Forum Discussion
Reading Logs from Mcafee ESM to Azure Sentinel
hamzajeljeli The Azure Sentinel CEF will not be able to do anything, it just takes the information from McAfee and forwards the data along. You would need to go into the McAfee product and see if it can send old logs to the CEF connector.
Keep in mind the Timestamp column in the CommonSecurityLog is when the data was RECEIVED, it may not be the same as when the data was created in the McAfee product.
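To make the timestamp caveat concrete, here is an added example (not code from the thread, from McAfee, or from the Sentinel connector) that parses a CEF line the way a collector would and measures the gap between the event time the device put in the `rt` extension field and the time the record was stored. The CEF line and the stored time are constructed for illustration; whether McAfee ESM actually populates `rt` for forwarded events is an assumption you should verify against its output.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a CEF line as a syslog forwarder might hand it to the collector.
# Its rt= value (event time, epoch milliseconds) is deliberately well before the time
# at which the record is assumed to have been stored, to show the gap.
SAMPLE_CEF = (
    "CEF:0|McAfee|ESM|10.2.0|12345|Example alert|5|"
    "rt=1604400000000 src=10.0.0.5 dst=10.0.0.9 msg=Constructed sample event with spaces"
)

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces' pairs; values may contain spaces."""
    result = {}
    # Split only where a space is followed by a key and '=', so spaces inside values survive.
    for chunk in re.split(r" (?=[A-Za-z0-9_.]+=)", ext.strip()):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        result[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return result


def parse_cef(line: str) -> dict:
    """Split a CEF line into its seven header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Pipes escaped as '\|' belong to a field value, so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than seven fields")
    record = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    record["extension"] = parse_extension(parts[7] if len(parts) == 8 else "")
    return record


def parse_rt(value: str) -> Optional[datetime]:
    """CEF 'rt' may be epoch milliseconds or a textual timestamp; return a UTC datetime or None."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    for fmt in ("%b %d %Y %H:%M:%S", "%b %d %H:%M:%S"):
        try:
            dt = datetime.strptime(value, fmt)
            if dt.year == 1900:  # format without a year: assume the current year
                dt = dt.replace(year=datetime.now(timezone.utc).year)
            return dt.replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def ingestion_lag_seconds(line: str, time_stored_iso: str) -> Optional[float]:
    """Seconds between the device's event time (rt) and the ISO-8601 time the record was stored.

    A large positive value means the stored timestamp is not the time the event happened,
    which is exactly the pitfall when querying by the stored time alone.
    """
    rt = parse_rt(parse_cef(line)["extension"].get("rt", ""))
    if rt is None:
        return None  # no usable event time in the record; only the stored time remains
    return (datetime.fromisoformat(time_stored_iso) - rt).total_seconds()


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_CEF)
    print(rec["device_vendor"], rec["device_product"], rec["extension"]["rt"])
    # Constructed stored time, about a day after the event time in the sample.
    print("lag seconds:", ingestion_lag_seconds(SAMPLE_CEF, "2020-11-04T08:00:00+00:00"))
```

When a device reports its own event time in `rt`, keeping that value as a separate column lets you query on when events happened rather than on when the collector received them; when it does not, the stored time is the only timestamp available and the lag cannot be measured from the record itself.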
- hamzajeljeli, Nov 04, 2020, Copper Contributor
GaryBushey Hello there, well after deeper investigations, I guess the CEF Connector might be a solution. On the McAfee ESM side, we can configure https://docs.mcafee.com/bundle/enterprise-security-manager-10.2.0-product-guide-unmanaged/page/GUID-FDA1E3DE-6CCB-452B-99F3-7CAFE1038F3C.html to a Linux Server (I found that CEF is an option), and link the CEF Connector to read information from the Linux Server.
I wasn't aware actually about the Timestamp column, but I'll try to find a workaround for it.