McAfee Advanced Threat Defense¶
About¶
McAfee Advanced Threat Defense enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection.
Product Details¶
Vendor URL: McAfee ATD
Product Type: detection
Product Tier: Tier II
Integration Method: Syslog
Integration URL: McAfee ATD - Integration
Log Guide: McAfee ATD - Log mapping
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: MCAFEE_ATD
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| MsgId | metadata.product_event_type |
| User | target.user.user_display_name |
| Client | target.ip |
| Client | target.asset.ip |
| Category | security_result.category_details |
| Description | security_result.description |
| Result | security_result.action |
| Description | security_result.action_details |
| Type | extensions.auth.auth_details |
| | metadata.event_type |
| | observer.hostname |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Login | USER_LOGIN |
| all others | GENERIC_EVENT |
Log Sample¶
```
<181>Jul 7 14:10:12 hostname1 ATD2ESM[981]:
{
  "Type": "Audit",
  "MsgId": "L-LG-04-0",
  "Result": "Success",
  "User": "username1",
  "Category": "User",
  "Client": "10.10.0.1",
  "Action": "Session Login",
  "Description": "Successful user login - username1"
}
```
Sample Parsing¶
```
metadata.event_timestamp = "2022-07-07T14:10:12Z"
metadata.event_type = "USER_LOGIN"
metadata.product_event_type = "L-LG-04-0"
metadata.ingested_timestamp = "2022-07-07T21:13:33.422193Z"
target.user.user_display_name = "username1"
target.ip = "10.10.0.1"
target.asset.ip = "10.10.0.1"
observer.hostname = "hostname1"
security_result.category_details = "User"
security_result.description = "Successful user login - username1"
security_result.action = "ALLOW"
security_result.action_details = "Session Login Success"
extensions.auth.auth_details = "Audit"
```
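The following Python script is an added illustration of the mapping described by the UDM Fields table, the Product Event Types table and the Log Sample above; it is not the vendor's parser nor the SIEM's own parser code. It splits the RFC 3164 syslog header from the JSON payload, recovers the hostname and timestamp from the header, and builds the UDM key/value pairs shown in Sample Parsing. Assumptions, each marked in the code: the syslog year is supplied by the caller (RFC 3164 timestamps carry none), the Action field containing "Login" is what selects USER_LOGIN, `security_result.action_details` is built as Action plus Result to match the sample output, and a Result other than "Success" maps to BLOCK (the page documents only the success case). The sample line is the page's log sample joined onto one line, as a syslog collector would deliver it.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample: the page's Log Sample with the JSON payload on one line.
SAMPLE_LINE = (
    '<181>Jul 7 14:10:12 hostname1 ATD2ESM[981]: '
    '{"Type": "Audit", "MsgId": "L-LG-04-0", "Result": "Success", '
    '"User": "username1", "Category": "User", "Client": "10.10.0.1", '
    '"Action": "Session Login", '
    '"Description": "Successful user login - username1"}'
)

# RFC 3164 header: <PRI>TIMESTAMP HOST TAG[PID]: payload. DOTALL lets the
# JSON payload span several lines, as it does in the page's sample.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>\{.*\})\s*$",
    re.DOTALL,
)


def decode_pri(pri):
    """Split the syslog PRI into (facility, severity); 181 -> (22, 5)."""
    return pri // 8, pri % 8


def parse_syslog_timestamp(ts, year):
    """Render the header timestamp as UDM's RFC 3339 UTC form.
    Assumption: the collector runs in UTC and the caller knows the year."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def classify_event(payload):
    """Product Event Types table: Login -> USER_LOGIN, all others GENERIC_EVENT.
    Assumption: "Login" in the Action field is the login signal."""
    if "login" in payload.get("Action", "").lower():
        return "USER_LOGIN"
    return "GENERIC_EVENT"


def result_to_action(result):
    """Result -> security_result.action. Only Success=ALLOW is on the page;
    treating any other outcome as BLOCK is an assumption."""
    if result is None:
        return "UNKNOWN_ACTION"
    return "ALLOW" if result.lower() == "success" else "BLOCK"


def normalize(line, year=2022):
    """Turn one ATD syslog line into the flat UDM field dict the page shows."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an ATD2ESM syslog line")
    payload = json.loads(m.group("msg"))
    udm = {
        "metadata.event_timestamp": parse_syslog_timestamp(m.group("ts"), year),
        "metadata.event_type": classify_event(payload),
        "metadata.product_event_type": payload.get("MsgId"),
        "observer.hostname": m.group("host"),
        "security_result.action": result_to_action(payload.get("Result")),
        # Assumption: action_details = Action + Result, matching the sample.
        "security_result.action_details": " ".join(
            v for v in (payload.get("Action"), payload.get("Result")) if v
        ),
        "security_result.category_details": payload.get("Category"),
        "security_result.description": payload.get("Description"),
        "extensions.auth.auth_details": payload.get("Type"),
    }
    if payload.get("User"):
        udm["target.user.user_display_name"] = payload["User"]
    # Only populate the IP fields when Client really is an IP address, so a
    # hostname or junk value never lands in a typed UDM field.
    client = payload.get("Client")
    if client:
        try:
            ipaddress.ip_address(client)
            udm["target.ip"] = client
            udm["target.asset.ip"] = client
        except ValueError:
            pass
    return {k: v for k, v in udm.items() if v is not None}


if __name__ == "__main__":
    for key, value in normalize(SAMPLE_LINE).items():
        print(f'{key} = "{value}"')
```

Run as-is, the script prints the same key/value pairs as Sample Parsing (minus `metadata.ingested_timestamp`, which the SIEM sets at ingest time). Feeding it a line whose Action lacks "Login" yields GENERIC_EVENT, and a Client that is not a valid address leaves `target.ip` and `target.asset.ip` unset rather than polluting the asset fields.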
Parser Alerting¶
This product currently does not have any Parser-based Alerting.
Rules¶
Coming Soon