Jaa


[Deprecated] McAfee Network Security Platform connector for Microsoft Sentinel

Important

Log collection from many appliances and devices is now supported by the Common Event Format (CEF) via AMA, Syslog via AMA, or Custom Logs via AMA data connector in Microsoft Sentinel. For more information, see Find your Microsoft Sentinel data connector.

The McAfee® Network Security Platform data connector provides the capability to ingest McAfee® Network Security Platform events into Microsoft Sentinel. Refer to McAfee® Network Security Platform for more information.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) Syslog (McAfeeNSPEvent)
Data collection rules support Workspace transform DCR
Supported by Microsoft Corporation

Query samples

Top 10 Sources

McAfeeNSPEvent

| summarize count() by tostring(DvcHostname)

| top 10 by count_

Vendor installation instructions

Note

This data connector depends on a parser based on a Kusto Function to work as expected McAfeeNSPEvent which is deployed with the Microsoft Sentinel Solution.

Note

This data connector has been developed using McAfee® Network Security Platform version: 10.1.x

  1. Install and onboard the agent for Linux or Windows

Install the agent on the Server where the McAfee® Network Security Platform logs are forwarded.

Logs from McAfee® Network Security Platform Server deployed on Linux or Windows servers are collected by Linux or Windows agents.

  1. Configure McAfee® Network Security Platform event forwarding

Follow the configuration steps below to get McAfee® Network Security Platform logs into Microsoft Sentinel.

  1. Follow these instructions to forward alerts from the Manager to a syslog server.
  2. Add a syslog notification profile, more details here. This is mandatory. While creating profile, to make sure that events are formatted correctly, enter the following text in the Message text box: :|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID |ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE |SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY |DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|

Next steps

For more information, go to the related solution in the Azure Marketplace.