Visão Geral

Este curso proporciona um conhecimento profundo sobre a concepção, configuração, configuração, fluxo de comunicação, e gestão de fontes de dados dos aparelhos SIEM.

Através de uma mistura de laboratórios práticos e palestras interativas, aprenderá como implementar eficazmente os aparelhos num ambiente empresarial complexo.

Objetivo

Após concluir o curso Curso SIEM McAfee, você será capaz de aprender:

• Configurar o McAfee Enterprise Log Manager.
• Instalar e configurar o McAfee Enterprise Security Manager.
• Trabalhar com o receptor.
• Trabalhar com o motor de correlação avançado.
• Adicionar fontes de dados.
• Trabalhar com o editor de políticas.

Publico Alvo

• Administradores de sistema e de rede
• Pessoal de Segurança
• Auditores, e/ou Consultores preocupados com a Segurança de Redes e Sistemas

Informações Gerais

Carga Horária: 32h

• Se noturno este curso é ministrado de Segunda-feira à sexta-feira, das 19h às 23h
• Se aos sábados este curso é ministrado das 9h às 18h
• Se in-company por favor fazer contato para mais detalhes.

Formato de entrega:

• 100% on-line ao vivo, via Microsoft Teams na presença de um instrutor/consultor ativo no mercado.
• Nota: não é curso gravado.

Lab:

• Laboratório + Exercícios práticos  

Materiais

Conteúdo Programatico

SIEM Overview

1. The Big Picture
2. McAfee® Enterprise Log Manager (ELM)
3. What is SIEM?
4. McAfee® Advanced Correlation Engine (ACE)
5. Large Centralized Deployment Example
6. Risk Correlation
7. McAfee® Event Receiver (ERC)
8. Elusive Security Events
9. McAfee® Application Data Monitor (ADM)
10. Application Data Monitor (ADM)
11. McAfee® Database Event Monitor (DEM)
12. Advanced Correlation Engine (ACE)
13. Event Aggregation
14. Log Management and Retention
15. Event Analysis and Workflow
16. Follow Testing Procedures
17. First-Time ESM Setup
18. FIPS Compliant Mode
19. Do Validation Testing
20. McAfee SIEM Architecture – “Combo Boxes”
21. Configure the Device Properties
22. Event Normalization
23. Add the Devices to the System
24. Event Correlation
25. Receiver (ERC)
26. Enterprise Security Manager(ESM)
27. Ensure end-user communications
28. How SIEM is Used
29. Apply Software Updates
30. Security Information Management
31. SIEM Components Overview
32. Large Distributed Deployment Example
33. Database Event Monitor (DEM)

ESM and Receiver Overview

1. ESM Settings – File Maintenance
2. ESM – Add User
3. Practice 2: SIEM Users and Groups
4. McAfee Enterprise Security Manager
5. ESM – Profile Management
6. ESM – Login Security
7. McAfee Receiver
8. ESM – Watchlists
9. ESM – System Logs
10. ESM – Add Privileges
11. ESM – Users and Groups
12. ESM – Add Group
13. ESM – Reports
14. Receiver HA

ESMI Views

1. McAfee ESMI
2. Key Dashboards
3. The Data Problem
4. Configure User-specific ESM Settings

Filtering, Watchlists, and Variables

1. Syntax for contains and regex
2. String Normalization
3. String Normalization File
4. Practice 4: Watchlists
5. Points to consider when using contains or regex:
6. Watchlists and Variables

Receiver Data Source Configuration

1. Data Source Profiles
2. Data Sources – WMI Event Logs
3. Data Source Grouping
4. Time Delta Page
5. Real Time Data Enrichment
6. Data Sources – Syslog
7. Receiver Data Sources
8. Data Sources – WMI
9. Practice 5: Data Sources
10. Data Sources – Auto Learn
11. Importing and Exporting Data Sources
12. Child Data Sources
13. Discovered Assets
14. Data Sources – Correlation Engine
15. Data Sources – Generic Net Flow
16. McAfee ePO
17. Data Source Time Problems

