
External Systems Configuration Guide

McAfee Network Security Platform (formerly McAfee IntruShield)

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog   |                        |                   |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | McAfee Intrushield
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration

Configuration

Syslog

FortiSIEM handles custom syslog messages from McAfee Intrushield.

  1. Log in to McAfee Intrushield Manager.
  2. Create a custom syslog format with these fields:
    • AttackName
    • AttackTime
    • AttackSeverity
    • SourceIp
    • SourcePort
    • DestinationIp
    • DestinationPort
    • AlertId
    • AlertType
    • AttackId
    • AttackSignature
    • AttackConfidence
    • AdminDomain
    • SensorName
    • Interface
    • Category
    • SubCategory
    • Direction
    • ResultStatus
    • DetectionMechanism
    • ApplicationProtocol
    • NetworkProtocol
    • Relevance
  3. Set the message format as a sequence of Attribute:Value pairs as in this example.
    AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity:$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$,
    DestinationIp:$IV_DESTINATION_IP$,DestinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId:$IV_ATTACK_ID$,
    AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$,
    Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$,
    DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$
  4. Set FortiSIEM as the syslog recipient.

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,
SourcePort:N/A,DestinationIp:192.0.2.252,DestinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:0x00009300,AttackSignature:N/A,
AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,
ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A
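
To check a custom format before relying on it, the following added example (not FortiSIEM's parser and not code from this guide) splits a SyslogAlertForwarder message into its Attribute:Value pairs and reports which of the listed fields are absent. It anchors on the known field names so that colons and commas inside values, such as the AttackTime timestamp, do not split a field; `parse_alert`, `REQUIRED` and `KNOWN` are names chosen here.

```python
import re

# Field names listed in step 2 of this guide, in order.
REQUIRED = [
    "AttackName", "AttackTime", "AttackSeverity", "SourceIp", "SourcePort",
    "DestinationIp", "DestinationPort", "AlertId", "AlertType", "AttackId",
    "AttackSignature", "AttackConfidence", "AdminDomain", "SensorName",
    "Interface", "Category", "SubCategory", "Direction", "ResultStatus",
    "DetectionMechanism", "ApplicationProtocol", "NetworkProtocol", "Relevance",
]
# HostIsolationEndTime is not in the list but appears in the page's sample.
KNOWN = REQUIRED + ["HostIsolationEndTime"]

# A key counts only at the start of the payload or directly after a comma,
# so "16:23:17" or a comma inside an attack name stays part of the value.
KEY_RE = re.compile(r"(?:^|,)(" + "|".join(KNOWN) + r"):")

def parse_alert(line):
    """Return (fields, missing) for one SyslogAlertForwarder message."""
    _, sep, payload = line.partition("SyslogAlertForwarder: ")
    if not sep:
        raise ValueError("not a SyslogAlertForwarder message")
    matches = list(KEY_RE.finditer(payload))
    fields = {}
    for i, m in enumerate(matches):
        # The value runs up to the comma that introduces the next known key.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(payload)
        value = payload[m.end():end].strip()
        fields[m.group(1)] = None if value == "N/A" else value
    missing = [k for k in REQUIRED if k not in fields]
    return fields, missing

# The page's sample message, rejoined onto one logical line.
SAMPLE = (
    "Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,"
    "AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,"
    "SourceIp:127.255.106.236,SourcePort:N/A,DestinationIp:192.0.2.252,"
    "DestinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,"
    "AttackId:0x00009300,AttackSignature:N/A,AttackConfidence:N/A,"
    "AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,"
    "SubCategory:protocol-violation,Direction:Outbound,"
    "ResultStatus:May be successful,DetectionMechanism:signature,"
    "ApplicationProtocol:N/A,NetworkProtocol:N/A,Relevance:N/A,"
    "HostIsolationEndTime:N/A"
)

if __name__ == "__main__":
    fields, missing = parse_alert(SAMPLE)
    print(fields["AttackTime"], "| missing:", missing)
```

A misspelled or colon-less key in the format string shows up in `missing`, and its text is absorbed into the preceding field's value, which is the symptom to look for in parsed events.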
