cancel
Showing results for 
Search instead for 
Did you mean: 

Content and Parsing Updates

This is more feedback for McAfee rather than an actual question - Is there a way to get more detailed information about what was changed in the parsing updates? The PDF just provides signature ID's that need to be looked up manually in the slow Flash interface and I cannot tell what is new and what changed. 

Also, who is making the decisions regarding what to parse from Windows events? The latest content updates include a signature ID for ADFS Extranet Lockouts ( 43-432012100 ) - I got excited when I saw this as it was an event that did not previously parse. However, the vast majority of the actual event fields are missing.  the Claims Provider, User Id, Forwarded IP, Endpoint, Lockout info and a bunch of other information is not parsed. Can anyone from McAfee provide a reason behind this? 

If someone from McAfee is listening - please parse every. field. from. a. windows. event. they are there for a reason.

2 Replies
Reliable Contributor David1111
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: Content and Parsing Updates

The Big problem is That McAfee Dosn't let us Parse the Windows Evnts like Syslog - ASP
I have a lot of fields i would wish to pull out of the Packet but i can't do anything for it.

But it's not the only problem in McAfee ESM
It's Slow, Very S-l-o-w, And prety Muvh bugs..

And the big Reason = Low User Experience !

I think i'm going to Migrate to "Qradar" I heard there the best.

Best regrads.

Re: Content and Parsing Updates

I don't believe that customers should be writing parsers for something like Windows logs. I can see customers writing parsers for things like custom applications or maybe even rare event sources, but not something basic like Windows events.

I agree though, at the very least we should be given the ability the parse these events ourselves. At this point in the game with the types of attack being seen out there - including those outlined by McAfee's own reports - the SIEM is becoming a security risk itself rather than a tool used to mitigate risks.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community