Skip to content

McAfee ePolicy Orchestrator

McAfee ePolicy Orchestrator

About

McAfee ePolicy Orchestrator (ePO) is a centralized, scalable, extensible platform for security policy management and enforcement of enterprise networks and endpoints. This product provides users with comprehensive reporting and security software deployment capabilities.

Product Details

Vendor URL: McAfee ePolicy Orchestrator

Product Type: Endpoint

Product Tier: Tier I

Integration Method: Syslog

Integration URL: McAfee MVISION EDR

Log Guide: Sample Logs

Parser Details

Log Format: SYSLOG

Expected Normalization Rate: 90%

Data Label: MCAFEE_EPO

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
agent_guid principal.asset.product_object_id
app_protocol network.application_protocol
application_name principal.application
cmd_line principal.process.command_line
event_description metadata.description
event_id metadata.product_event_type
event_id security_result.threat_id
event_type metadata.event_type
file_name target.file.full_path
file_name target.process.file.full_path
file_size target.process.file.size
is_alert event.idm.is_alert
is_significant event.idm.is_significant
key_name target.registry.registry_key
machine_name principal.hostname
machine_user_name principal.user.user_display_name
machine_user_name principal.user.user_display_name
md5 target.process.file.md5
normalized_ip_address principal.ip
normalized_mac_address principal.mac
parent_process_name principal.process.parent_process.file.full_path
policy_name security_result.rule_name
process_id principal.process.pid
process_name principal.process.file.full_path
product_name metadata.product_name
prog_name target.process.file.full_path
prog_name principal.process.file.full_path
rule_name security_result.rule_name
s_description security_result.description
s_label1 security_result.rule_labels
s_rule_id security_result.rule_id
s_rule_name security_result.rule_name
security_action security_result.action
security_category security_result.category
security_category_details security_result.category_details
security_summary security_result.summary
sha1 target.process.file.sha1
sha256 target.process.file.sha256
source_device_sn principal.resource.id
source_ip target.ip
source_parent_process_id principal.process.parent_process.pid
source_port src.port
source_process_cmd principal.process.command_line
source_process_id principal.process.pid
source_product_name principal.resource.name
source_url target.url
source_user_domain principal.administrative_domain
source_user_name principal.user.user_display_name
sourcedesc principal.process.command_line_history
spn principal.application
sys_host observer.hostname
sys_ip observer.ip
target_file_name target.process.file.full_path
target_file_size target.file.size
target_hash target.process.file.md5
target_ip target.ip
target_name target.process.file.full_path
target_parent_file_name target.process.parent_process.file.full_path
target_port target.port
target_process_name target.process.file.names
target_protocol network.ip_protocol
target_url target.url
target_user_name target.user.user_display_name
targetdesc target.process.command_line_history
threat_action_taken security_result.action_details
threat_name security_result.threat_name
threat_type security_result.summary
username principal.user.user_display_name
value target.user.user_display_name
value_data target.process.file.full_path

Product Event Types

Event UDM Event Classification
[event_id] == "1027" FILE_DELETION
[event_id] == "1092" PROCESS_OPEN
[event_id] == "1095" PROCESS_OPEN
[event_id] == "1202" SCAN_HOST
[event_id] == "1203" SCAN_HOST
[event_id] == "18060" PROCESS_UNCATEGORIZED
[event_id] == "18600" NETWORK_HTTP
[event_id] == "203050" STATUS_UNCATEGORIZED
[event_id] == "20500" STATUS_UNCATEGORIZED
[event_id] == "20501" STATUS_UNCATEGORIZED
[event_id] == "20504" STATUS_UNCATEGORIZED
[event_id] == "20507" STATUS_UNCATEGORIZED
[event_id] == "20508" STATUS_UNCATEGORIZED
[event_id] == "34853" SCAN_HOST
[event_id] == "34854" SCAN_HOST
[event_id] == "34923" STATUS_UNCATEGORIZED
[event_id] == "35002" NETWORK_CONNECTION
[event_id] in ["202251", "202256", "202262", "202266", "202298"] PROCESS_LAUNCH
[event_id] in ["20719", "20720", "20835", "20994"] PROCESS_LAUNCH
[event_id] in ["20769", "20774"] FILE_CREATION
[event_id] in ["20770", "20775"] FILE_DELETION
[event_id] in ["20771", "20772", "20773", "20776", "20778"] FILE_MODIFICATION
[event_id] in ["20800", "20799"] REGISTRY_MODIFICATION
All other GENERIC_EVENT
Event UDM Event Classification
is_UpdateEvents != "" STATUS_UNCATEGORIZED

Log Sample

<29>1 2023-01-17T12:53:26.0Z ABCDEFGHIJKL01 EPOEvents - EventFwd [agentInfo@1234 tenantId="1" bpsId="1" tenantGUID="{123450AB-ABC3-1234-ABC4-1234569AB123}" tenantNodePath="1\2"] <?xml version="1.0"?>  <UpdateEvents><MachineInfo><AgentGUID>{123450AB-ABC3-1234-ABC4-1234569AB123}</AgentGUID><MachineName>AB-ABC12D5</MachineName><RawMACAddress>12AB34CD56EF</RawMACAddress><IPAddress>10.10.1.1</IPAddress><AgentVersion>5.7.7.378</AgentVersion><OSName>Windows 10</OSName><TimeZoneBias>100</TimeZoneBias><UserName>12345</UserName></MachineInfo><McAfeeCommonUpdater ProductName="McAfee Agent" ProductVersion="5.0.0" ProductFamily="TVD"><UpdateEvent><EventID>2412</EventID><Severity>4</Severity><GMTTime>2023-01-17T12:48:25</GMTTime><ProductID>EPOAGENT3000</ProductID><Locale>0409</Locale><Error>0</Error><Type>Deployment</Type><Version>N/A</Version><InitiatorID>EPOAGENT3000</InitiatorID><InitiatorType>DeploymentTask</InitiatorType><SiteName>TrellixHttp</SiteName><Description>N/A</Description></UpdateEvent></McAfeeCommonUpdater></UpdateEvents>  

Sample Parsing

metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.product_name = "McAfee Agent"
metadata.product_event_type = "2412"
metadata.description = "Deployment"
principal.hostname = "AB-ABC12D5"
principal.user.user_display_name = "12345"
principal.ip = "10.10.1.1"
principal.mac = "12:AB:34:CD:56:EF"
principal.asset.hostname = "AB-ABC12D5"
principal.asset.ip = "10.10.1.1"
principal.asset.mac = "12:AB:34:CD:56:EF"
observer.hostname = "ABCDEFGHIJKL01"
security_result.severity = "MEDIUM"
security_result.rule_id = "0"
security_result.threat_id = "2412"

Parser Alerting

This product currently does not have any Parser-based Alerting