McAfee ePolicy Orchestrator¶
About¶
McAfee ePolicy Orchestrator (ePO) is a centralized, scalable, extensible platform for security policy management and enforcement of enterprise networks and endpoints. This product provides users with comprehensive reporting and security software deployment capabilities.
Product Details¶
Vendor URL: McAfee ePolicy Orchestrator
Product Type: Endpoint
Product Tier: Tier I
Integration Method: Syslog
Integration URL: McAfee MVISION EDR
Log Guide: Sample Logs
Parser Details¶
Log Format: SYSLOG
Expected Normalization Rate: 90%
Data Label: MCAFEE_EPO
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| agent_guid | principal.asset.product_object_id |
| app_protocol | network.application_protocol |
| application_name | principal.application |
| cmd_line | principal.process.command_line |
| event_description | metadata.description |
| event_id | metadata.product_event_type |
| event_id | security_result.threat_id |
| event_type | metadata.event_type |
| file_name | target.file.full_path |
| file_name | target.process.file.full_path |
| file_size | target.process.file.size |
| is_alert | event.idm.is_alert |
| is_significant | event.idm.is_significant |
| key_name | target.registry.registry_key |
| machine_name | principal.hostname |
| machine_user_name | principal.user.user_display_name |
| machine_user_name | principal.user.user_display_name |
| md5 | target.process.file.md5 |
| normalized_ip_address | principal.ip |
| normalized_mac_address | principal.mac |
| parent_process_name | principal.process.parent_process.file.full_path |
| policy_name | security_result.rule_name |
| process_id | principal.process.pid |
| process_name | principal.process.file.full_path |
| product_name | metadata.product_name |
| prog_name | target.process.file.full_path |
| prog_name | principal.process.file.full_path |
| rule_name | security_result.rule_name |
| s_description | security_result.description |
| s_label1 | security_result.rule_labels |
| s_rule_id | security_result.rule_id |
| s_rule_name | security_result.rule_name |
| security_action | security_result.action |
| security_category | security_result.category |
| security_category_details | security_result.category_details |
| security_summary | security_result.summary |
| sha1 | target.process.file.sha1 |
| sha256 | target.process.file.sha256 |
| source_device_sn | principal.resource.id |
| source_ip | target.ip |
| source_parent_process_id | principal.process.parent_process.pid |
| source_port | src.port |
| source_process_cmd | principal.process.command_line |
| source_process_id | principal.process.pid |
| source_product_name | principal.resource.name |
| source_url | target.url |
| source_user_domain | principal.administrative_domain |
| source_user_name | principal.user.user_display_name |
| sourcedesc | principal.process.command_line_history |
| spn | principal.application |
| sys_host | observer.hostname |
| sys_ip | observer.ip |
| target_file_name | target.process.file.full_path |
| target_file_size | target.file.size |
| target_hash | target.process.file.md5 |
| target_ip | target.ip |
| target_name | target.process.file.full_path |
| target_parent_file_name | target.process.parent_process.file.full_path |
| target_port | target.port |
| target_process_name | target.process.file.names |
| target_protocol | network.ip_protocol |
| target_url | target.url |
| target_user_name | target.user.user_display_name |
| targetdesc | target.process.command_line_history |
| threat_action_taken | security_result.action_details |
| threat_name | security_result.threat_name |
| threat_type | security_result.summary |
| username | principal.user.user_display_name |
| value | target.user.user_display_name |
| value_data | target.process.file.full_path |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| [event_id] == "1027" | FILE_DELETION |
| [event_id] == "1092" | PROCESS_OPEN |
| [event_id] == "1095" | PROCESS_OPEN |
| [event_id] == "1202" | SCAN_HOST |
| [event_id] == "1203" | SCAN_HOST |
| [event_id] == "18060" | PROCESS_UNCATEGORIZED |
| [event_id] == "18600" | NETWORK_HTTP |
| [event_id] == "203050" | STATUS_UNCATEGORIZED |
| [event_id] == "20500" | STATUS_UNCATEGORIZED |
| [event_id] == "20501" | STATUS_UNCATEGORIZED |
| [event_id] == "20504" | STATUS_UNCATEGORIZED |
| [event_id] == "20507" | STATUS_UNCATEGORIZED |
| [event_id] == "20508" | STATUS_UNCATEGORIZED |
| [event_id] == "34853" | SCAN_HOST |
| [event_id] == "34854" | SCAN_HOST |
| [event_id] == "34923" | STATUS_UNCATEGORIZED |
| [event_id] == "35002" | NETWORK_CONNECTION |
| [event_id] in ["202251", "202256", "202262", "202266", "202298"] | PROCESS_LAUNCH |
| [event_id] in ["20719", "20720", "20835", "20994"] | PROCESS_LAUNCH |
| [event_id] in ["20769", "20774"] | FILE_CREATION |
| [event_id] in ["20770", "20775"] | FILE_DELETION |
| [event_id] in ["20771", "20772", "20773", "20776", "20778"] | FILE_MODIFICATION |
| [event_id] in ["20800", "20799"] | REGISTRY_MODIFICATION |
| All other | GENERIC_EVENT |
| Event | UDM Event Classification |
| is_UpdateEvents != "" | STATUS_UNCATEGORIZED |
Log Sample¶
<29>1 2023-01-17T12:53:26.0Z ABCDEFGHIJKL01 EPOEvents - EventFwd [agentInfo@1234 tenantId="1" bpsId="1" tenantGUID="{123450AB-ABC3-1234-ABC4-1234569AB123}" tenantNodePath="1\2"] <?xml version="1.0"?> <UpdateEvents><MachineInfo><AgentGUID>{123450AB-ABC3-1234-ABC4-1234569AB123}</AgentGUID><MachineName>AB-ABC12D5</MachineName><RawMACAddress>12AB34CD56EF</RawMACAddress><IPAddress>10.10.1.1</IPAddress><AgentVersion>5.7.7.378</AgentVersion><OSName>Windows 10</OSName><TimeZoneBias>100</TimeZoneBias><UserName>12345</UserName></MachineInfo><McAfeeCommonUpdater ProductName="McAfee Agent" ProductVersion="5.0.0" ProductFamily="TVD"><UpdateEvent><EventID>2412</EventID><Severity>4</Severity><GMTTime>2023-01-17T12:48:25</GMTTime><ProductID>EPOAGENT3000</ProductID><Locale>0409</Locale><Error>0</Error><Type>Deployment</Type><Version>N/A</Version><InitiatorID>EPOAGENT3000</InitiatorID><InitiatorType>DeploymentTask</InitiatorType><SiteName>TrellixHttp</SiteName><Description>N/A</Description></UpdateEvent></McAfeeCommonUpdater></UpdateEvents>
Sample Parsing¶
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.product_name = "McAfee Agent"
metadata.product_event_type = "2412"
metadata.description = "Deployment"
principal.hostname = "AB-ABC12D5"
principal.user.user_display_name = "12345"
principal.ip = "10.10.1.1"
principal.mac = "12:AB:34:CD:56:EF"
principal.asset.hostname = "AB-ABC12D5"
principal.asset.ip = "10.10.1.1"
principal.asset.mac = "12:AB:34:CD:56:EF"
observer.hostname = "ABCDEFGHIJKL01"
security_result.severity = "MEDIUM"
security_result.rule_id = "0"
security_result.threat_id = "2412"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon