Tuesday, December 11, 2012

Correlating IPS events in Nitro SIEM

Issue
If you are using McAfee SIEM (previously Nitro SIEM) without a Nitro IPS, you may run into trouble correlating IPS events. McAfee SIEM does not automatically normalize event data from third-party IPSs, so those events are labelled uncategorized, and correlation rules keyed on normalized categories never match them.


Solution
A workaround is to manually normalize your IPS events into categories (e.g. exploit, p2p) and then reference those normalized categories in your correlation rules. This is not a permanent fix, however: IPS signatures are updated constantly and new attack signatures are added from time to time, and each new signature stays uncategorized (and therefore invisible to the rule) until someone maps it, so the mapping has to be revisited after every signature update.

Example scenario
You have a set of critical servers for which you want to see exploit attacks. The first step is to select your IPS in the "physical display" and choose "Normalized dashboard" from the list of available dashboards. Next select an exploit event in the "Event Summary" sub-group and open its rule definition with the "Show rule" option.



The Policy editor window opens showing the rule definition you selected. Double-click the rule definition, click the green button next to "Normalized ID", and move the rule into the exploit category of the normalization taxonomy.

Once all your exploit events are normalized, you are ready to write the correlation rule that shows every exploit event against your critical servers. First create a variable rule listing the IP addresses of all your critical servers.


Next create a correlation rule as follows.


You can further reduce the resulting events by excluding events that your IPS has already blocked, as shown in the rule above; what remains are exploit attempts that actually reached a critical server.
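The logic of the rule above, written out as an added Python example rather than anything taken from McAfee SIEM itself: a hand-built taxonomy maps signature IDs to categories, a "variable rule" holds the critical server ranges, and the correlation step keeps exploit events aimed at those servers while dropping ones the IPS blocked. The signature IDs, addresses, the `IpsEvent` fields and the sample events are all constructed for illustration. The example also surfaces the maintenance caveat from the Solution section: events whose signature is not in the taxonomy are returned separately so an analyst can map them instead of losing them silently.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed normalization taxonomy: IPS signature ID -> category.
# In the SIEM this is what you build by hand in the Policy editor; a signature
# that is missing from the map stays "uncategorized", which is the gap that
# reopens every time the IPS vendor ships new signatures.
NORMALIZATION = {
    1001: "exploit",
    1002: "exploit",
    2001: "p2p",
}

# Constructed "variable rule": the critical server ranges (hypothetical).
CRITICAL_SERVERS = [ip_network("10.0.5.0/24"), ip_network("10.0.9.12/32")]


@dataclass(frozen=True)
class IpsEvent:
    """Minimal model of an IPS event as it might arrive in the SIEM (assumed fields)."""
    sig_id: int
    src_ip: str
    dst_ip: str
    action: str  # "alert" (passed through) or "blocked" (dropped by the IPS)


def normalize(event: IpsEvent) -> str:
    """Look up the manual category; unknown signatures are uncategorized."""
    return NORMALIZATION.get(event.sig_id, "uncategorized")


def targets_critical_server(event: IpsEvent) -> bool:
    """True if the destination falls inside any critical server range."""
    addr = ip_address(event.dst_ip)
    return any(addr in net for net in CRITICAL_SERVERS)


def correlate(events, category="exploit", exclude_blocked=True):
    """Apply the correlation rule from the post.

    Returns (matches, unmapped): matches are events in `category` aimed at a
    critical server, minus blocked ones if requested; unmapped are events the
    taxonomy does not know about, which should be reviewed and mapped so the
    rule does not miss newly added signatures.
    """
    matches, unmapped = [], []
    for ev in events:
        cat = normalize(ev)
        if cat == "uncategorized":
            unmapped.append(ev)
            continue
        if cat != category or not targets_critical_server(ev):
            continue
        if exclude_blocked and ev.action == "blocked":
            continue
        matches.append(ev)
    return matches, unmapped


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    IpsEvent(1001, "203.0.113.7", "10.0.5.20", "alert"),     # exploit, critical, not blocked
    IpsEvent(1002, "203.0.113.8", "10.0.5.21", "blocked"),   # exploit, critical, but blocked
    IpsEvent(1001, "203.0.113.9", "10.0.7.3", "alert"),      # exploit, non-critical target
    IpsEvent(2001, "10.0.5.20", "198.51.100.2", "alert"),    # p2p, wrong category
    IpsEvent(3001, "203.0.113.10", "10.0.9.12", "alert"),    # new signature, not yet mapped
]

if __name__ == "__main__":
    hits, review = correlate(SAMPLE_EVENTS)
    for ev in hits:
        print(f"exploit attempt sig {ev.sig_id}: {ev.src_ip} -> {ev.dst_ip}")
    for ev in review:
        print(f"unmapped signature {ev.sig_id} hit {ev.dst_ip}: add it to the taxonomy")
```

Running it reports one exploit attempt (signature 1001 against 10.0.5.20) and one unmapped signature (3001, which in this constructed data also hit a critical server and would have been lost without the review list). Passing `exclude_blocked=False` brings the blocked event back, which is useful when you want to audit the IPS rather than respond to what got through.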
