This is more feedback for McAfee rather than an actual question - Is there a way to get more detailed information about what was changed in the parsing updates? The PDF just provides signature ID's that need to be looked up manually in the slow Flash interface and I cannot tell what is new and what changed.
Also, who is making the decisions regarding what to parse from Windows events? The latest content updates include a signature ID for ADFS Extranet Lockouts ( 43-432012100 ) - I got excited when I saw this as it was an event that did not previously parse. However, the vast majority of the actual event fields are missing. the Claims Provider, User Id, Forwarded IP, Endpoint, Lockout info and a bunch of other information is not parsed. Can anyone from McAfee provide a reason behind this?
If someone from McAfee is listening - please parse every. field. from. a. windows. event. they are there for a reason.
I don't believe that customers should be writing parsers for something like Windows logs. I can see customers writing parsers for things like custom applications or maybe even rare event sources, but not something basic like Windows events.
I agree though, at the very least we should be given the ability the parse these events ourselves. At this point in the game with the types of attack being seen out there - including those outlined by McAfee's own reports - the SIEM is becoming a security risk itself rather than a tool used to mitigate risks.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.