McAfee Security Information Event Management (SIEM) Administration Course 101



Similar documents
McAfee Enterprise Security Manager 9.3.2

McAfee Application Control / Change Control Administration Intel Security Education Services Administration Course

McAfee Network Security Platform Administration Course

McAfee VirusScan and epolicy Orchestrator Administration Course

McAfee Network Data Loss Prevention Administration Intel Security Education Services Administration Course

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

Product Guide. McAfee Enterprise Security Manager 9.4.0

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do?

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

McAfee Host Data Loss Prevention Administration Intel Security Education Services Administration Course

McAfee Next Generation Firewall (NGFW) Administration Course

Data Center Connector for OpenStack

IBM Security QRadar SIEM Version MR1. Administration Guide

Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2

McAfee Content Security Reporter 2.0.0

Data Center Connector for vsphere 3.0.0

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

McAfee Asset Manager Console

Symantec Security Information Manager 4.6 Administrator's Guide

Network Security Platform 7.5

McAfee Network Security Platform 8.2

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration

McAfee Data Loss Prevention 9.3.0

Integrate Websense Web Security Gateway (WSG)

Upgrade Guide. McAfee Vulnerability Manager Microsoft Windows Server 2008 R2

User Guide Secure Configuration Manager

Intel Security Certified Product Specialist McAfee Network Security Platform (NSP)

HP TippingPoint Security Management System User Guide

IBM Security SiteProtector System Configuration Guide

Product Guide. McAfee epolicy Orchestrator Software

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

IBM Security QRadar Vulnerability Manager Version User Guide IBM

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

ArcSight Express Administration and Operations Course

NMS300 Network Management System

McAfee Database Activity Monitoring 5.0.0

IBM Security QRadar Vulnerability Manager Version User Guide

Configuring Security for FTP Traffic

McAfee MOVE AntiVirus Multi-Platform 3.5.0

Symantec Security Information Manager 4.5 Administrator's Guide

McAfee Certified Product Specialist McAfee epolicy Orchestrator

VMware vcenter Log Insight Getting Started Guide

McAfee Threat Intelligence Exchange Software

SpectorSoft Disk Monitor Help

Product Guide Revision A. McAfee Web Reporter 5.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Release Notes for McAfee(R) VirusScan(R) Enterprise for Linux Version Copyright (C) 2014 McAfee, Inc. All Rights Reserved.

STRM Log Manager Administration Guide

OnCommand Performance Manager 1.1

Juniper Networks Management Pack Documentation

Creating a Content Group and assigning the Encrypt action to the Group.

TSM Studio Server User Guide

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Symantec Security Information Manager Administrator Guide

HP A-IMC Firewall Manager

Installation Guide. McAfee VirusScan Enterprise for Linux Software

Release Notes for McAfee epolicy Orchestrator 4.5

McAfee Cloud Identity Manager

McAfee Endpoint Encryption for PC 7.0

McAfee Public Cloud Server Security Suite

NitroView. Content Aware SIEM TM. Unified Security and Compliance Unmatched Speed and Scale. Application Data Monitoring. Database Monitoring

McAfee Security. Management Client

Juniper Secure Analytics Release Notes

HP IMC Firewall Manager

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

Extreme Networks Security Log Manager Administration Guide

PowerLogic ION Enterprise 5.6

HP IMC User Behavior Auditor

VCE Vision Intelligent Operations Version 2.5 Technical Overview

XMS Quick Start Guide

IBM Security QRadar SIEM Version MR1. Vulnerability Assessment Configuration Guide

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Freshservice Discovery Probe User Guide

User Guidance. CimTrak Integrity & Compliance Suite

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

ADMINISTRATOR GUIDE VERSION

RealPresence Platform Director

RSA Authentication Manager

WatchDox Administrator's Guide. Application Version 3.7.5

VMware vcenter Log Insight Getting Started Guide

Manage Dell Hardware in a Virtual Environment Using OpenManage Integration for VMware vcenter

NMS300 Network Management System Application

HP Operations Orchestration Software

Option Network Management Software for UPS UNMS II

Product Guide. McAfee epolicy Orchestrator Software

F-Secure Messaging Security Gateway. Deployment Guide

Network Event Viewer now supports real-time monitoring enabling system administrators to be notified immediately when critical events are logged.

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Accellion Secure File Transfer

McAfee Content Security Reporter Software

McAfee VirusScan Enterprise for Linux Software

Version 4.61 or Later. Copyright 2013 Interactive Financial Solutions, Inc. All Rights Reserved. ProviderPro Network Administration Guide.

