Getting Started with ESM

Question 1

Why you need to do rule updates on your SIEM?

Answer 1

This is because Trellix team is always developing new signatures to identify threats on network traffic

Question 2

After you do a rule update on your SIEM you need to do a Rollout. How can you do this?

Answer 2

• Clic on Policy editor
• Clic on Operations
• Clic on Rollout
• Check Rollout policy to all devices now
• Clic OK

Question 3

Trellix ESM allows you to configure which two types of user accounts?

Answer 3

• System Administrators
• General Users

Question 4

To what refers the process of Keying on ESM?

Answer 4

It is the process to exchange ssh keys between devices when adding devices like ACE, ERC, ELM and so on to the ESM. This procedure allows to protect comunication between each device.

Question 5

What is the “tail -f /var/log/message” command useful when working with Trellix components directly from the shell?

Answer 5

It allows to observe the current activity on the device.

Question 6

What you need to do after an update process on any of the Trellix components?

Answer 6

• You need to key the device again
• Write out device data sources
• Rollout policies to all devices

Question 7

Yo have been asked to do a write out of the devices data sources on your SIEM. How can you do this?

Answer 7

This is applied on ERC you go to Data Sources, and then uncheck and check again any data source that has the Parsing option enabled, this enables the Write button on the bottom of the window.

Question 8

What is aggregation concept refers to on ESM?

Answer 8

Is the ability to group multiple events on a single event with a event count.