Download McAfee ESM

Author: c | 2025-04-25


The McAfee ESM Create Alert has been updated for data ingestion, and two new playbooks, McAfee ESM Fetch and McAfee ESM Ingest, have been added for data ingestion. The McAfee ESM connector has been enabled to be compatible with the 9.x version of the McAfee ESM API.

Upgrading a redundant ESM

Upgrade the primary McAfee ESM first, then upgrade the redundant McAfee ESM. On the primary McAfee ESM, select the ESM in the navigation tree and click the Properties icon. Click Events, Flows & Logs and deselect Auto check interval. After upgrading the redundant McAfee ESM, re-enable the collection of


MISP-STIX-ESM

This script will download MISP events in STIX format. McAfee ESM will be configured to pull the STIX files from the folder location via SCP and run automated triage processes.

Component Description

McAfee Enterprise Security Manager (ESM) is a security information and event management (SIEM) solution that delivers actionable intelligence and integrations to prioritize, investigate, and respond to threats. The MISP threat sharing platform is free and open source software that helps with sharing threat and cyber security indicators.

Prerequisites

Download the latest release
Extract the release .zip file
MISP platform installation (Link) (tested with MISP 2.4.121)
Requests (Link)
PyMISP library installation (Link): git clone PyMISP, then python setup.py install

Configuration

MISP receives intelligence feeds from multiple sources. The provided script will export tagged events as STIX files, and McAfee ESM will pull these STIX files for automated investigations.

misp_stix.py

The misp_stix.py script will export tagged events as STIX files to a given location. Enter the MISP IP/URL, the API key, the MISP tag to look for, and the location where the STIX files should be stored (lines 12 - 15).

ESM Configuration

Log into the McAfee ESM platform and open ESM properties. Go to Cyber Threat Feeds and add a new feed. In the source, enter the IP, username, password and path to the folder that contains the STIX files previously downloaded through the misp_stix.py script. Define the frequency, watchlist and backtrace options to automate triage steps. McAfee ESM will pull each new STIX file and check whether any events related to the artifacts have been seen in the past.

Trellix McAfee ESM

Overview

Trellix McAfee ESM (ESM) is a SIEM solution that can collect logs from various sources and correlate events for investigation and incident response. D3 SOAR provides REST operations to function with Trellix McAfee ESM. Trellix McAfee ESM is available for use in:

These can be augmented with other products from the McAfee Security Operations portfolio, including McAfee Behavioral Analytics (MBA), McAfee Investigator (MI), McAfee Active Response, McAfee Advanced Threat Defense (ATD) and McAfee Database Activity Monitoring (DAM). McAfee targets the public-sector and critical infrastructure sectors, healthcare, and higher education. The McAfee SIEM components are sold with perpetual licenses (MI is subscription-based), and the pricing models vary by type of component and by whether they are delivered as physical (EPS) or virtual (core count) appliances. With the release of version 11 in 2018, McAfee introduced a modern SIEM architecture. It also recently introduced MBA as a stand-alone UEBA/security analytics offering that integrates with McAfee ESM and third-party SIEMs.

Key values/differentiators:

McAfee has implemented a modern SIEM architecture that leverages big data technologies, such as Kafka and Elasticsearch. The open nature of the data tier gives organizations looking to feed data into or out of ESM flexible options.
User behavior capabilities are available through several options. In addition to basic user monitoring via a content pack for ESM, McAfee offers MBA as a UEBA/analytics offering, plus support for numerous third-party UEBA integrations.
Application support is strong across databases, ERP solutions, OT and IoT, either leveraging native capabilities or enhanced through the use of its ADM and DAM solutions.
MI (an add-on subscription product in the Security Operations product portfolio) provides guided incident investigation support for analysts, including context/evidence collection and recommended actions.

To Take Under Advisement:

McAfee’s visibility with end users has decreased year over year as it increasingly competes against other SIEM vendors.
In the MSE and smaller enterprise space, McAfee’s visibility in deals where SIEM solutions are considered for co-management by third-party service providers has decreased.
McAfee’s underlying architecture and focus on its ESM, MI and Active Response products is more appropriate for large enterprises with mature security monitoring and response operations than for those without. Midsize and smaller enterprises interested in McAfee should carefully evaluate how the solution will fit their requirements.
McAfee users providing feedback on product capability and support put the vendor in the middle of those evaluated, indicating room for improvement in features and support.

