
Proof of Concept Setup Guide

McAfee SIEM
Security Information & Event Management Platform

Proof of Concept Setup Guide

V2.0 Jul 2014


Introduction
This document is intended to provide a walkthrough of the steps necessary to complete a McAfee
SIEM installation as part of an evaluation/proof of concept. It outlines the best practices to ensure a
successful demonstration of the ease-of-use and rapid value delivered from the platform.

Setting the Stage


There are multiple products and configuration options that may need to be supported during a POC.
An initial planning session was used to determine the scope and expectations for this project. This
information was used to select the appropriate hardware delivered to satisfy the evaluation request.

Appliance-Based
When a POC is intended to demonstrate functionality as well as performance, it is typical that the
request will be satisfied using one or more physical appliances. Each hardware appliance will
require dedicated power, rack space and host network connectivity.

Additionally, some of the SIEM platforms (ADM/DEM) require additional network connectivity to
perform promiscuous traffic collection from a switch SPAN/Tap port. If these platforms are to be
included in the evaluation, proper switch configuration must be provisioned in advance of the POC.

VMware/ESX-Based
Some POC engagements may be satisfied using a virtual server configuration. A standard ESX
virtualized environment can be used to demonstrate one or more of the SIEM solutions, each being
provisioned as a VM guest. This reduces the operational requirements of the customer
considerably; rack space (2u), power and network connectivity are dramatically reduced while still
being able to demonstrate the entire value proposition and superior performance of the McAfee
SIEM platform.

This guide will discuss the requirements for both an Appliance-based POC as well as a VMware-
based configuration.
Proof of Concept Setup Guide McAfee SIEM

Table of Contents
Proof of Concept Setup Guide ..... 1
McAfee SIEM ..... 1
A McAfee SIEM Architecture Primer ..... 4
ESM - Enterprise Security Manager ..... 4
REC - Event Receiver ..... 4
ELM - Enterprise Log Manager ..... 4
ESM/REC/ELM ..... 5
ACE - Advanced Correlation Engine ..... 5
ADM - Application Data Monitor ..... 5
DEM - Database Event Monitor ..... 5
Getting to Know the Intel Hardware ..... 6
Standard 2u Appliance Rear ..... 6
Front Bezel ..... 6
Installation and Configuration of VM Images ..... 7
Step 1: Initial Power-Up and Configuration ..... 13
Step 2: Connecting to the ESM via Web GUI ..... 14
Step 3: Completing the Initial ESM Configuration Wizard ..... 15
Step 4: Performing a Manual Rules Update ..... 18
Step 5: Configuring Event, Flow and Log Retrieval Polling Interval ..... 19
Step 6: Configuring ESM Data Allocation Policy ..... 20
Step 7: Configuring ESM SMTP Mail Settings ..... 21
Step 8: Configuring ESM Backup Settings [Optional] ..... 22
Step 9: Adding (Keying) Additional SIEM Appliances ..... 23
Step 10: Configuring Event Inactivity Settings ..... 25
Step 11: Adjusting Default Port Index Settings ..... 26
Configuring Common Data Sources for Event Collection ..... 27
Configuring a SYSLOG Data Source ..... 27
Creating a Windows Data Source Profile ..... 30
Configuring a Windows Data Source ..... 31
Creating a McAfee ePolicy Orchestrator Data Source ..... 34
Configuring Advanced ePO Integration ..... 40
Preparing for a SIEM Software Update ..... 44
Performing a SIEM Software Update - ESM ..... 45
Performing a SIEM Software Update - REC, ELM, ACE, ADM, DEM ..... 48
Configuring Event-Specific Aggregation ..... 50
Configuring Rule-Based Correlation on an Event Receiver ..... 57
Connecting the SIEM to a Windows Domain Controller ..... 58


A McAfee SIEM Architecture Primer


The McAfee SIEM solution is comprised of several appliance-based platforms working in conjunction to deliver
unmatched value and performance to enterprise security professionals. A multitude of
deployment configurations allow for the most scalable and feature-rich SIEM architecture available, delivering real-
time forensics, comprehensive application and database traffic/content monitoring, advanced rule- and risk-based
correlation for real-time as well as historical incident detection, and the most complete set of compliance features of
any SIEM on the market.

The following list details the entire suite of available SIEM components.

ESM - Enterprise Security Manager

The McAfee ESM is the brains of the McAfee SIEM solution. It hosts the web interface through which all SIEM
interaction is performed as well as the master database of parsed events used for forensics and compliance
reporting. It is powered by the industry-leading McAfeeEDB proprietary embedded database which boasts speeds
more than 400% faster than any leading commercial or open source database.

All McAfee SIEM deployments must start with [at least one] ESM (or ESM/REC/ELM).

REC - Event Receiver

The McAfee REC is used for the collection of all third-party event and flow data.
Event collection is supported via several methodologies:

1. Push devices forward events or flows using SYSLOG, NetFlow, etc.

2. Pull event/log data is collected from the data source using SQL, WMI, etc.

3. Agent data sources are configured to send event/log/flow data using a small-footprint agent such as
SNARE, Lasso, OPSEC, etc.

The Event Receiver can also be configured to collect scan results from existing vulnerability assessment platforms
such as McAfee MVM, Nessus, Qualys, eEye, Rapid7, etc. In addition, the REC supports the configuration of rule-
based event correlation as an application running on the Receiver.

McAfee Event Receivers come in physical appliances with EPS ratings ranging from 5k to 22k events per second as
well as VM-based models with event collection rates ranging from 250 to 1k EPS.

Multiple REC appliances (or VM platforms) can be deployed centrally to provide a consolidated collection
environment or can be geographically distributed throughout the enterprise. Typical deployment scenarios will
locate an Event Receiver in each of several data centers, all of which will feed their collected events back to a
centralized ESM (or to multiple ESM appliances for redundancy and disaster recovery purposes).

ELM - Enterprise Log Manager

The McAfee ELM stores the raw, litigation-quality event/log data collected from data sources configured on Event
Receivers. In SIEM environments where compliance is a success factor, the ELM is used to maintain event chain of
custody and ensure full non-repudiation.

In addition to providing compliant-quality raw event archival, the ELM also supports the full-text index (FTI) for all
event details. The McAfee SIEM supports the ability to perform ad-hoc searches against the unstructured data
maintained in the archive.


ESM/REC/ELM

The ESMRECELM - also called an All-in-One (AIO) or a combo box - provides the combined functions of the
McAfee Enterprise Security Manager (ESM), Event Receiver (REC) and Enterprise Log Manager (ELM) in a single
appliance.

As most SIEM POC deployments are intended to showcase functionality rather than performance, the
ESMRECELM is commonly used to demonstrate the features and ease of use delivered by the McAfee SIEM. It
can be deployed with minimal disruption (single appliance, minimal rack space and power, single network
connection and IP address).

In larger POC or production SIEM environments, a combo box may be inadequate to handle the sizable EPS
performance requirements of an enterprise. The largest ESMRECELM peaks at 5k EPS and provides no local
storage for ELM archive but instead requires supplemental storage by means of a SAN connection, NFS or CIFS
share.

ACE - Advanced Correlation Engine

The ACE provides the SIEM with unmatched advanced correlation capabilities that include both rule- and risk-based
options. In addition to performing real-time analysis, the ACE can be configured to process historical event/log data
against the current set of rule and risk profiles. The ACE provides native risk scoring for GTI (for SIEM) and MRA-
enabled customer environments. It also allows custom risk scoring to be configured to highlight threats performed
against high-value assets, sensitive data and/or by privileged users.

Typical production SIEM deployments will include two ACE appliances: one performing real-time rule and risk
correlation and another configured for historical rule and risk correlation of events.

ADM - Application Data Monitor

The ADM provides layer 7 application decode of enterprise traffic via four promiscuous network interfaces. It is used
to track transmission of sensitive data and application usage as well as detect malicious, covert traffic, theft or
misuse of credentials and application-layer threats.

Not to be confused with a true DLP, the integration with the SIEM provides advanced forensics value by preserving
full transactional detail for sessions violating the user-defined policy managed from within the McAfee ESM common
user interface. Complex rule correlation can leverage policy violation or suspicious application usage events to
identify potential security incidents in real-time.

DEM - Database Event Monitor

The DEM provides a network-based solution for real-time discovery and transactional monitoring of database activity
via two or four promiscuous network interfaces. It works in lieu of, or in parallel with, the McAfee (Sentrigo) agent-
based database activity solution to provide comprehensive, transaction-level database monitoring of user or
application DB usage.


Getting to Know the Intel Hardware


McAfee SIEM 4th Generation appliances are built on the robust Intel server platform and bear a new dark grey
McAfee bezel. Intel SIEM appliance hardware has no front-panel LCD so all configuration must be performed using
an attached keyboard and monitor. (See Step 1)

Rear Appliance Configuration (figure callouts)

1. Primary Power Supply
2. Secondary Power Supply
3. Management NIC 1 (eth0)
4. Management NIC 2 (eth1)
5. Management NIC 3 (eth2)
6. Management NIC 4 (eth3)
7. VGA Video
8. RAID NIC
9. USB Ports
10. IPMI Management NIC

Front Bezel (figure callouts)

1. Power Button
2. Bezel Lock


Installation and Configuration of VM Images


The McAfee SIEM VM guest images are provided for use in ESX (5.0+) environments. Each virtual appliance must
be installed as an OVF template using a licensed copy of VSphere connected to an appropriate installation of
VCenter.

Each guest image contains three files: a VM Virtual Disk file (.vmdk), an Open Virtualization Format Package file
(.ovf) and a Manifest file (.mf). All three VM files should be located in the same directory on the VSphere client
machine.

1. Launch the VSphere client and connect to the VCenter management server hosting the ESX infrastructure.

2. From the File menu, select Deploy OVF Template.

3. Browse to the location of the VM SIEM appliance and select the .ovf file.

4. Click Next >.


5. The OVF Template Details window displays the Product, Download size and Size on disk (both thin and thick
provisioned) for the selected virtual SIEM image.

Click Next >.

6. The Name and Location window allows the unique naming of the virtual SIEM image as well as the location in the
ESX inventory.

7. Click Next >.


8. From the Resource Pool window, select the appropriate ESX resource pool within which you wish to deploy the
virtual SIEM template.

9. Click Next >.

10. From the Storage window, select an appropriate destination for the virtual SIEM image. Make certain you select a
location that has sufficient free disk space to host the entire guest image.

11. Click Next >.


12. From the Disk Format window, choose Thick Provision Eager Zeroed.

13. Click Next >.

14. From the Network Mapping window select an appropriate Destination Network for the guest virtual SIEM appliance
NIC0. (Additional NICs can be configured at a later time).

15. Click Next >.


16. From the Deploy OVF Template Summary window, confirm the virtual SIEM appliance configuration options.

17. Click Next >.

18. As the virtual SIEM appliance is deployed, a progress bar will show the
percent complete.

19. Once the OVF template has been fully deployed, a Success dialog box
will indicate completion.

20. Click Close.


21. To make additional changes to the virtual SIEM appliance guest configuration, click
Edit virtual machine settings.

22. Adjust the Memory, CPUs and/or Network Adapters as appropriate.

NOTE: Each guest virtual SIEM image has a maximum Memory and CPU core limit that cannot be exceeded. It is
possible to configure values from the minimum of 8 GB memory and 8 CPU cores up to the maximum allowed for the
OVF image.


Step 1: Initial Power-Up and Configuration


The first appliance to bring online is the Enterprise Security Manager (ESM). This includes any ESM combo boxes
such as ESM/REC/ELM.

1. Connect the power supplies to a properly grounded outlet (preferably on a sufficient Uninterruptable Power
Supply).

2. Connect a network cable to the Management 1 NIC.

3. Press the power button on the front of the bezel. For VM-based SIEM appliances, power on the guest image.
Wait for the appliance to boot completely.

4. Configure the basic ESM network settings.

Using a keyboard and monitor

i. Connect a VGA monitor and keyboard. For VM-based SIEM appliances, enter Console mode.
The LCD display is mimicked on the monitor/console.

ii. Press ESC on the keyboard to open the configuration menu.

NOTE: The keyboard may appear unresponsive and may require multiple keystrokes to recognize each
key press.

iii. Using the arrow keys on the keyboard, scroll down to MGMT IP Config.
Press Enter.

iv. Configure the MGT 1 IP address using the keyboard (accepts numeric entry).

v. Configure the NETMASK.

vi. Configure the GATEWAY IP.

vii. Save the network configuration.

NOTE: The remaining network configuration (DNS, etc.) can be entered through the GUI.
Repeat the initial configuration process for all remaining appliances.


Step 2: Connecting to the ESM via Web GUI


The McAfee SIEM is managed and maintained entirely through a web/Flash interface.
Following are the minimum requirements for a host connecting to the ESM:

Processor: P4-class Intel (not Celeron) or higher (Mobile/Xeon/Core2/Core i3/5/7) or AMD/AMD2
class or higher (Turion64/Athlon64/Opteron64/A4/6/8)

RAM: 1.5 GB

Browser: IE7.x or later, Firefox 3.0.0.0+, Chrome 12.0.742.91+, Safari 5.1.7+

Adobe Flash Player: Version 11.2.x.x or later

NOTE: Since some features of the web application utilize pop-up windows, it is recommended that you
allow pop-ups for the IP address/hostname of the ESM.

To log into the ESM, follow the steps below.

1. Open a web browser on your client computer.

2. Connect to the IP address specified in the previous section.

3. Accept the security certificate error.


NOTE: All McAfee SIEM appliances ship with a self-signed certificate. The customer can provide a valid security
certificate through the GUI to avoid this certificate error.

4. Click the Login link on the page that opens. The McAfee ESM application
will load and prompt you for a username and password.

5. Choose a default Language.

6. Enter the default username NGCP.

7. Enter the default password security.4u.

8. Accept the EULA.

9. You will then be prompted to change your password.

10. Enter security.4u in the current password field.

11. Enter and confirm a new password of your choice in the new password field.

12. Click OK. The Enable FIPS dialog will appear.

It is highly recommended that you NEVER enable FIPS mode unless absolutely necessary.
FIPS mode must be selected the first time you log on to the system and cannot subsequently be changed after the
initial installation.

13. Answer No to the FIPS dialog, then confirm by answering Yes to the Disable FIPS dialog.


14. Next, a dialog box will open with the following message:

15. Click OK. The McAfee ESM Startup screen will open.

Step 3: Completing the Initial ESM Configuration Wizard


The initial configuration of network settings (IP address, Netmask, Gateway) was sufficient to allow the basic log on
via the web GUI. Additional configuration will be performed by the ESM setup wizard in the following dialogs.

1. Select the system logging language and the time zone setting for the NGCP user.

2. Click Next >.

3. Enter the appropriate DNS values for the ESM to perform name resolution.

4. Click Next >.


5. If a proxy server is required for the ESM to communicate to the Internet, enter the appropriate proxy server
settings.

6. Click Next >.

7. If additional static routes are required for the ESM to communicate, add them from the current screen.

8. Click Next >.


9. If a local Time Server is available, replace the default NTP server IP addresses with a valid network time server
address.

10. Click Next >.

11. Enter the Customer ID and Password provided during POC registration to allow automatic rule updates, place a
check in the Auto Check box and select the update interval.

12. Click Finish.

13. You may see a dialog box indicating that IP address changes were
made that will require redirection. Click OK.

14. A dialog box will appear indicating that the settings will be
saved and services on the ESM will be restarted. When
asked to continue, click Yes.

15. Once the ESM services have restarted, re-enter your password to complete the ESM setup wizard.


Step 4: Performing a Manual Rules Update


For SIEM deployments that do not have access to the public Internet from which to download new rules, a manual
rule update can be performed using the following steps.

1. Download the appropriate rule update file from the McAfee products website:
McAfee [Customer/Partner/SE] Resources > SIEM > MFE Nitro Rules Downloads

NOTE: Rule updates are version-specific. Make certain to download the rules update file for your version of McAfee SIEM.
GTI subscription updates can only be downloaded via the automated rules update process and cannot be manually
updated.

2. From the Rules and Software window, click the Manual Update button.
A file upload window will open.

3. Next, browse to the location of the rule update file from Step 1 and click Upload.

When the rule update has completed you may see the following pop-up dialog window:

NOTE: This dialog may also appear upon future logins to the SIEM after rule updates have been recently applied.

To confirm the last successful update of new rules, check the status on the ESM System Properties window.


Step 5: Configuring Event, Flow and Log Retrieval Polling Interval


Events and flows collected by an Event Receiver are stored locally until requested by the ESM. The frequency with
which this happens is user definable. By default, this polling interval is 10 minutes. When the interval is
reached, all new data is synchronized from the Event Receiver to the master database residing in the ESM.

The best practice in a POC is to reduce this time value to between 1 and 5 minutes to provide a more real-time
analysis of collected event and flow data.

The following steps describe the process.

1. Click the ESM System Properties button in the upper right of the interface.

2. Click Events, Flows and Logs. The Events, Flows and Logs window will open.

3. Adjust the Auto check interval to 5 minutes.

4. Click OK.


Step 6: Configuring ESM Data Allocation Policy


Each McAfee SIEM ESM allocates storage for both Event and Flow data. By default, the ratio of events to flows is
50:50 by volume. Most SIEM deployments require a higher percentage of event allocation than flow.

In order to adjust the database allocation ratio to favor larger event volume, follow these steps.

1. Click the ESM System Properties button in the upper right of the interface.

2. Select the Database menu from the list of options on the left.
Then Click the Data Allocation button.

3. In the Data Allocation window that opens, configure the appropriate event:flow ratio by sliding the arrow right or
left. Right indicates a higher ratio of event data; left indicates a higher ratio of flow data.

4. Click OK.


Step 7: Configuring ESM SMTP Mail Settings


The McAfee SIEM provides the ability to send email notifications based on alarm conditions as well as deliver
scheduled forensics and analysis reports to named recipients. This requires that the ESM be configured with an
operational SMTP server through which email messages will be delivered.

To configure the SMTP server settings, follow these steps.

1. From the ESM System Properties window, select the Email Settings menu option.

2. Enter the necessary configuration settings including the email host, SMTP port, TLS (if required by the SMTP
server), username/password, title (to be used in the email message subject line) and the from address.

3. Confirm the SMTP settings are correct by pressing the Send Test Email button and providing a destination
email account to which the test email will be sent.

4. Click OK to save the SMTP settings.
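As an added illustration of what the Send Test Email check in Step 7 exercises (this is example code, not part of the McAfee guide or product), the following Python script takes the same fields the dialog asks for (email host, SMTP port, TLS, username/password, title and from address), validates them, and sends a test message through the relay over STARTTLS with certificate verification. The host and addresses in the usage block are placeholders; the script refuses to send credentials unless TLS is enabled, so the SMTP password never crosses the network in clear text.

```python
"""SMTP connectivity test mirroring the ESM Email Settings fields.

Added example, not McAfee code. All hostnames and mailboxes below are
constructed placeholders.
"""
import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import formatdate, make_msgid


@dataclass
class SmtpSettings:
    """The fields entered in the ESM Email Settings dialog (Step 7)."""
    host: str
    port: int = 587
    use_tls: bool = True          # STARTTLS, required by many relays on 587
    username: str = ""
    password: str = ""
    title: str = "McAfee SIEM"    # prefixed to the message subject line
    from_addr: str = ""


def validate_settings(s: SmtpSettings) -> list:
    """Return a list of configuration problems; an empty list means OK."""
    problems = []
    if not s.host:
        problems.append("email host is empty")
    if not 0 < s.port < 65536:
        problems.append(f"SMTP port {s.port} is out of range")
    if s.username and not s.use_tls:
        problems.append("username/password set but TLS disabled: "
                        "credentials would be sent in clear text")
    if "@" not in s.from_addr:
        problems.append("from address is not a valid mailbox")
    return problems


def build_test_message(s: SmtpSettings, to_addr: str) -> EmailMessage:
    """Construct the test message the relay will be asked to deliver."""
    msg = EmailMessage()
    msg["From"] = s.from_addr
    msg["To"] = to_addr
    msg["Subject"] = f"[{s.title}] SMTP connectivity test"
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    msg.set_content(
        "This is a test message sent to confirm that the ESM can reach its "
        "configured SMTP relay. If you received it, alarm and report "
        "notifications can be delivered to this mailbox."
    )
    return msg


def send_test_message(s: SmtpSettings, to_addr: str, timeout: float = 10.0) -> dict:
    """Deliver the test message; returns smtplib's dict of refused recipients
    (empty on success). Raises ValueError if the settings are unsafe."""
    problems = validate_settings(s)
    if problems:
        raise ValueError("; ".join(problems))
    msg = build_test_message(s, to_addr)
    with smtplib.SMTP(s.host, s.port, timeout=timeout) as smtp:
        smtp.ehlo()
        if s.use_tls:
            # Default context verifies the relay's certificate against the
            # system trust store and rejects hostname mismatches.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        if s.username:
            # Only reached when TLS is active (enforced by validate_settings).
            smtp.login(s.username, s.password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder relay values; replace with the customer's SMTP server.
    settings = SmtpSettings(host="smtp.example.com", port=587, use_tls=True,
                            username="siem-notify", password="REPLACE_ME",
                            title="McAfee SIEM POC", from_addr="siem@example.com")
    print(validate_settings(settings) or "settings look sane")
    # send_test_message(settings, "soc-admin@example.com")
```

The `validate_settings` check is the part worth keeping around: the GUI will happily accept a username and password with TLS unchecked, and the only symptom is an SMTP AUTH exchange in clear text on port 25.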


Step 8: Configuring ESM Backup Settings [Optional]


By default, the McAfee SIEM performs automatic backups of the ESM configuration every 7 days. The default
backup location resides on the ESM appliance. It is generally best practice to schedule data and log backups in
addition to configuration backups to a secondary host storage platform. This ensures that a reliable restoration can
be performed in the unfortunate event of a catastrophic failure of the ESM and that the backup files do not consume
precious storage on the ESM.

To configure the ESM backup settings, follow these steps.

1. From the ESM System Properties window, select the System Information menu option.

2. Click Backup & Restore. The Backup & Restore window will open.

3. Update the backup frequency (default every 7 days).

4. Select Backup Data for Events and Event Logs.

5. Select the radio button for Remote Location and provide the necessary CIFS/NFS location details including the
remote IP address, share name, path, and credentials (CIFS only).

6. Confirm the ESM can communicate to the remote location using the Test Connection button.


Step 9: Adding (Keying) Additional SIEM Appliances


NOTE: This step may be skipped if the POC platform being evaluated is limited to an All-in-One (AIO) platform such
as the ESM/REC/ELM, since that appliance has the combined functionality of the ESM, Event Receiver and Log
Manager. If an AIO appliance is being installed AND additional appliances are to be evaluated (ACE, DEM, ADM,
dedicated ELM), then this step must be performed.

The McAfee SIEM solution is comprised of several platforms, each performing a specialized function. The
combined value of all of the discrete components makes the McAfee SIEM solution stand apart from any competitive
solution.

The process of connecting additional appliances to the McAfee SIEM platform is known as keying since the
provisioning activity creates/exchanges a unique SSH key for each attached device. This ensures a secure,
encrypted path of communication between the ESM and all subordinate SIEM appliances.

The following steps must be completed for each subordinate appliance added to the SIEM environment.

1. Click the Add Device button from the Actions Toolbar in the upper right of
the user interface.

NOTE: The Actions Toolbar is context-sensitive and will change based on the
object selected in the system tree. Be certain to have either the Physical
Display or the Local ESM selected for this step.

2. From the Add Device Wizard window, select the subordinate device to be added (e.g. McAfee Event Receiver).

3. Click Next >.

4. Provide a unique name for the device being added. This will be
the name used in the System Tree.

5. Click Next >.

6. Provide the IP address and communication port assigned to the appliance.

NOTE: The default communication port assigned to all McAfee SIEM appliances is 22. This can be modified to a
TCP port of the customer's choosing, though all communication between the ESM and a subordinate SIEM
appliance will still utilize the SSH/SCP application protocol. Make certain any firewall or network device placed
between the two devices has the appropriate rules and/or ACL filters required to permit communication on this
port.

7. Click Next >.


8. Click the Key Device button.

9. Provide a customer-assigned password for the device. The root user account on the subordinate appliance will
be assigned this password.

NOTE: It is helpful for administrative purposes to assign the same password to the NGCP account as well as all
subordinate device keys.

10. Click Next >.

11. When the device has been successfully keyed, a confirmation window will open offering to Export Key or view
the device Properties.

12. Click Finish.

13. Repeat this process for all subordinate devices to be
added as part of the POC.

NOTE: If during the keying process an error dialog is displayed claiming the SSH
connection failed or a similar error message, follow these steps to troubleshoot.

1. Confirm that network link connectivity exists between the new device (MGMT
NIC 1) and a working switch port.

2. Confirm that the network switch port connecting the ESM and the switch port connecting the new device are
either on the same VLAN or, if separated by a layer 3 device, that the appropriate routing is configured to
support communication between the two devices.

3. If the ESM and the device being added are separated by a firewall or IPS, make certain there are no traffic rules
that would prevent communication over the designated port (default: 22).

4. If the POC deployment is taking place in an ESX-based virtualized environment, it may be necessary to simply
repeat the keying process a second time. In many cases, the first attempt creates the ARP entry in the vswitch
but not until the second attempt will traffic be passed between the ESM and new SIEM device permitting the
proper key exchange.


Step 10: Configuring Event Inactivity Settings


The McAfee SIEM can generate a health status alert when a device stops communicating or when a configured data
source stops collecting events for a specified period of time (30 minutes by default). It is helpful in POC
deployments to disable the inactivity timer, as the event volumes typically observed in evaluations may be lower than
in a production SIEM.

The following steps should be performed to disable the Event Inactivity settings.

1. Click the System Properties button in the upper right of the interface.

2. Click Events, Flows & Logs. The Events, Flows & Logs window will open.

3. Click the Inactivity Settings button.
The Inactivity Threshold window will open.

4. Place a check in the Inherit option box for the ESM object. This will
force all devices and subsequent data sources added to the SIEM
to inherit the System Inactivity Threshold which is set to Days: 0,
Hours: 0, Minutes: 0.
This effectively disables the SIEM Inactivity health status warnings.


Step 11: Adjusting Default Port Index Settings


The McAfee SIEM is configured, by default, to index only ports 1-1024. This will sometimes be exhibited in the user
interface as a value described as others. Best practice in a POC is to enable indexing for all ports.

The following steps must be followed to enable indexing on all ports.

1. Click the System Properties button in the upper right of the interface.

2. Click Database.

3. Click Settings. The Database Indexing window will open.

4. Click the word Custom under the Events/Port heading. An option box will open.

5. Click All from the option box.

6. Repeat the process for Flows/Port, modifying the setting from Custom to All.

7. Click OK.


Configuring Common Data Sources for Event Collection


Multi-vendor event collection is performed by the McAfee Event Receiver. Each device from which event, flow or log
data is to be collected must be defined as a Data Source on a specific Receiver.

There are several methods that can be used to add a Data Source to an Event Receiver for collection: one at a
time from the Action Toolbar, multiple sources from the Data Source section of the Event Receiver Properties
window, bulk creation via CSV file import, and Auto Learn.

The following steps will describe the simplest way to add a single Data Source to a Receiver to begin event and log
collection (one at a time from the Action Toolbar), as well as any additional configuration steps required to perform
event/log/flow collection by the SIEM.

Configuring a SYSLOG Data Source


Most POC deployments will require at least one Data Source of type SYSLOG. Most event sources such as
firewalls, intrusion detection/prevention systems and Linux hosts will support forwarding logs and events to a
collection platform; in this case the McAfee Event Receiver will be the destination of all forwarded events.

NOTE: As an example, the following steps would be necessary to add event collection for a Linux host via
SYSLOG.

1. Configure the Linux Data Source to forward all necessary events and logs to the IP address assigned to the
Event Receiver. Refer to the vendor-supplied instructions for each Data Source to determine the appropriate
steps necessary to perform this event forwarding.

2. From the System Tree, select the Event Receiver on
which you will be configuring the SYSLOG Data Source.

3. Click the Add Data Source button from the Action
Toolbar located in the upper left of the interface. The Add
Data Source window will open.


4. From the Data Source Vendor dropdown menu,
select UNIX.

5. From the Data Source Model dropdown menu, select
Linux (ASP).

6. Enter a Name to be used for this Data Source.

7. Enter the IP Address from which this Data Source will
be sending SYSLOG data.

8. Set the appropriate Time Zone in which this Data
Source resides.

NOTE: Most Data Sources do NOT require any
modification to the Data Format, Data Retrieval method,
SYSLOG Relay, Mask or any additional fields presented
in the Add Data Source dialog.

9. A dialog box will open warning that a Policy Rollout will be
required for this Data Source to properly function. Click Yes.


10. A dialog box will open indicating that the new Data Source
configuration must be written to the Receiver.
Click Yes.

11. A dialog box will open offering to roll out
policy to the newly created Data Source.
Click OK.

12. Once complete, a dialog box will open indicating the
successful rollout of the new policy. Click Close.

13. To confirm event collection from the newly created Linux
Data Source, select the
Linux Host from the Device Tree.
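Step 1 above leaves the Linux-side forwarding configuration to the vendor documentation. As an added example that is not part of the McAfee guide, the following rsyslog fragment forwards all local syslog messages from a Linux host to the Event Receiver. The Receiver address 192.0.2.10 (a documentation placeholder) and the listening port 514/tcp are assumptions; replace them with the address entered in step 7 and the port the Receiver is actually listening on.

```conf
# Added example, not from the McAfee guide. Save as /etc/rsyslog.d/90-siem.conf
# on the Linux host and restart rsyslog. 192.0.2.10 is a placeholder for the
# Event Receiver's IP address; 514/tcp is assumed to be its syslog listener.

# Spool directory for the disk-assisted queue below, so events are retained
# locally while the Receiver is unreachable (for example during an update).
global(workDirectory="/var/spool/rsyslog")

# Forward every facility and severity (*.*). TCP gives delivery feedback that
# plain UDP does not; use protocol="udp" only if the Receiver data source was
# defined for UDP.
*.* action(type="omfwd"
           target="192.0.2.10" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="siemfwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
```

Validate the file with `rsyslogd -N1` before restarting, then send a test message with `logger -t siemtest "POC forwarding check"` and look for it under the Linux Host in the Device Tree (step 13). The Receiver matches incoming syslog to a Data Source by source IP address, so the address entered in step 7 must be the address the Receiver actually sees; a NAT device between the host and the Receiver will cause the events to be attributed to the wrong source or dropped.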


Creating a Windows Data Source Profile


The McAfee SIEM provides a facility to store commonly used profiles for such attributes as Windows Account
Credentials and data storage mount parameters (CIFS, NFS, etc.). This allows the SIEM administrator to enter the
required profile information in a central location which is later referenced by the SIEM when necessary.

One of the most useful profiles to configure is that of a Windows Data Source. The Windows profile stores the
credentials and log collection details that can later be used when defining a Windows (WMI) data source in the
Event Receiver. By using a profile during the creation of a Windows data source, the SIEM operator need not enter
the credentials but instead, assigns the attributes of the profile to the data source. This also allows for the
credentials to be maintained in a central location and any modifications to the username/password can be made
once within the profile and all data sources making reference to the profile will automatically utilize the modified
values.

The following steps must be taken to create a Windows Data Source Profile.

1. Click the System Properties icon from the Quick Launch menu in the
upper right of the interface.

2. Click Profile Management.

3. Click the Add button. The Add System Profile window will open.

4. From the Profile Type dropdown menu, select Data Source.

5. From the Profile Agent dropdown menu select Windows.

6. Enter a Profile Name.

7. Enter a Username. This can be a local account or domain account credentials.

8. Enter a Password.

9. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.

10. Click OK. Close the System Properties window.


Configuring a Windows Data Source


There are several methods that can be used to add a Data Source to an Event Receiver for collection: one at a
time from the Action Toolbar, multiple sources from the Data Source section of the Event Receiver Properties
window, bulk creation via CSV file import, and Auto Learn.

The following steps will describe the simplest way to add a single Data Source to a Receiver to begin event and log
collection: one at a time from the Action Toolbar.

1. From the System Tree, select the Event Receiver on
which you will be configuring the Windows Data Source.

2. Click the Add Data Source button from the Action
Toolbar located in the upper left of the interface.
The Add Data Source window will open.

3. To use the Windows Data Source Profile created in the
previous step:

a. Place a check mark in the Use System Profiles option box.


The Add Data Source window will populate the Data Source Vendor (Microsoft),
Data Source Model (WMI Event Log), Username, Password and Event Log details defined in the Profile.

4. To define a Windows Data Source without using a profile:

a. From the Data Source Vendor dropdown menu, select Microsoft.

b. From the Data Source Model dropdown menu, select WMI Event Log.

c. Enter a Username with sufficient privileges to connect to the Windows host and retrieve the WMI logs.

d. Enter the Password.

e. In the Event Logs field, enter SYSTEM,SECURITY,APPLICATION.

5. Enter a Name to be used for this Data Source.

6. Enter the IP Address for the Windows host.


NOTE: For Windows hosts that acquire an IP address from DHCP, this field can be left blank. The SIEM will
perform a DNS lookup using the hostname to obtain the current IP address at each polling interval.

7. Enter the NETBIOS Name assigned to the Windows host.


Example: If the DNS name is hostname.domain.com, the NETBIOS name will likely be just hostname.


8. Click the Connect button to test the connection to the Windows Data Source.

9. If the connection attempt is successful, a dialog box will open
indicating that the Windows Data Source configuration is correctly
configured to support event collection from the Windows host AND
that the credentials provided are sufficient to retrieve the defined
WMI logs.

10. If the connection attempt fails, a dialog box will open to provide
details that can be used to troubleshoot the connection. Common
connection problems include incorrect IP Address or NETBIOS
name, improper user credentials or insufficient user privilege
necessary to retrieve the defined WMI log source. Correct any
errors and re-test the WMI connection until the response is
successful.


11. Once the WMI Connection Test is successful, click OK. The Apply Data Source Settings dialog box will open.

12. Click Yes to apply the Windows Data Source configuration to the
Event Receiver.

13. Once the Windows Data Source has been written to the
Event Receiver, a dialog box will open to confirm.
Click Close.

14. Since a new event collection source has been configured on the Event Receiver, the policy must be rolled out to
support the event formats associated with the Windows Data Source. The Rollout Policy window will open
listing the Data Sources defined on the Event Receiver that must be applied for event collection to begin.

NOTE: Some Data Sources in the list may read "Skip: This policy is up to date" while others, like the Windows
Data Source recently added, will read "Roll this policy out now". The SIEM is intelligent enough to know which
Data Source policies are new or recently modified and must be rolled out, and will skip those policies that are
current.

Click OK to roll out policy to the Event Receiver Data Sources.


Creating a McAfee ePolicy Orchestrator Data Source


The McAfee SIEM supports event collection from ePolicy Orchestrator via a connection to the ePO SQL database.
To define an ePO Data Source connection, you will require a SQL account on the ePO database server with
sufficient privilege to read from the ePOEvents table.

The following outlines the configuration steps required on the ePO Database server.

1. Ensure that a SQL Login account is available with appropriate privilege to the McAfee ePO database. For this
example, an account named epo has been created using SQL authentication and a Default Database set to
that of the ePO database.

2. Configure the appropriate User Mapping,
granting Public and db_datareader roles to this
user.
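Steps 1 and 2 above describe the result (a SQL-authenticated login named epo, defaulting to the ePO database, with only public and db_datareader membership) without showing how to produce it. As an added example that is not part of the McAfee guide, the following T-SQL creates that least-privilege login on the ePO database server. The database name ePO4_MCAFEE and the password placeholder are assumptions; substitute the real database name and a strong password.

```sql
-- Added example, not from the McAfee guide. Run as a sysadmin on the ePO
-- database server. ePO4_MCAFEE is an assumed database name; replace the
-- password placeholder before running.
USE [master];
GO
-- SQL-authenticated login whose default database is the ePO database, as the
-- guide's step 1 describes. CHECK_POLICY enforces the host password policy.
CREATE LOGIN [epo]
    WITH PASSWORD = N'<replace-with-strong-password>',
         DEFAULT_DATABASE = [ePO4_MCAFEE],
         CHECK_POLICY = ON;
GO

USE [ePO4_MCAFEE];
GO
-- Map the login to a database user. Every database user is a member of
-- public automatically; db_datareader is the only role added, which is all
-- the Receiver needs to read from the ePOEvents table. No write or DDL
-- permission is granted, so a compromised SIEM credential cannot alter ePO.
CREATE USER [epo] FOR LOGIN [epo];
EXEC sp_addrolemember N'db_datareader', N'epo';
-- On SQL Server 2012 or later the equivalent is:
--   ALTER ROLE [db_datareader] ADD MEMBER [epo];
GO

-- Verify the effective role membership before handing the credentials to
-- the SIEM; the expected result is a single row, db_datareader.
SELECT r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'epo';
GO
```

If the verification query returns additional roles (for example db_owner), remove them before continuing; the SQL credentials are stored on the Receiver, so the login should carry no more privilege than the read access the data source requires.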


The following outlines the configuration steps required to add the ePO Data Source to the McAfee SIEM running
version 9.2.0 or higher.

1. With the Physical Display selected on the
System Tree, click the Add Device button from the Action Toolbar
located in the upper left of the interface.

The Add Device Wizard window will open.

2. From the Add Device Wizard window, select McAfee ePolicy Orchestrator (v4.6 or newer)
and click Next.

NOTE: Depending upon the appliance deployed in the POC, some of the device options may not be available,
as indicated by the device type being greyed out. This is expected in POC installations deployed using an
All-in-One combo appliance.


3. Enter a Name for this ePO Data Source.

NOTE: Each application installed in ePO (VSE, HIPS, etc.) will be added to the ePO data source as children using
this name as a prefix.
Example: McAfee ePO_VirusScan, McAfee ePO_Application and Change Control, etc.
To prevent these child data source names from becoming truncated, use a short descriptive name for the parent
ePO data source.

4. Click Next.


The ePO data source requires information relating to both the ePO Application Server and the ePO Database
Server. In some ePO deployments this may be the same host; however, appropriate credentials must be supplied
individually for each. Application credentials are used for the purposes of connecting to the ePO server to apply
policy tags, while database credentials are used by the SIEM to retrieve events for analysis, correlation and
reporting.

The Wizard will prompt you for both the Application details as well as the Database details on separate windows
starting with the ePO Application information.

5. Select the Receiver on which this ePO data source will
reside.

6. Enter the IP Address of the ePO Application Server.

7. Enter the appropriate Application Port (default is 8443).

8. Enter the Application Username.

NOTE: The ePO user provided must have Group Admin
privileges assigned within ePO.

9. Enter the Password assigned to this ePO user.

10. Click the Connect button to test the connection to the ePO
application. If the connection is completed successfully, a
confirmation dialog box will open. Click Close.
If the connection test is unsuccessful, verify the ePO user credentials
and privileges.

11. Click Next.


The Wizard now prompts you for the ePO Database details.

12. Enter the IP Address of the ePO Database Server.

13. Enter the User ID of the SQL Login Account created
earlier.

14. Enter the Password assigned to the SQL Login Account.

15. Enter the appropriate SQL Communication Port
(default is 1433).

16. Enter the ePO Database Name.

NOTE: If the ePO Database Name contains a hyphen, the
value entered MUST be surrounded by square brackets.
Example: [ePO4_MCAFEE-123]

17. If multiple SQL instances are present on this database
server, enter the unique Database Instance associated
with ePO.

18. Click the Connect button to test the connection to the ePO database.
If the connection is completed successfully, a confirmation dialog box
will open. Click Close.
If the connection test is unsuccessful, verify the SQL credentials and
privileges.

19. Click Next.


20. A dialog box will open regarding the use of McAfee Risk Advisor
data within the SIEM.
The McAfee SIEM can utilize Risk Advisor asset reputation
scoring as a component of a Risk Correlation policy. If Risk
Advisor is present in the ePO installation AND if the Advanced
Correlation Engine is being deployed with the SIEM, click Yes.

21. Once complete, the Add Device Wizard will present a status window indicating that the ePO data source was
successfully added and configured.

22. Click Finish.

23. Expand the new ePO Data Source in the Device Tree to
confirm the connection to the ePolicy Orchestrator host and
to identify the McAfee products that were found to be
installed.


Configuring Advanced ePO Integration


The McAfee SIEM supports the ability to launch ePO directly from the SIEM interface to view endpoint details as
defined within ePolicy Orchestrator. The following outlines the steps necessary to complete this configuration.

NOTE: This configuration example assumes a single ePO server with a local SQL database. In configurations
where the ePO server is connected to a secondary SQL DB server, please contact McAfee support for assistance.

1. Click the Asset Manager icon from the Quick Launch menu in the upper
right of the interface.

2. Select the Network Discovery tab.

3. Next click the Homenet button.

4. In the Homenet dialog box that appears, enter the subnet(s) that
represent the ePO managed endpoints.

NOTE: CIDR notation can be used to identify subnet ranges and
multiple address ranges can be identified using a
comma-separated array.

5. Click OK to accept the Homenet settings.

6. Click OK to close the Asset Manager.


Testing Advanced ePO Integration


Once the McAfee SIEM has been configured with at least one ePO data source and the Homenet value has been
defined within the Network Discovery section of the Asset Manager, the SIEM will allow the operator to launch the
ePO interface from within the Security Management platform to view asset details specific to a given endpoint.

1. From the SIEM user interface, select an IP
address representing a managed asset
within ePO.

2. Click the Menu button in the upper left of the Source IP Address
component.

3. From the menu that appears, select Actions, then View in ePO.

4. If multiple ePO servers are defined in the McAfee SIEM, an
additional dialog box will open requiring the ePO server to launch.
Make the appropriate selection and press OK.


5. The ePO interface will open in a new browser window requiring
authentication. Enter the appropriate ePO credentials to log
into the ePolicy Orchestrator interface.

6. Once authenticated, the ePO asset information window will open displaying the information related to the
endpoint selected in the McAfee SIEM.


In addition to viewing the managed endpoint within ePO, McAfee SIEM also supports the assignment of ePO policy
tags directly to assets from within the SIEM console.

1. From the SIEM user interface, select an IP address representing a managed asset within ePO.

2. Click the Menu button in the upper left of the Source IP Address
component.

3. From the menu that appears, select Actions,
then ePO Tagging.

4. Select an appropriate policy tag from the list and
click the Assign button.

Optionally, the client wakeup can be performed
by the SIEM once the ePO policy tag has been
assigned to the endpoint.


Advanced SIEM Configuration


The following section details some of the more common advanced configuration or maintenance tasks of the
McAfee SIEM.

Preparing for a SIEM Software Update


Once all subordinate SIEM devices have been keyed to the ESM, consider the requirement to perform any updates
to the platform codebase. McAfee SE resources as well as customers can refer to the Product Download pages on
the McAfee website to determine the latest code version available for the SIEM.

NOTE: Important information relating to the SIEM update process can always be found in the version release notes.
Make certain to carefully read the published documentation prior to initiating the update process.

Code updates are made available as a single tarball file, along with a corresponding hash file that can be used to
confirm the integrity of the downloaded file. Each discrete platform in the McAfee SIEM suite has
a unique code update path. Since ALL appliances connecting to the SIEM solution must be running the same
version of code, it is important to obtain all tarball files necessary to perform an update to each of the appliances
used in a POC.

The following table describes the SIEM appliance and corresponding upgrade file requirements.

Platform        Update Tarball                      Recommended Order

ESM             ESS_Update_X.x.x.signed.tgz         1

ESM/REC/ELM     ESSREC_Update_X.x.x.signed.tgz      1

REC             RECEIVER_Update_X.x.x.signed.tgz    2

ELM             RECEIVER_Update_X.x.x.signed.tgz    2

ACE             RECEIVER_Update_X.x.x.signed.tgz    2

ADM             APM_Update_X.x.x.signed.tgz         3

DEM             DBM_Update_X.x.x.signed.tgz         3

The McAfee ESM maintains a file repository into which all code update tarball files can be uploaded. Once
uploaded, each tarball update can be applied to the appropriate device from within the SIEM user interface either
individually or, in the case of multiple devices of the same type, en masse.

The order in which SIEM appliances are updated must be determined by reviewing the release notes published with
each update. In most circumstances, when multiple appliances in a SIEM hierarchy are to be updated, it will be
necessary to start with the ESM (or ESM/REC/ELM). Once complete, any Event Receiver appliances should be
updated to the new version, including any ELM or ACE appliances since they share the same Receiver codebase.
Lastly, any additional subordinate appliances such as ADM or DEM should be updated.

During most major (and some minor) updates, it will be necessary for the master ESM database to be rebuilt as part
of the automated code update process. Depending upon the amount of data residing in the ESM database, this
process can take anywhere from 30 minutes to several hours. In POC environments where the event volume will
likely be minimal, the database rebuild process should complete in under an hour.


The following steps must be completed to perform a code update on one or more SIEM appliance.

1. Determine which update tarball files will be required and download
from the McAfee product download site.

Example: This SIEM environment consists of a standalone ESM and a
standalone REC. Both the ESS_Update and the RECEIVER_Update
tarball files would be required.

2. Click the System Properties button in the upper right of the interface.

3. Click File Maintenance.

4. From the File Type dropdown menu, select Software Update Files.

5. Click the Upload button. The File Upload window will open.

6. Browse to the location of the tarball update. Select a single tarball file and click Upload.

7. Repeat for each update file until all required tarball images have been uploaded to the repository.


Performing a SIEM Software Update: ESM

1. Click on ESM Management.

2. Click the Update ESM button.

3. Select the ESS_Update_X.x.x signed tarball file.

NOTE: If the POC is being performed on an ESM/REC/ELM combo, select the ESSREC_Update_X.x.x signed
tarball.

4. Click OK.

5. A dialog box will open warning that the ESM will reboot during the update
process and all active connections will be dropped. Click Yes to proceed.

6. A dialog box will open indicating that the update process has been initiated
and instructing you to close the browser window.

7. Click OK.

8. Close the browser window.

9. The ESM will reboot multiple times to perform the update process.
Once the update is complete, open a web browser on your client
computer.


10. Connect to the IP address of the ESM.

11. Click the Login link on the page that opens.

12. You will likely be prompted with a dialog box indicating that you
must clear your browser cache. Press CTRL-SHIFT-DEL and
clear the most recent browser cache.

13. Click the Login link once again. The McAfee ESM application will
load and prompt you for a username and password.

14. If the ESM is still performing any portion of the code update, you
may be presented with an error indicating that the system is not
ready. Simply wait another minute and attempt once again to log
into the SIEM.

15. Once the server is ready and your credentials are accepted, you will
likely see a dialog box indicating that you have recently performed an
upgrade and instructing you to read the necessary release notes to
determine if additional actions are required.

16. Continue with the update process on each of the remaining SIEM
appliances, starting with any Event Receiver devices (REC, ACE, ELM),
then continuing with any remaining device (ADM, DEM).

NOTE: If the POC is being performed on an ESM/REC/ELM combo you can proceed to
Step 12 as the ESSREC_Update tarball provides both the ESM as well as REC feature update.


Performing a SIEM Software Update: REC, ELM, ACE, ADM, DEM


The following steps must be performed to update any subordinate SIEM appliances.

1. From the System Tree, select the appliance to be updated.

NOTE: A yellow flag icon shown beside an appliance is an
indication that the device is out of sync until it has been updated.

2. Click the Device Properties button from the Actions Toolbar.
The device properties window will open.

3. Click Receiver Management.

4. Click the Update Device button. The Select Software Update
File window will open.

5. Select the appropriate tarball update file.

6. Click OK.


7. A dialog box will open indicating that the device will reboot when the
update process begins.

8. Click YES.

9. The device will restart. A dialog box will open, counting down
from 3 minutes while the device update is applied.

NOTE: If the device has not completely updated after 3
minutes, the counter will restart. You must wait until the
device has fully updated and communication has been
restored to continue.

10. A dialog box will indicate the successful restart of the device
once connectivity has been restored.

11. Click OK.

12. After the successful update of an Event Receiver appliance, it is necessary to perform additional configuration
updates.

13. Click on Data Sources.

14. Click the Write button.


15. After successfully writing the Data Source configuration, a
dialog box will open indicating the Command Executed
Completely.

16. Click the Close button.

17. Click OK.

Repeat these steps to apply all necessary update tarball files to remaining subordinate devices.

Configuring Event-Specific Aggregation


Even with the Event Receiver event aggregation set to dynamic, there are certain events that should never be
allowed to aggregate during a POC (and potentially in a production SIEM deployment). In particular, the following
types of events should be set to NOT aggregate in order to guarantee the highest visibility for each event.

a. Authentication Events: events describing user login/logoff activities.

b. Exploit Events: events describing potential Exploit behaviors.

c. Malware Events: events describing potential Malware activities.

d. Correlated Events: events generated from the Correlation Engine.

The McAfee SIEM classifies each event collected in accordance with a default Normalization Taxonomy. The
taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit,
Informational, Malware, Policy, Recon, Suspicious Activity, System and unknown. Each first-tier group is then
broken down further into sub-groups and even further as necessary, each lower tier representing more specific
event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications
in that branch are included in the selection. This allows the operator to select a more general event group, such as
Authentication, and all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login,
Database Login, Domain Login, etc.) of the Authentication parent will also be included in the selection.

Additionally, it is recommended that event aggregation be disabled for all correlated events.
Rule-based event correlation performs pattern-matching using complex Boolean expressions to identify known
patterns of possible attacks. Since each correlated event will correspond to a sequence of events analyzed by the
SIEM, it is beneficial to maintain full granularity for all events generated by the McAfee correlation engine.

Custom aggregation can also be defined to tune specific event aggregation settings based on user-selected fields.
Please refer to the ESM help documentation for more information regarding setting custom aggregation values.


The following steps must be followed to disable event-specific aggregation for these normalized event categories.

1. Click the Policy Editor button from the Navigation Bar located in the upper
right of the user interface. The Policy Manager window will open.

NOTE: The policy manager groups events into various Rule Types
including Advanced Syslog Parser, Data Source and Windows Events. The
following steps will need to be performed against each of these event type branches.

2. Expand the Receiver object from the Rule Types panel and select Data Source.


3. Click the Advanced bar at the bottom right of the Policy Editor window beneath the Filters/Tags panel. This will
hide the Tags and display the Advanced filters panel.

4. Click the Filter button to the right of the Normalized ID form field.
The Filter Variables window will open to display the top-tier Normalized event categories.

5. While holding the CTRL key, select each of the Normalized
categories Authentication, Exploit and Malware.

6. Click OK.

7. This will populate the Normalized ID form field with the IDs
associated with the selected event categories.


8. Click the Run Query icon to refresh the list of Advanced Syslog
Parser rules which will now be filtered to display ONLY those event
rules matching the categories selected from the Normalized
Taxonomy filter.

9. To disable Event Aggregation for the refined list of Data Source rules, click the Aggregation column heading.
The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).

10. Click the Off menu option.

11. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.

12. Click Yes to confirm the modification.

13. All Data Source rules in the filtered list will now have the Aggregation
attribute set to Off (disabled).


14. From the Rule Types panel, select Windows Events.

NOTE: The filter panel will preserve the current selection of Normalized categories. The resulting list of Windows
Event rules will inherit the previous filters of Authentication, DoS, Exploit and Malware.

15. Once again, click the Aggregation column heading. The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).

16. Click the Off menu option.

17. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.

18. Click Yes to confirm the modification.

19. All Windows Event rules in the filtered list will now have the
Aggregation attribute set to Off (disabled).


20. From the Rule Types panel select Correlation.

21. Next, clear the filters by clicking the orange funnel icon in the upper right of the Correlation Rules panel.

22. Once again, click the Aggregation column heading. The action window will open to present three options:
Inherit parent value, On (enable) or Off (disable).

23. Click the Off menu option.


24. A dialog box will open, prompting for confirmation to modify the settings
for the entire list of filtered rules.

25. Click Yes to confirm the modification.

26. All Correlation rules in the list will now have the Aggregation attribute
set to Off (disabled).

NOTE: If the Event Receiver is already configured with any Data Sources, it will be necessary to perform a Policy
Rollout after making changes to the rule Aggregation settings. To do so, complete the following additional steps.

a. Click the Rollout icon on the Action Bar in the upper right of the Policy
Editor window. The Rollout window will open.

b. Click OK.

c. The new Aggregation settings will be rolled out to all Event Receiver
data sources.

d. Close the Policy Editor.


Configuring Rule-Based Correlation on an Event Receiver


Rule-based Event Correlation can be performed on any available McAfee Event Receiver and/or on a dedicated
Advanced Correlation Engine appliance. In a POC where an ESM/REC/ELM combo is being deployed OR when a
dedicated ESM and REC is used without an ACE, the following steps must be followed to enable rule-based event
correlation on the Event Receiver as a data source.

1. Click on any available Event Receiver from the System Tree.

2. Click the Add Data Source button from the Actions Toolbar. The Add
Data Source window will open.

3. From the Data Source Vendor dropdown, select McAfee.

4. From the Data Source Model dropdown, select Correlation Engine.

5. Enter a Name for this Correlation Data Source.

6. Click OK.

7. A dialog box will open indicating that Data Source Settings have changed
and must be applied to the Event Receiver. Click Yes.

8. When the Data Source Settings have been written to the Event
Receiver, a dialog box will provide confirmation. Click Close.

9. Since each Data Source must have a policy applied, the Rollout
window will appear. It is a requirement that policy be properly rolled
out to the Event Receiver and all corresponding Data Sources after making any changes. Click OK.


Connecting the SIEM to a Windows Domain Controller


One of the most relevant forms of event context in a SIEM is user identity, and the most common source for
this context in an enterprise is the Active Directory database maintained by a Windows Domain Controller.
By connecting the DC to the SIEM, operators can issue filtered queries against specific domain users and/or groups
as well as include user and group context within a correlation rule. Examples of this will be provided in a later
section of this document.

To connect the SIEM to a Windows DC, the following steps must be taken.

1. Click on the Asset Manager icon from the Quick Launch menu. The Asset
manager window will open.

2. Select the Asset Sources tab.

3. Select the ESM object from the list of available devices. It is from this
device that the Active Directory connection will be made.

4. Click the Add button.

5. Enter a Name for the Domain Controller.

6. Enter the IP Address of the Domain Controller.

7. Enter an authorized Username in the format user@domain.tld. A dedicated service account with read access to
the directory is sufficient; enumerating users and groups does not require administrative rights.

8. Enter the Password used by this user to authenticate.

9. Enter the appropriate Search Base that will be used to enumerate the domain groups and users.
Example: dc=domain,dc=tld.

10. Configure the retrieval interval and time. The default settings
will query the Active Directory once daily at midnight.

11. Click the Connect button to test the connection to the Domain
Controller.


12. If the connection test is successful, a dialog box will open to confirm. Click
OK.

13. If the connection to the Domain Controller is unsuccessful, a dialog box will open
indicating that the connection test failed. If this happens, confirm the IP address of
the Domain Controller, the port number over which the LDAP query will occur
(default 389), the username (in the correct username@domain.tld format), the
password and the Search Base. Determine from the customer if TLS is required to
connect to this Domain Controller and, if so, enable it using the check box provided
on the Asset Data Source form. Note that without TLS the simple bind sends the
account password in cleartext to port 389, so TLS should be preferred wherever the
Domain Controller supports it.

14. Once the connection test to the Domain Controller is successful, click OK.

15. Click the Write button in the bottom left of the Asset Sources window. The Writing changes to device window
will open.

16. After the changes have been successfully written to the device, click Close.

17. Select the newly created Active Directory Domain Controller from the list of available asset sources.

18. Click the Retrieve button.


19. A Dialog box will open indicating that the Active Directory user and group data is being retrieved. Depending on
the size of the customer Active Directory, this process may take several minutes or longer to complete.

20. When the Active Directory data retrieval has successfully completed, a
dialog box will open.
Click OK.

21. Close the Asset Manager window.
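The checks listed in step 13 can be run from a shell before the Asset Sources form is filled in. The script below is an added example and is not part of the McAfee guide; it reproduces, with the OpenLDAP ldapsearch client, the simple bind and group lookup the ESM performs, so that the username format, Search Base, port and TLS setting can be verified independently of the SIEM. The host 10.0.0.10, the account svc-siem@corp.example.com and the script file name are hypothetical.

```shell
#!/bin/sh
# ldap_preflight.sh - added example, not from the McAfee guide.
# Verifies a Domain Controller connection the way the SIEM Asset Source will
# use it: simple bind as user@domain.tld, Search Base dc=...,dc=..., port 389,
# optional StartTLS. Requires the OpenLDAP ldapsearch client on PATH.
# Host and account values used at the bottom are hypothetical.

# The form expects an AD userPrincipalName: user@domain.tld.
validate_upn() {
  case "$1" in
    ?*@?*.?*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Domain part of a UPN: svc-siem@corp.example.com -> corp.example.com
upn_domain() {
  printf '%s\n' "${1#*@}"
}

# Search Base from the DNS domain: corp.example.com -> dc=corp,dc=example,dc=com
# (the dc=domain,dc=tld value the guide asks for in step 9).
search_base_from_domain() {
  printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# ldapsearch options for the connection as the form describes it. tls=1 adds
# -ZZ (StartTLS on port 389, abort if it cannot be negotiated), which is the
# command-line equivalent of the TLS check box on the Asset Data Source form.
build_ldapsearch_args() {
  host=$1; port=$2; upn=$3; base=$4; tls=$5
  set -- -x -LLL -H "ldap://$host:$port" -D "$upn" -b "$base"
  if [ "$tls" = 1 ]; then
    set -- "$@" -ZZ
  fi
  printf '%s\n' "$*"
}

# Bind and read the members of the Builtin Administrators group, the group the
# guide tells you to expand (Administrators.Builtin) after the Retrieve step.
# Needs network reach to the DC. The password is taken from LDAP_PW rather
# than a command-line argument so it does not land in shell history or ps.
check_dc() {
  host=$1; upn=$2; port=${3:-389}; tls=${4:-0}
  if ! validate_upn "$upn"; then
    echo "username must be user@domain.tld, got '$upn'" >&2
    return 2
  fi
  base=$(search_base_from_domain "$(upn_domain "$upn")")
  echo "bind as $upn, base $base, ldap://$host:$port, tls=$tls"
  # Word splitting of the built options is intentional; none of the values
  # (host, port, UPN, DN) contain whitespace.
  ldapsearch $(build_ldapsearch_args "$host" "$port" "$upn" "$base" "$tls") \
      -w "${LDAP_PW:?set LDAP_PW to the bind password}" \
      -s sub "(&(objectClass=group)(cn=Administrators))" member sAMAccountName
}

# Usage (hypothetical values): LDAP_PW='...' sh ldap_preflight.sh run
if [ "${1:-}" = run ]; then
  check_dc 10.0.0.10 svc-siem@corp.example.com 389 1
fi
```

If the bind fails, the LDAP result code tells you which item in step 13 is wrong: code 49 (invalidCredentials) points at the username format or password, code 32 (noSuchObject) at the Search Base, and code 8 (strongerAuthRequired) means the Domain Controller's policy refuses simple binds over an unencrypted connection, so TLS must be enabled on the Asset Data Source form.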

To confirm the successful retrieval of Active Directory user and group information, follow these steps.

1. Scroll down the list of objects in the Filter Panel to the Source User form field.

2. Click the Filter icon beside the Source User field. The Filter
Variables window will open.
You should see the domain from which you retrieved user and
group information.

3. Expand the domain object to display the groups enumerated from the
Active Directory.

4. Expand the group Administrators.Builtin to see a list of Active Directory administrators.

Now that the Active Directory user and groups have been enumerated
into the SIEM, their values can be used in future filter queries, correlation
rules and reports.


Conclusion
Your McAfee SIEM environment is now installed, configured, and you have begun the process of tailoring it to meet
your business requirements. Next steps from here will include outlining your initial use cases, importing necessary
content, and developing processes for monitoring and remediation.

You can find more assistance, documents, and videos at the McAfee Community:

https://community.mcafee.com/community/business/siem
