Skip to main content

How to install McAfee SIEM

In this post I will show you how to install McAfee SIEM and its most important components for the first time.

These are the different components that I want to install:


  • Enterprise Security Manager (ESM): This is the main component, contains the Embedded Data Base (EDB) which is the proprietary Data Base used by McAfee SIEM to store all the parsed information, and also the web application from which all the management of the platform (configuration, alerting, reporting) will be made.
  • Enterprise Log Manager (ELM): This component response for the compliance use case, it is  in charge of storing the raw information for long time retention
  • Receiver (ERC): Is the component that connect the Data sources, which the ESM and the ELM, data sources can send the information to the ERC (Ex. syslog data sources) or we can configure the RCV to collect information from the data sources (Ex. Windows Management Instrumentation)
  • Advanced Correlation Engine (ACE), it is the component in charge of the correlation, it is an external box in charge of getting parsed information from the ESM Database and apply correlation rules against it.
ESM Installation

Once the virtual ip 192.168.10.120 has been assigned to the virtual appliance, we connect to the appliance using a https connection from a browser, it is important to highlight that although version 10.2.0 has many of its components migrated to html5 there are still some components build on Flash and we will need a browser able to run the Flash plugin,  Some important considerations for the ESM implementation:

  1. The solution allows to be configured on FIPS mode, this mode impose some security considerations and because of that some feature limitations. Organizations not affected by this regulation should avoid to configure the solution on this way, enabling FIPS during the installation can not be undone.
  2. All the events are stored on GMT, however during the implementation of the ESM the user can setup its time zone so the events are represented according with itstime zone.
RCV, ELM and ACE

Once the ESM system is up and running, the implementation of the rest of components is quite straight forward, we just assign an IP address to each box and connect it to the ESM adding the device from th ESM console.

The following video shows the complete process.



Labels:

Comments

Post a Comment

Popular posts from this blog

Working with McAfee SIEM API

McAfee SIEM has a strong API that allows to interact with the application programatically. This API offers a RESTful interface and its documentation is available in the following URL on a running ESM https://<ESM_IP>/rs/esm/help In this post, through a set of code snippets I will show you how to connect to the ESM API via RESTful and execute different API commands. 1) Initial connection to the API Server In this first code snippet we are authenticating against the API and we obtain a token in the response that we use in order to create an authenticated header that will be used for the rest of API connections. 2) Testing that we have all the authentication parameters needed. Getting the time of the system. In this second code snippet we use the just obtained authentication header in order to get the system time through the available command (essmgtGetESSTime)   3) Getting the version (builtstamp) of the system.   4) Other useful available ...
2 comments
Read more

Integrating McAfee SIEM with Apache Nifi Video 2/3

In this second video, I will show how to create a workflow blueprint. The workflow created, does the following steps: Collect information from twitter and filter them by some keywords, in order to do this certain credentials must be obtained from the twitter api (Consumer secret and access token secret), the sensible information is not shown on the video. Next step is pull key attributes, from the twitter json string, so we don't have to deal with the information we are not interested in, in this example I am extracting user name, language used and message information. Next, we check that it is in fact a twitter message and if so we route the information to the next step. Next , the traffic flow is transformed into a json string Last step is to send the information as the message string of a syslog event to the receiver. In the SIEM receiver we create a Data Source and log the unknown syslog information as unknown, in the next post I will create a parser so the...
13 comments
Read more

How to blacklist IPs on McAfee Network Security Platform

Python script that allows to blacklist IPs on McAfee Network Security Platform. The uses is quite straightforward, bellow you can see some examples Usage nsmcli.py [-h] -u USER -p PASSWORD -nsm NSM_IP [-get_sensors][-get_qhosts][-sensor SENSOR_NAME][-i IP_ADDRESS][-quarantine][-remove] [-t {15,30,45,60,240,480,720,960,999}][--version] Examples of usage Get the list of sensors managed by a Network Security Manager nsmcli.py -u admin -p admin123 -nsm 192.168.0.202 -get_sensors Name ID           Model   Sensor     IP                     SW Ver    Sigset Ver   Active M2750-4pocs   1001     M-2750   192.168.0.203   7.5.3.16   7.6.14.9       1 Get the list of quarantine IPs nsmcli.py -u admin -p admin123 -nsm 192.168.0.202 -get_qhosts Quarantined hosts for M2750-4pocs ...
1 comment
Read more