Integrating Trend Micro OfficeScan 10 EventTracker v7.x

Enterprise Manager. Version 6.2. Administrator s Guide

How To Set Up A Firewall Enterprise, Multi Firewall Edition And Virtual Firewall

Smart Business Architecture for Midsize Networks Network Management Deployment Guide

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Transcription:

McAfee Security Information Event Management (SIEM) Administration Course 101 Intel Security Education Services Administration Course The McAfee SIEM Administration course from McAfee Education Services provides attendees with hands-on training on the design, setup, configuration, communication flow, and data source management of SIEM appliances. In addition, students will understand how to effectively implement the appliances in a complex enterprise environment. Course Goals Configure McAfee Enterprise Log Manager. install and configure McAfee Enterprise Security Manager. Work with the receiver. Work with the advanced correlation engine. Add data sources. Work with the policy editor. Agenda At A Glance Day 1 SIEM Overview ESM and Receiver Overview ESMI Views Filtering, Watchlists, and Variables Day 2 Receiver Data Source Configuration Aggregation Policy Editor Audience System and network administrators, security personnel, auditors, and/or consultants concerned with network and system security should take this course. Register Now for Training

Agenda At A Glance Continued Day 3 Correlation Notifications and Reporting Day 4 Working with ELM Troubleshooting and System Management Recommended Pre-Work It is recommended that the students have a working knowledge of Microsoft Windows administration, system administration concepts, a basic understanding of computer security concepts, and a working knowledge of McAfee epolicy Orchestrator software administration. Course Outline Module 1: SIEM Overview What is SIEM? Security Information and Event Management (SIEM) Event Analysis and Workflow Event Normalization Event Aggregation Event Correlation Log Management and Retention Security Information Management Security Event Management How SIEM is Used Compliance Obligations Elusive Security Events SIEM Components Overview McAfee Enterprise Security Manager (ESM) McAfee Enterprise Log Manager (ELM) McAfee Event Receiver (ERC) McAfee Application Data Monitor (ADM) McAfee Database Event Monitor (DEM) McAfee Advanced Correlation Engine (ACE) McAfee SIEM Architecture Combo Boxes Enterprise Security Manager (ESM) Receiver (ERC) Database Event Monitor (DEM) Application Data Monitor (ADM) Advanced Correlation Engine (ACE) Risk Correlation Correlation The Big Picture Identifying Business Needs and Stakeholders Deployment Scenarios Large Centralized Deployment Large Distributed Deployment First-Time ESM Setup Navigating the ESMI Configure the Properties for the ESMI System Add the Devices to the System Configure the Device Properties FIPS Compliant Mode Implementation Process Checklist Back-up and recovery plans Consider integration with existing products

Ensure end-user communications Apply Software Updates Do Validation Testing Follow Testing Procedures Change Control Module 2: ESM and Receiver Overview McAfee Enterprise Security Manager McAfee ESM Properties ESM System Information Content Packs ESM Custom Settings Login and Print Settings Custom Device Event Links Remedy Email Server Settings Cyber Threat Feeds ESM Email Settings ESM - Configuration, Key Management and Maintenance ESM Settings File Maintenance ESM Login Security ESM Profile Management ESM Reports ESM System Logs ESM Users and Groups ESM Add User ESM Add Group ESM Add Privileges ESM - Watchlists McAfee Receiver Receiver Properties Receiver Name and Description Receiver Connection Receiver Configuration Receiver Management Receiver Key Management Receiver Device Log Receiver Asset Sources Receiver HA Practice 2: SIEM Users and Groups Module 3: ESMI Views The Data Problem Increased Incidents Filtering Issues Event Management Challenges The Solution McAfee ESMI McAfee User Interface ESMI Desktop Views Toolbar Views Toolbar Out-of-Box Views Use-Case Scenarios Using ESMI Dashboards Key Dashboards Summarize By Normalized Dashboard Asset Vulnerability Summary Geolocation Map Source User Summary Host Summary Default Flow Summary Incident Dashboard Incidents Dashboard Event Drilldown Custom Views Data Binding SIEM Workflow Demonstration Identify Slow and Low Data Exfiltration Key take-aways from this demonstration Configure User-specific ESM Settings Configure User Time Zone Configure User Default Views Practice 3: Creating a Custom View

Module 4: Filtering, Watchlists, and Variables Filters Filter a view Filter Sets Default Filters Using Multiple Filter Sets Description of contains and regex Filters Syntax for contains and regex Points to consider when using contains or regex: String Normalization String Normalization File Watchlists and Variables Watchlists Creating a Watchlist Adding a Watchlist Static and Dynamic Watchlists GTI Watchlist Create a watchlist of threat or IOC feeds from the Internet Rule Variables Common list of Variables Configure Variables Practice 4: Watchlists Module 5: Receiver Data Source Configuration Receiver Data Sources Data Sources Screen Add Data Source Definitions Client Data Sources Adding Client Data Sources: Match on Type vs. IP Child Data Sources Data Source Grouping Data Source Profiles Data Sources Auto Learn Data Sources WMI Data Sources WMI Event Logs Data Sources Syslog Data Sources Generic Net Flow Data Sources - Correlation Engine McAfee epo Importing and Exporting Data Sources Data Source Time Problems Time Delta Page Discovered Assets Asset Manager Vulnerability Assessment Data Sources Vulnerability Assessments Enable VA Real Time Data Enrichment Case Management Remedy (Ticketing System) Interface Practice 5: Data Sources Module 6: Aggregation Aggregation Overview SIEM Architecture How Aggregation Works Simplified Aggregation Raw Events Aggregated Events Event Aggregation Dynamic Aggregation Automatic Retrieval Manual Retrieval Changing Settings Sample Aggregated Event Count Event Aggregation Start at Event Aggregation - Custom Custom Field Aggregation

