McAfee MAP-3300-SWG Product Guide - Page 271
Device Event Mapping to ArcSight Data Fields, Table 271
Overview of System features
Logging, Alerting and SNMP

Device Event Mapping to ArcSight Data Fields

Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, then mapped to an ArcSight data field. The following table lists the mappings from ArcSight data fields to the supported vendor-specific event definitions.

Table 271 Email and Web Security Appliance v5.6 Connector Field Mappings

| McAfee-Specific Event Definition | ArcSight Event Data Field |
| --- | --- |
| The action taken for the event: | act |
| ESERVICES:REPLACE - Replace with an alert | |
| WEBSHIELD:REFUSEORIGINAL - Refuse the email | |
| WEBSHIELD:ACCEPTANDDROP - Accept the email and then drop it | |
| ESERVICES:ALLOWTHRU - Allow the email through | |
| WEBSHIELD:DENYCONNECTION - Refuse the email and deny the connection for a period of time | |
| Protocol | app |
| A descriptive message for the event | msg |
| Host responsible for scanning | dvc |
| Destination IP address of the connection (if available) | dst |
| Destination hostname of the connection (if available) | dhost |
| Originating IP address of the host making the connection | src |
| Originating hostname of the host making the connection | shost |
| The sender of the email | suser |
| A list of recipient email addresses | duser |
| Whether inbound (0) or outbound (1) as defined by the administrator for the policy | deviceDirection |
| Name of active policy | sourceServiceName |
| Filename in which the detection occurred | filePath |
| A unique id assigned to each mail message | fileId |
| Size of the message in bytes | fsize |
| Time of the event, in milliseconds since epoch | rt |
| URL which caused the event to be generated | request |
| Reason ID for event. See 'msg' field for textual description | flexNumber1 |
| 'reason-id' | flexNumber1Label |
| The definition of this field depends on the value of the field 'cs5': | cs1 |
| If cs5 is 'AV' or 'PA' or 'PU': The name of the detected virus/packer/PuP. | |
| If cs5 is 'AS': The spam rules that triggered the event | |
| If cs5 is 'DL': The file that triggered the DLP rule | |
| If cs5 is 'FF': The file rule that triggered the event | |
| If cs5 is 'PX': The content rule that triggered the event | |

McAfee Email and Web Security Appliances 5.6.0 Product Guide 271
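Added example, not part of the McAfee guide: a small normalizer that resolves the fields in Table 271 whose meaning depends on another field or on an encoding (cs1 via cs5, deviceDirection, rt) before they reach detection rules. It assumes events arrive as a CEF-style key=value extension string using the ArcSight field names from the table; the function names, output keys and sample event are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Meaning of cs1 for each cs5 code, as listed in Table 271.
CS1_MEANING = {
    "AV": "detection_name", "PA": "detection_name", "PU": "detection_name",
    "AS": "spam_rules", "DL": "dlp_file", "FF": "file_rule",
    "PX": "content_rule",
}
DIRECTION = {"0": "inbound", "1": "outbound"}  # deviceDirection values

# Assumption: a key is a word at a whitespace boundary followed by '=';
# values may contain spaces, and a literal '=' in a value is escaped as '\='.
_KEY = re.compile(r"(?:^|\s)(\w+)=")

def parse_extension(ext):
    """Split 'k=v k2=value with spaces' into a dict of raw strings."""
    hits = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return fields

def normalize(ev):
    """Give the overloaded and encoded fields explicit names and types."""
    out = {
        "action": ev.get("act"),
        "policy": ev.get("sourceServiceName"),
        "direction": DIRECTION.get(ev.get("deviceDirection"), "unknown"),
    }
    if ev.get("rt", "").isdigit():  # rt is milliseconds since epoch
        out["time"] = datetime.fromtimestamp(int(ev["rt"]) / 1000, tz=timezone.utc)
    if "cs1" in ev:
        # Unknown cs5 codes keep the raw value rather than a guessed label.
        out[CS1_MEANING.get(ev.get("cs5"), "cs1_raw")] = ev["cs1"]
    return out

# Constructed sample event, not taken from a real appliance.
SAMPLE = ("act=WEBSHIELD:REFUSEORIGINAL app=smtp deviceDirection=0 "
          "rt=1300000000000 sourceServiceName=Default policy "
          "cs5=AV cs1=EICAR test file suser=sender@example.test")

if __name__ == "__main__":
    print(normalize(parse_extension(SAMPLE)))
```

Keeping an unrecognized cs5 under cs1_raw prevents a spam rule list or DLP filename from being indexed as a malware name when the appliance emits a code the table does not list.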