
McAfee Integration not sending Summary of alerts to XSOAR for ingestion.

L3 Networker

I have an integration with McAfee ESM (SIEM), which produces alerts. 95% of alerts are received by XSOAR including the "Summary", which is essentially the alert packet. Every few days some alerts are received that do not contain the summary, so essentially the time stamp and the alert name appear, yet there are no summary details. The context data has been analysed and does not show any details.

  • The integration has been updated to the latest version.
  • The McAfee ESM is a recent version.
  • This is a relatively new phenomenon, yet no explanation has been found.
  • A new integration has been defined with a new instance in order to attempt to fix this problem, unfortunately without results.
  • A playbook for Unclassified events has been set up to attempt to retrieve the summary for every anomalous alert through the instance, which also doesn't work 100% of the time.
  • The XSOAR is the Community Edition.

I have two questions:

  1. Does anyone have a solution or workaround for this problem?
  2. Is there a way to ensure 100% alert transfer for this usually static use case?

Thanks in advance. 

Cortex XSOAR  #McafeeESM


L5 Sessionator

Hi @michaelsysec242, you'll need to check the data coming into the mapper to verify where the issue is. The screenshot below shows the raw vs mapped fields.

[Screenshot, 24 Oct 2022: the mapper view showing raw fields beside mapped fields]

1. Select the source of the alerts; this would be McAfee ESM for you.

2. Look at the raw data that is being sent from the API call and ensure you can see the missing data there. If it is missing here, it's an API issue on McAfee's side.

3. If the missing data is found above, map it to a field.
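Added example (the editor's, not code from either poster, from XSOAR or from McAfee): a small Python triage that carries out the three steps above on a constructed batch of alerts and reports, per alert, whether a missing Summary was already absent in the raw API payload (step 2, nothing the mapper can fix) or was present in raw and dropped by the mapper (step 3), then re-queries the API-side cases with a bounded retry and returns what is still missing so it can be escalated rather than silently lost. The field names (`alertId`, `alertName`, `timestamp`, `summary`), both mapper tables and the `fetch_fn` callable are assumptions standing in for the real ESM payload, the XSOAR mapper and the integration command.

```python
"""Triage where an ESM alert's Summary went missing: raw payload or mapper.

Example code only. Field names and the mapper tables are assumptions, not the
real McAfee ESM schema or the XSOAR mapper.
"""
import json

# Constructed sample of what the integration's API call might return: one alert
# in three arrived without its "summary" block (the symptom from the thread).
RAW_ALERTS_JSON = """[
  {"alertId": "1001", "alertName": "Auth failure burst", "timestamp": "2022-10-24T01:10:00Z",
   "summary": {"srcIp": "10.0.0.5", "dstIp": "10.0.0.9", "rule": "Auth-Fail-Burst"}},
  {"alertId": "1002", "alertName": "Auth failure burst", "timestamp": "2022-10-24T01:12:00Z"},
  {"alertId": "1003", "alertName": "Auth failure burst", "timestamp": "2022-10-24T01:15:00Z",
   "summary": {"srcIp": "10.0.0.7", "dstIp": "10.0.0.9", "rule": "Auth-Fail-Burst"}}
]"""

# Hypothetical mapper tables (incident field -> raw JSON key). The second one
# points "details" at a key that never exists, the way a broken mapping would.
FIELD_MAP_OK = {"name": "alertName", "occurred": "timestamp", "details": "summary"}
FIELD_MAP_BROKEN = {"name": "alertName", "occurred": "timestamp", "details": "summaryText"}


def load_sample():
    """Parse the constructed sample batch."""
    return json.loads(RAW_ALERTS_JSON)


def apply_mapper(raw, field_map):
    """Build the incident dict the way a field mapper would: copy each mapped key."""
    return {inc_field: raw.get(raw_key) for inc_field, raw_key in field_map.items()}


def classify(raw, mapped, raw_key="summary", incident_field="details"):
    """Locate the loss. 'api_missing': absent from the raw payload, so the source
    or API dropped it. 'mapping_missing': present in raw, absent after mapping."""
    if not raw.get(raw_key):
        return "api_missing"
    if not mapped.get(incident_field):
        return "mapping_missing"
    return "ok"


def triage(raw_alerts, field_map):
    """Return {alertId: status} for every alert in the fetched batch."""
    return {a["alertId"]: classify(a, apply_mapper(a, field_map)) for a in raw_alerts}


def needs_refetch(results):
    """Alerts the mapper cannot fix: the API never delivered the summary."""
    return sorted(aid for aid, status in results.items() if status == "api_missing")


def refetch_with_retry(alert_ids, fetch_fn, attempts=3):
    """Re-query each incomplete alert up to `attempts` times.

    `fetch_fn(alert_id)` is a hypothetical callable returning the full alert
    dict (or None); in XSOAR it would wrap whatever integration command the
    retry playbook already runs. Returns (recovered, still_missing) so the
    unrecoverable ones can be escalated instead of disappearing."""
    recovered, still_missing = {}, []
    for aid in alert_ids:
        for _ in range(attempts):
            full = fetch_fn(aid)
            if full and full.get("summary"):
                recovered[aid] = full
                break
        else:
            still_missing.append(aid)
    return recovered, still_missing


if __name__ == "__main__":
    batch = load_sample()
    print("good mapper  :", triage(batch, FIELD_MAP_OK))
    print("broken mapper:", triage(batch, FIELD_MAP_BROKEN))
    print("re-fetch     :", needs_refetch(triage(batch, FIELD_MAP_OK)))
```

With the good mapper, alert 1002 comes back `api_missing` and is the only one worth re-fetching; with the broken mapper every alert that did carry a summary shows `mapping_missing`, which is the signature of step 3 rather than an API problem. Anything still in `still_missing` after the retries is the list to take to McAfee, since neither the mapper nor a re-query can recover it.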


Thanks for your message. The incidents that do not contain the required "Summary" are not a mapping issue. Even after ingestion, the context data doesn't contain any event details, just time stamps. As I mentioned before, these are the same alerts that most of the time provide a static set of fields that do not change. @jfernandes1, is it recommended to speak with McAfee or PAN CSP regarding this issue?
