How receivers work with SDEE

The Security Device Event Exchange (SDEE) format describes how to represent events generated by various types of security devices. The SDEE specification indicates that SDEE events are transported using the HTTP or HTTPS protocols. HTTP servers using SDEE to provide event information to clients are called SDEE providers; initiators of the HTTP requests are called SDEE clients.

Cisco has defined some extensions to the SDEE standard, calling it the CIDEE standard. The McAfee Event Receiver can act as an SDEE client requesting CIDEE data generated by Cisco intrusion prevention systems.

SDEE uses the pull model: the McAfee Event Receiver periodically contacts the SDEE provider and requests the events generated since the previous request. Each time the McAfee Event Receiver requests events from the SDEE provider, it processes those events and stores them in the McAfee Event Receiver event database, ready for McAfee ESM retrieval.

Add SDEE providers to Receivers as data sources by selecting Cisco as the vendor and IOS IPS (SDEE) as the data source model.

The McAfee Event Receiver extracts the following from SDEE/CIDEE events:

  • Source and destination IP addresses
  • Source and destination ports
  • Protocol
  • Event time
  • Event count (CIDEE provides a form of event aggregation, which the McAfee Event Receiver honors)
  • Signature ID and sub-ID
  • McAfee ESM event ID, calculated from the SDEE signature ID and the CIDEE subsignature ID using the following formula: ESM ID = (SDEE ID * 1000) + CIDEE sub-ID

    If the SDEE signature ID is 2000 and the CIDEE subsignature ID is 123, the McAfee ESM event ID would be 2000123.

  • VLAN
  • Severity
  • Event description
  • Packet contents (if available).

When the McAfee Event Receiver connects to the SDEE provider for the first time, the system uses the current date and time as a starting point for requesting events. Future connections request all events since the last successful pull.
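As an added example (not McAfee's or Cisco's code), the Python below puts the behaviour described above into one runnable piece: a pull-model client that starts its first request at the current time and later requests at the last successful pull, and a normaliser that extracts the listed fields from a provider response and computes the ESM event ID with the (SDEE ID * 1000) + sub-ID formula. The XML element names, namespace URIs, the base64 packet element and the fetch callback are assumptions modelled loosely on SDEE/CIDEE conventions, not the actual schema; the sample response is constructed.

```python
# Added example, not McAfee or Cisco code. Element names, namespace URIs and the
# base64 <cid:packet> element are assumptions; fetch() stands in for the HTTPS request.
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

NS = {"sd": "http://example.invalid/sdee", "cid": "http://example.invalid/cidee"}

# Constructed sample provider response; not captured from a real sensor.
SAMPLE_RESPONSE = """<sd:events xmlns:sd="http://example.invalid/sdee" xmlns:cid="http://example.invalid/cidee">
  <sd:evIdsAlert severity="high">
    <sd:time>2024-01-15T10:00:00Z</sd:time><sd:vlan>10</sd:vlan>
    <sd:signature id="2000" description="Sample signature"><cid:subsigId>123</cid:subsigId></sd:signature>
    <sd:participants>
      <sd:attacker><sd:addr>192.0.2.10</sd:addr><sd:port>40000</sd:port></sd:attacker>
      <sd:target><sd:addr>198.51.100.5</sd:addr><sd:port>80</sd:port></sd:target>
    </sd:participants>
    <cid:protocol>tcp</cid:protocol><cid:summary>7</cid:summary>
    <cid:packet>SGVsbG8=</cid:packet>
  </sd:evIdsAlert>
</sd:events>
"""

@dataclass
class SdeeEvent:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    event_time: datetime
    event_count: int        # CIDEE aggregation count, honoured rather than expanded
    signature_id: int
    sub_id: int
    esm_event_id: int
    vlan: int
    severity: str
    description: str
    packet: Optional[bytes]  # only present when the provider supplied packet contents

def esm_event_id(signature_id: int, sub_id: int) -> int:
    """ESM ID = (SDEE ID * 1000) + CIDEE sub-ID. The example rejects sub-IDs outside
    0..999 because a larger one would collide: (2000, 1000) and (2001, 0) -> 2001000."""
    if not 0 <= sub_id <= 999:
        raise ValueError(f"sub-ID {sub_id} is outside 0..999")
    return signature_id * 1000 + sub_id

def _text(node: ET.Element, path: str) -> str:
    found = node.find(path, NS)
    if found is None or found.text is None:
        raise ValueError(f"missing element {path}")
    return found.text.strip()

def parse_events(xml_text: str) -> list[SdeeEvent]:
    events = []
    for alert in ET.fromstring(xml_text).findall("sd:evIdsAlert", NS):
        sig = alert.find("sd:signature", NS)
        if sig is None:
            raise ValueError("alert without signature")
        sig_id, sub_id = int(sig.get("id", "")), int(_text(sig, "cid:subsigId"))
        packet = alert.find("cid:packet", NS)
        events.append(SdeeEvent(
            src_ip=_text(alert, "sd:participants/sd:attacker/sd:addr"),
            dst_ip=_text(alert, "sd:participants/sd:target/sd:addr"),
            src_port=int(_text(alert, "sd:participants/sd:attacker/sd:port")),
            dst_port=int(_text(alert, "sd:participants/sd:target/sd:port")),
            protocol=_text(alert, "cid:protocol"),
            event_time=datetime.fromisoformat(_text(alert, "sd:time").replace("Z", "+00:00")),
            event_count=int(_text(alert, "cid:summary")),
            signature_id=sig_id,
            sub_id=sub_id,
            esm_event_id=esm_event_id(sig_id, sub_id),
            vlan=int(_text(alert, "sd:vlan")),
            severity=alert.get("severity", "unknown"),
            description=sig.get("description", ""),
            packet=base64.b64decode(packet.text) if packet is not None and packet.text else None,
        ))
    return events

class SdeeClient:
    """Pull-model client: the first request starts at the current time, later ones at the
    last successful pull; a failed pull leaves the watermark untouched for the next attempt."""
    def __init__(self, fetch: Callable[[datetime], str],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch, self._clock = fetch, clock
        self.last_successful_pull: Optional[datetime] = None

    def pull(self) -> list[SdeeEvent]:
        now = self._clock()
        since = self.last_successful_pull or now          # first connection: "now"
        events = parse_events(self._fetch(since))        # transport/parse errors propagate
        self.last_successful_pull = now                   # advanced only after success
        return events
```

The watermark is the request time rather than the newest event time, which is what "since the last successful pull" implies; a provider that timestamps events slightly behind the client's clock can therefore be re-queried for the same window after a failure without losing anything. The sub-ID range check is the one addition the formula itself invites: with a multiplier of 1000, subsignature IDs of 1000 or more would collide with the next signature's IDs, so confirm the range your sensors emit before correlating on the computed ESM ID.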