McAfee ePolicy Orchestrator
About
McAfee ePolicy Orchestrator (ePO) is a centralized, scalable, extensible platform for managing and enforcing security policy across enterprise networks and endpoints. It provides comprehensive reporting and security-software deployment capabilities.
Product Details
Vendor URL: McAfee ePolicy Orchestrator
Product Type: Endpoint
Product Tier: Tier I
Integration Method: Syslog
Integration URL: McAfee MVISION EDR
Log Guide: Sample Logs
Parser Details
Log Format: SYSLOG
Expected Normalization Rate: 90%
Data Label: MCAFEE_EPO
UDM Fields (all UDM fields used by the parser, keyed by the log field they are populated from):
Log File Field | UDM Field |
---|---|
agent_guid | principal.asset.product_object_id |
app_protocol | network.application_protocol |
application_name | principal.application |
cmd_line | principal.process.command_line |
event_description | metadata.description |
event_id | metadata.product_event_type |
event_id | security_result.threat_id |
event_type | metadata.event_type |
file_name | target.file.full_path |
file_name | target.process.file.full_path |
file_size | target.process.file.size |
is_alert | event.idm.is_alert |
is_significant | event.idm.is_significant |
key_name | target.registry.registry_key |
machine_name | principal.hostname |
machine_user_name | principal.user.user_display_name |
md5 | target.process.file.md5 |
normalized_ip_address | principal.ip |
normalized_mac_address | principal.mac |
parent_process_name | principal.process.parent_process.file.full_path |
policy_name | security_result.rule_name |
process_id | principal.process.pid |
process_name | principal.process.file.full_path |
product_name | metadata.product_name |
prog_name | target.process.file.full_path |
prog_name | principal.process.file.full_path |
rule_name | security_result.rule_name |
s_description | security_result.description |
s_label1 | security_result.rule_labels |
s_rule_id | security_result.rule_id |
s_rule_name | security_result.rule_name |
security_action | security_result.action |
security_category | security_result.category |
security_category_details | security_result.category_details |
security_summary | security_result.summary |
sha1 | target.process.file.sha1 |
sha256 | target.process.file.sha256 |
source_device_sn | principal.resource.id |
source_ip | target.ip |
source_parent_process_id | principal.process.parent_process.pid |
source_port | src.port |
source_process_cmd | principal.process.command_line |
source_process_id | principal.process.pid |
source_product_name | principal.resource.name |
source_url | target.url |
source_user_domain | principal.administrative_domain |
source_user_name | principal.user.user_display_name |
sourcedesc | principal.process.command_line_history |
spn | principal.application |
sys_host | observer.hostname |
sys_ip | observer.ip |
target_file_name | target.process.file.full_path |
target_file_size | target.file.size |
target_hash | target.process.file.md5 |
target_ip | target.ip |
target_name | target.process.file.full_path |
target_parent_file_name | target.process.parent_process.file.full_path |
target_port | target.port |
target_process_name | target.process.file.names |
target_protocol | network.ip_protocol |
target_url | target.url |
target_user_name | target.user.user_display_name |
targetdesc | target.process.command_line_history |
threat_action_taken | security_result.action_details |
threat_name | security_result.threat_name |
threat_type | security_result.summary |
username | principal.user.user_display_name |
value | target.user.user_display_name |
value_data | target.process.file.full_path |
Product Event Types
Event | UDM Event Classification |
---|---|
[event_id] == "1027" | FILE_DELETION |
[event_id] == "1092" | PROCESS_OPEN |
[event_id] == "1095" | PROCESS_OPEN |
[event_id] == "1202" | SCAN_HOST |
[event_id] == "1203" | SCAN_HOST |
[event_id] == "18060" | PROCESS_UNCATEGORIZED |
[event_id] == "18600" | NETWORK_HTTP |
[event_id] == "203050" | STATUS_UNCATEGORIZED |
[event_id] == "20500" | STATUS_UNCATEGORIZED |
[event_id] == "20501" | STATUS_UNCATEGORIZED |
[event_id] == "20504" | STATUS_UNCATEGORIZED |
[event_id] == "20507" | STATUS_UNCATEGORIZED |
[event_id] == "20508" | STATUS_UNCATEGORIZED |
[event_id] == "34853" | SCAN_HOST |
[event_id] == "34854" | SCAN_HOST |
[event_id] == "34923" | STATUS_UNCATEGORIZED |
[event_id] == "35002" | NETWORK_CONNECTION |
[event_id] in ["202251", "202256", "202262", "202266", "202298"] | PROCESS_LAUNCH |
[event_id] in ["20719", "20720", "20835", "20994"] | PROCESS_LAUNCH |
[event_id] in ["20769", "20774"] | FILE_CREATION |
[event_id] in ["20770", "20775"] | FILE_DELETION |
[event_id] in ["20771", "20772", "20773", "20776", "20778"] | FILE_MODIFICATION |
[event_id] in ["20800", "20799"] | REGISTRY_MODIFICATION |
All other | GENERIC_EVENT |
Event | UDM Event Classification |
---|---|
is_UpdateEvents != "" | STATUS_UNCATEGORIZED |
Log Sample
<29>1 2023-01-17T12:53:26.0Z ABCDEFGHIJKL01 EPOEvents - EventFwd [agentInfo@1234 tenantId="1" bpsId="1" tenantGUID="{123450AB-ABC3-1234-ABC4-1234569AB123}" tenantNodePath="1\2"] <?xml version="1.0"?> <UpdateEvents><MachineInfo><AgentGUID>{123450AB-ABC3-1234-ABC4-1234569AB123}</AgentGUID><MachineName>AB-ABC12D5</MachineName><RawMACAddress>12AB34CD56EF</RawMACAddress><IPAddress>10.10.1.1</IPAddress><AgentVersion>5.7.7.378</AgentVersion><OSName>Windows 10</OSName><TimeZoneBias>100</TimeZoneBias><UserName>12345</UserName></MachineInfo><McAfeeCommonUpdater ProductName="McAfee Agent" ProductVersion="5.0.0" ProductFamily="TVD"><UpdateEvent><EventID>2412</EventID><Severity>4</Severity><GMTTime>2023-01-17T12:48:25</GMTTime><ProductID>EPOAGENT3000</ProductID><Locale>0409</Locale><Error>0</Error><Type>Deployment</Type><Version>N/A</Version><InitiatorID>EPOAGENT3000</InitiatorID><InitiatorType>DeploymentTask</InitiatorType><SiteName>TrellixHttp</SiteName><Description>N/A</Description></UpdateEvent></McAfeeCommonUpdater></UpdateEvents>
Sample Parsing
metadata.event_type = "STATUS_UNCATEGORIZED"
metadata.product_name = "McAfee Agent"
metadata.product_event_type = "2412"
metadata.description = "Deployment"
principal.hostname = "AB-ABC12D5"
principal.user.user_display_name = "12345"
principal.ip = "10.10.1.1"
principal.mac = "12:AB:34:CD:56:EF"
principal.asset.hostname = "AB-ABC12D5"
principal.asset.ip = "10.10.1.1"
principal.asset.mac = "12:AB:34:CD:56:EF"
observer.hostname = "ABCDEFGHIJKL01"
security_result.severity = "MEDIUM"
security_result.rule_id = "0"
security_result.threat_id = "2412"
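The mapping from the Log Sample to the Sample Parsing output above, together with the event_id rules in the Product Event Types table, as an added Python example (not the parser's own code): it splits the RFC 5424 header, reads the XML body and emits the UDM fields listed above. It assumes that Severity 4 to MEDIUM is the only severity pair (the only one the page shows), that an UpdateEvents body takes precedence over the per-ID table, and it uses an abridged copy of the sample line with unread elements dropped.

```python
import re
import xml.etree.ElementTree as ET

_GROUPS = {  # event_type rules copied from the Product Event Types table above
    "STATUS_UNCATEGORIZED": ["203050", "20500", "20501", "20504", "20507", "20508", "34923"],
    "PROCESS_LAUNCH": ["202251", "202256", "202262", "202266", "202298", "20719", "20720", "20835", "20994"],
    "FILE_CREATION": ["20769", "20774"], "FILE_DELETION": ["1027", "20770", "20775"],
    "FILE_MODIFICATION": ["20771", "20772", "20773", "20776", "20778"],
    "REGISTRY_MODIFICATION": ["20800", "20799"], "PROCESS_OPEN": ["1092", "1095"],
    "SCAN_HOST": ["1202", "1203", "34853", "34854"], "PROCESS_UNCATEGORIZED": ["18060"],
    "NETWORK_HTTP": ["18600"], "NETWORK_CONNECTION": ["35002"],
}
EVENT_TYPE_BY_ID = {eid: et for et, ids in _GROUPS.items() for eid in ids}
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
HEADER = re.compile(r"^<\d+>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\[[^\]]*\]) (.*)$", re.S)
SAMPLE = (  # abridged from the Log Sample above; elements the mapping never reads were dropped
    '<29>1 2023-01-17T12:53:26.0Z ABCDEFGHIJKL01 EPOEvents - EventFwd [agentInfo@1234 tenantId="1"] '
    '<?xml version="1.0"?> <UpdateEvents><MachineInfo><MachineName>AB-ABC12D5</MachineName>'
    '<RawMACAddress>12AB34CD56EF</RawMACAddress><IPAddress>10.10.1.1</IPAddress><UserName>12345</UserName>'
    '</MachineInfo><McAfeeCommonUpdater ProductName="McAfee Agent"><UpdateEvent><EventID>2412</EventID>'
    '<Severity>4</Severity><Error>0</Error><Type>Deployment</Type></UpdateEvent></McAfeeCommonUpdater></UpdateEvents>'
)

def classify(event_id, root_tag=""):
    # Assumption: an <UpdateEvents> body wins over the per-ID table, as Sample Parsing shows for 2412.
    return "STATUS_UNCATEGORIZED" if root_tag == "UpdateEvents" else EVENT_TYPE_BY_ID.get(event_id, "GENERIC_EVENT")

def format_mac(raw):
    # RawMACAddress is 12 bare hex digits; UDM shows colon-separated upper-case octets.
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_epo_syslog(line):
    m = HEADER.match(line)
    if not m: raise ValueError("not an RFC 5424 syslog line")
    root = ET.fromstring(m.group(7).split("?>", 1)[-1].strip())  # message body minus the XML declaration
    info, updater, ev = root.find("MachineInfo"), root.find("McAfeeCommonUpdater"), root.find("McAfeeCommonUpdater/UpdateEvent")
    return {
        "metadata.event_type": classify(ev.findtext("EventID"), root.tag),
        "metadata.product_name": updater.get("ProductName"),
        "metadata.product_event_type": ev.findtext("EventID"),
        "metadata.description": ev.findtext("Type"),
        "principal.hostname": info.findtext("MachineName"),
        "principal.user.user_display_name": info.findtext("UserName"),
        "principal.ip": info.findtext("IPAddress"),
        "principal.mac": format_mac(info.findtext("RawMACAddress")),
        "observer.hostname": m.group(2),
        "security_result.severity": {"4": "MEDIUM"}.get(ev.findtext("Severity")),  # only pair the page shows
        "security_result.rule_id": ev.findtext("Error"),
        "security_result.threat_id": ev.findtext("EventID"),
    }
```

The same function accepts the full sample line from the Log Sample section unchanged, since the extra elements and structured-data attributes are simply not read.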
Parser Alerting
This product does not currently have any parser-based alerting.