Data Center Security

  • 1.  McAfee SIEM integration

    Posted Nov 10, 2015 08:15 AM

    Is it possible to integrate Symantec Data Center Security Monitoring Edition 6.5 with McAfee Enterprise Security Manager 9.4.x? I have found information about support for Critical Systems Protection 5.2, see link.

    http://www.mcafee.com/kr/resources/data-sheets/ds-siem-supported-devices.pdf

    BR.

    Andreas



  • 2.  RE: McAfee SIEM integration

    Posted Nov 10, 2015 08:41 AM

    I'm sure it's possible.  The SIEM needs to pull the information from the database (as opposed to DCS pushing it) using supplied SQL connectors.  I would try it and see if it works.  I'm very sure it will.

    There's a built-in, read-only, SQL account named scsp_plugin you can use to pull the data from the database.

    Cheers!

    Will



  • 3.  RE: McAfee SIEM integration

    Posted Nov 10, 2015 03:59 PM

    To add: use the same SQL query that it uses for Critical System Protection; it will work.

    Or, you can use this query:

    select * from CSPEVENT where EVENT_ID > [the last event ID that was pulled]

    or

    select * from CSPEVENT_VW where EVENT_ID > [the last event ID that was pulled]

    The CSPEVENT_VW view will get you a little more data, as I think it pulls data from a couple of tables, but in my testing, querying the CSPEVENT table works just fine.
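
The "EVENT_ID greater than the last one pulled" pattern from the replies above, sketched as a checkpointed poller. This is an added example, not part of the original posts and not Symantec or McAfee code. Assumptions: an in-memory SQLite database stands in for the DCS database, the columns other than EVENT_ID and the `checkpoint` table are hypothetical, and `forward` is whatever hands the row to the SIEM.

```python
import sqlite3

def make_source():
    # Constructed stand-in for the DCS database. Only the CSPEVENT table name
    # and EVENT_ID column come from the thread; other columns are hypothetical.
    src = sqlite3.connect(":memory:")
    src.execute("CREATE TABLE CSPEVENT (EVENT_ID INTEGER PRIMARY KEY, "
                "AGENT_NAME TEXT, DESCRIPTION TEXT)")
    src.executemany("INSERT INTO CSPEVENT VALUES (?, ?, ?)",
                    [(i, f"host{i % 3}", f"constructed event {i}") for i in range(1, 8)])
    return src

def make_state():
    # Collector-side checkpoint store; the DCS account is read-only, so the
    # watermark cannot live in the source database.
    st = sqlite3.connect(":memory:")
    st.execute("CREATE TABLE checkpoint (last_event_id INTEGER NOT NULL)")
    st.execute("INSERT INTO checkpoint VALUES (0)")
    st.commit()
    return st

def get_watermark(state):
    return state.execute("SELECT last_event_id FROM checkpoint").fetchone()[0]

def pull_batch(source, state, forward, batch_size=500):
    """Forward events newer than the checkpoint; return how many were sent."""
    last = get_watermark(state)
    # Bound parameter instead of string-building the ID into the query.
    # LIMIT is SQLite syntax; on SQL Server use TOP (n) with the same ORDER BY.
    rows = source.execute(
        "SELECT EVENT_ID, AGENT_NAME, DESCRIPTION FROM CSPEVENT "
        "WHERE EVENT_ID > ? ORDER BY EVENT_ID LIMIT ?", (last, batch_size)).fetchall()
    sent = 0
    try:
        for row in rows:
            forward(row)      # may raise if the SIEM side is unavailable
            last = row[0]     # advance only after a successful hand-off
            sent += 1
    finally:
        # Persist progress even on failure so the next run resumes at the
        # first undelivered event: no gap, no duplicates.
        state.execute("UPDATE checkpoint SET last_event_id = ?", (last,))
        state.commit()
    return sent
```

Ordering by EVENT_ID and advancing the checkpoint only after each hand-off is what keeps a SIEM outage from silently dropping events between polls.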