McAfee Enterprise Security Manager

About

McAfee® Enterprise Security Manager, the core of the McAfee SIEM solution, delivers performance, actionable intelligence, and solution integration at the speed and scale required by security organizations. It allows you to quickly prioritize, investigate, and respond to hidden threats and to meet compliance requirements.

Product Details

Vendor URL: McAfee ESM

Product Type: SIEM

Product Tier: Tier I

Integration Method: Syslog

Parser Details

Log Format: Syslog

Expected Normalization Rate: 100%

Data Label: MCAFEE_ESM

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                 UDM Field
Mcafee                         metadata.vendor_name
Enterprise Security Manager    metadata.product_name
srcip                          principal.ip
srcip                          principal.asset.ip
application                    principal.application
srcport                        principal.port
srczone                        principal.cloud.availability_zone
dstip                          target.ip
dstip                          target.asset.ip
dstport                        target.port
dstzone                        target.cloud.availability_zone
                               observer.hostname
rule_name                      security_result.rule_name
event                          security_result.summary
protocol                       network.ip_protocol
netsessid                      network.session_id

Product Event Types

Event        UDM Event Classification
Login        NETWORK_CONNECTION
all others   GENERIC_EVENT

Log Sample

<133>Jul 14 13:24:51 hostname1 auditd: date="2022-07-14 17:24:51 +0000",fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,hostname=hostname1.domain,event="session drop",netsessid=a958762d05163,srcip=10.10.0.1,srcport=2263,srczone=zone1,protocol=6,dstip=10.10.0.2,dstport=3070,dstzone=internal,rule_name=rule_name1,cache_hit=0,start_time="2022-07-14 17:24:51 +0000",application=tcp

Sample Parsing

metadata.event_timestamp = "2022-07-14T13:24:51Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Mcafee"
metadata.product_name = "Enterprise Security Manager"
principal.ip = "10.10.0.1"
principal.port = 2263
principal.application = "tcp"
principal.cloud.availability_zone = "zone1"
principal.asset.ip = "10.10.0.1"
target.ip = "10.10.0.2"
target.port = 3070
target.cloud.availability_zone = "internal"
target.asset.ip = "10.10.0.2"
observer.hostname = "hostname1"
security_result.rule_name = "rulename1"
security_result.summary = "session drop"
network.ip_protocol = "TCP"
network.session_id = "a958762d05163"
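The mapping above, worked through as an added Python example (this is not the page's parser or McAfee code): it splits the syslog header, tokenizes the comma-separated key=value payload while keeping quoted values such as event="session drop" intact, and emits the UDM fields from the table. Event classification follows the Product Event Types table; the IP_PROTO lookup covers only a few IANA protocol numbers and is an assumption, and the event timestamp is not derived.

```python
import re

# Constructed test input: the page's log sample as a single string.
SAMPLE_LOG = (
    '<133>Jul 14 13:24:51 hostname1 auditd: date="2022-07-14 17:24:51 +0000",fac=f_kernel_ipfilter,'
    'area=a_general_area,type=t_nettraffic,pri=p_major,hostname=hostname1.domain,event="session drop",'
    'netsessid=a958762d05163,srcip=10.10.0.1,srcport=2263,srczone=zone1,protocol=6,dstip=10.10.0.2,'
    'dstport=3070,dstzone=internal,rule_name=rule_name1,cache_hit=0,start_time="2022-07-14 17:24:51 +0000",'
    'application=tcp')

# Syslog header: <PRI>Mmm dd HH:MM:SS hostname tag: payload
HEADER_RE = re.compile(r'^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+?):\s*(.*)$')
# key=value pairs; quoted values may contain commas, so the quoted alternative is tried first.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}  # assumed subset of IANA protocol numbers
# Log field -> UDM field(s), from the table above; srcip/dstip each feed two UDM fields.
FIELD_MAP = {
    "srcip": ("principal.ip", "principal.asset.ip"), "srcport": ("principal.port",),
    "srczone": ("principal.cloud.availability_zone",), "application": ("principal.application",),
    "dstip": ("target.ip", "target.asset.ip"), "dstport": ("target.port",),
    "dstzone": ("target.cloud.availability_zone",), "rule_name": ("security_result.rule_name",),
    "event": ("security_result.summary",), "netsessid": ("network.session_id",),
}

def parse_kv(payload):
    fields = {}
    for m in KV_RE.finditer(payload):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def to_udm(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected syslog header")
    _pri, _ts, host, _tag, payload = m.groups()
    f = parse_kv(payload)
    udm = {
        "metadata.vendor_name": "Mcafee",
        "metadata.product_name": "Enterprise Security Manager",
        # Per the Product Event Types table: only Login is a NETWORK_CONNECTION.
        "metadata.event_type": "NETWORK_CONNECTION" if f.get("event") == "Login" else "GENERIC_EVENT",
        "observer.hostname": host,  # from the syslog header, not the hostname= payload field
    }
    for log_field, udm_fields in FIELD_MAP.items():
        if log_field in f:
            value = int(f[log_field]) if log_field.endswith("port") else f[log_field]
            for udm_field in udm_fields:
                udm[udm_field] = value
    if "protocol" in f:  # numeric IP protocol -> UDM IpProtocol enum name
        udm["network.ip_protocol"] = IP_PROTO.get(int(f["protocol"]), "UNKNOWN_IP_PROTOCOL")
    return udm
```

Calling to_udm(SAMPLE_LOG) reproduces the field values shown in Sample Parsing, with observer.hostname taken from the header rather than the payload's hostname= field.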

Parser Alerting

This product currently does not have any Parser-based Alerting.