
McAfee DLP

About

Total Protection for DLP helps ensure compliance and protects sensitive data wherever it lives—on endpoints, on the network, in storage systems, or in the cloud.

Product Details

Vendor URL: McAfee DLP

Product Type: DLP

Product Tier: Tier II

Integration Method: Syslog

Integration URL: N/A

Log Guide: N/A

Parser Details

Log Format: Syslog

Expected Normalization Rate: 95%

Data Label: MCAFEE_DLP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field        UDM Field
"McAfee" (constant)   metadata.vendor_name
product               metadata.product_name
eventType             metadata.product_event_type
eventName             metadata.description
hostname              principal.hostname
logonName             principal.user.userid
sourceApplication     principal.application
sourcePath            target.file.full_path
totalContentSizeKB    target.file.size
filenames             security_result.threat_name
action                security_result.action
sender                network.email.from
allRecipients         network.email.to
emailSubject          network.email.subject

Product Event Types

type,subtype        severity   UDM Event Classification   alerting enabled
email                          EMAIL_UNCATEGORIZED
file                           FILE_UNCATEGORIZED
all other events               GENERIC_EVENT

Log Sample

<14>1 2022-04-20T23:24:18Z hostname McAfee-DLPe - - - dateTime=2022-04-20 23:09:28|hostname=hostName|company=Company|product=DLP Endpoint Windows|version=11.9.0.81|eventOriginalGUID={111111-2222-3333-4444-555555555}|eventType=19134|eventName=cloud desktop sync|isDlpIncidentReported=0|sev=0|action=no action|logonName=domain\userName|sourceApplication=onedrive.exe|cloudService=onedrive(business)|totalFilesCount=1|totalContentSizeKB=0|filenames=3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz|sourcePath=c:\users\userName\onedrive - \documents\dotnetapps\lsat\$tf\6\3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz|filesSizeKB=0

Sample Parsing

metadata.event_timestamp = "2022-04-20T23:28:52.541576Z"
metadata.event_type = "FILE_UNCATEGORIZED"
metadata.vendor_name = "McAfee"
metadata.product_name = "DLP Endpoint Windows"
metadata.product_event_type = "19134"
metadata.description = "cloud desktop sync"
metadata.ingested_timestamp = "2022-04-20T23:28:52.541576Z"
principal.hostname = "hostname"
principal.user.userid = "domain\Username"
principal.application = "onedrive.exe"
target.file.full_path = "c:\users\username\onedrive - \documents\dotnetapps\lsat\$tf\6\3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz"
security_result.threat_name = "3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz"
security_result.action = "ALLOW"
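
As an added example (not code from this page, from McAfee, or from the Chronicle parser itself), the following Python normaliser applies the UDM field table above to the log sample: it splits the RFC 5424 header from the '|'-delimited key=value body, copies mapped fields, classifies the event per the Product Event Types table and normalises the action as the Sample Parsing section shows. The email-versus-file decision (keyed off which fields the event carries) and the fallback to UNKNOWN_ACTION for action values other than "no action" are assumptions made here, not documented parser behaviour.

```python
import re
# Constructed input: the McAfee DLP Endpoint syslog sample from this page (RFC 5424 header + '|'-delimited body).
SAMPLE = (
    '<14>1 2022-04-20T23:24:18Z hostname McAfee-DLPe - - - '
    'dateTime=2022-04-20 23:09:28|hostname=hostName|company=Company|product=DLP Endpoint Windows|'
    'version=11.9.0.81|eventType=19134|eventName=cloud desktop sync|isDlpIncidentReported=0|sev=0|'
    'action=no action|logonName=domain\\userName|sourceApplication=onedrive.exe|'
    'cloudService=onedrive(business)|totalFilesCount=1|totalContentSizeKB=0|'
    'filenames=3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz|sourcePath=c:\\users\\userName\\onedrive - '
    '\\documents\\dotnetapps\\lsat\\$tf\\6\\3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz|filesSizeKB=0'
)

# Log field -> UDM field, as listed in the UDM Fields table on this page.
FIELD_MAP = {
    'product': 'metadata.product_name', 'eventType': 'metadata.product_event_type',
    'eventName': 'metadata.description', 'hostname': 'principal.hostname',
    'logonName': 'principal.user.userid', 'sourceApplication': 'principal.application',
    'sourcePath': 'target.file.full_path', 'totalContentSizeKB': 'target.file.size',
    'filenames': 'security_result.threat_name', 'sender': 'network.email.from',
    'allRecipients': 'network.email.to', 'emailSubject': 'network.email.subject',
}
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) \S+ \S+ \S+ (.*)$')

def parse_kv(body):
    # Split on '|' and on the FIRST '=' only, so values with spaces, backslashes or '=' survive.
    fields = {}
    for part in body.split('|'):
        key, sep, value = part.partition('=')
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def to_udm(line):
    # Normalise one McAfee DLP syslog line into a flat dict keyed by UDM field path.
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    raw = parse_kv(m.group(5))
    udm = {'metadata.vendor_name': 'McAfee'}
    udm.update({dst: raw[src] for src, dst in FIELD_MAP.items() if src in raw})
    # Product Event Types table; the email/file split is assumed to key off which fields are present.
    is_email = any(k in raw for k in ('sender', 'allRecipients', 'emailSubject'))
    is_file = 'sourcePath' in raw or 'filenames' in raw
    udm['metadata.event_type'] = ('EMAIL_UNCATEGORIZED' if is_email
                                  else 'FILE_UNCATEGORIZED' if is_file else 'GENERIC_EVENT')
    # Sample Parsing shows 'no action' -> ALLOW; other values are assumed to fall back to UNKNOWN_ACTION.
    if 'action' in raw:
        udm['security_result.action'] = 'ALLOW' if raw['action'] == 'no action' else 'UNKNOWN_ACTION'
    return udm
```

Running `to_udm(SAMPLE)` yields the FILE_UNCATEGORIZED event, ALLOW action and file path shown in the Sample Parsing section; unmapped fields such as cloudService and filesSizeKB are dropped, matching the 95% normalisation expectation rather than full coverage.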

Parser Alerting

N/A

Rules

Coming Soon