Aggregation

1. Flow Aggregation – Custom
2. How Aggregation Works
3. Port Values
4. Start at Level Aggregation
5. Flow Aggregation Levels
6. Flow Aggregation
7. Practice 6: Aggregation
8. Level Aggregation
9. Modify Event Aggregation Settings
10. Aggregation Overview
11. Flow Aggregation – Ports

 Policy Editor

1. Practice 2: Using the Syslog Parser – Part 2
2. Advanced Syslog Parser Rules
3. Copy packet
4. The Inheritance Icons
5. Severity
6. Rollout Policy Correlation
7. Field Assignment Tab
8. Severity Weights
9. Policy Rollout
10. Tools Menu
11. Practice 1: Using the Syslog Parser – Part 1
12. Data Source Rules – Auto Learned
13. Rules Display Pane
14. Policy Editor Overview
15. Rule Properties – Settings
16. Policy Change History
17. Rule Inheritance
18. Operations Menu
19. Policy Status
20. Action
21. To copy a policy, follow the steps
22. Export a Policy
23. Parsing Tab
24. Import a Policy
25. Normalization Categories

Correlation

1. Event Correlation Engine
2. Optimized Risk Management
3. Practice 2: Adding an ACE Appliance
4. Criteria
5. Scanning Single Server (Distributed Dictionary Attack)
6. Practice 8.1: Correlation Rules
7. Practice 8.3: Historical Correlation
8. System penetration scenario
9. Rollout Correlation Policy
10. Rollout Correlation Policy

Notifications and Reporting

1. Alarm Settings – Actions
2. New Report Layout
3. Email Report Recipients
4. HA Failure
5. Deviation from Baseline
6. Field Match
7. Alarm Settings – Escalation
8. Device Status Change
9. Practice 9.1: Creating Alarms
10. Remove a Syslog Recipient
11. View Running Reports
12. FIPS Failure
13. Specified Event Rate
14. Device Failure
15. Alarms Log
16. Practice 9.2: Reporting
17. Syslog Report Recipients
18. View Report Files
19. Section 5
20. Designing Report Layout
21. Alarm Settings Additional Notes
22. Export views and reports
23. SNMP Reports Recipients
24. Email Report Groups
25. Report Conditions
26. Document Properties
27. Query Wizard
28. Triggered Alarms View
29. Alarm Settings – Devices
30. SMS Report Recipients
31. Internal Event Match
32. Additional Alarm Options
33. UCF Report Filter
34. Event Delta
35. Add a Syslog Recipient
36. Section 6
37. Alarm Details

Working with ELM

1. Configuring the ELM for Storage
2. ELM Overview

Troubleshooting and System Management

1. Device Status Alerts
2. Reasons for Flags
3. How to manually set the time if no NTP server is available
4. ESM Login Screen Does Not Come Up on Linux Browser
5. How to ensure that the update file is not corrupt
6. How to access the terminal via the GUI
7. ESM and ESMI Troubleshooting
8. Beeping during initial startup
9. How to initiate a callhome
10. How to export the ESMI login history
11. Manual rules updates
12. Hardware Issues
13. Unable to download rules from the McAfee servers
14. The NGCP password for the ESMI desktop has been lost
15. User can log in to ESMI but they have no rights
16. How to determine if you are getting data from your data source
17. Troubleshooting Upgrade to Version 9.5.0
18. Unable to SSH or login to the ESM
19. Device Status Window
20. Update and Upgrade Issues
21. Software Upgrade Process
22. Operating System and Browser- specific Issues
23. McAfee Technical Support
24. Export/Download Troubleshooting When Using Windows 7
25. McAfee SIEM Sizing Overview
26. Login – unable to get the certificate using Firefox using IPv6 address
27. How to obtain the serial number from a device
28. ESM Settings – Database