McAfee SIEM Review & Alternatives

McAfee is well-known as a producer of anti-virus software. However, the company had to evolve and introduce new IT protection systems in order to stay in the market. The McAfee SIEM solution isn’t a single product. The main element in the McAfee SIEM family is called McAfee Enterprise Security Manager.

The full list of the McAfee SIEM components is:

  • McAfee Enterprise Security Manager
  • McAfee Event Receiver
  • McAfee Advanced Correlation Engine
  • McAfee Enterprise Log Manager
  • McAfee Enterprise Log Search
  • McAfee Application Data Monitor
  • McAfee Direct Attached Storage
  • McAfee Global Threat Intelligence

These different modules channel input data from several sources through to the Enterprise Security Manager.

What does SIEM do?

SIEM stands for Security Information and Event Management. It is a combination of two threat detection strategies. Host-based Intrusion Detection Systems (HIDSs) look through log files for signs of anomalous activity. Security Information Management (SIM) is a HIDS. Network-based Intrusion Detection Systems (NIDSs) watch network traffic to look for intrusions. Security Event Management (SEM) is a NIDS strategy. SIEM is the combination of SIM and SEM.

The advantage of SEM is that it works on live data. However, network monitors only operate on one point of the network and watch all passing traffic. If the contents of each traveling packet are encrypted, all the SEM system has to work on is the packet header data. SEM isn’t able to compare events in different locations on the network and on separate devices.

SIM is able to see patterns of activity across devices. However, SIM methodologies produce better results with more source data. As the input information for SIM is written to logs, the best SIM results come with the passage of time. A big problem of SIM is that it detects intrusion in retrospect – it isn’t immediate.

SIEM combines the strengths of SIM and SEM. Even SIEM, with its varied techniques, isn’t able to block intrusion. This is the second line of defense and is intended to flush out malicious activities that have managed to slip past edge and boundary defenses.

About McAfee

McAfee was created in 1987 as McAfee Associates. The company became Intel Security Group in 2014 and then McAfee, LLC in 2017. McAfee was the first producer of commercial antivirus software and gained early successes, making the business an attractive takeover target. Eccentric founder, John McAfee withdrew from the company in 1994, selling all of his shares. After a series of takeovers, the company was bought by Intel in 2014. McAfee was then spun out back into an independent company in 2017 with Intel still maintaining a large shareholding.

As hacker activities become more sophisticated, the traditional antivirus model became unable to fully protect an IT system. The concept of “intrusion” in an IT system involves a hacker gaining entry into a network and establishing a long-term occupation, which is termed an “Advanced Persistent Threat (APT).”

McAfee has invested in machine learning software that uses AI techniques to identify anomalous activity without needing to refer to a database of activity signatures.

McAfee Enterprise Security Manager

The McAfee Enterprise Security Manager (ESM) is the main module of McAfee SIEM, includes the main console for the system, and ties together all of the data feeds that logs collectors and traffic monitors supply.

The main view of the console focuses on events but device views are also accessible. The console of the ESM allows access to search and analytical facilities.

McAfee SIEM modules

While the Enterprise Security Manager is the core of the SIEM system, a lot of the data processing work is performed outside of that unit.

McAfee Event Receiver

The McAfee Event Receiver is a split system for log collection. An agent resides on each monitored device. It is able to store collected data locally in case the network is unavailable. The central collection system communicates with all agents to receive data from them.

The central controller acts as a log server. It reformats received data into a standard layout, enabling all records to be stored together.  Related events are marked so that they can be grouped by analytical searches in the future. This is called a log correlation.

McAfee Advanced Correlation Engine

The Advanced Correlation Engine (ACE) builds on the work of the Event Receiver. It searches through past log records to see whether newly filed log messages pertaining to an event that is already in progress and has been identified by earlier messages.

The ACE marks new records so that they can be tied together with older log messages. The identified message group doesn’t link similar records; rather it uses a rule system that spots indicators of the same event that manifests itself through different actions in different locations.

McAfee Enterprise Log Manager

The Enterprise Log Manager (ELM) is a log file manager and its purpose is to provide the mandatory log file management facilities required by security standards. It creates log files for incoming log messages both as a source of data for the Security Event Manager and for data security standards reporting.

While standards require raw logs to be saved and be accessible, the Security Event Manager is only interested in certain records that highlight unusual activities, so some log messages will be duplicated and stored in different formats. ELM can be configured to use either local or remote storage facilities. The ELM is an optional module in the SIEM system. The Enterprise Security Manager is able to function without the presence of the Enterprise Log Manager.  

McAfee Enterprise Log Search

McAfee Enterprise Log Search (ELS) is based on Elasticsearch. It is a component of the McAfee SIEM system but it is also able to work as a standalone utility. This search facility can operate on the files composed by McAfee Advanced Correlation Engine and the Enterprise Log Manager too examine records of events and identify possible intrusion or data theft. The ELS is integrated into the console of the Enterprise Security Manager and is intended for ad-hoc queries and analysis.

McAfee Application Data Monitor

The Application Data Monitor (ADM) provides the SEM part of SIEM. This tool operates on live data and watches all traffic around the network. The monitor is able to look into emails and PDFs, searching for embedded Trojans and dangerous programs.

The monitor operates at the application layer, so it is able to spot attacks that hackers split across packets, hoping to fool traditional network monitors. The service operates on a SPAN port, duplicating data flows rather than sitting inline. This removes the danger of introducing lag on the network.

