McAfee Network Security Platform connector for Microsoft Sentinel
The McAfee® Network Security Platform data connector provides the capability to ingest McAfee® Network Security Platform events into Microsoft Sentinel.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | Syslog (McAfeeNSPEvent) |
| Data collection rules support | Workspace transform DCR |
| Supported by | Microsoft Corporation |
Query samples
Top 10 Sources
```kusto
McAfeeNSPEvent
| summarize count() by tostring(DvcHostname)
| top 10 by count_
```
Vendor installation instructions
Note
This data connector depends on a parser based on a Kusto Function, McAfeeNSPEvent, to work as expected; the parser is deployed with the Microsoft Sentinel solution.
Note
This data connector has been developed using McAfee® Network Security Platform version 10.1.x.
Install and onboard the agent for Linux or Windows
Install the agent on the Server where the McAfee® Network Security Platform logs are forwarded.
Logs from McAfee® Network Security Platform Server deployed on Linux or Windows servers are collected by Linux or Windows agents.
Configure McAfee® Network Security Platform event forwarding
Follow the configuration steps below to get McAfee® Network Security Platform logs into Microsoft Sentinel.
While creating a profile, to make sure that events are formatted correctly, enter the following text in the Message text box:
<SyslogAlertForwarderNSP>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID |ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE |SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY |DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|
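The template above is a pipe-delimited record with a fixed field order, which is what the McAfeeNSPEvent parser relies on. The following is an added example (not part of this page or the solution's own parser) that maps one forwarded syslog line back to the named fields and rejects lines that do not carry the configured template; the syslog line is constructed sample data, and the field list is copied from the template above.

```python
from typing import Optional

# Field order as given in the Message template on this page. The
# "<SyslogAlertForwarderNSP>:" tag and a leading "|" precede the first field.
NSP_FIELDS = [
    "SENSOR_ALERT_UUID", "ALERT_TYPE", "ATTACK_TIME", "ATTACK_NAME", "ATTACK_ID",
    "ATTACK_SEVERITY", "ATTACK_SIGNATURE", "ATTACK_CONFIDENCE", "ADMIN_DOMAIN",
    "SENSOR_NAME", "INTERFACE", "SOURCE_IP", "SOURCE_PORT", "DESTINATION_IP",
    "DESTINATION_PORT", "CATEGORY", "SUB_CATEGORY", "DIRECTION", "RESULT_STATUS",
    "DETECTION_MECHANISM", "APPLICATION_PROTOCOL", "NETWORK_PROTOCOL",
]
TAG = "<SyslogAlertForwarderNSP>:"


def parse_nsp_message(syslog_line: str) -> Optional[dict]:
    """Return the NSP alert fields from one forwarded syslog line.

    Returns None when the line lacks the tag or does not contain exactly the
    templated field count, so a truncated message or a value containing a
    stray "|" is dropped rather than silently shifted into the wrong columns.
    """
    line = syslog_line.rstrip("\r\n")
    start = line.find(TAG)
    if start < 0:
        return None
    body = line[start + len(TAG):]
    # The template both starts and ends with "|", so splitting yields one
    # empty element before and one after the 22 named values.
    parts = body.split("|")
    if len(parts) != len(NSP_FIELDS) + 2 or parts[0] != "" or parts[-1] != "":
        return None
    return dict(zip(NSP_FIELDS, parts[1:-1]))


# Constructed sample values (not real alert data), one per template field.
SAMPLE_VALUES = [
    "6f2c1b9e-0000-4000-8000-000000000001", "Signature", "2024-06-21 10:15:30",
    "HTTP: Sample Attack Name (constructed)", "0x40000100", "High",
    "sample-signature", "High", "My Company", "nsp-sensor-01", "1A-1B",
    "198.51.100.23", "51342", "192.0.2.10", "80", "Exploit", "Web Server",
    "Inbound", "Blocked", "signature", "http", "tcp",
]
# Constructed syslog line with a typical PRI/timestamp/host prefix before the tag.
SAMPLE_LINE = ("<13>Jun 21 10:15:32 nsp-manager McAfeeNSP: " + TAG + "|"
               + "|".join(SAMPLE_VALUES) + "|")

if __name__ == "__main__":
    for name, value in parse_nsp_message(SAMPLE_LINE).items():
        print(f"{name}={value}")
```

A line whose field count differs from the template (for example one cut short by a syslog length limit) is returned as None, which is a useful signal to alert on when checking that the forwarding profile was entered exactly as shown above.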
Next steps
For more information, go to the related solution in the Azure Marketplace.