Skip to content

McAfee Advanced Threat Defense

McAfee ATD


McAfee Advanced Threat Defense enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection.

Product Details

Vendor URL: McAfee ATD

Product Type: dectection

Product Tier: Tier II

Integration Method: Syslog

Integration URL: McAfee ATD - Integration

Log Guide: McAfee ATD - Log mapping

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: MCAFEE_ATD

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
MsgId metadata.product_event_type
User target.user.user_display_nam
Client target.ip
Client target.asset.ip
Category security_result.category_details
Description security_result.description
Result security_result.action
Description security_result.action_details
Type extensions.auth.auth_details

Product Event Types

Event UDM Event Classification
all others GENERIC_EVENT

Log Sample

<181>Jul  7 14:10:12 hostname1 ATD2ESM[981]: 
  "Type": "Audit",
  "MsgId": "L-LG-04-0",
  "Result": "Success",
  "User": "username1",
  "Category": "User",
  "Client": "",
  "Action": "Session Login",
  "Description": "Successful user login - username1"

Sample Parsing

metadata.event_timestamp = "2022-07-07T14:10:12Z"
metadata.event_type = "USER_LOGIN"
metadata.product_event_type = "L-LG-04-0"
metadata.ingested_timestamp = "2022-07-07T21:13:33.422193Z"
target.user.user_display_name = "username1"
target.ip = ""
target.asset.ip = ""
observer.hostname = "hostname1"
security_result.category_details = "User"
security_result.description = "Successful user login - username1"
security_result.action = "ALLOW"
security_result.action_details = "Session Login Success"
extensions.auth.auth_details = "Audit"

Parser Alerting

This product currently does not have any Parser-based Alerting


Coming Soon