
How to define McAfee ELM storage volumes and set up data sources for long-term retention




Once the ELM management database has been migrated to the preferred location (see the previous post), we can set up ELM storage volumes to meet the compliance and long-term retention requirements of the organization.

Storage volumes can be defined using the internal storage of the ELM, the additional storage provided by a Direct Attached Storage (DAS) device, or external storage devices (such as NFS resources or a SAN).

Which storage volume to use is configured per data source; a good practice in a shared environment is to have one storage volume per customer.

Once a storage volume is created and in use, the ELM management database tracks all the information sent to that volume. This is especially useful during the analysis phase: a new tab appears in the event details panel that links the parsed event with its raw record, which allows forensic investigation.

This video shows the whole process: defining multiple storage volumes, linking a volume with a data source, and using some of the search features provided by the ELM to look for specific information.



McAfee ESM provides an interactive dashboard for searching the information stored on the ELM; regular expressions or natural expressions can be used for that.


One interesting feature of the ELM is that when a storage volume is created, a virtual file system is created on the ELM that is accessible via an SFTP service on port 23. We can connect to this service with the user NGCP and the password set for this user on the SIEM, and extract the desired information.

The next video shows this feature.


The last thing to mention about the information stored on the ELM is that it is signed, so the system can check whether any manipulation affecting the integrity of the data has occurred.

The next picture shows the integrity check feature.



Thanks for reading
