Installation
For a complete list of installation best practices, see SIEM Foundations.
Review system requirements prior to installing McAfee Enterprise Security Manager:
Refer to the relevant installation guide for instructions:
- McAfee Enterprise Security Manager 11.3.x Installation Guide
- Initial Basic Installation and Configuration Best Practices
Refer to the relevant hardware guide for information about how to rack and cable your SIEM device:
For information about virtual machines (VMs), see Installing VMs.
SIEM software is pre-installed on your SIEM hardware. If you need to reimage, you can retrieve any necessary ISO files from the Product Downloads page using your grant number.
Upgrade
Refer to the relevant installation guide for instructions to upgrade McAfee Enterprise Security Manager:
For information about the new version, including special upgrade steps and what version you need to be on to upgrade to the recent update, please refer to these release notes:
Additional resources:
- McAfee Enterprise Security Manager upgrade YouTube video
- If you encounter issues with the upgrade, please contact support.
- If your SIEM is in a dark environment, review manual rules update instructions
Setup & Configuration
For a complete list of setup and configuration related content, visit the McAfee Support Community.
Refer to the relevant product guide for instructions on how to set up and configure your devices:
- McAfee Enterprise Security Manager 11.3.x Product Guide
- McAfee Enterprise Security Manager 11.3.x Installation Guide
- McAfee Enterprise Security Manager 11.3.x Hardware Guide
- All of the above documents are also available at docs.mcafee.com
Additional resources:
- Refer to the Data Source Configuration Guide to learn how to set up supported data sources.
- If your McAfee Enterprise Security Manager is in a dark environment, review the manual rules update instructions.
- Refer to Working with Alarms for instructions on how to set up alarms.
- After the SIEM is up and running, it’s important to filter out low-volume events so you may receive optimal performance. Refer to this guide for more information.
- If you need to add a data source feed that McAfee does not support, please log a product enhancement request as per KB60021 or write your own custom rules to process the new data sources. See Writing Custom Parsing Rules for more details.
Troubleshooting & Help
Refer to the following articles for the latest information about known issues:
Below are frequently used troubleshooting articles:
- Troubleshooting data sources not producing events
- Performance issues
- Reports not working
- Upgrades failing
- Unable to log in
Tools & Best Practices
Below is a list of useful tools and best practices:
The following resources are available to help customers:
- Knowledge Base — Find documents in the Knowledge Center about installation, migration, upgrades, backup, restore, best practices, configuration, reporting, troubleshooting, known issues, threat prevention and removal, vulnerability responses, and End-of-Life notices.
- Support Notification Service (SNS) — Subscribe to the SNS to receive vital communications on topics, including product releases, content updates, critical incidents, security bulletins, pro tips, and End-of-Life dates.
- Community — Collaborate with other customers and McAfee employees in the SIEM Community.
Root Certificate Expiration
The McAfee product line uses TLS for secure communication. Two certificates validate McAfee TLS chains, including a primary expiring in 2038 and a secondary expiring on May 30, 2020. If either certificate, or both, are present in your environment, TLS will function correctly prior to May 30, 2020. After May 30, 2020, only the primary certificate will be valid. Out of an abundance of caution, McAfee is informing customers of this impending event.
Generally, certificates are auto-updated through operating systems and customers will not be impacted. However, in environments where automatic management of root certificates is disabled and the primary certificate has not been manually deployed, customers will potentially be impacted. KB92937 provides information on how to verify and install the primary certificate.
Failure to have a valid certificate will cause product issues including reduced detection efficacy.
The primary certificate whose presence needs to be validated in a customer's environment is as follows:
Subject : CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
Thumbprint : 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Expiration : 2038-01-18
Subscribe to KB92937 to receive updates.
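One way to run that check against a PEM trust bundle, as an added example that is not from McAfee or KB92937: it computes the SHA-1 thumbprint of each certificate in the bundle (a thumbprint is the SHA-1 hash of the certificate's DER encoding) and compares it with the thumbprint listed above. The function names and the sample bundle are constructed for illustration, and the sample holds placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import re
import sys

# Thumbprint of the primary root as listed on this page (SHA-1 over the DER bytes).
PRIMARY_THUMBPRINT = "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E"

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize(thumbprint):
    """Drop spaces, colons and invisible characters that certificate UIs add on copy."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()


def thumbprints(pem_text):
    """Return the SHA-1 thumbprint (uppercase hex) of every certificate in a PEM bundle."""
    found = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.append(hashlib.sha1(der).hexdigest().upper())
    return found


def has_primary_root(pem_text, expected=PRIMARY_THUMBPRINT):
    """True when a certificate with the expected thumbprint is in the bundle."""
    return normalize(expected) in thumbprints(pem_text)


# Constructed sample bundle: placeholder bytes, not a real certificate,
# so the check below is expected to report the primary root as missing.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Pass the path of an exported PEM trust bundle; without one the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            bundle = handle.read()
    else:
        bundle = SAMPLE_BUNDLE
    print("primary root present:", has_primary_root(bundle))
```

A match only shows that the certificate is in the file that was scanned; whether the operating system or product actually trusts it depends on that bundle being the active trust store.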