
McAfee ePO



The following instructions are for configuring McAfee ePolicy Orchestrator (ePO) for log ingestion into Taegis™ XDR.

Taegis™ XDR normalizes logs from the following ePO products:

Connectivity Requirements

Source        Destination                        Port/Protocol
McAfee ePO    Taegis™ XDR Collector (mgmt IP)    TCP/6514

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
McAfee ePO Y Y                   D Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the ePO Platform

Register a Syslog Server

Follow the instructions in the Trellix ePolicy Orchestrator - On-prem 5.10.0 Product Guide article Register syslog servers to configure log forwarding.

Field                      Required Value
Server Type                Syslog Server
Server name                Taegis™ XDR Collector (mgmt IP)
TCP port number            6514
Enable event forwarding    Selected

Important

On-prem syslog forwarding only supports the TCP protocol and requires Transport Layer Security (TLS). Follow the TLS Enabled Syslog instructions to enable TLS syslog on the Taegis™ XDR Collector before enabling syslog forwarding from a McAfee ePO server, and see the Trellix Product Documentation for further information on creating a self-signed certificate.

Choose Events to be Forwarded

Follow the instructions in the Trellix Product Documentation to configure which events are forwarded to the Taegis™ XDR Collector.

Example Query Language Searches

To search for antivirus events from the last 24 hours:

FROM antivirus WHERE sensor_type = 'MCAFEE_EPO' and EARLIEST=-24h

To search for process events where the process was blocked:

FROM process WHERE sensor_type = 'MCAFEE_EPO' and was_blocked = true

To search for antivirus events associated with a specific host:

FROM antivirus WHERE sensor_type='MCAFEE_EPO' AND computer_name = 'foo'

To search for auth events where a service logs on as Administrator:

FROM auth WHERE sensor_type = 'MCAFEE_EPO' and logon_type = 'service' and target_user_name contains 'administrator'

Event Details

McAfee ePO Event Details


Sample logs

Endpoint Security:

    Mar 21 22:47:39 192.168.3.60 1 2023-03-21T22:47:39.0Z NSAT1MCEPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>HOSTNAME</MachineName><AgentGUID>{41gb1743-a17d-12eb-379b-000000000000}</AgentGUID><IPAddress>10.10.10.10</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>USERNAME</UserName><TimeZoneBias>360</TimeZoneBias><RawMACAddress>14b31f10c25c</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7.0.3468" ProductFamily="TVD"><CommonFields><Analyzer>ANALYZER</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.7.0.3468</AnalyzerVersion><AnalyzerHostName>ANALYZER_HOSTNAME</AnalyzerHostName><AnalyzerDATVersion></AnalyzerDATVersion><AnalyzerEngineVersion></AnalyzerEngineVersion></CommonFields><Event><EventID>1118</EventID><Severity>0</Severity><GMTTime>2023-03-21T22:32:40</GMTTime><CommonFields><AnalyzerDetectionMethod></AnalyzerDetectionMethod><ThreatName>_</ThreatName><ThreatType></ThreatType><ThreatCategory>ops.update.end</ThreatCategory><ThreatHandled>1</ThreatHandled><ThreatActionTaken>none</ThreatActionTaken><ThreatSeverity>6</ThreatSeverity></CommonFields></Event></SoftwareInfo></EPOEvent>

DLP Endpoint:

    Mar 21 22:18:29 10.200.5.94 Mar 21 22:18:29 198.210.15.151 1 2023-03-21T22:18:29.0Z GT2-AHPUB2 EPOEvents - EventFwd [agentInfo@4512 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><DLPAGENT><MachineInfo><AgentGUID>{04d4d952-4cbd-22ge-32ce-040e3c4137d5}</AgentGUID><MachineName>HOSTNAME</MachineName><RawMACAddress>0000000000000</RawMACAddress><IPAddress>10.0.0.10</IPAddress><AgentVersion>5.7.7.378</AgentVersion><OSName>Windows 10</OSName><TimeZoneBias>500</TimeZoneBias><UserName></UserName></MachineInfo><EventList ProductFamily="Secure" ProductVersion="11.9.100.18" ProductName="McAfee DLP Endpoint"><Event><EventID>19336</EventID><Severity>0</Severity><GMTTime>2023-01-17T22:17:11</GMTTime><OPGData></OPGData><UserInfo>T1BHoQUAAAAAAAAD+gAAAG2RvU7DQBCEp+YpLPrgpEvhOEJJFLmAIBEaOis/YMk2lnNG5O35bs8JYNH4dnZnZsd3ieb6UqVSkT51UKuTCn2o1ky3muhOY86ISa0d/T3TWm827eR01EhT6rlS3SjRCpcXPLxTBvOIJoJ3VkMvQx98p/hOqFI0axSZlooNLdlwgl0qR/XIt0IZZvdk8Ck6nN1gFnSuz9cZeme6H/Cef+1ak9K7NXBDZ4vOsfvCXqHM6ZU9XsCv4OdsOV83H6zToqzsplw/eTBeTh5/Hz8OIX97dVjY1gt6BTV9veFuQpWR0fvtQGNw/KeT6Am/wl6psDTl4L/jf98m1Tc=</UserInfo><ThreatName /><PolicyName /><TimeSZone>Eastern Standard Time</TimeSZone></Event></EventList></DLPAGENT>
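As an added illustration (not part of this documentation page or the vendor's own code), the following Python parser splits a forwarded ePO EventFwd line of the shape shown in the samples above into its syslog structured data and the embedded XML, and flattens the machine, product and threat fields that the normalized schemas above are built from. The sample line and its values are constructed for the example; the helper names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the ePO EventFwd shape: RFC 5424 header, [agentInfo@...] structured data, embedded XML.
SAMPLE = (
    'Mar 21 22:47:39 192.168.3.60 1 2023-03-21T22:47:39.0Z NSAT1MCEPO EPOEvents - EventFwd '
    '[agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\\2"] '
    '<?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>HOSTNAME</MachineName>'
    '<IPAddress>10.10.10.10</IPAddress><UserName>USERNAME</UserName></MachineInfo>'
    '<SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7.0.3468" ProductFamily="TVD">'
    '<Event><EventID>1118</EventID><Severity>0</Severity><GMTTime>2023-03-21T22:32:40</GMTTime><CommonFields>'
    '<ThreatName>_</ThreatName><ThreatCategory>ops.update.end</ThreatCategory><ThreatHandled>1</ThreatHandled>'
    '<ThreatActionTaken>none</ThreatActionTaken><ThreatSeverity>6</ThreatSeverity></CommonFields></Event></SoftwareInfo></EPOEvent>'
)

# Split the line into the syslog prefix, the [agentInfo@...] structured-data block and the XML body.
LINE_RE = re.compile(r'^(?P<prefix>.*?)\s*(?P<sd>\[agentInfo@\d+[^\]]*\])\s*(?P<xml><\?xml.*)$')
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def _text(elem, path):
    """Text of the first element matching path under elem, or '' when absent or empty."""
    child = elem.find(path) if elem is not None else None
    return (child.text or '').strip() if child is not None else ''


def parse_epo_event(line):
    """Parse one ePO EventFwd syslog line (EPOEvent or DLPAGENT body) into flat fields."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError('not an ePO EventFwd line')
    sd = dict(SD_PARAM_RE.findall(m.group('sd')))  # tenantId, bpsId, tenantGUID, tenantNodePath
    root = ET.fromstring(m.group('xml'))
    machine = root.find('MachineInfo')
    # The product element is <SoftwareInfo> for Endpoint Security and <EventList> for DLP; both carry ProductName.
    product = root.find('.//*[@ProductName]')
    event = root.find('.//Event')
    if event is None:
        raise ValueError('no <Event> element in payload')
    return {
        'tenant_id': sd.get('tenantId', ''),
        'host': _text(machine, 'MachineName'),
        'ip': _text(machine, 'IPAddress'),
        'product': product.get('ProductName', '') if product is not None else '',
        'event_id': int(_text(event, 'EventID') or 0),
        'threat_name': _text(event, './/ThreatName'),
        'threat_category': _text(event, './/ThreatCategory'),
        'threat_handled': _text(event, './/ThreatHandled') == '1',
        'action_taken': _text(event, './/ThreatActionTaken'),
    }
```

Feed each line received on the collector's TLS syslog listener through parse_epo_event to see exactly which fields a given ePO product populates before writing Custom Alert Rules against them.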
