
ips.mcafee

Introduction

The tags beginning with ips.mcafee identify events generated by McAfee.

Valid tags and data tables 

The full tag must have at least 3 levels. The first two are fixed as ips.mcafee. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| McAfee Network Security Manager | ips.mcafee.nsm | ips.mcafee.nsm |
| | ips.mcafee.nsm.audit | ips.mcafee.nsm.audit |
| | ips.mcafee.nsm.events | ips.mcafee.nsm.events |
| | ips.mcafee.nsm.fault | ips.mcafee.nsm.fault |

For more information, read About Devo tags.

Table structure

These are the fields displayed in these tables:

ips.mcafee.nsm

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| machine | str | | | |
| subtype | str | | vtype | |
| IV_ALERT_ID | str | | | |
| IV_ALERT_TYPE | str | | | |
| IV_ATTACK_TIME | timestamp | parsedate(substring(IV_ATTACK_TIME_str, 0, 19), +".000", dateformat("YYYY-MM-DD HH:mm:ss.SSS", substring(IV_ATTACK_TIME_str, 20))) | IV_ATTACK_TIME_str | |
| IV_ATTACK_NAME | str | | | |
| IV_ATTACK_ID | str | | | |
| IV_ATTACK_SEVERITY | str | | | |
| IV_ATTACK_SIGNATURE | str | | | |
| IV_ATTACK_CONFIDENCE | str | | | |
| IV_ADMIN_DOMAIN | str | | | |
| IV_SENSOR_NAME | str | | | |
| IV_INTERFACE | str | | | |
| IV_SOURCE_IP | ip4 | | | |
| IV_SOURCE_PORT | str | | | |
| IV_DESTINATION_IP | ip4 | | | |
| IV_DESTINATION_PORT | str | | | |
| IV_CATEGORY | str | | | |
| IV_SUB_CATEGORY | str | | | |
| IV_DIRECTION | str | | | |
| IV_RESULT_STATUS | str | | | |
| IV_DETECTION_MECHANISM | str | | | |
| IV_APPLICATION_PROTOCOL | str | | | |
| IV_NETWORK_PROTOCOL | str | | | |
| message | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

ips.mcafee.nsm.audit

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| IV_AUDIT_ACTION | str | |
| IV_AUDIT_RESULT | str | |
| IV_AUDIT_TIME | str | |
| IV_AUDIT_MESSAGE | str | |
| IV_AUDIT_USER | str | |
| IV_AUDIT_CATEGORY | str | |
| IV_AUDIT_DOMAIN | str | |
| IV_AUDIT_DETAIL_COMMENT | str | |
| IV_AUDIT_DETAIL_DELTA | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

ips.mcafee.nsm.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| machine | str | | | |
| IV_ALERT_ID | str | | | |
| IV_ALERT_TYPE | str | | | |
| IV_ATTACK_TIME | timestamp | parsedate(substring(IV_ATTACK_TIME_str, 0, 19), +".000", dateformat("YYYY-MM-DD HH:mm:ss.SSS", substring(IV_ATTACK_TIME_str, 20))) | IV_ATTACK_TIME_str | |
| IV_ATTACK_NAME | str | | | |
| IV_ATTACK_ID | str | | | |
| IV_ATTACK_SEVERITY | str | | | |
| IV_ATTACK_SIGNATURE | str | | | |
| IV_ATTACK_CONFIDENCE | str | | | |
| IV_ADMIN_DOMAIN | str | | | |
| IV_SENSOR_NAME | str | | | |
| IV_INTERFACE | str | | | |
| IV_SOURCE_IP | ip4 | | | |
| IV_SOURCE_PORT | str | | | |
| IV_DESTINATION_IP | ip4 | | | |
| IV_DESTINATION_PORT | str | | | |
| IV_CATEGORY | str | | | |
| IV_SUB_CATEGORY | str | | | |
| IV_DIRECTION | str | | | |
| IV_RESULT_STATUS | str | | | |
| IV_DETECTION_MECHANISM | str | | | |
| IV_APPLICATION_PROTOCOL | str | | | |
| IV_NETWORK_PROTOCOL | str | | | |
| message | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |
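The IV_ATTACK_TIME transformation used in both the ips.mcafee.nsm and ips.mcafee.nsm.events tables keeps the first 19 characters of the raw value, appends ".000" and applies the offset found from character 20 onwards. The Python below is added here as an illustration and is not part of the Devo parser or of McAfee NSM; it reproduces that normalization on constructed sample values so that the resulting eventdate can be compared across sensors in different time zones. The raw layout it assumes (a 19-character "YYYY-MM-DD HH:mm:ss" stamp, one separator character, then a UTC offset) is inferred from the transformation, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed raw layout, inferred from the table's field transformation:
#   positions 0-18  -> "YYYY-MM-DD HH:mm:ss"
#   position  19    -> separator (a space)
#   positions 20-   -> UTC offset such as "+0200", "-05:00" or "Z"
_OFFSET_RE = re.compile(r"^([+-])(\d{2}):?(\d{2})$")


def parse_offset(text: str) -> timezone:
    """Turn the substring from index 20 into a fixed-offset tzinfo.

    Raises ValueError when the offset is missing or malformed, so a bad
    timestamp is visible in the pipeline instead of silently becoming UTC.
    """
    text = text.strip()
    if text in ("Z", "UTC"):
        return timezone.utc
    match = _OFFSET_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised UTC offset: {text!r}")
    sign, hours, minutes = match.groups()
    delta = timedelta(hours=int(hours), minutes=int(minutes))
    if sign == "-":
        delta = -delta
    return timezone(delta)


def parse_attack_time(raw: str) -> datetime:
    """Mirror of the IV_ATTACK_TIME transformation: 19-char stamp + ".000" + offset."""
    if len(raw) < 19:
        raise ValueError(f"IV_ATTACK_TIME too short: {raw!r}")
    # substring(IV_ATTACK_TIME_str, 0, 19) + ".000"
    stamp = raw[0:19] + ".000"
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")
    # substring(IV_ATTACK_TIME_str, 20) supplies the offset
    return naive.replace(tzinfo=parse_offset(raw[20:]))


def to_utc_iso(raw: str) -> str:
    """Normalise to a UTC ISO-8601 string, the form a cross-sensor comparison needs."""
    return parse_attack_time(raw).astimezone(timezone.utc).isoformat()


def safe_to_utc_iso(raw: str) -> Optional[str]:
    """Return None instead of raising, for bulk runs where one bad record must not stop the batch."""
    try:
        return to_utc_iso(raw)
    except ValueError:
        return None


# Constructed sample values in the assumed layout (not real McAfee NSM output)
SAMPLE_ATTACK_TIMES = [
    "2023-05-04 12:34:56 +0200",
    "2023-05-04 01:00:00 +02:00",   # crosses the day boundary once converted to UTC
    "2023-05-04 12:34:56 -0500",
    "2023-05-04 12:34:56 Z",
    "2023-05-04 12:34:56",          # offset missing: rejected rather than assumed UTC
]

if __name__ == "__main__":
    for sample in SAMPLE_ATTACK_TIMES:
        print(f"{sample!r:30} -> {safe_to_utc_iso(sample)}")
```

The strict variant raises on a missing or malformed offset; a timestamp silently treated as UTC would shift every event from that sensor by its local offset, which is exactly the kind of skew that breaks timeline correlation during an investigation.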

ips.mcafee.nsm.fault

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| IV_ACK_INFORMATION | str | |
| IV_ADDITIONAL_TEXT | str | |
| IV_ADMIN_DOMAIN | str | |
| IV_DESCRIPTION | str | |
| IV_DEVICE_NAME | str | |
| IV_FAULT_COMPONENT | str | |
| IV_FAULT_LEVEL | str | |
| IV_FAULT_NAME | str | |
| IV_FAULT_SOURCE | str | |
| IV_FAULT_TIME | str | |
| IV_FAULT_TYPE | str | |
| IV_MEMBER_DEVICE_NAME | str | |
| IV_OWNER_ID | str | |
| IV_SEVERITY | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
