McAfee ePO


The following instructions are for configuring McAfee ePolicy Orchestrator (ePO) for log ingestion into Secureworks® Taegis™ XDR.

XDR normalizes logs from the following ePO products:

Connectivity Requirements

| Source | Destination | Port/Protocol |
| --- | --- | --- |
| McAfee ePO | Taegis™ XDR Collector (mgmt IP) | TCP/6514 |

Data Provided from Integration

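| | Antivirus | Auth | DHCP | DNS | Email | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| McAfee ePO | Y | Y | | | | | | | | | | D | Y |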

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the ePO Platform

Register a Syslog Server

Follow the instructions in the Trellix ePolicy Orchestrator - On-prem 5.10.0 Product Guide article Register syslog servers to configure log forwarding.

| Field | Required Value |
| --- | --- |
| Server Type | Syslog Server |
| Server name | XDR Collector (mgmt IP) |
| TCP port number | 6514 |
| Enable event forwarding | Selected |

Important

On-prem syslog forwarding supports only the TCP protocol. This may be achieved either through TCP 601 or through Transport Layer Security (TLS). Follow the TLS Enabled Syslog instructions to enable TLS syslog on the XDR Collector before enabling syslog forwarding from a McAfee ePO server, and see the Trellix Product Documentation for further information on creating a self-signed certificate.

Choose Events to be Forwarded

Follow the instructions in the Trellix Product Documentation to configure which events are forwarded to the XDR Collector.

Example Query Language Searches

To search for antivirus events from the last 24 hours:

    FROM antivirus WHERE sensor_type = 'MCAFEE_EPO' and EARLIEST=-24h

To search for process events where the process was blocked:

    FROM process WHERE sensor_type = 'MCAFEE_EPO' and was_blocked = true

To search for antivirus events associated with a specific host:

    FROM antivirus WHERE sensor_type='MCAFEE_EPO' AND computer_name = 'foo'

To search for auth events where a service logs on as Administrator:

    FROM auth WHERE sensor_type = 'MCAFEE_EPO' and logon_type = 'service' and target_user_name contains 'administrator'

Event Details

McAfee ePO Event Details

Sample logs

Endpoint Security:

    Mar 21 22:47:39 192.168.3.60 1 2023-03-21T22:47:39.0Z NSAT1MCEPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>HOSTNAME</MachineName><AgentGUID>{41gb1743-a17d-12eb-379b-000000000000}</AgentGUID><IPAddress>10.10.10.10</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>USERNAME</UserName><TimeZoneBias>360</TimeZoneBias><RawMACAddress>14b31f10c25c</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7.0.3468" ProductFamily="TVD"><CommonFields><Analyzer>ANALYZER</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.7.0.3468</AnalyzerVersion><AnalyzerHostName>ANALYZER_HOSTNAME</AnalyzerHostName><AnalyzerDATVersion></AnalyzerDATVersion><AnalyzerEngineVersion></AnalyzerEngineVersion></CommonFields><Event><EventID>1118</EventID><Severity>0</Severity><GMTTime>2023-03-21T22:32:40</GMTTime><CommonFields><AnalyzerDetectionMethod></AnalyzerDetectionMethod><ThreatName>_</ThreatName><ThreatType></ThreatType><ThreatCategory>ops.update.end</ThreatCategory><ThreatHandled>1</ThreatHandled><ThreatActionTaken>none</ThreatActionTaken><ThreatSeverity>6</ThreatSeverity></CommonFields></Event></SoftwareInfo></EPOEvent>

DLP Endpoint:

    Mar 21 22:18:29 10.200.5.94 Mar 21 22:18:29 198.210.15.151 1 2023-03-21T22:18:29.0Z GT2-AHPUB2 EPOEvents - EventFwd [agentInfo@4512 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><DLPAGENT><MachineInfo><AgentGUID>{04d4d952-4cbd-22ge-32ce-040e3c4137d5}</AgentGUID><MachineName>HOSTNAME</MachineName><RawMACAddress>0000000000000</RawMACAddress><IPAddress>10.0.0.10</IPAddress><AgentVersion>5.7.7.378</AgentVersion><OSName>Windows 10</OSName><TimeZoneBias>500</TimeZoneBias><UserName></UserName></MachineInfo><EventList ProductFamily="Secure" ProductVersion="11.9.100.18" ProductName="McAfee DLP Endpoint"><Event><EventID>19336</EventID><Severity>0</Severity><GMTTime>2023-01-17T22:17:11</GMTTime><OPGData>T1BHoQUAAAAAAAADWQsAAO1c628buRHn5/4VQb4nyt2lbQKoPth6XNzYlqBH3PtkyJZsq5ElV5ITu0X/9/5mhlw+drlL+SzcAV0YklbkkDMcDufFkZvqZ/Wo7tRCvVLf1Eyt1UbN1Uot1d/Ua/WDeqve4fMVepbqCu1T9C7VDfc+qK26Vm/UBzz/rA7Un1RTHakJZpipNj63ePUx4wpPM4ze6pkHGLlAS4cxLtH+Cq8ndY9vx8AgmD/i9R5PB5jVQo403CumXB7x20j/A8Ur+Ckg6eTtUh3vugocctA/Qd43OI1iF/DvG9h3FDxv0eVPwAChoFNPiU/QJKVuoSdCwwQxu9/wHv/L83iU/h338DCvK4mljNCt/m4PMTc/Hl8ecx+FgHoO4b74rs8wFGhuPyMP4cZh8b3HMISZMVf/Fk84B35S1k5C0+iUL6/MDY4mNkt+agXKR5pk7Qc8WSKjAkrTPI9BxnQigYY7dbeM2ZKsL7F/VX9RMwf8T7B7xEOkK4Jr7RjMtM8gkzSfmQz8W2QoZbLINnoLjFEvoFL5JiktIR1jhiae6pLv5O0EeQrzOOV+M23L3hFd/oVhr3wLw70OsqhyniKK1oq7lHu30P+DVTQXpD9MEUM1zxuY9zYIC5+1ihnNAzyLw5t21wu8Xnug18fXx2Ge5CnTNkG9/O9fmVVVTRIdy4ZzrmoEHW8gkQtJZlIJMh3DFmk74h82bNrYLhkc+K6W+jfaNp8KUuhOygfco0z5nXbo/RAgOejXRpXIP+qDWo0bkbPUuLOb7h03HNZ8/Ss8kwPfJK7nM9hHniaPQ89p/4XL7WHLOQKfqbdv0Co0Ty6Rxc4NULZLxoVsJ2xvYmvyrD1Qn0JnFims0UtpbN8dI6tYzaNsuS2yb05tub4NMGto0k8oGtgoHNt1dh/TsgN4W9+7FqVfhobXTOjJbZ7rSTpPFWrL+6mGHBMiKwRT2+xiK8omFaWvpX3gxpsLILxSu4wtgn53x9Rv/TXjyHOK4ySnxr3MaKTwMvYB8SEcPTxDmfQHfvB6s7t9XUZ/jcqu+8y18hM7eAWut9HaO3lenTNcuc7O+cz9pmD1TG8Ajfqmku2ut0ndzhFQ/Ym7a62XrXXfT1HR1dhs21SvvZUX922iPRNCus6hNbsKn2EBtZ/x2PmWivaZbNMeToZ+2c/lRooylceymaaaYjLvHNqrk
/1DHNIPMFydsh3+e1o9X8WcW/XjNe2/YefsFHvH9kb5ae/6w99RCSuGL8nIXWq67lJc12jafQzr+sfa+mQzi8qcTdwiiS4Q509Qne2zlKyO88BB/lWw+a0PWrU2k4SIB3eWe1z5BPr/E1H1hey7y1cMwp913h1BM+I5HnvKO3WM8S358ARWPn2gaa9T1vrD3HhtOkc1bQQOJr0zpjHkcjqpW6+sSsnBMa2lGX3o3m44pjnEXQRzrxOyDe6IigCo60O63xX1jZLIfnnY754hCx8eR1rDVfrC8t2mKqfTW7A5becqgiHyNPUYstKmkt68m78thmKZqwN+R6+nfo/caYrC0x/Y1IPGLGmu9lEmylxkpx6tjYGNfnfc74lJPnjm0Xapw/it/UZ6pvC08b7auxyY1MF605i7JlS3bLMjAp1auUkxggRu9wXD4E3z7hWbJtecmkjILVqjF8frRdFKEW9xq6DNQ5n7cpa6QR662FszfiM5XjKYcK8RnoMrwdXiGdNDnZc8w71/zZFGrylBEWRqIQOc20jkM8b1mj3jKtMsr6abuOc3ENcVYu1T+VZJvSMgtm7BFnYZ52HFVE1fPwpuqJ/Ay+B7nb2CHTLGOLMjeUYTTZkzb7q7IfjVzLmLPt6wQt1Ijgj1Pmj7cwZDuLZDA8B65UtXYccfSMMbveEpB2OoYXGLsraOO9C5gxYEZeVBPHaHIx7mk9BVf9exA3Z5EKHc47xPsN53hjc/kQ4fi8FSiepQgunKsPzd9PnjEOLf6bhXQlPfR6TMx2tRP8Eb7vNqKMomoaUrA2CjjqQoxAj/hct2zbp1k8eVvC5d1mkHWeRqCtpS6DEU5UzVEOY3hVNUsVVHE0X03bLmOKcRzzmZPoP20tv3UWN+oxucyNd09jd68Myp3H+AGi3UiT/BvPn0FLfrYy2GbEgxCZt3S4o/J3KXT7YTMcYbv1uFw4v01uGdcON+x3ycWsdd7Et3o24vHbJVagHZDIyPew+zrG2/KMxjZsCnvz815zu7XqEqOJjzIGxIlzh0O8mCbZuxbG9TC+nd2jjbLbxTCPd4SWf3h5jxCTj188wGstkZZyNxYpgzac8TOXKas644jjnO//Pies7JizPz2cJrlTtGssxu3HwOZuIYWyAXsYPXgWh+DnCWOvoi4/xtIXp6KYRvIF18qtu3gZatt4GgRtPb7/PuJPun8tozpPl43kpBZD7lUe1Nbxoctjz+OMe32m5DDILI509nTk5RfLMRqbPGYb/cDQojHovLdYD6/0bb+1vynQMq/RfWNe04pjCXem4n7SSF/ZIz5H32VpnY3VmOkj4nGdiTAWmMnQFmq2AUZ+j/aadrpXFmthajPcbJNYQeKa6LriaNjv6+IpvTKoy9U+1X6+O6vR2yu2OxTnudnbsMfuZFGP5GPW2haWjS2HEv9jncEY/voWpcfW5kZJzcEiAtV1tLFvy76omc5irB37ZWsnynIsfjVIi0/AHUfcU+5bZvjHmHOhnz9xJH2rpXHBGmTmeTJhaw1Xw+0HruFJoy/5vnS758TvyWsBqzmMl1rrllq31HD/X3Avo1uqNYg5lRKJ04m9ZF/Xvcssh4ndT8drt2K1wLuMIMpJ/8xKRo3Q+5hAT8+5WXb14C4jwvpOV5PZXXBb89GPqTqb8H1XW6/ZzLfWelMyA5tIVeeP2d3Ay9XFUzRMsd8J77Gb666r3v8oVe+2/ve31bCb6oW6Yv33qFgvjjXrCvW6Qt1wta5QryvU6wr1ukI9xFpXqNcV6nWFel2hXleo1xXqot3rCvW6Qr2uUP99K9Qt/3/Bjsz3koMqwuFiLtvboba1JGdnfLYula3QOWKPI92/arOFP2b7RHVC48S7dB9PmNMWKRDIfHvTy5O6sPn2JlN05PDG6sKwvckWtedlD3blwDG39Rxvc1jChTw+4YTRepSNmvD+mPsqty+2k5ZzKbA+N01kOcRaN3zW7p4tDV2upu7w6fqVs350vlKkI5U
ie9N3r7XcZeY/W/u7YRuxzKQibsElr2XygeZMUEb1hk/7lOczNfZhHYt/zna9p3XXLHHRFe+Ypc7MS3t6E8nixnrFut+Xji2DKK7d2u32wlishfY6JRM7VSZn/TXjsPExySY+6juoGe+y+yuVWG8zmy+Wj4r3m3Wm02iz8yb7ONMej3CLJOyE+Uj+J3mkNBNFctYPcecj7DdqrmV9zXXbV/oUm1885M/6rqNS8JjfCxB/HpTUvD4Hc9U8Jkv/klwUz6KrfcNwz/J+R7U35NYEV0N3uFaC6E7RnmbMgP9rjR/BxeY7cHpj66S451L3+LbRrzhxbaa5IxIdZ/elkYPuVdhHqh89ymyAbxt6bBcpH/WZI+lzvBfr/16WLUpZTQymuKLY1DyuOFJZJFi4WH1xj++7TpKsWzkNeSpHrKOWTJfkbnenc4TPQ/ZGzI3U7pTm6RAL2w/uJaupozEXOjNk/r9amZcUYhBPaMHUiJ/3HrAmJ+T3GEs/AT2bLPsV5uCL+8lbprux8LcCYat41RNuvfXk0W/fRyyQx+BjDbWTVPtKJLgfiopwhJjLqApvx30PvxrSX39bmfvidzl+2T5/TNrvJw7Zyx9z/s2voxhyRm7AMWXKOSvCXZQ9Gimpr7tRM51Vt2ekGjIvLVZOG8/8T40H6n8=</OPGData><UserInfo>T1BHoQUAAAAAAAAD+gAAAG2RvU7DQBCEp+YpLPrgpEvhOEJJFLmAIBEaOis/YMk2lnNG5O35bs8JYNH4dnZnZsd3ieb6UqVSkT51UKuTCn2o1ky3muhOY86ISa0d/T3TWm827eR01EhT6rlS3SjRCpcXPLxTBvOIJoJ3VkMvQx98p/hOqFI0axSZlooNLdlwgl0qR/XIt0IZZvdk8Ck6nN1gFnSuz9cZeme6H/Cef+1ak9K7NXBDZ4vOsfvCXqHM6ZU9XsCv4OdsOV83H6zToqzsplw/eTBeTh5/Hz8OIX97dVjY1gt6BTV9veFuQpWR0fvtQGNw/KeT6Am/wl6psDTl4L/jf98m1Tc=</UserInfo><ThreatName /><PolicyName /><TimeSZone>Eastern Standard Time</TimeSZone></Event></EventList></DLPAGENT>
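To check what the ePO server is actually forwarding before relying on the normalized data, the sample lines above can be parsed locally. The following is an added example, not Secureworks or Trellix code: it splits a forwarded line into its syslog header, the agentInfo structured data and the XML payload, and accepts both root elements shown in the samples (EPOEvent and DLPAGENT). The function name, the returned keys and the trimmed sample line are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# RFC 5424 portion of the line. Relays may prepend their own "Mon DD HH:MM:SS host"
# headers (the DLP sample carries two), so search for it instead of anchoring at column 0.
HEADER = re.compile(
    r'(?:^|\s)1 \d{4}-\d\d-\d\dT\S+ (?P<host>\S+) (?P<app>\S+) \S+ (?P<msgid>\S+) '
    r'\[(?P<sd_id>[^\s\]]+)(?P<sd>(?:[^\]\\]|\\.)*)\] (?P<xml><\?xml.*)$', re.S)
SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_epo_syslog(line):
    """Return header, structured-data and XML fields of one forwarded ePO event."""
    m = HEADER.search(line.strip())
    if m is None or m.group("app") != "EPOEvents":
        raise ValueError("not an ePO EventFwd syslog line")
    payload = m.group("xml")
    # The samples carry no DTD; refuse one instead of letting the XML parser
    # expand entities from data that arrived over the network.
    if "<!DOCTYPE" in payload or "<!ENTITY" in payload:
        raise ValueError("DTD found in event payload")
    root = ET.fromstring(payload)            # EPOEvent or DLPAGENT
    event = root.find(".//Event")
    if event is None:
        raise ValueError("no <Event> element in payload")
    product = root.find("*[@ProductName]")   # SoftwareInfo or EventList
    return {
        "forwarder": m.group("host"),
        "sd": dict(SD_PARAM.findall(m.group("sd"))),
        "root": root.tag,
        "product": None if product is None else product.get("ProductName"),
        "machine": root.findtext("MachineInfo/MachineName"),
        "ip": root.findtext("MachineInfo/IPAddress"),
        "user": root.findtext("MachineInfo/UserName"),
        "event_id": event.findtext("EventID"),
        "threat_category": event.findtext(".//ThreatCategory"),
        "action": event.findtext(".//ThreatActionTaken"),
    }

SAMPLE_ENS = (  # constructed: the Endpoint Security sample above, trimmed
    'Mar 21 22:47:39 192.168.3.60 1 2023-03-21T22:47:39.0Z NSAT1MCEPO EPOEvents - EventFwd '
    '[agentInfo@3401 tenantId="1" bpsId="1" tenantNodePath="1\\2"] <?xml version="1.0" encoding="UTF-8"?>'
    '<EPOEvent><MachineInfo><MachineName>HOSTNAME</MachineName><IPAddress>10.10.10.10</IPAddress>'
    '<UserName>USERNAME</UserName></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security">'
    '<Event><EventID>1118</EventID><CommonFields><ThreatCategory>ops.update.end</ThreatCategory>'
    '<ThreatActionTaken>none</ThreatActionTaken></CommonFields></Event></SoftwareInfo></EPOEvent>')

if __name__ == "__main__":
    print(parse_epo_syslog(SAMPLE_ENS))
```
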

 
