Reading Logs from McAfee ESM to Azure Sentinel


Hello there!


I want to know if there is any possibility to import all the previous logs (and new logs also) from McAfee ESM and integrate them into Azure Sentinel. I don't know if the Azure Sentinel CEF Connector can do the job or not, or if there is any other tool or recommendation that I can test.


Thank you.

2 Replies

@hamzajeljeli The Azure Sentinel CEF will not be able to do anything; it just takes the information from McAfee and forwards the data along. You would need to go into the McAfee product and see if it can send old logs to the CEF connector.


Keep in mind that the Timestamp column in the CommonSecurityLog is when the data was RECEIVED; it may not be the same as when the data was created in the McAfee product.

@Gary Bushey Hello there, well, after deeper investigation, I guess the CEF Connector might be a solution. On the McAfee ESM side, we can configure Event Forwarding to a Linux server (I found that CEF is an option), and link the CEF Connector to read information from the Linux server.


I actually wasn't aware of the Timestamp column, but I'll try to find a workaround for it.
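The two points raised above (forwarding ESM events as CEF to a Linux collector, and the received-time caveat on CommonSecurityLog) can be checked on the collector side before the data reaches Sentinel. The following is an added example, not code from this thread or from McAfee or Microsoft: it parses CEF lines the way a forwarder hands them to the connector, reads the device-side event time from the standard `rt` extension, and flags events whose receipt lag is large enough that querying on `TimeGenerated` alone would misplace them. The vendor/product strings and the sample lines are constructed placeholders, not real ESM output.

```python
from datetime import datetime, timezone
import re

# Constructed sample batch: one replayed (old) event and one live event.
RECEIVED_AT = datetime(2020, 11, 5, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|ExampleSIEM|11.0|1001|Login failure|5|"
    "rt=1604534400000 src=10.0.0.5 suser=alice msg=replayed from archive",
    "CEF:0|ExampleVendor|ExampleSIEM|11.0|1002|Policy change|3|"
    "rt=1604577590000 src=10.0.0.9 suser=bob",
]
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# key=value pairs; a value runs until the next " key=" or end of line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict.
    Assumes no escaped '|' in the header (true for the samples above)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line[4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["ext"] = dict(EXT_RE.findall(parts[7]))
    return event

def device_time(ext):
    """Device-side event time from 'rt' (epoch milliseconds or
    'MMM dd yyyy HH:mm:ss', both allowed by CEF), or None if absent."""
    rt = ext.get("rt")
    if rt is None:
        return None
    if rt.isdigit():
        return datetime.fromtimestamp(int(rt) / 1000, tz=timezone.utc)
    return datetime.strptime(rt, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)

def ingestion_lag_seconds(line, received_at):
    """Seconds between the device's event time and the collector's receipt
    time (the latter is what TimeGenerated in CommonSecurityLog reflects)."""
    when = device_time(parse_cef(line)["ext"])
    return None if when is None else (received_at - when).total_seconds()

def stale_events(lines, received_at, max_lag_seconds):
    """Signature IDs whose receipt lag exceeds the threshold: these events
    would land in Sentinel with a TimeGenerated far from their real time."""
    return [parse_cef(l)["signature_id"] for l in lines
            if (ingestion_lag_seconds(l, received_at) or 0) > max_lag_seconds]
```

Running `stale_events(SAMPLE_CEF, RECEIVED_AT, 3600)` on the constructed batch returns only the replayed event, twelve hours behind its receipt time, while the live event lags ten seconds.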
