I have an integration between McAfee ESM (SIEM) that produces Alerts. 95% of alerts are received by the XSOAR including the "Summary", which is essentially the Alert Packet. Every few days some alerts are received that do not contain the summary. So essentially the time-stamp and the Alert Name appear, yet there are no Summary details. The context data has been analysed and does not show any details.
I have two questions;
Thanks in advance.
Hi @michaelsysec242, you'll need to check the data coming into the mapper to verify where the issue is. Screenshot below shows the raw vs mapped fields.
1. Select the source of the alerts, this would be McAfee ESM for you.
2. Look at the raw data that is being sent from the API call. Ensure you can see the missing data here. If missing here it's an API issue with McAfee's API.
3. If the missing data is found above, map it to a field.
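One way to turn the three steps above into a repeatable check, as an added example that is not code from this thread or from the XSOAR / McAfee ESM integration: it compares each raw alert with its mapped incident and reports whether an empty Summary originates on the API side (absent in the raw payload) or on the mapper side (present in raw, dropped by the mapping). The field names, the mapping dictionary and the sample alerts are all constructed assumptions.

```python
"""Triage empty 'Summary' fields: API-side gap vs. mapper-side gap."""
from typing import Dict, List

# Constructed sample of raw alerts as fetched from the SIEM API.
# Keys are assumptions, not the real McAfee ESM schema.
RAW_ALERTS: List[Dict[str, str]] = [
    {"id": "a1", "time": "2024-01-01T10:00:00Z", "name": "Brute Force",
     "summary": "15 failed logons from one host in 60s"},
    {"id": "a2", "time": "2024-01-01T10:05:00Z", "name": "Malware Detected"},
    {"id": "a3", "time": "2024-01-01T10:07:00Z", "name": "Port Scan",
     "summary": ""},
]

# Hypothetical mapper: incident field -> raw key. This one forgets 'summary'.
MAPPING_WITHOUT_SUMMARY = {"name": "name", "occurred": "time"}
# Same mapper with the summary field mapped.
MAPPING_WITH_SUMMARY = {**MAPPING_WITHOUT_SUMMARY, "summary": "summary"}


def apply_mapping(raw: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Build the incident the way a classification/mapping step would."""
    return {field: raw[key] for field, key in mapping.items() if key in raw}


def triage(raw_alerts: List[Dict[str, str]],
           mapping: Dict[str, str]) -> Dict[str, str]:
    """Return alert id -> 'ok', 'missing_in_raw' (check the API / SIEM side)
    or 'dropped_by_mapper' (summary arrived but the mapper did not carry it)."""
    verdicts: Dict[str, str] = {}
    for raw in raw_alerts:
        incident = apply_mapping(raw, mapping)
        raw_has_summary = bool(raw.get("summary"))
        mapped_has_summary = bool(incident.get("summary"))
        if mapped_has_summary:
            verdicts[raw["id"]] = "ok"
        elif not raw_has_summary:
            verdicts[raw["id"]] = "missing_in_raw"
        else:
            verdicts[raw["id"]] = "dropped_by_mapper"
    return verdicts


if __name__ == "__main__":
    for label, mapping in (("mapper lacks summary", MAPPING_WITHOUT_SUMMARY),
                           ("mapper has summary", MAPPING_WITH_SUMMARY)):
        print(label, triage(RAW_ALERTS, mapping))
```

Run it against the raw payload captured from the integration's fetch call and against the mapper actually configured in the instance; only the "missing_in_raw" verdicts are worth raising with the SIEM vendor.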
Thanks for your message. The incidents that do not contain the required "Summary" are not a mapping issue. Even after ingestion the Context Data doesn't contain any event details, just time stamps. As I mentioned before, these are the same alerts that most of the time provide a static set of fields that do not change. @jfernandes1 is it recommended to speak with McAfee or PAN CSP regarding this issue?