McAfee DLP
About
Total Protection for DLP helps ensure compliance and protects sensitive data wherever it lives—on endpoints, on the network, in storage systems, or in the cloud.
Product Details
Vendor URL: McAfee DLP
Product Type: DLP
Product Tier: Tier II
Integration Method: Syslog
Integration URL: N/A
Log Guide: N/A
Parser Details
Log Format: Syslog
Expected Normalization Rate: 95%
Data Label: MCAFEE_DLP
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
"McAfee" | metadata.vendor_name |
product | metadata.product_name |
eventType | metadata.product_event_type |
eventName | metadata.description |
hostname | principal.hostname |
logonName | principal.user.userid |
sourceApplication | principal.application |
sourcePath | target.file.full_path |
xml_filename | target.file.names |
totalContentSizeKB | target.file.size |
xml_filesize | target.file.size |
filenames | security_result.threat_name |
action | security_result.action |
sender | network.email.from |
allRecipients | network.email.to |
emailSubject | network.email.subject |
Product Event Types
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
 | | EMAIL_UNCATEGORIZED | |
file | | FILE_UNCATEGORIZED | |
all other events | | GENERIC_EVENT | |
Log Sample
<14>1 2022-04-20T23:24:18Z hostname McAfee-DLPe - - - dateTime=2022-04-20 23:09:28|hostname=hostName|company=Company|product=DLP Endpoint Windows|version=11.9.0.81|eventOriginalGUID={111111-2222-3333-4444-555555555}|eventType=19134|eventName=cloud desktop sync|isDlpIncidentReported=0|sev=0|action=no action|logonName=domain\userName|sourceApplication=onedrive.exe|cloudService=onedrive(business)|totalFilesCount=1|totalContentSizeKB=0|filenames=3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz|sourcePath=c:\users\userName\onedrive - \documents\dotnetapps\lsat\$tf\6\3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz|filesSizeKB=0
Sample Parsing
metadata.event_timestamp = "2022-04-20T23:28:52.541576Z"
metadata.event_type = "FILE_UNCATEGORIZED"
metadata.vendor_name = "McAfee"
metadata.product_name = "DLP Endpoint Windows"
metadata.product_event_type = "19134"
metadata.description = "cloud desktop sync"
metadata.ingested_timestamp = "2022-04-20T23:28:52.541576Z"
principal.hostname = "hostname"
principal.user.userid = "domain\Username"
principal.application = "onedrive.exe"
target.file.full_path = "c:\users\username\onedrive - \documents\dotnetapps\lsat\$tf\6\3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz"
target.file.names = "OPPORTUNITY TRACKER.xls"
target.file.size = "28349"
security_result.threat_name = "3b081ce6-883f-4cc9-a6fc-d711b63c32c9.gz"
security_result.action = "ALLOW"
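A minimal parser for the pipe-delimited key=value format in the log sample, applying the field mapping listed above. This is an added example, not the product's parser: choosing the event type by which fields are present and mapping only `no action` to `ALLOW` are assumptions inferred from the sample, and `SAMPLE` is a constructed, shortened log line.

```python
import re

# Log field -> UDM field, copied from the mapping table on this page
# (the xml_* fields are omitted because the log sample does not carry them).
UDM_MAP = {
    "product": "metadata.product_name", "eventType": "metadata.product_event_type",
    "eventName": "metadata.description", "hostname": "principal.hostname",
    "logonName": "principal.user.userid", "sourceApplication": "principal.application",
    "sourcePath": "target.file.full_path", "totalContentSizeKB": "target.file.size",
    "filenames": "security_result.threat_name", "sender": "network.email.from",
    "allRecipients": "network.email.to", "emailSubject": "network.email.subject",
}
# RFC 5424 header with "-" structured data, as in the page's sample.
HEADER = re.compile(r"^<\d{1,3}>\d+ \S+ \S+ \S+ \S+ \S+ - (?P<msg>.*)$", re.S)
# Constructed sample, shortened from the page's log sample.
SAMPLE = (
    r"<14>1 2022-04-20T23:24:18Z hostname McAfee-DLPe - - - dateTime=2022-04-20 23:09:28"
    r"|hostname=hostName|product=DLP Endpoint Windows|eventType=19134"
    r"|eventName=cloud desktop sync|action=no action|logonName=domain\userName"
    r"|sourceApplication=onedrive.exe|totalContentSizeKB=0|filenames=report.gz"
    r"|sourcePath=c:\users\userName\documents\report.gz"
)

def parse_kv(msg):
    """Split 'k=v|k=v'; a segment without a valid key continues the previous value."""
    fields, last = {}, None
    for seg in msg.split("|"):
        key, sep, value = seg.partition("=")
        if sep and re.fullmatch(r"\w+", key):
            fields[key], last = value, key
        elif last is not None:
            fields[last] += "|" + seg  # stray pipe inside a value, e.g. a file name
    return fields

def to_udm(line):
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line with '-' structured data")
    raw = parse_kv(m.group("msg"))
    udm = {"metadata.vendor_name": "McAfee"}
    udm.update({dst: raw[src] for src, dst in UDM_MAP.items() if raw.get(src)})
    # Assumption: only the action value shown in the page's sample is mapped.
    if raw.get("action") == "no action":
        udm["security_result.action"] = "ALLOW"
    # Assumption: the event type follows from which field group is present.
    has_email = any(k.startswith("network.email.") for k in udm)
    udm["metadata.event_type"] = ("EMAIL_UNCATEGORIZED" if has_email else
        "FILE_UNCATEGORIZED" if "target.file.full_path" in udm else "GENERIC_EVENT")
    return udm
```

Comparing `to_udm(SAMPLE)` against the expected UDM values is a quick way to spot fields that fail to normalize before relying on them in detections.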
Parser Alerting
N/A
Rules
Coming Soon