McAfee MVISION EDR¶
About¶
Reduce the time to detect and respond to threats. MVISION EDR helps security analysts quickly prioritize threats and minimize potential disruption. Guided investigation automatically asks and answers questions while gathering, summarizing, and visualizing evidence from multiple sources—reducing the need for more SOC resources. Cloud-based deployment and analytics enables your skilled security analysts to focus on strategic defense, instead of tool maintenance. Benefit from implementing the right solution for you.
Product Details¶
Vendor URL: McAfee MVISION EDR
Product Type: EDR
Product Tier: Tier I
Integration Method: Syslog
Integration URL: McAfee MVISION EDR
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 80-100%
Data Label: MCAFEE_MVISION_CASB
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| event.listName | security_result.rule_name |
| event.policyId | security_result.rule_id |
| event.reason | security_result.category_details |
| event.siteName | observer.application |
| event.threatId | security_result.threat_id |
| event.threatName | security_result.threat_name |
| id | principal.resource.id |
| l7protocol | metadata.product_event_type |
| origin | principal.application |
| query.clientIp | principal.ip |
| query.dnsIp | network.dns.authority.name |
| query.domain | network.dns.questions.name |
| query.queryType | network.dns.questions.type |
| query.resolved.response | network.dns.answers.name |
| query.uuid | network.dns.additional.data |
| threat.detectionTags | security_result.detection_fields.value |
| threat.interpreterFileAttrs.md5 | target.file.md5 |
| threat.interpreterFileAttrs.path | target.file.full_path |
| threat.interpreterFileAttrs.sha2256 | target.file.sha256 |
| threat.maGuid | principal.asset_id |
| threat.rank | security_result.priority_details |
| threat.score | security_result.confidence_details |
| threat.severity | security_result.severity_details |
| threat.threatAttrs.md5 | security_result.about.file.md5 |
| threat.threatAttrs.nam | security_result.threat_name |
| threat.threatAttrs.path | security_result.about.file.full_path |
| threat.threatAttrs.sha256 | security_result.about.file.sha256 |
| threat.threatId | security_result.threat_id |
| threat.threatType | security_result.category_details |
| type | metadata.product_event_type |
| user | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification | Security Category |
|---|---|---|
| DNS | NETWORK_DNS | |
| threat-detection | GENERIC_EVENT | SOFTWARE_MALICIOUS |
Log Sample¶
<177>Aug 27 20:56:56 sysloghost [INFO]{"id": "7", "configId": "1040", "l7Protocol": "DNS", "query": {"time": "2021-08-27T20:50:47Z", "clientIp": "10.1.1.1", "dnsIp": "10.10.10.2", "domain": "domain", "uuid": "uuid", "queryType": "A", "deviceId": "N/A", "deviceName": "Not Available", "resolved": [{"type": "A", "response": "192.168.1.1", "asn": "asn", "asname": "N/A"}, {"type": "A", "response": "192.168.1.2", "asn": "asn", "asname": "N/A"}, {"type": "A", "response": "192.168.1.3", "asn": "asn", "asname": "N/A"}, {"type": "A", "response": "192.168.1.4", "asn": "asn", "asname": "N/A"}], "deviceOwnerId": "Not Available"}, "event": {"detectionTime": "2021-08-27T20:50:47Z", "detectionType": "inline", "siteId": "siteid", "siteName": "site", "policyId": "3040", "policyName": "SNV", "listId": "14281", "listName": "TLD Block List", "trigger": "domain", "categoryId": "4", "categoryName": "Other", "confidenceId": "2", "confidenceName": "Known", "actionId": "19282", "actionName": "actionname", "description": "None", "correlatedSinkholeEvents": [], "reason": "Customer Domain Intelligence", "onRamp": "No", "threatId": 1000, "severityId": 0, "threatName": "Customer Lists", "severityLevel": "Unclassified", "onrampType": "", "internalClientIP": "N/A", "clientRequestId": "", "policyEvaluationSource": "dns", "encryptedInternalClientIP": "", "encryptedInternalClientName": "", "scId": "N/A", "scName": "N/A", "applicationId": "-1", "applicationName": "Not Available", "riskId": "-1", "riskName": "Not Available", "catalogId": "-1", "observedAupCategories": [98], "aupCategories": [{"id": "98", "name": "Web Advertisements"}], "sublocationId": "-1", "sublocationName": "N/A", "eventType": "security", "clientAgents": ["N/A"]}}
Sample Parsing¶
metadata.event_timestamp = "2021-08-27T20:56:56Z"
metadata.event_type = "NETWORK_DNS"
metadata.vendor_name = "McAfee"
metadata.product_name = "MVISION EDR"
metadata.product_event_type = "DNS"
metadata.ingested_timestamp = "2021-08-27T20:58:20.340417Z"
principal.ip = "10.1.1.1"
observer.hostname = "sysloghost"
observer.application = "site"
security_result.category_details = "Customer Domain Intelligence"
security_result.threat_name = "Customer Lists"
security_result.rule_name = "TLD Block List"
security_result.rule_id = "3040"
security_result.threat_id = "1000"
network.application_protocol = "DNS"
network.dns.questions.name = "domain"
network.dns.questions.type = 1
network.dns.answers.name = "192.168.1.1"
network.dns.answers.name = "192.168.1.2"
network.dns.answers.name = "192.168.1.3"
network.dns.answers.name = "192.168.1.4"
authority.name = "10.10.10.2"
network.dns.additional.data = "uuid"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon