IBM Security QRadar

  • 1.  McAfee ePO Payload

    Posted Tue January 18, 2022 03:16 AM
    Hello QRadar Experts,

    I integrated McAfee ePO v5.10 with QRadar using TLS syslog, but I noticed that the events are not parsed/mapped.

    I drilled into some of the events, and the payload appears as shown below.


    Kindly assist if you have resolved this issue.


    ------------------------------
    benlinux
    ------------------------------


  • 2.  RE: McAfee ePO Payload

    Posted Mon January 24, 2022 06:25 AM
    Hello,
    I would appreciate it if someone could assist with this.

    Thanks



    ------------------------------
    benlinux
    ------------------------------



  • 3.  RE: McAfee ePO Payload

    Posted Tue February 22, 2022 03:43 AM
    Hello experts,

    Has anyone successfully integrated McAfee ePO with QRadar using TLS syslog?

    I am having issues with the payload getting to QRadar: the payload appears unreadable, and hence the events are neither parsed nor mapped.

    Kindly assist.

    ------------------------------
    benlinux
    ------------------------------



  • 4.  RE: McAfee ePO Payload

    Posted Thu February 24, 2022 02:03 AM
    Hi,
    IBM didn't make a correct DSM parser for McAfee ePO - it has the wrong format and the regexes they used are wrong. You have to do custom parsing. Try to parse (override settings) on Event ID:
    Regex  <EventID>(.*?)</EventID>  Capture group $1
    Most of the events will be parsed. Some events do not have a QID mapped. I didn't find those event IDs in the McAfee documentation.
    And when you get the correct event name, all other info must be parsed as well.

    Regards

    Vedran


    ------------------------------
    Vedran Goricki
    ------------------------------
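    The EventID override described in the reply above, as an added example that is not from the thread or from the QRadar DSM: the sample XML payload and the "unreadable" byte string are constructed for illustration, and the triage function simply separates a payload that does not decode as text (a transport or cipher-suite problem) from one that decodes but does not match the override regex (a DSM/regex problem). It also shows why the closing tag in the regex needs its slash.

```python
import re
from typing import Optional

# Constructed sample of an ePO-style XML event as it might arrive over TLS syslog.
# This is an assumption for illustration, not a captured ePO payload.
SAMPLE_OK = b"<EPOEvent><Event><EventID>1095</EventID><Severity>3</Severity></Event></EPOEvent>"
# Constructed "unreadable" sample: bytes that do not decode as UTF-8 text.
SAMPLE_BAD = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\xff\xfe\x80\x9c"

# Regex with a missing slash in the closing tag, and the corrected form.
REGEX_NO_SLASH = re.compile(r"<EventID>(.*?)<EventID>")
REGEX_FIXED = re.compile(r"<EventID>(.*?)</EventID>")


def payload_is_readable(raw: bytes) -> bool:
    """Return True if the raw syslog bytes decode as UTF-8 and contain an EventID tag."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return "<EventID>" in text


def extract_event_id(raw: bytes, pattern: re.Pattern = REGEX_FIXED) -> Optional[str]:
    """Return capture group $1 of the EventID regex, or None when it does not match."""
    if not payload_is_readable(raw):
        return None
    match = pattern.search(raw.decode("utf-8"))
    return match.group(1) if match else None


def triage(raw: bytes) -> str:
    """Tell a transport/cipher-suite problem apart from a DSM parsing problem."""
    if not payload_is_readable(raw):
        return "unreadable: check TLS/cipher-suite negotiation before touching the DSM"
    event_id = extract_event_id(raw)
    if event_id is None:
        return "readable but EventID not found: check the override regex"
    return f"readable, EventID={event_id}: check QID mapping for this ID"


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(triage(sample))
```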



  • 5.  RE: McAfee ePO Payload

    Posted Thu February 24, 2022 04:45 AM
    Hello Vedran,

    Thank you for responding, but it seems you missed my question.
    The payload is unreadable, as shown below. I can't parse a payload that is not readable.

    Regards,

    ------------------------------
    benlinux
    ------------------------------



  • 6.  RE: McAfee ePO Payload

    Posted Thu February 24, 2022 05:03 AM

    Hi

    Check what version of the McAfee DSM you have on QR:

    rpm -qa | grep -i mcafee

    Check the latest version on IBM Fix Central; if there is a newer version on Fix Central, update.

    Install the Content Pack for McAfee ePO.

    I have installed the McAfee ePO log source on QR with default settings – no custom certs – and it works.

    Sorry, I didn't see the picture; this is the first time I have seen something like &quote; in a McAfee ePO log.

    If nothing helps, open a case with IBM.
    Regards
    Vedran



    ------------------------------
    Vedran Goricki
    ------------------------------



  • 7.  RE: McAfee ePO Payload

    Posted Thu February 24, 2022 05:23 AM
    Hello Vedran,

    Thank you for your response. I have upgraded the McAfee ePO DSM with the latest rpm file from IBM Fix Central.
    But Vedran, this cannot be the issue; the first thing is to get the payload in the right format. Parsing and mapping happen only if the payload makes sense to QR.

    I have opened a case, and I think the SE is misinterpreting my issue. I am running ePO 5.10, and the supported protocol for this version is TLS syslog. We were using JDBC, but this is not supported in v5.10.

    Also, I have engaged the McAfee support team, and the SE said the issue is most likely from QR, and no further fine-tuning is needed on the ePO side. The tech note from McAfee below states that the events can be unreadable if the SIEM platform does not have a matching cipher suite.

    https://kc.mcafee.com/corporate/index?page=content&id=KB91194


    Regards,

    ------------------------------
    benlinux
    ------------------------------