As well as looking for incoming attack attempts, the ADM searches outgoing traffic for data loss events and unauthorized communications. All discoveries are audited in compliance with data protection standards.

McAfee Direct Attached Storage

McAfee Direct Attached Storage serves the Enterprise Security Manager and the Enterprise Log Manager, providing a RAID controller, mirrored cache, and IO multi-pathing.

McAfee Global Threat Intelligence for ESM

The Global Threat Intelligence (GTI) feed is a core McAfee service that supports all of its security products. The GTI is made available in a format suitable for the Enterprise Security Manager.

McAfee SIEM configuration options

The McAfee Enterprise Security Manager is available in two formats. The first is a flexible cloud-based service, called ESM Cloud. This is probably the more accessible option that most customers will opt for.

There is a free trial for ESM Cloud.  The trial is in the form of downloadable software that runs on a VM on-premises rather than access the actual cloud service. The regular on-premises version of the Enterprise Security Manager is an appliance. Potential customers who want to assess this system should also download the virtual appliance version offered as a trial for ESM Cloud.


The console of the ESM is accessed through a standard web browser whither it is being deployed as a cloud service or as an appliance. The screens of the service occupy the full width of the browser window and don’t reserve space for a menu. The menu slides in from the left on-demand at the press of a button in the title bar of each screen.

McAfee ESM SIEM Solution

The main screen of the system shows a list of recent events. Other options that can be accessed off the main menu include a log file explorer and the Elasticsearch utility that operates on log files.

Without the menu in place, it is possible to see the left-panel of the main screen, which lists all monitored devices. A small flag on one of the entries in that list indicates that an event has been detected at that location or that action needs to be taken in order to check on the settings or resources for that device.

McAfee ESM

Clicking on the flagged device brings up a box of buttons that give access to facilities within the ESM that can resolve the alert that is being shown for that device.

Alternatives to McAfee SIEM

McAfee SIEM is one of the best SIEM products on the market. It integrates virus detection and blocks malware download attempts as well as looking for unauthorized human activity. The service includes data loss prevention and suspicious outbound communications. The threat intelligence feed supplied by McAfee’s central labs is one of the most highly regarded in the world.

You can read more about SIEM systems and the best services available on the market today in the best SIEM tools post. However, if you don’t want to read through another article about SIEM, you can see a brief description of other SIEM systems that are worth a try.

Here is our list of the 10 best McAfee SIEM alternatives:

  1. SolarWinds Security Event Manager (FREE TRIAL) This tool combines log sources and live data inputs to detect anomalies. The product is part of a suite of infrastructure monitoring tools produced by SolarWinds. This software installs on Windows Server. Download a 30-day free trial.
  2. ManageEngine EventLog Analyzer (FREE TRIAL) A partial SIEM offering SIM functions that can be partnered with the Log360 tool to get a feed of live network data in order to create a full SIEM. It installs on Windows and Linux. Start 30-day free trial.
  3. Datadog Security Monitoring  A cloud-based service that requires the installation of agents on site. The security monitoring log manager and SIEM that is a module of a system monitoring package with alerts.
  4. Fortinet FortiSIEM A comprehensive cloud-based SIEM system that requires agents to be installed on-site. It includes automated response actions to shut down detected malicious activity.
  5. CrowdStrike Falcon Insight A combination of a cloud-based SIEM and endpoint detection and response modules that are installed on each device. This system receives an intelligence feed to enhance threat hunting through log records and activity reports and the EDR units implement user and entity behavior analytics to spot anomalies and block zero-day attacks.
  6. Rapid7 InsightIDR A cloud-based security service that deploys agents on each protected endpoint. The agents ensure protection continuity should the network become unavailable. This service integrates an automated response mechanism.
  7. OSSEC A free open-source host-based intrusion detection system. It only covers the SIM part of SIEM but can be expended to cover live network data by bouncing a live feed through files. It installs on Windows, macOS, Linux, and Unix.
  8. LogRhythm NextGen SIEM Platform It takes live traffic statistics and log messages as input. It applies AI-based machine learning to reduce false positives. It has excellent user guides. This software package installs on Windows and Linux.
  9. AT&T Cybersecurity AlienVault Unified Security Management A highly regarded and comprehensive independently-developed security system that is now an asset of AT&T. It runs on Windows and macOS.
  10. Splunk Enterprise Security It combines network monitoring and log management to provide a SIEM tool with data analysis utilities. On-premises software installs on Windows and Linux.


How long are raw logs stored in McAfee SIEM?

The data retention period for raw log data in McAfee SIEM is up to you. The length of time that uncompressed logs are kept can be 365 days, 90 days, or 30 days and it is a big influence on the price that you pay for the service. 

How do you add a data source in McAfee SIEM?

In order to add a data source to the McAfee SIEM system, you need to open the dashboard for the Enterprise Security Manager (ESM). You need to set up an Event Receiver and then configure it. Access to this setup system is via a button in the dashboard that looks like a circular arrow pointing into its center. This is the Get Events and Flows icon and once you enter that system, the process of adding a data source and downloading a collector is guided.

How do you do a packet capture in McAfee SIEM?

McAfee SIEM doesn’t have a native tool for packet capture. Instead, you need to issue a tcpdump command in a terminal session and direct the output to a file.