Who uses it:

Comments

User9595

Service providers, hospitals, and financial institutions use it to enhance IT security operations, gather logs, detect malware, and monitor traffic. Integrators and MSSPs use it for log storage, audit purposes, and to serve as a Security Operations Center (SOC). Companies utilize Trellix ESM to manage endpoint security and detect cyber threats.

Service and Support

Customer service and support of Trellix ESM are mixed. Some users report prompt and helpful assistance, while others experience delays and a lack of knowledge from support staff. Recent changes with McAfee have led to inconsistencies. Technical support is available during working hours, and some users engage with support outside regular hours. Issues with accessing support through chat and the online portal are noted. Ticket handling varies, and some users face difficulties in resolving problems promptly.

Deployment

Users generally find Trellix ESM's initial setup straightforward and uncomplicated. Some mention a degree of complexity, particularly with integration and hybrid deployments. Implementation typically takes a week or less, although it can vary depending on specific requirements and configurations. Multiple engineers and technicians are often involved in the process, with roles spanning from deployments to ongoing maintenance. The setup can be influenced by hardware availability, licensing, and node quantity.

Scalability

Most find the scalability of Trellix ESM satisfactory, allowing for both horizontal and vertical expansion. Users appreciate its ability to adapt to network changes and various deployment sizes. However, some note issues with scalability specific to McAfee ESM. On-premises and cloud deployments cater to both large enterprises and medium-sized businesses. Ratings for scalability range from seven to ten out of ten, reflecting positive experiences with managing user and data expansion.

Stability

Many users find Trellix ESM very stable, rating it highly, with some giving it a perfect ten. They report no significant issues, especially within data centers. Others have had occasional shutdown problems caused by power interruptions. Some rate stability lower, noting that it has degraded over time. Despite mixed experiences, stability is mostly considered positive.

2025-04-04
User6838

Audit data, or EventLog Analyzer version 11.12 with column integrity monitoring to support GDPR.

Key values/differentiators:

The vendor’s focus is on cloud environments, with native and seamless integration with several IaaS/PaaS offerings (e.g., AWS and Azure), as well as some SaaS cloud applications (e.g., Salesforce).
There is a focus on Microsoft environments with native and seamless integration with Windows infrastructures. Autodiscovery features for Windows systems and Microsoft SQL/IIS devices allow for faster deployment in Windows-centric environments.
The ability to capture information is strong, as a variety of capture methods are supported and automatic parsing of fields from new data sources is supported. The native ability to monitor hypervisor activities specifically is well-supported.

To Take Under Advisement:

ManageEngine has low visibility in the SIEM market with Gartner clients, and particular attention should be paid to reference checking for environments and use cases similar to those of your organization.
Not all modules integrate seamlessly with ManageEngine Log360. For example, although ManageEngine Cloud Security Plus and ManageEngine O365 Manager Plus can be accessed via a unified interface, they are deployed separately and used as separate products.
The lack of native advanced analytics and the inability to bolt on a UEBA module on ManageEngine Log360 limits its applicability for use cases on insider threats and advanced threat detection.

Who uses it: any size enterprise
How it is deployed: options for subscription cloud service, virtual appliance, physical servers
eWEEK score: 4.6/5.0

McAfee

Value proposition for potential buyers: Enterprises with mature security monitoring and operations capabilities, and those with OT/IoT use cases, should consider McAfee. Its SIEM capabilities are delivered via an all-in-one device or discrete components. McAfee Enterprise Security Manager (ESM) is the core element of the platform. McAfee Event Receiver (ERC) is for collection and correlation of data. McAfee Enterprise Log Search (ELS) is for Elastic-based log search. McAfee Enterprise Log Manager (ELM) is for long-term log management and storage. McAfee Advanced Correlation Engine (ACE) is for dedicated correlation, including risk and behavior-based correlation, and statistical and baseline anomaly detection. Additional SIEM options include McAfee Application Data Monitor (ADM) for application monitoring, McAfee Direct Attached Storage (DAS) for additional capacity, and McAfee Global Threat Intelligence (GTI) for IP reputation.

2025-04-22