McAfee Enterprise MVISION Cloud

Export Anomalies, Threats, Incidents and the Audit Log to a SIEM

You can export anomalies, threats, incidents, and the Audit Log from MVISION Cloud to your third-party SIEM systems using Syslog export. This export is handled through the MVISION Cloud Connector. Use this feature to export data to another system for further analysis or to drive data protection rules.

By default, Cloud Connector fetches incidents from MVISION Cloud every four hours. You can customize this interval in the logprocessor.local.properties file using the siem.frequency= property. The value is in milliseconds. For assistance setting this property, contact MVISION Cloud Support.

NOTE: If tokenization for MVISION Cloud Secure data is enabled, there may be situations where your data is not detokenized before it is sent to your SIEM. Data can be detokenized automatically only when the user name in Active Directory matches the user name used in the monitored CSP.

Configure a SIEM Syslog Service

For SIEM configuration, see About EC Configuration.

Export Format Details

Dates

All internal dates use the following format: YYYY-MM-DDTHH:MM:SS.SSSZ

For example, 2017-02-09T22:25:00.000Z

Key Value Pairs

Escaped characters:

If the value contains any of the following characters, the entire string is quoted and any internal quotes are doubled:

  • comma: ,
  • equal: =
  • quote: " becomes ""
  • space

For example, the pair saying=he said, "hi" is exported as saying="he said, ""hi""".

Log Event Extended Format (LEEF)

For the full definition, see Log Event Extended Format (LEEF) Guide

Escaped characters:

  • caret: ^ becomes <caret>
  • pipe: | becomes <pipe>
  • tab: a literal tab character becomes the string <tab>

Common Event Format

For the full definition, see the ArcSight Common Event Format Guide.

Escaped characters:

  • backslash: \ becomes \\
  • equal: = becomes \=
  • pipe: | becomes \|
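The escaping rules for the key-value, LEEF and CEF exports above, and the date format, implemented together as an added example (this is illustrative code, not McAfee's Cloud Connector). The sample event, its field names and the kv_unescape parser are constructed for this example; the one detail worth noticing is that CEF must escape the backslash before the equal sign and pipe, or the escapes it just added get doubled.

```python
from datetime import datetime, timezone

# Sample event constructed for this example; not real export data.
SAMPLE_EVENT = {
    "timestamp": datetime(2017, 2, 9, 22, 25, tzinfo=timezone.utc),
    "user": "alice@example.com",
    "saying": 'he said, "hi"',
}

KV_QUOTE_TRIGGERS = {",", "=", '"', " "}


def format_timestamp(dt: datetime) -> str:
    """Render a timezone-aware datetime as YYYY-MM-DDTHH:MM:SS.SSSZ."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"

def kv_escape(value: str) -> str:
    """Key-value format: if the value contains a comma, equal sign, quote
    or space, quote the whole string and double any internal quotes."""
    if any(c in KV_QUOTE_TRIGGERS for c in value):
        return '"' + value.replace('"', '""') + '"'
    return value

def kv_unescape(field: str) -> str:
    """Reverse of kv_escape, as a SIEM parser reading the export would do it."""
    if len(field) >= 2 and field[0] == field[-1] == '"':
        return field[1:-1].replace('""', '"')
    return field

def kv_line(fields: dict) -> str:
    """Join escaped key=value pairs with commas into one export line."""
    parts = []
    for key, value in fields.items():
        text = format_timestamp(value) if isinstance(value, datetime) else str(value)
        parts.append(f"{key}={kv_escape(text)}")
    return ",".join(parts)

def leef_escape(value: str) -> str:
    """LEEF: caret, pipe and a literal tab become named tokens."""
    return value.replace("^", "<caret>").replace("|", "<pipe>").replace("\t", "<tab>")

def cef_escape(value: str) -> str:
    """CEF: backslash, equal sign and pipe get a backslash prefix.
    Backslash must be handled first, otherwise the backslashes added
    for = and | would themselves be doubled."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("|", "\\|")
```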