McAfee Enterprise MVISION Cloud

MVISION Cloud Connector SIEM Integration Formats

NOTE: See all the options for Group Name and Category ID under the CEF format; they apply to all three formats.

NOTE: Anything previously referred to as UBEA is now called User and Entity Behavior Analytics (UEBA).

Text in BLUE is UEBA-based.

Text in GREEN is static (non-UEBA).

CEF Format

Use these Key-Value pairs for MVISION Cloud 3.7 and later. 

 

Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Log
Time VMName <14>Mar 14 00:41:54 EC-test00.app.qa.sjc.shn <14>Mar 16 21:40:39 EC-test00.app.qa.sjc.shn  <14>Mar 14 00:37:24 EC-test00.app.qa.sjc.shn <14>Mar 15 21:23:24 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn 
Format CEF:0 CEF:0 CEF:0 CEF:0 CEF:0 CEF:0
Device Vendor McAfee Enterprise McAfee Enterprise McAfee Enterprise McAfee Enterprise McAfee Enterprise McAfee Enterprise
Device Product MVISION Cloud MVISION Cloud MVISION Cloud MVISION Cloud MVISION Cloud MVISION Cloud
Device Version Anomalies.5.2.2.0 Anomalies.5.2.2.0 Anomalies.5.2.2.0 Anomalies.5.2.2.0 Anomalies.5.2.2.0 Dashboard Audit Logs.5.2.2.0
Device Event Class ID Data Transfer Data Download Dlp Suspicious Superhuman Audit  1002
Name  Alert.Data Alert.Data Alert.Policy Threat.CompromisedAccount Alert.Policy User information edited
Severity 3 3 3 9 9 10
Created on time start=Feb 16 2017 23:06:11.000 UTC start=Jan 22 2017 21:44:10.000 UTC  start=Feb 10 2017 00:59:52.000 UTC start=Feb 23 2017 07:48:25.000 UTC start=Feb 23 2017 07:48:25.000 UTC start=Feb 23 2017 07:48:25.000 UTC
Time Modified timeModified=Mar 10 2017 02:09:26.000 UTC  timeModified=Jan 22 2017 21:44:08.957 UTC timeModified=Feb 10 2017 01:01:55.951 UTC timeModified=Feb 23 2017 07:54:07.510 UTC timeModified=Mar 07 2017 03:04:34.186 UTC  
Status status=NEW  status=OPENED  status=NEW status=OPENED  status=NEW   
Service Name serviceNames=[Western Digital - My Cloud]  serviceNames=[Box] serviceNames=[Box] serviceNames=[Box,Salesforce]  serviceNames=[Amazon Web Services]   
Incident Id incidentId=SHW-46404749  incidentId=ANO-139539 incidentId=DLP-95674 incidentId=THR-12484 incidentId=AUD-22963  
Incident Risk Severity incidentRiskSeverity=High  incidentRiskSeverity=high  incidentRiskSeverity=high incidentRiskSeverity=high  incidentRiskSeverity=medium   
Incident Severity (value) 6 9 10 0    
User Name suser=Unknown suser=test15@shn.com  suser=testdlpa1@reallymymail.com suser=threatmodelling_nll_0_1487836279_18063@shn.com suser=N/A  suser=audittest@shn.com
Activity Names activityNames=Denied  activityNames=-1         
Responses responses=Denied  responses=Preview,Preview  responses=Allowed      
Anomaly value informationAnomalyValue=6 informationAnomalyValue=NA         
Countries   informationCountries=[SE, US]         
Email Domain   informationEmailDomain=shn.com        
Is Part Of Threat   informationIsPartOfThreat=false         
Threat Category   informationtThreatCategory=Compromised Accounts         
Threshold Value informationThresholdValue=4  informationThresholdValue=-1         
Threshold Duration   informationThresholdDuration=hourly         
Source Ips   informationSourceIps=[81.224.95.152, 74.217.98.19]        dvc=53.23.104.13
Policy ID     informationPolicyId=45507   informationPolicyId=2904   
Policy Name     informationPolicyName=File Type Violation   informationPolicyName=VPC Flow Logs Enabled   
Remediator Name     informationRemediatorName=John Doe      
User Action informationUserAction=Denied          
Collaboration Shared Link     informationCollaborationSharedLink=false       
Content Hierarchy     informationContentItemHierarchy=All Files      
Content Item Id     informationContentItemId=199908982144      
Content Item Name     informationContentItemName=ssssn-document-sd1.docx      
Content Item Size     informationContentItemSize=134489      
External Collaborators   informationExternalCollaborators=SkyhighECinformationExternalCollaborators        
Content Item Type     informationContentItemType=file   informationContentItemType=config_entity  
Total Match Count     informationTotalMatchCount=1      
Device IP   informationDeviceIp=SkyhighECinformationDeviceIP        
Actor ID Type actorIdType=SkyhighECactorIdType actorIdType=SkyhighECactorIdType actorIdType=SkyhighECactorIdType actorIdType=SkyhighECactorIdType actorIdType=SkyhighECactorIdType  
Event Category ID           auditEventTypeEventCategoryId=100
Event Category Name           auditEventTypeEventCategoryName=MVISION Cloud Admin
Event Type ID           auditEventTypeEventTypeId=1002
Event Type Name           auditEventTypeEventTypeName=Cloud Config synced to EC
Sub Type ID           auditEventTypeSubTypeId=0
Event Info           eventInfo=User role change
Insertion ID           insertionId=25832906
Object Name           objectName=User thirurao.ecqatiam@gmail.com
Tenant ID           tenantId=98435
Timestamp           timestamp=Oct 07 2020 17:49:45.000 UTC
User First Name           userInfoFirstName=thiruraoecqatiam
User Last Name           userInfoLastName=iam
User ID           userInfoUserId=85410
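As an added example, not part of the McAfee documentation, here is a small parser for the CEF records laid out in the table above. It strips the syslog prefix shown in the Time VMName row, splits the seven pipe-delimited header fields (Version, Device Vendor, Device Product, Device Version, Device Event Class ID, Name, Severity), and then splits the extension on keys rather than on spaces, because values such as start=Feb 10 2017 00:59:52.000 UTC and informationPolicyName=File Type Violation contain spaces. The sample record is constructed from the DLP policy violation column; the order of keys within the extension is an assumption.

```python
import re

# Syslog priority/timestamp/host prefix the connector prepends (the "Time VMName" row).
SYSLOG_PREFIX = re.compile(r"^<\d+>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
# A CEF extension key is a run of word characters directly followed by '=',
# at the start of the extension or right after a space. Values may contain
# spaces and unescaped '=', so we locate the keys and take everything between
# two keys as the value of the first.
EXT_KEY = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")


def _unescape(value: str) -> str:
    # CEF escapes: \| in header fields, \= in extension values, \\ for a backslash.
    return re.sub(r"\\([|=\\])", r"\1", value)


def parse_cef(line: str):
    """Return (header_dict, extension_dict) for one CEF record; syslog prefix optional."""
    line = SYSLOG_PREFIX.sub("", line.rstrip("\r\n"))
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Split on unescaped pipes: seven header fields, then the extension.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["severity"] = int(header["severity"])
    ext_text = parts[7] if len(parts) == 8 else ""
    keys = list(EXT_KEY.finditer(ext_text))
    ext = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return header, ext


# Constructed sample: the DLP policy violation column of the CEF table,
# laid out as one record. Not captured from a live connector.
SAMPLE_DLP = (
    "<14>Mar 14 00:37:24 EC-test00.app.qa.sjc.shn "
    "CEF:0|McAfee Enterprise|MVISION Cloud|Anomalies.5.2.2.0|Dlp|Alert.Policy|3|"
    "start=Feb 10 2017 00:59:52.000 UTC timeModified=Feb 10 2017 01:01:55.951 UTC "
    "status=NEW serviceNames=[Box] incidentId=DLP-95674 incidentRiskSeverity=high "
    "suser=testdlpa1@reallymymail.com responses=Preview,Preview "
    "informationPolicyId=45507 informationPolicyName=File Type Violation "
    "informationContentItemName=ssssn-document-sd1.docx informationTotalMatchCount=1"
)

if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE_DLP)
    print(hdr["device_event_class_id"], ext["incidentId"], ext["informationPolicyName"])
```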

 

LEEF Format

 

Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Logs
Time VMName <14>Mar 14 16:18:01 EC-test00.app.qa.sjc.shn <14>Mar 16 21:53:53 EC-test00.app.qa.sjc.shn  <14>Mar 14 16:13:59 EC-test00.app.qa.sjc.shn <14>Mar 15 22:58:00 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn  <14>Mar 16 18:03:52 EC-test00.app.qa.sjc.shn
LEEF: Version LEEF:1.0 LEEF:1.0 LEEF:1.0 LEEF:1.0 LEEF:1.0 LEEF:1.0
Vendor McAfee Enterprise McAfee Enterprise McAfee Enterprise McAfee Enterprise McAfee Enterprise McAfee Enterprise
Product name MVISION Cloud MVISION Cloud MVISION Cloud MVISION Cloud MVISION Cloud MVISION Cloud
Product version 5.2.2.0 5.2.2.0 5.2.2.0 5.2.2.0 5.2.2.0 5.2.2.0
Event ID Anomaly Anomaly Incident Anomaly Incident AppAudit
IncidentType.CategoryID cat=Alert.Data cat=Alert.Access     cat=Alert.Policy cat=Threat.PrivilegeAccess cat=Alert.Audit cat=User.Activity
Created on time format (specific to LEEF) devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz devTimeFormat=MMM dd yyyy HH:mm:ss.SSS zzz
Created on time devTime=Feb 16 2017 23:06:11.000 UTC devTime=Jan 22 2017 21:44:10.000 UTC     devTime=Feb 10 2017 00:59:52.000 UTC devTime=Feb 23 2017 07:48:25.000 UTC devTime=Mar 01 2017 06:12:09.574 UTC     devTime=Oct 07 2020 17:49:45.000 UTC
User Name usrName=Steve Robertson usrName=test15@shn.com   usrName=testdlpa1@reallymymail.com usrName=threatmodelling_nll_0_148783..._18063@shn.com userName=N/A  usrName=audittest@shn.com
Incident Severity # (L/M/H) sev=6 sev=9    sev=10 sev=0 sev=7     
Activity Name activityName=Denied activityName=-1        
Actor Id Type actorIdType=USER actorIdType=USER actorIdType=USER actorIdType=USER actorIdType=USER  
Incident Id incidentId=SHW-46404749  incidentId=ANO-139539 incidentId=DLP-95674 incidentId=THR-12484 incidentId=AUD-22963  
Incident Severity riskSeverity=High riskSeverity=high  riskSeverity=high riskSeverity=high riskSeverity=medium   
Service Name serviceNames=[Western Digital - My Cloud] serviceNames=[Box] serviceNames=[Box] serviceNames=[Box,Salesforce] serviceNames=[Amazon Web Services]   
Status status=NEW status=OPENED  status=NEW status=OPENED status=NEW   
Updated on time updatedOn=Mar 10 2017 02:09:26.000 UTC updatedOn=Jan 22 2017 21:44:08.957 UTC updatedOn=Feb 10 2017 01:01:55.951 UTC updatedOn=Feb 23 2017 07:54:07.510 UTC updatedOn=Mar 07 2017 03:04:34.186 UTC  
Incident Group Name RepeatOffender Superhuman Dlp Misuse SecurityMonitoring  
Response response=Denied  response=Preview,Preview  response=Allowed       
Anomaly value anomalyValue=6 anomalyValue=NA         
Countries   countries=[SE, US]         
Email Domain   emailDomain=shn.com        
Is Part Of Threat   isPartOfThreat=false         
Threat Category   threatCategory=Compromised Accounts         
Threshold Duration   thresholdDuration=hourly         
Threshold thresholdValue=4 thresholdValue=-1         
Source IPs   src=81.224.95.152        src=81.224.95.152 
Additional Source Info   additionalSrcInfo=[81.224.95.152, 74.217.98.19]        additionalSrcInfo=[81.224.95.152, 74.217.98.19] 
Activity Count   informationActivityCount=1        
Anomaly Category   informationAnomalyCategory=Access Anomalies        
Anomaly Cause   informationAnomalyCause=IMPOSSIBLE TRAVEL        
Cities   informationCities=[Tokyo, Seattle]        
Mitre Tactics   informationMitreTactic= [Initial Access]        
Mitre Technique   informationMitreTechnique= [Valid Accounts]        
Service and Accounts IDs   informationServicesAndAccountIds={"Office365":"","AzureAD":""}        
Source IP Orgs   informationSourceIpOrgs=[ISP internet]        
Significantly Updated Time   significantlyUpdatedAt=Dec 04 2020 02:17:05.840 UTC        
Policy ID     policyId=45507   policyId=2904   
Policy Name     policyName=File Type Violation   policyName=VPC Flow Logs Enabled   
Remediator Name     remediatorName=John Doe      
User Action userAction=Denied          
Collaboration Shared Link     collaborationSharedLink=false      
Content Hierarchy     contentItemHierarchy=All Files      
Content Item Id     contentItemId=199908982144      
Content Item Name     contentItemName=ssssn-document-sd1.docx      
Content Item Size     contentItemSize=134489      
Content Name     contentItemName=ecLDAPwithSSL_info.docx   contentItemName=vpc-fa73f193   
Content Type     contentItemType=file   contentItemType=config_entity  
Account Id (specific to Config Audit)         accountId=674413271627   
Config Type (specific to Config Audit)         configType=VPC   
Total Match Count     totalMatchCount=1      
Group ID           groupID=98435
Event Category ID           auditEventTypeEventCategoryId=260
Event Category Name           auditEventTypeEventCategoryName=Cloud Connector
Event Type ID           auditEventTypeEventTypeId=2610
Event Type Name           auditEventTypeEventTypeName=Cloud Config synced to EC
Sub Type ID           auditEventTypeSubTypeId=0
Event Info           eventInfo=Config Version: 86d0912ae91b4d148c6a47aa4b65a0b184e84ab4
Insertion ID           insertionId=25832906
Object Name           t98435-79475939.do.myshn.net
Timestamp           timestamp=Oct 07 2020 17:49:45.000 UTC
User First Name           userInfoFirstName=User
User Last Name           userInfoLastName=Demo
User ID           userInfoUserId=85410
User Login Event           isLoginEvent=false

 

MVISION Cloud Key Value Format

 

Key-Value | Shadow Anomaly | Sanctioned Anomaly | DLP policy violation | Threat | Config Audit | Audit Logs
Time VMName <14>Mar 14 17:04:35 EC-test00.app.qa.sjc.shn <14>Mar 16 21:59:49 EC-test00.app.qa.sjc.shn  <14>Mar 14 17:00:16 EC-test00.app.qa.sjc.shn <14>Mar 15 23:13:55 EC-test00.app.qa.sjc.shn <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn  <14>Mar 16 19:04:41 EC-test00.app.qa.sjc.shn 
Created on time createdOn="Feb 16 2017 23:06:11.000 UTC" createdOn="Jan 22 2017 21:44:10.000 UTC" createdOn="Feb 10 2017 00:59:52.000 UTC" createdOn="Feb 23 2017 07:48:25.000 UTC" createdOn="Mar 01 2017 06:12:09.574 UTC" createdTime="Oct 07 2020 17:49:45.000 UTC",
Updated on time updatedOn="Mar 10 2017 02:09:26.000 UTC" updatedOn=Jan 22 2017 21:44:08.957 UTC updatedOn="Feb 10 2017 01:01:55.951 UTC" updatedOn="Feb 23 2017 07:54:07.510 UTC" updatedOn=Mar 07 2017 03:04:34.186 UTC  
Status status=NEW status=OPENED  status=NEW status=OPENED status=NEW   
Service Name serviceNames="[Western Digital - My Cloud]" serviceNames=[Box] serviceNames=[Box] serviceNames="[Box,Salesforce]" serviceNames=[Amazon Web Services]   
Incident Id incidentId=SHW-46404749  incidentId=ANO-139539 incidentId=DLP-95674 incidentId=THR-12484 incidentId=AUD-22963  
Incident Group Name incidentGroup=Alert.Data.RepeatOffender incidentGroup=Alert.Access.Superhuman incidentGroup=Alert.Policy.Dlp incidentGroup=Threat.PrivilegeAccess.Misuse incidentGroup=Alert.Audit.SecurityMonitoring  
Incident Severity # (L/M/H) riskScore=6.0 riskScore=9.0 riskScore=10.0 riskScore=0.25 riskScore=7.0  
Incident Severity riskSeverity=High riskSeverity=high  riskSeverity=high riskSeverity=high riskSeverity=medium   
User Name userDisplayName=Unknown userDisplayName=test15@shn.com userDisplayName=testdlpa1@reallymymail.com userDisplayName=threatmodelling_nll_..._18063@shn.com userDisplayName=N/A  
Activity Name activityName=Denied activityName=-1        
Response response=Denied response=Preview,Preview  response=Allowed      
Anomaly value anomalyValue=6 anomalyValue=NA         
Countries   countries=[SE, US]         
Email Domain   emailDomain=shn.com        
Is Part Of Threat   isPartOfThreat=false         
Threat Category   threatCategory=Compromised Accounts         
Threshold Duration   thresholdDuration=hourly         
Threshold thresholdValue=4 thresholdValue=-1         
Source IPs   sourceIps=[81.224.95.152, 74.217.98.19]        clientIpAddress =53.23.104.13
Policy ID     policyId=45507   policyId=2904   
Policy Name     policyName="File Type Violation"   policyName=VPC Flow Logs Enabled   
Remediator Name     remediatorName=John Doe      
User Action userAction=Denied          
Collaboration Shared Link     collaborationSharedLink=false      
Content Hierarchy     contentItemHierarchy="All Files"      
Content Item Id     contentItemId=199908982144      
Content Item Name     contentItemName=ssssn-document-sd1.docx      
Content Item Size     contentItemSize=134489      
Content Name     contentItemName=ecLDAPwithSSL_info.docx   contentItemName=vpc-fa73f193   
Content Type     contentItemType=file   contentItemType=config_entity  
Account Id (specific to Config Audit)         accountId=674413271627  
Config Type (specific to Config Audit)         configType=VPC   
Total Match Count     totalMatchCount=1      
Actor Id Type actorIdType=USER actorIdType=USER actorIdType=USER actorIdType=USER actorIdType=USER  
Actor Id actorId="user name" actorId="user name" actorId="user name" actorId="user name" actorId="N/A"  
Incident Risk Score IncidentRiskScore=5 IncidentRiskScore=5 IncidentRiskScore=5 IncidentRiskScore=5 IncidentRiskScore=5  
Event Category ID           auditEventTypeEventCategoryId=100
Event Category Name           auditEventTypeEventCategoryName=MVISION Cloud Admin
Event Type ID           auditEventTypeEventTypeId=1002
Event Type Name           auditEventTypeEventTypeName=Cloud Config synced to EC
Sub Type ID           auditEventTypeSubTypeId=0
Event Info           eventInfo=User role change
Insertion ID           insertionId=25832906
Object Name           objectName=User thirurao.ecqatiam@gmail.com
Tenant ID           tenantId=98435
Timestamp           timestamp=Oct 07 2020 17:49:45.000 UTC
User Email           userInfoEmail=audittest@shn.com
User First Name           userInfoFirstName=User
User Last Name           userInfoLastName=Demo
User ID           userInfoUserId=85410