Overview
Nevelex Labs Security Flow provides a McAfee Enterprise Security Manager plugin to use the security information and event management (SIEM) platform as an input source for the flows and as a sink for logging messages in the flows.
Functionality
The Nevelex Labs Enterprise Security Manager (ESM) Plugin exposes and automates McAfee ESM alarm processing. The ESM Plugin provides an Alarm-Query node to query ESM for unacknowledged alarm events, an Alarm-Action node to acknowledge, unacknowledge, or delete alarms, a logger node to send log events into the SIEM, and a Detail-Query node for sending a detailed query to ESM based on the defined node configuration.
Instance Configuration Parameters
Name for the ESM instance.
Unique name for the ESM Instance. This is used to identify the ESM instance within the flows.
IP or hostname of the ESM instance.
Port number where ESM is configured to receive syslog events.
Valid user name for the ESM server.
Valid password for the user name on the ESM server.
Confirm valid password for the user name on the ESM server.
Flow Nodes
Node to retrieve unacknowledged alarms from McAfee ESM according to the specified node configuration.
This node queries ESM at regular intervals for events associated with unacknowledged alarms. An optional filter can be used to select specific alarms by severity, alarm name, or assignee. The query interval can be configured to any number of seconds, minutes, or hours. This node can be configured to automatically acknowledge the retrieved alarms by enabling the Acknowledge Alarms Automatically checkbox.
The display name of the node within the flows.
ID name for the specific ESM Instance. This ID is used to uniquely identify this plugin instance within the flow nodes.
Defines the repeat interval used to pull unacknowledged alerts from the McAfee ESM.
Drop-down list of the time range used to filter alerts generated within the ESM.
An optional set of search filter parameters used to additionally limit the alarms returned from the ESM.
- alarmName – The alarm’s name.
- severity – The alarm’s numeric severity value. Allows comparison operators other than equality to be selected.
- assignee – The alarm’s assignee.
Puts all returned alarms into the Acknowledged state.
This node supports five modes for aggregating incidents.
- None: Never aggregate any incidents (default).
- Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
- Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
- Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
- Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
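The five aggregation modes above, worked through in JavaScript as an added example (this is not the plugin's own code). The messages are constructed to resemble the alarm events the query node returns, the source field is a plain property name (the node's JSONata option is not implemented here), the similarity metric is a normalized Levenshtein distance chosen for the example because the page does not state which metric the plugin uses, and messages that match no configured value or keyword are kept as single-message incidents, which is an assumption.

```javascript
// Added example of the incident aggregation modes; not the plugin's own code.

// Constructed sample alarm messages, shaped loosely after the query node output.
const SAMPLE_MESSAGES = [
  { alarmId: 110, severity: 25, ruleMessage: 'Ip Range 192.168.1.1..50 matched', sourceIp: '192.168.37.50' },
  { alarmId: 111, severity: 25, ruleMessage: 'Ip Range 192.168.1.1..50 matched', sourceIp: '192.168.37.51' },
  { alarmId: 112, severity: 75, ruleMessage: 'Brute force login against host NevLabFlow', sourceIp: '10.0.0.9' },
  { alarmId: 113, severity: 75, ruleMessage: 'Brute force login against host nevelex-desktop28', sourceIp: '10.0.0.9' },
  { alarmId: 114, severity: 50, ruleMessage: 'Uncategorized', sourceIp: '::' },
];

// Similarity in [0, 1] from the Levenshtein edit distance (assumed metric).
function similarity(a, b) {
  if (a === b) return 1;
  const cols = b.length + 1;
  let prev = Array.from({ length: cols }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return 1 - prev[cols - 1] / Math.max(a.length, b.length, 1);
}

// Returns incidents as { key, messages } in creation order.
// options: { field, values, keywords, threshold }
function aggregate(mode, messages, options = {}) {
  const { field, values = [], keywords = [], threshold = 0.8 } = options;
  const incidents = [];
  const byKey = new Map();
  const put = (key, msg) => {
    if (!byKey.has(key)) {
      const incident = { key, messages: [] };
      byKey.set(key, incident);
      incidents.push(incident);
    }
    byKey.get(key).messages.push(msg);
  };
  for (const msg of messages) {
    const raw = field ? msg[field] : undefined;
    const value = raw === undefined || raw === null ? '' : String(raw);
    switch (mode) {
      case 'None':
        put(`msg:${incidents.length}`, msg); // every message is its own incident
        break;
      case 'Field Match':
        put(`field:${value}`, msg); // group on the exact field value
        break;
      case 'Exact Match': {
        const hit = values.find((v) => String(v) === value);
        put(hit === undefined ? `unmatched:${incidents.length}` : `exact:${hit}`, msg);
        break;
      }
      case 'Keyword Match': {
        const words = new Set(value.split(/\W+/).filter(Boolean));
        const hit = keywords.find((k) => words.has(k)); // first keyword in list order wins
        put(hit === undefined ? `unmatched:${incidents.length}` : `keyword:${hit}`, msg);
        break;
      }
      case 'Fuzzy Match': {
        // Compare against the message that started each existing incident.
        let target = null;
        let best = 0;
        for (const incident of incidents) {
          const starter = incident.messages[0][field];
          const s = similarity(value, starter === undefined ? '' : String(starter));
          if (s >= threshold && s > best) { best = s; target = incident; }
        }
        if (target) {
          msg.similarity = best; // exposed so a threshold can be tuned
          target.messages.push(msg);
        } else {
          put(`fuzzy:${incidents.length}`, msg);
        }
        break;
      }
      default:
        throw new Error(`unknown aggregation mode: ${mode}`);
    }
  }
  return incidents;
}
```

Run `aggregate('Fuzzy Match', SAMPLE_MESSAGES, { field: 'ruleMessage', threshold: 0.6 })` and inspect the `similarity` attribute on the grouped messages to see how far apart the two "Brute force" variants land; raising the threshold to 0.95 splits them into separate incidents.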
Node to acknowledge, unacknowledge, or delete alarms in McAfee ESM which have been retrieved via the NL-ESM-Alarm-Query node previously in the flow.
Generally, this node should only be used in a flow after an NL-ESM-Alarm-Query node to acknowledge, unacknowledge, or delete the alert. If the NL-ESM-Alarm-Query node was configured to automatically acknowledge alerts, this node is not needed to acknowledge the alert. The alert Id must be in the message at msg.payload.esm.[uniqueId].response.alarmId.
The display name of the node within the flows.
The Fabric ID as shown on the Active Instances page.
ID name for the specific ESM Instance. This ID is used to uniquely identify this plugin instance within the flow nodes.
Alarm update action to perform.
- Acknowledge – Update the alarm to the acknowledged state.
- Delete – Delete the alarm.
- Unacknowledge – Update the alarm to the unacknowledged state.
Communication node to send syslog style messages to the ESM receiver.
When a flow message arrives at this node, the message is forwarded via syslog-style messaging to the McAfee Enterprise Security Manager receiver. This node can be used to log the messages traversing the flows or the messages traversing the DXL fabric.
The display name of the node within the flows.
The Fabric ID as shown on the Active Instances page.
ID name for the specific ESM Instance. This ID is used to uniquely identify this plugin instance within the flow nodes.
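What a logger node has to produce before a flow message can reach a syslog receiver, as an added JavaScript example (not the plugin's own code). The page only says "syslog style", so the RFC 5424 layout, the LOCAL0 facility, the fixed MSGID, the SD-ID `flow@32473` (the RFC's reserved example enterprise number) and the default hostname are assumptions for the example. The two defensive details worth noting are the PARAM-VALUE escaping and the removal of line breaks from the message text, so that content taken from a flow message cannot close the structured-data element or forge a second log record.

```javascript
// Added example of composing an RFC 5424 syslog record; not the plugin's code.

const FACILITY_LOCAL0 = 16; // RFC 5424 facility code (assumed choice)
const SEVERITY = { emerg: 0, alert: 1, crit: 2, err: 3, warning: 4, notice: 5, info: 6, debug: 7 };

// PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
function priValue(facility, severityName) {
  const sev = SEVERITY[severityName];
  if (sev === undefined) throw new Error(`unknown syslog severity: ${severityName}`);
  if (!Number.isInteger(facility) || facility < 0 || facility > 23) throw new Error(`bad facility: ${facility}`);
  return facility * 8 + sev;
}

// RFC 5424 requires '"', '\' and ']' to be escaped inside a PARAM-VALUE;
// without this, a value such as 'x"] fake' would terminate the SD element early.
function escapeParam(value) {
  return String(value).replace(/[\\"\]]/g, (c) => '\\' + c);
}

// Build one SD-ELEMENT from the fields the SIEM should index.
function structuredData(fields) {
  const params = Object.entries(fields)
    .map(([name, value]) => ` ${name}="${escapeParam(value)}"`)
    .join('');
  return `[flow@32473${params}]`;
}

// Format a flow message as a single syslog record. sdFields are extra
// name/value pairs (e.g. alarmId, severity) to carry as structured data.
function formatSyslog(msg, opts = {}) {
  const {
    hostname = 'NevLabFlow', appName = 'security-flow', severity = 'info',
    facility = FACILITY_LOCAL0, time = new Date(), sdFields = {},
  } = opts;
  const header = `<${priValue(facility, severity)}>1 ${time.toISOString()} ${hostname} ${appName} - FLOW`;
  const sd = structuredData({ msgid: msg._msgid || '-', ...sdFields });
  const text = typeof msg.payload === 'string' ? msg.payload : JSON.stringify(msg.payload);
  // A CR/LF inside MSG would look like a new record to many receivers; flatten it.
  return `${header} ${sd} ${text.replace(/[\r\n]+/g, ' ')}`;
}
```

In a real flow the returned string would be written to a UDP or TCP socket (Node's `dgram` or `net` modules) pointed at the port configured in the ESM instance parameters above; the formatting is kept separate here so it can be tested without a receiver.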
Result Fields
configuration when a query is running will result in unexpected field maps in the output.
The display name of the node within the flows.
ID name for the specific ESM Instance. This ID is used to uniquely identify this plugin instance within the flow nodes.
The type of detailed query to execute. Typically, this value should be left as EVENT.
Filters only for data within the specified time range.
Defines fields and their associated values for filtering the data. The seeded set of field names are those typically available for use by the EVENT Query Type. Filters may be left as an empty list.
The set of fields to return. The seeded set of field names are those typically available for use by the EVENT Query Type. There must be at least one field specified. Do not use both Rule.msg and Rule_NDSNormSigID.msg in the same request.
The maximum number of results to return.
Select to sort by LastTime or FirstTime.
The ordering of the results using the Sort Field.
Learn More
JSON Message Format
The following samples show the JSON content added to the message payload, which conforms to the Node Messaging Format. The content exists within the apivoid object.
NL-ESM-Alarm-Query Success
The italicized, green text is the message generated for each alert retrieved.
{
  "_msgid": "[uuid]",
  "payload": {
    "esm": {
      "[uniqueId]": {
        "response": {
          "events": [
            {
              "destIp": "::",
              "details": {
                "app": "",
                "host": "NevLabFlow",
                "note": "",
                "vlan": 0,
                "cases": [],
                "iocId": 0,
                "ipsId": {
                  "id": 144116287604261120
                },
                "sigId": "65-2168365044",
                "srcIp": "192.168.37.50",
                "destIp": "::",
                "domain": "",
                "flowId": 0,
                "normId": 4026531840,
                "object": "",
                "srcMac": "00:00:00:00:00:00",
                "alertId": 16782,
                "command": "",
                "destMac": "00:00:00:00:00:00",
                "iocName": "",
                "sigDesc": "",
                "sigText": "",
                "srcGuid": "",
                "srcPort": "0",
                "srcUser": "",
                "srcZone": "",
                "subtype": "alert",
                "trusted": 2,
                "agg1Name": "",
                "agg2Name": "",
                "agg3Name": "",
                "destGuid": "",
                "destPort": "0",
                "destUser": "",
                "destZone": "",
                "duration": "00:00:00.000",
                "lastTime": "06/20/2018 20:03:47",
                "normDesc": "Indicates events that have not been categorized.",
                "protocol": "n/a",
                "reviewed": "F",
                "ruleName": ": {\"Ip Range\":\"192.168.1.1..50\"}",
                "sequence": 0,
                "severity": 25,
                "agg1Value": "0.00000000000000E+000",
                "agg2Value": "0.00000000000000E+000",
                "agg3Value": "0.00000000000000E+000",
                "archiveId": "393535",
                "firstTime": "06/20/2018 20:03:47",
                "sessionId": 0,
                "srcAsnGeo": "",
                "destAsnGeo": "",
                "deviceName": "Local Receiver-ELM - machine-name Parent Device - client - 192.168.37.50",
                "deviceTime": "06/20/2018 15:04:02",
                "eventCount": 1,
                "asnGeoSrcId": 0,
                "customTypes": [
                  {
                    "fieldId": 4,
                    "fieldName": "HostID",
                    "formatedValue": "NevLabFlow",
                    "unformattedValue": "10910794157216093084",
                    "definedFieldNumber": 4
                  }
                ],
                "normMessage": "Uncategorized",
                "asnGeoDestId": 0,
                "remedyCaseId": 0,
                "srcInterface": "",
                "destInterface": "",
                "flowSessionId": 0,
                "remedyAnalyst": "",
                "srcInterfaceId": 0,
                "destInterfaceId": 0,
                "remedyTicketTime": null,
                "srcNetworkDevice": "",
                "destNetworkDevice": "",
                "srcNetworkDeviceId": 0,
                "destNetworkDeviceId": 0
              },
              "eventId": "144116287604261120|16782",
              "lastTime": "06/20/2018 20:03:47",
              "protocol": "n/a",
              "severity": 25,
              "sourceIp": "192.168.37.50",
              "eventCount": 1,
              "ruleMessage": ": {\"Ip Range\":\"192.168.1.1..50\"}",
              "eventSubType": "alert"
            }
          ],
          "alarmId": 110
        }
      }
    },
    "event": {
      "destIp": "::",
      "details": {
        "app": "",
        "host": "NevLabFlow",
        "note": "",
        "vlan": 0,
        "cases": [],
        "iocId": 0,
        "ipsId": {
          "id": 144116287604261120
        },
        "sigId": "65-2168365044",
        "srcIp": "192.168.37.50",
        "destIp": "::",
        "domain": "",
        "flowId": 0,
        "normId": 4026531840,
        "object": "",
        "srcMac": "00:00:00:00:00:00",
        "alertId": 16782,
        "command": "",
        "destMac": "00:00:00:00:00:00",
        "iocName": "",
        "sigDesc": "",
        "sigText": "",
        "srcGuid": "",
        "srcPort": "0",
        "srcUser": "",
        "srcZone": "",
        "subtype": "alert",
        "trusted": 2,
        "agg1Name": "",
        "agg2Name": "",
        "agg3Name": "",
        "destGuid": "",
        "destPort": "0",
        "destUser": "",
        "destZone": "",
        "duration": "00:00:00.000",
        "lastTime": "06/20/2018 20:03:47",
        "normDesc": "Indicates events that have not been categorized.",
        "protocol": "n/a",
        "reviewed": "F",
        "ruleName": ": {\"Ip Range\":\"192.168.1.1..50\"}",
        "sequence": 0,
        "severity": 25,
        "agg1Value": "0.00000000000000E+000",
        "agg2Value": "0.00000000000000E+000",
        "agg3Value": "0.00000000000000E+000",
        "archiveId": "393535",
        "firstTime": "06/20/2018 20:03:47",
        "sessionId": 0,
        "srcAsnGeo": "",
        "destAsnGeo": "",
        "deviceName": "Local Receiver-ELM - nevelex-desktop28 Parent Device - client - 192.168.37.50",
        "deviceTime": "06/20/2018 15:04:02",
        "eventCount": 1,
        "asnGeoSrcId": 0,
        "customTypes": [
          {
            "fieldId": 4,
            "fieldName": "HostID",
            "formatedValue": "NevLabFlow",
            "unformattedValue": "10910794157216093084",
            "definedFieldNumber": 4
          }
        ],
        "normMessage": "Uncategorized",
        "asnGeoDestId": 0,
        "remedyCaseId": 0,
        "srcInterface": "",
        "destInterface": "",
        "flowSessionId": 0,
        "remedyAnalyst": "",
        "srcInterfaceId": 0,
        "destInterfaceId": 0,
        "remedyTicketTime": null,
        "srcNetworkDevice": "",
        "destNetworkDevice": "",
        "srcNetworkDeviceId": 0,
        "destNetworkDeviceId": 0
      },
      "eventId": "144116287604261120|16782",
      "lastTime": "06/20/2018 20:03:47",
      "protocol": "n/a",
      "severity": 25,
      "sourceIp": "192.168.37.50",
      "eventCount": 1,
      "ruleMessage": ": {\"Ip Range\":\"192.168.1.1..50\"}",
      "eventSubType": "alert"
    },
    "multipleEvents": false
  }
}
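Reading a message of the shape shown above before handing it to an NL-ESM-Alarm-Action node, as an added JavaScript example that is not part of the plugin. It covers both the Alarm-Action requirement that the alarm Id be present at msg.payload.esm.[uniqueId].response.alarmId and the result format above. The sample message is constructed from the documented sample, trimmed to the fields used here, with `esm-prod` standing in for the instance [uniqueId]; the acknowledge policy in `chooseAction` is an assumption for illustration, not a behaviour the plugin defines.

```javascript
// Added example: extract alarm ids and a summary from an NL-ESM-Alarm-Query
// result and guard the path an NL-ESM-Alarm-Action node reads. Not plugin code.

// Constructed from the documented sample message, trimmed to the fields used.
const SAMPLE_MSG = {
  _msgid: '[uuid]',
  payload: {
    esm: {
      'esm-prod': { // stands in for the instance [uniqueId]
        response: {
          events: [
            {
              eventId: '144116287604261120|16782',
              lastTime: '06/20/2018 20:03:47',
              severity: 25,
              sourceIp: '192.168.37.50',
              ruleMessage: ': {"Ip Range":"192.168.1.1..50"}',
              eventSubType: 'alert',
            },
          ],
          alarmId: 110,
        },
      },
    },
    multipleEvents: false,
  },
};

// Collect every alarm under msg.payload.esm with a short summary of its events.
function collectAlarms(msg) {
  const esm = msg && msg.payload && msg.payload.esm;
  if (!esm || typeof esm !== 'object') return [];
  const alarms = [];
  for (const [uniqueId, entry] of Object.entries(esm)) {
    const response = entry && entry.response;
    if (!response || !Number.isInteger(response.alarmId)) continue; // nothing an action node can act on
    const events = Array.isArray(response.events) ? response.events : [];
    alarms.push({
      uniqueId,
      alarmId: response.alarmId,
      eventCount: events.length,
      maxSeverity: events.reduce((m, e) => Math.max(m, Number(e.severity) || 0), 0),
      sourceIps: [...new Set(events.map((e) => e.sourceIp).filter(Boolean))],
    });
  }
  return alarms;
}

// Throw when the documented path is missing so a mis-wired flow fails loudly
// instead of sending an acknowledge/delete without an alarm id.
function requireAlarmId(msg, uniqueId) {
  const entry = msg && msg.payload && msg.payload.esm && msg.payload.esm[uniqueId];
  const alarmId = entry && entry.response && entry.response.alarmId;
  if (!Number.isInteger(alarmId)) {
    throw new Error(`msg.payload.esm.${uniqueId}.response.alarmId is missing; place this node after NL-ESM-Alarm-Query`);
  }
  return alarmId;
}

// Example policy (assumption): acknowledge alarms whose events all sit below a
// severity threshold and leave the rest unacknowledged for an analyst.
function chooseAction(alarm, { ackBelow = 30 } = {}) {
  return alarm.maxSeverity < ackBelow ? 'Acknowledge' : null;
}
```

A flow would call `collectAlarms(msg)`, pick an action per alarm with a policy like `chooseAction`, and call `requireAlarmId(msg, uniqueId)` immediately before the Alarm-Action node so that a message that skipped the query node is rejected rather than acted on.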
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.