McAfee Enterprise Security Manager
About
McAfee® Enterprise Security Manager, the core of the McAfee SIEM solution, delivers performance, actionable intelligence, and solution integration at the speed and scale required for security organizations. It allows you to quickly prioritize, investigate, and respond to hidden threats and meet compliance requirements.
Product Details
Vendor URL: McAfee ESM
Product Type: SIEM
Product Tier: Tier I
Integration Method: Syslog
Parser Details
Log Format: Syslog
Expected Normalization Rate: 100%
Data Label: MCAFEE_ESM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Mcafee | metadata.vendor_name |
| Enterprise Security Manager | metadata.product_name |
| srcip | principal.ip |
| srcip | principal.asset.ip |
| application | principal.application |
| srcport | principal.port |
| srczone | principal.cloud.availability_zone |
| dstip | target.ip |
| dstip | target.asset.ip |
| dstport | target.port |
| dstzone | target.cloud.availability_zone |
| | observer.hostname |
| rule_name | security_result.rule_name |
| event | security_result.summary |
| protocol | network.ip_protocol |
| netsessid | network.session_id |
Product Event Types
Event | UDM Event Classification |
---|---|
Login | NETWORK_CONNECTION |
all others | GENERIC_EVENT |
Log Sample
<133>Jul 14 13:24:51 hostname1 auditd: date="2022-07-14 17:24:51 +0000",fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,hostname=hostname1.domain,event="session drop",netsessid=a958762d05163,srcip=10.10.0.1,srcport=2263,srczone=zone1,protocol=6,dstip=10.10.0.2,dstport=3070,dstzone=internal,rule_name=rule_name1,cache_hit=0,start_time="2022-07-14 17:24:51 +0000",application=tcp
Sample Parsing
metadata.event_timestamp = "2022-07-14T13:24:51Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Mcafee"
metadata.product_name = "Enterprise Security Manager"
principal.ip = "10.10.0.1"
principal.port = 2263
principal.application = "tcp"
principal.cloud.availability_zone = "zone1"
principal.asset.ip = "10.10.0.1"
target.ip = "10.10.0.2"
target.port = 3070
target.cloud.availability_zone = "internal"
target.asset.ip = "10.10.0.2"
observer.hostname = "hostname1"
security_result.rule_name = "rulename1"
security_result.summary = "session drop"
network.ip_protocol = "TCP"
network.session_id = "a958762d05163"
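The mapping in the tables above, worked through on the page's log sample, as an added example (this is not the vendor's or the SIEM's own parser code): it parses the RFC 3164 style syslog header and the comma-separated key=value body, honouring double-quoted values that contain commas and spaces, and emits the UDM fields listed. Assumed rather than taken from the page: the subset of IANA protocol numbers, the year for the yearless syslog timestamp (taken from the body's date= field), and the rule that any event naming both endpoints is classified NETWORK_CONNECTION, which is how the page's sample parse comes out even though the event table lists only Login.

```python
"""Reference syslog-to-UDM mapper for the MCAFEE_ESM log format described on this page."""
import re
from datetime import datetime, timezone

# Constructed copy of the page's log sample, used as offline test input.
SAMPLE_LOG = (
    '<133>Jul 14 13:24:51 hostname1 auditd: date="2022-07-14 17:24:51 +0000",'
    'fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,'
    'hostname=hostname1.domain,event="session drop",netsessid=a958762d05163,'
    'srcip=10.10.0.1,srcport=2263,srczone=zone1,protocol=6,dstip=10.10.0.2,'
    'dstport=3070,dstzone=internal,rule_name=rule_name1,cache_hit=0,'
    'start_time="2022-07-14 17:24:51 +0000",application=tcp'
)

# RFC 3164 style header: <PRI>Mmm dd HH:MM:SS host tag: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$"
)
# key=value pairs: a double-quoted value may contain commas and spaces,
# a bare value runs up to the next comma.
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))')

# Assumed subset of IANA protocol numbers seen in this feed.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Direct field-to-UDM mapping, copied from the page's table.
FIELD_MAP = {
    "srcip": ("principal.ip", "principal.asset.ip"),
    "srcport": ("principal.port",),
    "srczone": ("principal.cloud.availability_zone",),
    "application": ("principal.application",),
    "dstip": ("target.ip", "target.asset.ip"),
    "dstport": ("target.port",),
    "dstzone": ("target.cloud.availability_zone",),
    "rule_name": ("security_result.rule_name",),
    "event": ("security_result.summary",),
    "netsessid": ("network.session_id",),
}
PORT_FIELDS = {"srcport", "dstport"}


def parse_body(body):
    """Split the comma-separated key=value payload, honouring quoted values."""
    fields = {}
    for m in KV_RE.finditer(body):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[m.group("key")] = value
    return fields


def header_timestamp(ts, year):
    """Syslog headers carry no year, so the caller supplies one. The page's
    sample treats the header time as UTC, so no offset is applied."""
    dt = datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S").replace(year=year)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def classify(fields):
    """'Login' is NETWORK_CONNECTION per the page's table. Assumption added here
    so the page's sample parses the same way: an event naming both endpoints
    is also treated as a connection; everything else is GENERIC_EVENT."""
    if fields.get("event") == "Login" or ("srcip" in fields and "dstip" in fields):
        return "NETWORK_CONNECTION"
    return "GENERIC_EVENT"


def to_udm(line):
    """Return a flat dict of UDM field -> value, or None when the header does not
    parse (count those to measure the normalization rate)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = parse_body(m.group("body"))
    # Assumption: year comes from the body's date= field, else the current year.
    year = int(fields["date"][:4]) if fields.get("date", "")[:4].isdigit() else datetime.now(timezone.utc).year
    udm = {
        "metadata.event_timestamp": header_timestamp(m.group("ts"), year),
        "metadata.event_type": classify(fields),
        "metadata.vendor_name": "Mcafee",
        "metadata.product_name": "Enterprise Security Manager",
        "observer.hostname": m.group("host"),
    }
    for key, targets in FIELD_MAP.items():
        if key not in fields:
            continue
        value = fields[key]
        if key in PORT_FIELDS and value.isdigit():
            value = int(value)  # ports are numeric in UDM
        for target in targets:
            udm[target] = value
    if fields.get("protocol", "").isdigit():
        num = int(fields["protocol"])
        udm["network.ip_protocol"] = IP_PROTOCOLS.get(num, str(num))
    return udm


if __name__ == "__main__":
    for k, v in to_udm(SAMPLE_LOG).items():
        print(f"{k} = {v!r}")
```

Field values are carried through verbatim, so rule_name=rule_name1 surfaces as security_result.rule_name = "rule_name1"; lines whose header does not match return None, which is the count to track against the expected normalization rate stated above.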
Parser Alerting
This product currently does not have any Parser-based Alerting.