McAfee IntruShield
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
Syslog |
Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Setting | Value |
---|---|
Name | <set name> |
Device Type | McAfee Intrushield |
Access Protocol | See Access Credentials |
Port | See Access Credentials |
Password config | See Password Configuration |
Configuration
Syslog
FortiSIEM handles custom syslog messages from McAfee Intrushield.
- Log in to McAfee Intrushield Manager.
- Create a customer syslog format with these fields:
- AttackName
- AttackTime
- AttackSeverity
- SourceIp
- SourcePort
- DestinationIp
- DestinationPort
- AlertId
- AlertType
- AttackId
- AttackSignature
- AttackConfidence
- AdminDomain
- SensorName:ASCDCIPS01
- Interface
- Category
- SubCategory
- Direction
- ResultStatus
- DetectionMechanism
- ApplicationProtocol
- NetworkProtocol
- Relevance
-
Set the message format as a sequence of
Attribute:Value
pairs as in this example.AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity::$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$, DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId$IV_ATTACK_ID$, AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$, Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$, DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$
- Set FortiSIEM as the syslog recipient.
Sample Parsed Syslog Message
Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236, SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:
0x00009300,AttackSignature:N/A, AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound, ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:
N/A,Relevance:N/A,HostIsolationEndTime:N/A