McAfee Enterprise Security Manager Data Source Configuration Guide. Data Source: Bit9 Parity Suite. February 4, 2015. Bit9 Parity Suite Page 1 of 8


Important Note: The information contained in this document is confidential and proprietary. Please do not redistribute without permission.

Table of Contents

1 Introduction 4
2 Prerequisites 4
3 Specific Data Source Configuration Details 5
3.1 Bit9 Parity Suite Configuration 5
3.2 McAfee Event Receiver Configuration 5
4 Data Source Event to McAfee Field Mappings 6
4.1 Basic (RFC 3164) Log Format 6
4.2 Basic (RFC 3164) Log Sample 6
4.3 Basic (RFC 3164) Mappings 6
4.4 CEF (ArcSight) Log Format 7
4.5 CEF (ArcSight) Log Sample 7
4.6 CEF (ArcSight) Mappings 7
5 Appendix A - Generic Syslog Configuration Details 8
6 Appendix B - Troubleshooting 8

1 Introduction

This guide details how to configure Bit9 Parity Suite to send syslog data in the proper format to the McAfee Event Receiver.

2 Prerequisites

McAfee Enterprise Security Manager Version 9.1.0 and above for Basic (RFC 3164) logs.
McAfee Enterprise Security Manager Version 9.2.0 and above for CEF (ArcSight) formatted logs.

In order to configure the Bit9 Parity Suite Syslog service, appropriate administrative level access is required to perform the necessary changes documented below.

3 Specific Data Source Configuration Details

3.1 Bit9 Parity Suite Configuration

1. Navigate to the System Configuration page in the user interface.
2. Select Server Status from the Configuration Options list.
3. Click the Edit button at the bottom to make changes.
4. Make sure that the Syslog enabled check box is checked.
5. Enter the IP address of your McAfee Event Receiver in the Syslog address field.
6. Set the Syslog port to 514 (Default port for syslog).
7. Set Syslog format either to Basic (RFC 3164) for standard syslog formatted logs, or to CEF (ArcSight) for ArcSight CEF formatted logs.
8. Click Update to save changes and exit.

3.2 McAfee Event Receiver Configuration

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Event Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select Data Sources.
4. Select Add Data Source.

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the Add Data Source icon.

Data Source Screen Settings

1. Data Source Vendor: Bit9
2. Data Source Model: Bit9 Parity Suite (ASP) for Basic (RFC 3164) logs, or Bit9 Parity Suite CEF (ASP) for ArcSight CEF formatted logs.
3. Data Format: Default
4. Data Retrieval: SYSLOG (Default)
5. Enabled: Parsing/Logging/SNMP Trap: Parsing
6. Name: Name of data source
7. IP Address/Hostname: The IP address and host name associated with the data source device.
8. Syslog Relay: None
9. Mask: 32
10. Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
11. Support Generic Syslogs: Do nothing
12. Time Zone: Time zone of data being sent.

Note: Refer to Appendix A for details on the Data Source Screen options.

4 Data Source Event to McAfee Field Mappings

4.1 Basic (RFC 3164) Log Format

The expected format for this device is as follows:

<date time> <device name> <message>

4.2 Basic (RFC 3164) Log Sample

This is a sample log from a <Product Name> device:

<123>1 2001-01-01T01:01:01Z example.name.com Parity - - - Bit9 ParityServer event: text="computer from '192.0.2.1' changed its name from 'hostname1' to 'hostname2'." event_type="computer Management" event_subtype="computer modified" hostname="hostname2" username="examplename" date="1/01/2001 01:01:01 PM"

4.3 Basic (RFC 3164) Mappings

The table below shows the mappings between the data source and McAfee ESM fields.

Log Fields              McAfee ESM Fields
hostname                Hostname
event_type              Application
ip_address              Source IP
Destination IP          Destination IP
Source MAC              Source MAC
Destination MAC         Destination MAC
CLI                     Command
hostname                Domain
Name, hash              Object
username                Source_Username
Destination Username    Destination_Username
process                 Target_Process_Name
file_name               Destination_Filename
policy                  Policy_Name
Description             Message_Text

4.4 CEF (ArcSight) Log Format

The expected CEF format for this device is as follows:

<priority> <date> <hostname> CEF:<version>|<device vendor>|<device product>|<device version>|<signature ID>|<name>|<severity>|<custom field label=label> <custom field value=value>

4.5 CEF (ArcSight) Log Sample

This is a sample CEF log from a Bit9 Parity Suite device:

<123>Jan 01 01:01:01 hostname CEF:0|Bit9|Parity|x.x.x|1234|New file on network|4|externalid=123456 cat=value rt=jan 01 01:01:01 UTC filepath=c:\\example.net fname=example.net filehash=a1b2c3d4e5f6 fileid=123456 dproc=c:\\example.exe dst=192.0.2.1 dhost=hostname duser=username dvchost=hostname msg=server discovered new file example.net cs1label=roothash cs1=hash cs2label=installerfilename cs2=filename cs3label=policy cs3=policy

4.6 CEF (ArcSight) Mappings

The table below shows the mappings between the data source and McAfee ESM fields.

Log Fields              McAfee ESM Fields
dhost                   Hostname
installerfilename       Application
src                     Source IP
dst                     Destination IP
spt                     Source Port
dpt                     Destination Port
smac                    Source MAC
dmac                    Destination MAC
proto                   Protocol
cnt                     Event Count
fname                   Filename
Policy                  Object_Type
spriv                   Object
suser                   Source_Username
duser                   Destination_Username
externalid              End_Page
act                     Event Subtype
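The two record formats and their mapping tables in sections 4.1 through 4.6, worked as an added Python example (this is not code from the guide, McAfee or Bit9): it parses one Basic-format and one CEF-format Parity record and renames the parsed fields to the ESM field names given in the tables. The sample lines are constructed to follow the shape of the page's 4.2 and 4.5 samples with placeholder values; the Basic mapping covers the table's plain key="value" fields, and ArcSight custom-string labels (cs1label=roothash cs1=hash) are folded into named keys before mapping.

```python
import re

# Log field -> McAfee ESM field, from the page's mapping tables: 4.3 for the Basic (RFC 3164)
# key="value" fields and 4.6 for the CEF extension keys. Keys are lower-cased for lookup.
BASIC_TO_ESM = {"hostname": "Hostname", "event_type": "Application",
                "ip_address": "Source IP", "cli": "Command", "username": "Source_Username",
                "process": "Target_Process_Name", "file_name": "Destination_Filename",
                "policy": "Policy_Name", "description": "Message_Text"}
CEF_TO_ESM = {"dhost": "Hostname", "installerfilename": "Application", "src": "Source IP",
              "dst": "Destination IP", "spt": "Source Port", "dpt": "Destination Port",
              "smac": "Source MAC", "dmac": "Destination MAC", "proto": "Protocol",
              "cnt": "Event Count", "fname": "Filename", "policy": "Object_Type",
              "spriv": "Object", "suser": "Source_Username", "duser": "Destination_Username",
              "externalid": "End_Page", "act": "Event Subtype"}
# CEF header fields in order (section 4.4); the eighth pipe-delimited part is the extension.
CEF_HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def parse_basic(line):
    """Return the key="value" pairs that follow 'event:' in a Basic-format Parity record."""
    body = line.split("event:", 1)[1]
    return dict(re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', body))

def parse_cef(line):
    """Split a CEF record into header fields and an extension dict (custom labels resolved)."""
    parts = re.split(r"(?<!\\)\|", line.split("CEF:", 1)[1], maxsplit=7)  # '\|' is an escaped pipe
    event = dict(zip(CEF_HEADER, parts[:7]))
    # Extension values may contain spaces (msg=...), so a new pair starts only at ' key='.
    ext = dict(p.split("=", 1) for p in re.split(r" (?=\w+=)", parts[7]))
    # ArcSight custom strings arrive as cs1label=roothash cs1=hash; fold them to roothash=hash.
    for label_key in [k for k in ext if k.endswith("label")]:
        ext[ext.pop(label_key)] = ext.pop(label_key[:-5], "")
    event["extension"] = ext
    return event

def to_esm(fields, mapping):
    """Rename parsed fields to ESM names; keys absent from the table are returned separately."""
    esm, unmapped = {}, {}
    for key, value in fields.items():
        target = mapping.get(key.lower())
        (esm if target else unmapped)[target or key] = value
    return esm, unmapped

# Constructed samples following the page's 4.2 and 4.5 samples (placeholder values).
BASIC_SAMPLE = ('<123>1 2001-01-01T01:01:01Z example.name.com Parity - - - Bit9 ParityServer event: '
                'text="computer from \'192.0.2.1\' changed its name from \'hostname1\' to \'hostname2\'." '
                'event_type="computer Management" event_subtype="computer modified" '
                'hostname="hostname2" username="examplename" date="1/01/2001 01:01:01 PM"')
CEF_SAMPLE = ('<123>Jan 01 01:01:01 hostname CEF:0|Bit9|Parity|x.x.x|1234|New file on network|4|'
              'externalid=123456 cat=value fname=example.net dst=192.0.2.1 dhost=hostname '
              'duser=username msg=server discovered new file example.net '
              'cs1label=roothash cs1=hash cs3label=policy cs3=policy')
```

Calling `to_esm(parse_cef(CEF_SAMPLE)["extension"], CEF_TO_ESM)` returns the mapped ESM fields together with the keys the table does not cover (here cat, msg and roothash), which is a quick way to see which parts of a record a custom parsing rule would still have to handle.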

5 Appendix A - Generic Syslog Configuration Details

Once you select the option to add a data source, you are taken to the Add Data Source menu. The general options for adding a data source are shown. As you select different options, additional parameters may show. Each of these parameters will be examined in more detail.

1. Use System Profiles: System Profiles are a way to use settings that are repetitive in nature, without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor: List of all supported vendors.
3. Data Source Model: List of supported products for a vendor.
4. Data Format: Data Format is the format the data is in. Options are Default, CEF, and MEF. Note: If you choose CEF it will enable the generic rule for CEF and may not parse data source-specific details.
5. Data Retrieval: Data Retrieval allows you to select how the Receiver is going to collect the data. Default is over syslog.
6. Enabled: Parsing/Logging/SNMP Trap: Enables parsing of the data source, logging of the data source, and reception of SNMP traps from the data source. If no option is checked, the settings are saved to the ESM, but not written to the Receiver or utilized. Default is to select Parsing.
7. Name: This is the name that will appear in the Logical Device Groupings tree and the filter lists.
8. IP Address/Hostname: The IP address and host name associated with the data source device.
9. Syslog Relay: Syslog Relay allows data to be collected via relays and bucketed to the correct data source. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask: Enables you to apply a mask to an IP address so that a range of IP addresses can be accepted.
11. Require Syslog TLS: Enable to require the Receiver to communicate over TLS.
12. Support Generic Syslog: Generic Syslog allows users to select Parse generic syslog or Log unknown syslog event. Both of these options will create an alert for an auto-learned syslog event if there is no parsing rule.
13. Time Zone: If syslog events are sent in a time zone other than GMT, you need to set the time zone of the data source so the date on the events can be set accordingly.
14. Interface: Opens the Receiver interface settings to associate ports with streams of information.
15. Advanced: Opens advanced settings for the data source.

6 Appendix B - Troubleshooting

If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.

If you see errors saying events are being discarded because the Last Time value is more than one hour in the future, or the values are incorrect, you may need to adjust the Time Zone setting.