Getting logs into SIEM from a custom data source

Hi All,

I am very new to Mcafee's SIEM solution. I am trying to find out the complexity involved in getting security and activity logs out of Office 365 and put it into SIEM.

Microsoft has recently announced an API which can be used to get the activity logs out of Office 365.

Now in terms of getting this data into SIEM, how do I get started? Can someone outline out the high level steps involved and point to some resources to get started down this path?

thanks,

Nitin

Accepted Solutions

Re: Getting logs into SIEM from a custom data source

How to Write an ESM Custom Parser and Troubleshoot a Data Source (Product Documentation ID: PD24926, Last Modified: 1/24/2014)

If you have the mappings, or could obtain them, the above article can show you how to write the parser into the SIEM.

5 Replies
jdell
Level 7
Message 2 of 6

Re: Getting logs into SIEM from a custom data source

McAfee SIEM does not have a way to easily add support for a custom API data source. I would look into something like logstash, which supports many types of collection methods including HTTP/S and then log data could be forwarded via syslog to McAfee SIEM. Once you are collecting the logs, you will need to create custom regex to parse the data. This process will not be easy, but can be done with a little work.

The best way to solve this though is to get the integration built into McAfee SIEM, as per this webpage:

https://blogs.office.com/2015/04/21/announcing-the-new-office-365-management-activity-api-for-securi...

There are already a bunch of partners. I would think a feature request would probably be the best place to start.

Cheers,

Jeff

Re: Getting logs into SIEM from a custom data source

JDell, cbayless, thank you both for the replies. I will look into the options provided. The document linked here is very helpful!

Re: Getting logs into SIEM from a custom data source

Did you get this to work with McAfee SIEM? It appears the SaaS Email Protection was EOL.

yagoal
Level 7
Message 6 of 6

Re: Getting logs into SIEM from a custom data source

Check out skyformation.com. We have been deploying their cloud services connector middleware for our customers for the last few months, with good results. Their solution monitors all audit events across the cloud services they support (check their website, because I am not sure which are currently supported) and sends them into the customer's ESM over syslog in CEF. They do a lot of the data classification effort as well before sending the data to the ESM.

We used to develop our own Office 365 connectors for our customers using PowerShell and the Office 365 Management API, but too frequent API changes from the cloud service providers made it not worthwhile to keep this route.
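As an added illustration of the connector route the replies describe (pull Office 365 Management Activity API audit records, normalise them to CEF, forward over syslog to the ESM), here is a small Python sketch; it is not code from this thread, from McAfee, or from SkyFormation. The audit record is a constructed sample, and the CEF vendor/product strings, the field mapping, the severity rule and the ESM host/port are assumptions.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample Office 365 Management Activity API audit record (not real data).
SAMPLE_RECORD = json.dumps({
    "CreationTime": "2015-06-01T12:34:56", "Id": "00000000-0000-0000-0000-000000000001",
    "Operation": "UserLoggedIn", "RecordType": 15, "ResultStatus": "Succeeded",
    "Workload": "AzureActiveDirectory", "ClientIP": "192.0.2.10", "UserId": "alice@example.com",
})

def cef_escape(value, extension=False):
    """CEF escaping: header fields escape '|' and '\\'; extension values escape '=' and '\\'."""
    s = str(value).replace("\\", "\\\\")
    if extension:
        return s.replace("=", "\\=").replace("\r", "").replace("\n", "\\n")
    return s.replace("|", "\\|")

def o365_to_cef(raw_json):
    """Map one audit record to a CEF line. Vendor/product strings and field mapping are assumptions."""
    rec = json.loads(raw_json)
    # Office 365 timestamps are UTC without an offset; CEF 'rt' takes epoch milliseconds.
    created = datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    severity = 3 if rec.get("ResultStatus") == "Succeeded" else 7  # assumed: failures rank higher
    header = "CEF:0|" + "|".join(cef_escape(f) for f in (
        "Microsoft", "Office 365", "1.0", rec["Operation"], rec["Operation"], severity))
    ext = {
        "rt": int(created.timestamp() * 1000), "externalId": rec["Id"],
        "suser": rec.get("UserId", ""), "src": rec.get("ClientIP", ""),
        "outcome": rec.get("ResultStatus", ""), "cs1Label": "Workload",
        "cs1": rec.get("Workload", ""), "cn1Label": "RecordType", "cn1": rec.get("RecordType", ""),
    }
    extension = " ".join(f"{k}={cef_escape(v, extension=True)}" for k, v in ext.items() if v != "")
    return f"{header}|{extension}"

def syslog_frame(message, hostname="o365-connector", facility=20, severity=6):
    """Wrap a message in an RFC 3164 style syslog line (facility 20 = local4, severity 6 = info)."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} o365: {message}"

def send_udp(line, esm_host, esm_port=514):
    """Ship one line to the ESM syslog receiver (host and port are assumptions for your deployment)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (esm_host, esm_port))

if __name__ == "__main__":
    print(syslog_frame(o365_to_cef(SAMPLE_RECORD)))
```

Emitting CEF over syslog means the extension fields arrive as key=value pairs the receiver can parse generically, which removes most of the custom regex work described earlier in the thread; the API polling and authentication side is deliberately left out of this sketch.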