Modify Event Aggregation Settings Flow Aggregation Flow Aggregation Levels Start at Flow Aggregation - Custom Flow Aggregation - Ports Port Values Practice 6: Aggregation Module 7: Policy Editor Policy Editor Overview Policy Editor Screen Default Policy Policy Tree Policy Tree icons Policy Tree Menu Items Copy or Copy and Replace a Policy To copy a policy, follow the steps below. Import a Policy Export a Policy Policy Change History Policy Status Policy Rollout Rollout Policy Correlation Tags Operations Menu Tools Menu Normalization Categories Severity Weights Rule Types Rules Display Pane Rule Inheritance The Inheritance Icons Rule Properties - Settings Action Severity Blacklisting Aggregation Copy packet Advanced Syslog Parser Rules Parsing Tab Field Assignment Tab Mapping Data Source Rules Auto Learned Practice 7.1: Using the Syslog Parser - Part 1 Practice 7.2: Using the Syslog Parser - Part 2 Module 8: Correlation Optimized Risk Management SIEM Technology Adoption Curve Event Normalization Event Correlation Event Correlation Engine Understanding Correlation Multiple Attackers - Scanning Single Server (Distributed Dictionary Attack) Receiver-based Correlation Advanced Correlation Engine Advanced Correlation Engine - Risk Content, Context and Risk Correlation Add a Correlation Data Source Correlation Rule Editor Component of a rule Correlation Rule Editor - Filters Simple : Creating a Custom Correlation Rule Criteria

System penetration scenario Rollout Correlation Policy Scenarios Rollout Correlation Policy Practice 8.1: Correlation Rules Practice 8.2: Adding an ACE Appliance Practice 8.3: Historical Correlation Module 9: Notifications and Reporting Alarms Create an Alarm Alarm Settings Alarm Settings Condition Types Deviation from Baseline Device Failure Device Status Change Event Delta FIPS Failure HA Failure Field Match Internal Event Match Specified Event Rate Alarm Settings - Devices Alarm Settings - Actions Alarm Settings - Escalation Alarm Settings Additional Notes Additional Alarm Options Alarms Log Alarm Details Triggered Alarms View Reporting Overview Out of Box Reports Create Reports System Properties - Reports Add Report Sections 1, 2, and 3 Section 4 Section 5 Section 6 New Report Layout Designing Report Layout Document Properties Report Conditions Query Wizard UCF Report Filter Email Report Recipients Email Report Groups SMS Report Recipients SNMP Reports Recipients Syslog Report Recipients Add a Syslog Recipient Remove a Syslog Recipient View Running Reports View Report Files Export views and reports Practice 9.1: Creating Alarms Practice 9.2: Reporting Module 10: Working with ELM ELM Overview Important Terms Adding an ELM ELM Properties ELM Information ELM Configuration ELM Management ELM Redundancy Device Log ELM Data Enhanced ELM Search View Configuring the ELM for Storage ELM Storage Estimating ELM Storage ELM Storage Pools Add, Edit, or Delete a Storage

Device Add, Edit, Delete a Storage Pool Mapping data sources to ELM storage Pools ELM MigrateDB ELM Mirrored Data Storage Creating an Integrity Check Job Module 11: Troubleshooting and System Management McAfee Technical Support ServicePortal (http://mysupport. mcafee.com) Web Gateway Extranet (https:// contentsecurity.mcafee.com) McAfee Customer Service (http://service.mcafee.com) 1-866-622-3911 261 Login Troubleshooting ESM Fails to Communicate with the Client Client Fails Version Validation Test ESM is Rebuilding ESM is Backing Up or Restoring the Database Unable to SSH or login to the ESM The NGCP password for the ESMI desktop has been lost User can log in to ESMI but they have no rights Operating System and Browserspecific Issues ESM Login Screen Does Not Come Up on Linux Browser Login - unable to get the certificate using Firefox using IPv6 address Export/Download Troubleshooting When Using Windows 7 Hardware Issues How to obtain the serial number from a device Beeping during initial startup Update and Upgrade Issues Software Upgrade Process How to ensure that the update file is not corrupt Manual rules updates Troubleshooting Upgrade to Version 9.5.0 Reasons for Flags Device Status Alerts Device Status Window ESM and ESMI Troubleshooting How to initiate a callhome How to access the terminal via the GUI ESM Settings - Database How to export the ESMI login history How to manually set the time if no NTP server is available Unable to download rules from the McAfee servers How to determine if you are getting data from your data source McAfee SIEM Sizing Overview Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2015 McAfee, Inc. To order, or for further information, please contact McAfee Education at: 1-866-210-2715. NA, LTAM, and APAC: education@mcafee.com EMEA: proserv@mcafee.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information