Configuring alert events for McAfee Network Security Platform 6.x - 7.x

To collect alert notification events from McAfee Network Security Platform, administrators must configure a syslog forwarder to send events to IBM QRadar

1. Log in to the McAfee Network Security Platform Manager user interface.
2. On the Network Security Manager dashboard, click Configure.
3. Expand the Resource Tree and then click IPS Settings node.
4. Click the Alert Notification tab.
5. On the Alert Notification menu, click the Syslog tab.
6. Configure the following parameters to forward alert notification events:

   Table 1. McAfee Network Security Platform 6.x - 7.x alert notification parameters

   Parameter	Description
   Enable Syslog Notification	Select Yes to enable syslog notifications for McAfee Network Security Platform. You must enable this option to forward events to QRadar.
   Admin Domain	Select any of the following options: Current - Select this check box to send syslog notifications for alerts in the current domain. This option is selected by default. Children - Select this check box to send syslog notifications for alerts in any child domains within the current domain.
   Server Name or IP Address	The IP address of your QRadar Console or Event Collector. This field supports both IPv4 and IPv6 addresses.
   UDP Port	Type 514 as the UDP port for syslog events.
   Facility	Select a syslog facility value.
   Severity Mapping	Select a value to map the informational, low, medium, and high alert notification levels to a syslog severity. The options include the following levels: Emergency - The system is down or unusable. Alert - The system requires immediate user input or intervention. Critical - The system should be corrected for a critical condition. Error - The system has non-urgent failures. Warning - The system has a warning message that indicates an imminent error. Notice - The system has notifications, no immediate action required. Informational - Normal operating messages.
   Send Notification If	Select the following check boxes: The attack definition has this notification option explicitly enabled The following notification filter is matched, and From the list, select Severity Informational and later.
   Notify on IPS Quarantine Alert	Select No as the notify on IPS quarantine option.
   Message Preference	Select the Customized option.

7. From the Message Preference field, click Edit to add a custom message filter.
8. To ensure that alert notifications are formatted correctly, type the following message string:

   |$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|$IV_DIRECTION$|$IV_SUB_CATEGORY$

   Note: The custom message string must be entered as a single line without carriage returns or spaces. McAfee Network Security Platform expects the format of the custom message to contain a dollar sign ($) as a delimiter before and after each alert element. If you are missing a dollar sign for an element, then the alert event might not be formatted properly.

   You might require a text editor to properly format the custom message string as a single line.

9. Click Save.

   As alert events are generated by McAfee Network Security Platform, they are forwarded to the syslog destination you specified. The log source is automatically discovered after enough events are forwarded by the McAfee Network Security Platform appliance. It typically takes a minimum of 25 events to automatically discover a log source.