McAfee MVISION EDR

About

MVISION EDR is McAfee's cloud-delivered endpoint detection and response product. It is built to shorten the time to detect and respond to threats: guided investigation automatically asks and answers investigative questions while gathering, summarizing and visualizing evidence from multiple sources, so analysts can prioritize threats with less SOC effort. Because deployment and analytics are cloud-based, analysts spend their time on defense rather than on maintaining the tooling.

Product Details

Vendor URL: McAfee MVISION EDR

Product Type: EDR

Product Tier: Tier I

Integration Method: Syslog

Integration URL: McAfee MVISION EDR

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: 80-100%

Data Label: MCAFEE_MVISION_CASB

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                          UDM Field
event.listName                          security_result.rule_name
event.policyId                          security_result.rule_id
event.reason                            security_result.category_details
event.siteName                          observer.application
event.threatId                          security_result.threat_id
event.threatName                        security_result.threat_name
id                                      principal.resource.id
l7Protocol                              metadata.product_event_type
origin                                  principal.application
query.clientIp                          principal.ip
query.dnsIp                             network.dns.authority.name
query.domain                            network.dns.questions.name
query.queryType                         network.dns.questions.type
query.resolved.response                 network.dns.answers.name
query.uuid                              network.dns.additional.data
threat.detectionTags                    security_result.detection_fields.value
threat.interpreterFileAttrs.md5         target.file.md5
threat.interpreterFileAttrs.path        target.file.full_path
threat.interpreterFileAttrs.sha256      target.file.sha256
threat.maGuid                           principal.asset_id
threat.rank                             security_result.priority_details
threat.score                            security_result.confidence_details
threat.severity                         security_result.severity_details
threat.threatAttrs.md5                  security_result.about.file.md5
threat.threatAttrs.name                 security_result.threat_name
threat.threatAttrs.path                 security_result.about.file.full_path
threat.threatAttrs.sha256               security_result.about.file.sha256
threat.threatId                         security_result.threat_id
threat.threatType                       security_result.category_details
type                                    metadata.product_event_type
user                                    principal.user.userid

Note: the raw key is written l7Protocol (camel case) in the log sample below; query.resolved is a list, so query.resolved.response maps to a repeated network.dns.answers.name.

Product Event Types

Event               UDM Event Classification    Security Category
DNS                 NETWORK_DNS
threat-detection    GENERIC_EVENT               SOFTWARE_MALICIOUS

Log Sample

<177>Aug 27 20:56:56 sysloghost [INFO]{"id": "7", "configId": "1040", "l7Protocol": "DNS", "query": {"time": "2021-08-27T20:50:47Z", "clientIp": "10.1.1.1", "dnsIp": "10.10.10.2", "domain": "domain", "uuid": "uuid", "queryType": "A", "deviceId": "N/A", "deviceName": "Not Available", "resolved": [{"type": "A", "response": "192.168.1.1", "asn": "asn", "asname": "N/A"}, {"type": "A", "response": "192.168.1.2", "asn": "asn", "asname": "N/A"}, {"type": "A", "response": "192.168.1.3", "asn": "asn", "asname": "N/A"}, {"type": "A", "response": "192.168.1.4", "asn": "asn", "asname": "N/A"}], "deviceOwnerId": "Not Available"}, "event": {"detectionTime": "2021-08-27T20:50:47Z", "detectionType": "inline", "siteId": "siteid", "siteName": "site", "policyId": "3040", "policyName": "SNV", "listId": "14281", "listName": "TLD Block List", "trigger": "domain", "categoryId": "4", "categoryName": "Other", "confidenceId": "2", "confidenceName": "Known", "actionId": "19282", "actionName": "actionname", "description": "None", "correlatedSinkholeEvents": [], "reason": "Customer Domain Intelligence", "onRamp": "No", "threatId": 1000, "severityId": 0, "threatName": "Customer Lists", "severityLevel": "Unclassified", "onrampType": "", "internalClientIP": "N/A", "clientRequestId": "", "policyEvaluationSource": "dns", "encryptedInternalClientIP": "", "encryptedInternalClientName": "", "scId": "N/A", "scName": "N/A", "applicationId": "-1", "applicationName": "Not Available", "riskId": "-1", "riskName": "Not Available", "catalogId": "-1", "observedAupCategories": [98], "aupCategories": [{"id": "98", "name": "Web Advertisements"}], "sublocationId": "-1", "sublocationName": "N/A", "eventType": "security", "clientAgents": ["N/A"]}}

Sample Parsing

metadata.event_timestamp = "2021-08-27T20:56:56Z"
metadata.event_type = "NETWORK_DNS"
metadata.vendor_name = "McAfee"
metadata.product_name = "MVISION EDR"
metadata.product_event_type = "DNS"
metadata.ingested_timestamp = "2021-08-27T20:58:20.340417Z"
principal.ip = "10.1.1.1"
observer.hostname = "sysloghost"
observer.application = "site"
security_result.category_details = "Customer Domain Intelligence"
security_result.threat_name = "Customer Lists"
security_result.rule_name = "TLD Block List"
security_result.rule_id = "3040"
security_result.threat_id = "1000"
network.application_protocol = "DNS"
network.dns.questions.name = "domain"
network.dns.questions.type = 1
network.dns.answers.name = "192.168.1.1"
network.dns.answers.name = "192.168.1.2"
network.dns.answers.name = "192.168.1.3"
network.dns.answers.name = "192.168.1.4"
network.dns.authority.name = "10.10.10.2"
network.dns.additional.data = "uuid"
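The following is an added worked example, not Chronicle's or McAfee's own parser code. It strips the syslog framing shown in the Log Sample, decodes the JSON payload and applies the field mapping table above to produce the flat UDM-style values listed under Sample Parsing; the same dotted-path walk is then reused for the threat-detection rows of the table. The DNS input is a trimmed copy of the page's own sample (keys the mapping does not use removed); the threat-detection input is constructed from the table's paths with made-up values, since the page gives no such sample. The query-type numbers, the year taken from query.time (the syslog header carries none), and the helper names are all assumptions.

```python
"""Added example: MVISION EDR syslog+JSON -> UDM-style dict using the mapping above."""
import json
import re
from datetime import datetime

# Framing seen in the Log Sample: <PRI>Mon DD HH:MM:SS host [LEVEL]{json}
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) \[(?P<level>[A-Z]+)\](?P<json>\{.*\})$",
    re.DOTALL,
)
# questions.type is numeric in UDM (A=1 per Sample Parsing); assumed subset of RR types
DNS_QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}

# Raw JSON path -> UDM field, copied from the mapping table (camel-case l7Protocol as logged)
DNS_MAP = {
    "l7Protocol": "metadata.product_event_type",
    "query.clientIp": "principal.ip",
    "query.dnsIp": "network.dns.authority.name",
    "query.domain": "network.dns.questions.name",
    "query.uuid": "network.dns.additional.data",
    "event.listName": "security_result.rule_name",
    "event.policyId": "security_result.rule_id",
    "event.reason": "security_result.category_details",
    "event.siteName": "observer.application",
    "event.threatId": "security_result.threat_id",
    "event.threatName": "security_result.threat_name",
}
THREAT_MAP = {
    "type": "metadata.product_event_type",
    "user": "principal.user.userid",
    "threat.maGuid": "principal.asset_id",
    "threat.severity": "security_result.severity_details",
    "threat.score": "security_result.confidence_details",
    "threat.threatId": "security_result.threat_id",
    "threat.threatType": "security_result.category_details",
    "threat.threatAttrs.sha256": "security_result.about.file.sha256",
    "threat.threatAttrs.path": "security_result.about.file.full_path",
    "threat.interpreterFileAttrs.sha256": "target.file.sha256",
}

# Trimmed copy of the page's Log Sample (unused keys removed)
DNS_LINE = (
    '<177>Aug 27 20:56:56 sysloghost [INFO]{"id": "7", "configId": "1040", "l7Protocol": "DNS", '
    '"query": {"time": "2021-08-27T20:50:47Z", "clientIp": "10.1.1.1", "dnsIp": "10.10.10.2", '
    '"domain": "domain", "uuid": "uuid", "queryType": "A", "resolved": [{"type": "A", "response": '
    '"192.168.1.1"}, {"type": "A", "response": "192.168.1.2"}, {"type": "A", "response": "192.168.1.3"}, '
    '{"type": "A", "response": "192.168.1.4"}]}, "event": {"siteName": "site", "policyId": "3040", '
    '"listName": "TLD Block List", "reason": "Customer Domain Intelligence", "threatId": 1000, '
    '"threatName": "Customer Lists"}}'
)
# Constructed threat-detection line: shape taken from the mapping table, values made up
THREAT_LINE = (
    '<177>Aug 27 20:57:10 sysloghost [INFO]{"type": "threat-detection", "user": "jdoe", '
    '"threat": {"maGuid": "guid-0001", "severity": "s4", "score": 70, "threatId": 55, '
    '"threatType": "Malware", "detectionTags": ["tag-a", "tag-b"], "threatAttrs": {"path": '
    '"C:\\\\Temp\\\\x.exe", "sha256": "' + "0" * 64 + '"}, "interpreterFileAttrs": {"sha256": "'
    + "1" * 64 + '"}}}'
)


def split_syslog(line):
    """Return (header groups, decoded JSON payload); reject anything not framed as above."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an MVISION syslog line")
    return m.groupdict(), json.loads(m.group("json"))


def get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def to_udm(line):
    hdr, payload = split_syslog(line)
    udm = {"metadata.vendor_name": "McAfee", "metadata.product_name": "MVISION EDR",
           "observer.hostname": hdr["host"]}
    # Syslog header has no year: borrow it from query.time (assumed), else current year
    ptime = get_path(payload, "query.time")
    year = int(ptime[:4]) if ptime else datetime.now().year
    ts = datetime.strptime(hdr["ts"], "%b %d %H:%M:%S").replace(year=year)
    udm["metadata.event_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    if payload.get("l7Protocol") == "DNS":
        mapping, udm["metadata.event_type"] = DNS_MAP, "NETWORK_DNS"
        udm["network.application_protocol"] = "DNS"
        qtype = get_path(payload, "query.queryType")
        if qtype in DNS_QTYPE:
            udm["network.dns.questions.type"] = DNS_QTYPE[qtype]
        # resolved[] is repeated, so answers.name is kept as a list
        udm["network.dns.answers.name"] = [
            r["response"] for r in (get_path(payload, "query.resolved") or []) if "response" in r]
    elif payload.get("type") == "threat-detection":
        mapping, udm["metadata.event_type"] = THREAT_MAP, "GENERIC_EVENT"
        udm["security_result.category"] = "SOFTWARE_MALICIOUS"
        udm["security_result.detection_fields.value"] = list(get_path(payload, "threat.detectionTags") or [])
    else:
        raise ValueError("unrecognised MVISION event shape")
    for src, dst in mapping.items():
        val = get_path(payload, src)
        if val is not None:
            udm[dst] = str(val)  # Sample Parsing renders ids such as threatId 1000 as strings
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(DNS_LINE), indent=2))
```

Events that are neither DNS nor threat-detection are rejected rather than half-mapped, which is the behaviour you want when measuring the 80-100% normalization rate quoted above: an unparsed line should show up as a parse failure, not as a GENERIC_EVENT with empty fields.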

Parser Alerting

This product currently does not have any Parser-based Alerting