McAfee MVISION Cloud (formerly known as Skyhigh Networks Cloud Security Platform)
The JSA DSM for McAfee MVISION Cloud collects syslog events from a McAfee MVISION Cloud platform. McAfee MVISION Cloud was formerly known as Skyhigh Networks Cloud Security Platform, which is why the DSM RPM still carries the Skyhigh name.
The following table identifies the specifications for the McAfee MVISION Cloud DSM:
Specification | Value |
---|---|
Manufacturer | McAfee |
DSM name | McAfee MVISION Cloud |
RPM file name | DSM-SkyhighNetworksCloudSecurityPlatform-JSA_version-build_number.noarch.rpm |
Supported versions | 2.4 and 3.3 |
Protocol | Syslog |
Event format | LEEF |
Recorded event types | Privilege Access, Insider Threat, Compromised Account, Access, Admin, Data, Policy, and Audit |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
To integrate McAfee MVISION Cloud with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA Console:
   - Skyhigh Networks Cloud Security Platform DSM RPM
   - DSMCommon RPM
2. Configure your McAfee MVISION Cloud device to send syslog events to JSA.
3. If JSA does not automatically detect the log source, add a McAfee MVISION Cloud log source on the JSA Console. The following table describes the parameters that require specific values for McAfee MVISION Cloud event collection:
Table 2: McAfee MVISION Cloud Log Source Parameters
Parameter | Value |
---|---|
Log Source type | McAfee MVISION Cloud |
Protocol Configuration | Syslog |
Log Source Identifier | The IP address or host name of the McAfee MVISION Cloud that sends events to JSA. |
The Log Source Identifier must match the host name or IP address that appears in the syslog header of the events (mcafee.mvision.test in the sample message below); if it does not, JSA files the events under a separate, automatically discovered log source instead of the one you created.
Configuring McAfee MVISION Cloud to Communicate with JSA
1. Log in to the McAfee Enterprise Connector administration interface.
2. Select Enterprise Integration > SIEM Integration.
3. Configure the following SIEM SYSLOG SERVICE parameters:
Parameter | Value |
---|---|
SIEM server | ON |
Format | Log Event Extended Format (LEEF) |
Syslog Protocol | TCP |
Syslog Server | <JSA IP or hostname> |
Syslog Port | 514 |
Send to SIEM | new anomalies only |
4. Click Save.
Plain syslog over TCP port 514 is not encrypted, so allow only the connector's source address through to TCP 514 on the JSA Console or Event Collector that receives the events, and confirm that JSA is listening for TCP syslog on that port before you rely on the integration.
McAfee MVISION Cloud Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
McAfee MVISION Cloud Sample Message When You Use the Syslog Protocol
The following sample event message shows that a CAP incident occurred.
<14>Dec 21 18:00:47 mcafee.mvision.test LEEF:1.0|McAfee|MVISION Cloud|4.0.2.1-SNAPSHOT|Incident|cat=Alert.Policy.CloudAccess devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTime=Sep 18 2018 03:28:08.000 UTC usrName=user@user.example.com sev=10 activityName=[Created] actorIdType=USER incidentId=35227 riskSeverity=high collaborationSharedLink=false contentItemHierarchy=Confidential.docx contentItemId=AAAAAAAA1 contentItemName=Confidential.docx informationContentItemParent=Confidential.docx FileSize=29344 contentItemType=FILE externalCollaborators=[] policyId=1 policyName=Enterprise DLP totalMatchCount=0 instanceId=4008 instanceName=Default response=[Deleted] serviceNames=[Slack] status=new updatedOn=Sep 25 2018 09:19:51.480 UTC
JSA field name | Value in the event payload |
---|---|
Event ID | Incident (the EventID field of the LEEF header) |
Event Category | Alert.Policy.CloudAccess (the cat attribute) |
Username | user@user.example.com (the usrName attribute) |
Device Time | Sep 18 2018 03:28:08.000 UTC (the devTime attribute, parsed with the pattern given in devTimeFormat) |