Skip to content
/ MCP_Qradar Public

Conversion Scripts to ingest McAfee Cloud Proxy logs into IBM Qradar. This requires pulling the websaas CSV files from the McAfee CSR Server to be converted into an ingestible format

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

pect0ral/MCP_Qradar

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
convert_mcp_logs.sh
convert_mcp_logs.sh
 
 
mcp_convert_threaded.py
mcp_convert_threaded.py
 
 

Repository files navigation

MCP_Qradar

Conversion Scripts to ingest McAfee Cloud Proxy logs into IBM Qradar. This requires pulling the websaas CSV files from the McAfee CSR Server to be converted into an ingestible format

This is an initial push of this, it is confirmed working but you need to know what you're looking for. There's comments in line in the scripts below.

The Overview

There's two scripts, a python script and a shell script. The shell script is used as a cron / scheduled task (say, create a cron to run it every 15 minutes). It look for new files that came in, dispatch them to conversion jobs and output a file for each into an output directory for retrieval by Qradar.

The python script is a threaded conversion script that pulls in the WebSaas CSV files from McAfee CSR server which report all of the connection log data from McAfee Cloud Proxy. The conversion makes them a valid log stream that, on the Qradar Side, can be ingested by a log source configured with the McAfee Web Gateway DSM Type upsing a File protocol, such as SFTP.

Details

Architecture

The scripts, as-is, assume you have a linux host with a local user, mcafee who lives in /home/mcafee. This linux host and user act as a middle man between McAfee CSR and Qradar. That user's home directory should contain 4 additional subdirectories, in, out and tmp.

  • Incoming files go into in
  • Outgoing files go into out
  • Files being converted go into tmp
  • Our scripts go into a directory named bin

The Windows CSR Server will need to push the CSV logs into this Linux Server, targetting our in directory ( eg. /home/mcafee/in ) listed above. You can use Posh-SSH for this, See: https://www.powershellgallery.com/packages/Posh-SSH/2.1

A cron on the linux server for every 15 minutes should be configured to run the shell script contained here from the user's bin directory (eg. /home/mcafee/bin/ )

All files that are being converted will temporarily be put into the tmp directory while the conversion is happening, and the finalized converted file will be moved to the out directory.

On the Qradar Side, setup a log source using the McAfee Web Gateway DSM, with SFTP File Protocol and point it to your /home/mcafee/out directory looking for *\.log

Testing

I suggest reading the heavily commented scripts to understand their mechanics and test them. You can run the python script directly (python 2.7 for now)

Make hwatever edits you want to suit it to your environment.

About

Conversion Scripts to ingest McAfee Cloud Proxy logs into IBM Qradar. This requires pulling the websaas CSV files from the McAfee CSR Server to be converted into an ingestible format

Topics

mcafee mcafee-web-gateway qradar qradar-connector ibm-qradar mcafee-csr-server mcafee-cloud-proxy conversion-scripts mcp-qradar websaas-csv-files

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages