QRadar supports McAfee ePO and Symantec SEP, but not every kind of event they produce.
1. SEP has full support for the Antivirus, HIPS and SONAR functions. When SEP is used for Device Control, however, the data arrives as a Misc. event rather than a Device Control event, meaning none of the Device Control data coming from SEP is parsed by the system.
2. McAfee ePO, like SEP, has full support for the antivirus functions: just connect to the ePO database and you are done. But when ePO Device Control (aka DLP) is used, the events are stored in a different view of the ePO database.
With the regular connection, in this scenario we are not even connected to the data loss prevention events.
I don't have the answers as to why the QRadar SIEM system does not monitor those alerts, but I have the how.
I have done this only on McAfee, but I guess it's the same logic in SEP; you just need to look for the right table.
SEP:
The events arrive as Misc. events, and we can parse them accordingly using Extract Property.
OR
We can use a Universal DSM to connect to the SEP database, look for the correct table, connect and parse.
McAfee:
Configuring the regular McAfee ePO connector – Link
Just change the table name and compare field accordingly:
Add a Universal DSM with JDBC\MSDE
Connect to the McAfee database which holds the ePO data
Table name: dbo.DLP_EventView
Compare field: EventRowID
Use this parser – Link
Use these QIDs to map the events:
25250440 Device Plug
25250441 Device Unplug
74000033 Connection To Device Blocked
25250115 Access Protection rule violation detected and blocked
McAfee XML: copy it from below or just Download
<device-extension xmlns="event_parsing/device_extension">
<!-- Do not remove the "allEventNames" value -->
<pattern id="allEventNames" xmlns=""><![CDATA[(.*)]]></pattern>
<!-- Everything below this line can be modified -->
<!-- The JDBC protocol renders each DLP_EventView row as Column: "value" pairs; the patterns below match on those -->
<pattern id="EventName" xmlns=""><![CDATA[EventType\:\s\"(\d{1,9})\"]]></pattern>
<pattern id="DeviceTime" xmlns=""><![CDATA[LocalTime\:\s\"(\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})]]></pattern>
<!-- Captures the part of UserName after the domain backslash, e.g. DOMAIN\user -> user -->
<pattern id="UserName" xmlns=""><![CDATA[UserName.+\w+\\(.+?)\"]]></pattern>
<match-group order="1" description="Log Source Extension" xmlns="">
<matcher field="EventName" order="1" pattern-id="EventName" capture-group="1" enable-substitutions="false"/>
<!-- ext-data gives the DeviceTime matcher the date format of the captured LocalTime value -->
<matcher field="DeviceTime" order="1" pattern-id="DeviceTime" capture-group="1" ext-data="yyyy-MM-dd HH:mm:ss" />
<matcher field="UserName" order="1" pattern-id="UserName" capture-group="1" />
<event-match-multiple pattern-id="allEventNames" capture-group-index="1" device-event-category="unknown" send-identity="OverrideAndNeverSend" />
</match-group>
</device-extension>
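To check the extension's patterns and the QID mapping before loading them into QRadar, the following script (an added example, not code from the original post or from IBM/McAfee) applies the three regexes from the XML above to constructed DLP_EventView payloads in the `Column: "value"` form the JDBC protocol produces and resolves each EventType to one of the QIDs listed above. The EventType values (9000x) and the sample rows are constructed placeholders, and the EventType-to-QID table is an assumption you must fill from your own ePO data; the script also shows the one failure mode worth knowing about, a later column containing a path, and a tighter UserName pattern that avoids it.

```python
import re

# Patterns copied from the log source extension on this page. The JDBC protocol
# renders each DLP_EventView row as `Column: "value"` pairs, which is what they
# expect.
PAGE_PATTERNS = {
    "EventName": re.compile(r'EventType:\s"(\d{1,9})"'),
    "DeviceTime": re.compile(r'LocalTime:\s"(\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})'),
    "UserName": re.compile(r'UserName.+\w+\\(.+?)"'),
}

# Tighter UserName pattern (my addition, not from the page): it anchors on the
# UserName column itself instead of the last backslash anywhere in the payload.
STRICT_USERNAME = re.compile(r'UserName:\s"[^"\\]+\\([^"]+)"')

# Assumed mapping from DLP_EventView EventType values to the QIDs given on the
# page. The 9000x keys are constructed placeholders, not real McAfee event ids.
EVENT_TYPE_TO_QID = {
    "90001": 25250440,  # Device Plug
    "90002": 25250441,  # Device Unplug
    "90003": 74000033,  # Connection To Device Blocked
    "90004": 25250115,  # Access Protection rule violation detected and blocked
}


def parse_payload(payload, strict_username=False):
    """Apply the extension's patterns to one payload and resolve the QID.

    A field whose pattern does not match is None. An EventType with no QID
    mapping gets QID None, which is the 'does not parse' situation the page
    describes (the event would land as unknown in QRadar).
    """
    fields = {}
    for name, pattern in PAGE_PATTERNS.items():
        m = pattern.search(payload)
        fields[name] = m.group(1) if m else None
    if strict_username:
        m = STRICT_USERNAME.search(payload)
        fields["UserName"] = m.group(1) if m else None
    fields["QID"] = EVENT_TYPE_TO_QID.get(fields["EventName"])
    return fields


def triage(payloads, strict_username=False):
    """Split payloads into those that map to a QID and those that do not."""
    mapped, unmapped = [], []
    for payload in payloads:
        fields = parse_payload(payload, strict_username)
        (mapped if fields["QID"] is not None else unmapped).append(fields)
    return mapped, unmapped


# Constructed sample rows in the JDBC protocol's payload form.
SAMPLE_PAYLOADS = [
    'EventRowID: "1001" EventType: "90001" LocalTime: "2024-03-05 09:15:42" '
    'UserName: "CORP\\jdoe" DeviceName: "USB Flash Drive"',
    # A path in a later column: the page's UserName regex grabs the last
    # backslash-delimited token, so it returns the file name, not the user.
    'EventRowID: "1002" EventType: "90003" LocalTime: "2024-03-05 09:16:10" '
    'UserName: "CORP\\asmith" FileName: "C:\\Users\\asmith\\report.xlsx"',
    # An EventType with no QID mapping.
    'EventRowID: "1003" EventType: "90099" LocalTime: "2024-03-05 09:17:03" '
    'UserName: "CORP\\svc_backup"',
]

if __name__ == "__main__":
    mapped, unmapped = triage(SAMPLE_PAYLOADS, strict_username=True)
    for fields in mapped:
        print("mapped  ", fields)
    for fields in unmapped:
        print("unmapped", fields)
```

Run it as-is to see the second row parsed both ways; any row that ends up in `unmapped` is an EventType you still need a QID for, and a spike of such rows after an ePO upgrade is the first sign the view's EventType values have changed.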
if you have any problems you are welcome to e-mail us at: [email protected]