Mappings: McAfee Endpoint Security Custom Parser
Input | Value |
---|---|
Vendor | McAfee |
Product | Endpoint Security Parser |
Log Format | JSON |
Event ID Regex Pattern | _default_ |
Output | Value |
---|---|
Vendor | McAfee |
Product | Endpoint Security |
Record Type | Endpoint |
Cloud SIEM Schema Field | Original Record Key | Notes |
---|---|---|
action | SoftwareInfo.Event.CommonFields.ThreatActionTaken | |
baseImage | SoftwareInfo.Event.CommonFields.SourceProcessName | |
commandLine | SoftwareInfo.Event.CustomFields.SourceDescription | |
description | SoftwareInfo.Event | |
device_hostname | MachineInfo.MachineName | |
device_ip | MachineInfo.IPAddress | |
device_mac | MachineInfo.RawMACAddress | |
file_basename | SoftwareInfo.Event.CommonFields.TargetFileName | |
normalizedSeverity | SoftwareInfo.Event.Severity | |
severity | SoftwareInfo.Event.Severity | |
success | SoftwareInfo.Event.CommonFields.ThreatActionTaken | This is a lookup field. More info to come in the catalog later... |
threat_category | SoftwareInfo.Event.CommonFields.ThreatCategory | |
threat_name | SoftwareInfo.Event.CommonFields.ThreatName | |
threat_ruleType | None | The static text malware is populated in this schema field. |
timestamp | syslog_timestamp | We expect the orginal record value of syslog_timestamp is in the format yyyy-MM-dd'T'HH:mm:ss.S'Z' |
user_username | MachineInfo.UserName |