Mappings: McAfee Endpoint Security Custom Parser
| Input | Value |
|---|---|
| Vendor | McAfee |
| Product | Endpoint Security Parser |
| Log Format | JSON |
| Event ID Regex Pattern | _default_ |
| Output | Value |
|---|---|
| Vendor | McAfee |
| Product | Endpoint Security |
| Record Type | Endpoint |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | SoftwareInfo.Event.CommonFields.ThreatActionTaken | |
| baseImage | SoftwareInfo.Event.CommonFields.SourceProcessName | |
| commandLine | SoftwareInfo.Event.CustomFields.SourceDescription | |
| description | SoftwareInfo.Event | |
| device_hostname | MachineInfo.MachineName | |
| device_ip | MachineInfo.IPAddress | |
| device_mac | MachineInfo.RawMACAddress | |
| file_basename | SoftwareInfo.Event.CommonFields.TargetFileName | |
| normalizedSeverity | SoftwareInfo.Event.Severity | |
| severity | SoftwareInfo.Event.Severity | |
| success | SoftwareInfo.Event.CommonFields.ThreatActionTaken | This is a lookup field. More info to come in the catalog later... |
| threat_category | SoftwareInfo.Event.CommonFields.ThreatCategory | |
| threat_name | SoftwareInfo.Event.CommonFields.ThreatName | |
| threat_ruleType | None | The static text malware is populated in this schema field. |
| timestamp | syslog_timestamp | We expect the orginal record value of syslog_timestamp is in the format yyyy-MM-dd'T'HH:mm:ss.S'Z' |
| user_username | MachineInfo.UserName |