Event
Receiver, a dialog box will provide confirmation. Click Close.
9. Since each Data Source must have a policy applied, the Rollout
window will appear. It is a requirement that policy be properly rolled
out to the Event Receiver and all corresponding Data Sources after making any changes. Click OK.
To connect the SIEM to a Windows DC, the following steps must be taken.
1. Click on the Asset Manager icon from the Quick Launch menu. The Asset
manager window will open.
3. Select the ESM object from the list of available devices. It is from this
device that the Active Directory connection will be made.
10. Configure the retrieval interval and time. The default settings
will query the Active Directory once daily at midnight.
11. Click the Connect button to test the connection to the Domain
Controller.
12. If the connection test is successful, a dialog box will open to confirm. Click
OK.
13. If the connection to the Domain Controller is unsuccessful, a dialog box will open
indicating that the connection test failed. If this happens, confirm the IP address of
the Domain controller, the port number across which the LDAP query will occur
(default 389), the username (in the correct username@domain.tld format), the
password and the Search Base. Determine from the customer if TLS is required to
connect to this Domain Controller and, if so, enable it using the check box provided
on the Asset Data Source form.
14. Once the connection test to the Domain Controller is successful, click OK.
15. Click the Write button in the bottom left of the Asset Sources window. The Writing changes to device window
will open.
17. Select the newly created Active Directory Domain Controller from the list of available asset sources.
19. A dialog box will open indicating that the Active Directory user and group data is being retrieved. Depending on
the size of the customer's Active Directory, this process may take several minutes or longer to complete.
20. When the Active Directory data retrieval has successfully completed, a
dialog box will open.
Click OK.
To confirm the successful retrieval of Active Directory user and group information, follow these steps.
1. Scroll down the list of objects in the Filter Panel to the Source User form field.
2. Click the Filter icon beside the Source User field. The Filter
Variables window will open.
You should see the domain from which you retrieved user and
group information.
3. Expand the domain object to display the groups enumerated from the
Active Directory.
Now that the Active Directory user and groups have been enumerated
into the SIEM, their values can be used in future filter queries, correlation
rules and reports.
Conclusion
Your McAfee SIEM environment is now installed and configured, and you have begun the process of tailoring it to
meet your business requirements. Next steps from here include outlining your initial use cases, importing the
necessary content, and developing processes for monitoring and remediation.
You can find more assistance, documents, and videos at the McAfee Community:
https://community.mcafee.com/community/business/siem