McAfee ePO
The following instructions are for configuring McAfee ePolicy Orchestrator (ePO) for log ingestion into Secureworks® Taegis™ XDR.
XDR normalizes logs from the following ePO products:
- McAfee Endpoint Security
- McAfee DLP Endpoint
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
McAfee ePO | Taegis™ XDR Collector (mgmt IP) | TCP/6514 |
Data Provided from Integration
Data Source | Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
---|---|---|---|---|---|---|---|---|---|---|---|---|
McAfee ePO | Y | Y | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the ePO Platform
Register a Syslog Server
Follow the instructions in the Trellix ePolicy Orchestrator - On-prem 5.10.0 Product Guide article Register syslog servers to configure log forwarding.
Field | Required Value |
---|---|
Server Type | Syslog Server |
Server name | XDR Collector (mgmt IP) |
TCP port number | 6514 |
Enable event forwarding | Selected |
Important
On-prem ePO syslog forwarding only supports TCP: either plain syslog over TCP 601 or syslog over Transport Layer Security (TLS). The TCP/6514 entry in the tables above is the TLS option, so follow the TLS Enabled Syslog instructions to enable TLS syslog on the XDR Collector before enabling syslog forwarding from the McAfee ePO server, and see the Trellix Product Documentation for further information on creating a self-signed certificate.
Choose Events to be Forwarded
Follow the instructions in the Trellix Product Documentation to configure which events are forwarded to the XDR Collector.
- Select All events to the server
- Select Events from any source
Example Query Language Searches
To search for antivirus events from the last 24 hours:
FROM antivirus WHERE sensor_type = 'MCAFEE_EPO' and EARLIEST=-24h
To search for process events where the process was blocked:
FROM process WHERE sensor_type = 'MCAFEE_EPO' and was_blocked = true
To search for antivirus events associated with a specific host (replace 'foo' with the host name):
FROM antivirus WHERE sensor_type='MCAFEE_EPO' AND computer_name = 'foo'
To search for auth events where a service logs on as Administrator:
FROM auth WHERE sensor_type = 'MCAFEE_EPO' and logon_type = 'service' and target_user_name contains 'administrator'
Event Details
McAfee ePO Event Details
Sample logs
Endpoint Security:
Mar 21 22:47:39 192.168.3.60 1 2023-03-21T22:47:39.0Z NSAT1MCEPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>HOSTNAME</MachineName><AgentGUID>{41gb1743-a17d-12eb-379b-000000000000}</AgentGUID><IPAddress>10.10.10.10</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>USERNAME</UserName><TimeZoneBias>360</TimeZoneBias><RawMACAddress>14b31f10c25c</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7.0.3468" ProductFamily="TVD"><CommonFields><Analyzer>ANALYZER</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.7.0.3468</AnalyzerVersion><AnalyzerHostName>ANALYZER_HOSTNAME</AnalyzerHostName><AnalyzerDATVersion></AnalyzerDATVersion><AnalyzerEngineVersion></AnalyzerEngineVersion></CommonFields><Event><EventID>1118</EventID><Severity>0</Severity><GMTTime>2023-03-21T22:32:40</GMTTime><CommonFields><AnalyzerDetectionMethod></AnalyzerDetectionMethod><ThreatName>_</ThreatName><ThreatType></ThreatType><ThreatCategory>ops.update.end</ThreatCategory><ThreatHandled>1</ThreatHandled><ThreatActionTaken>none</ThreatActionTaken><ThreatSeverity>6</ThreatSeverity></CommonFields></Event></SoftwareInfo></EPOEvent>
DLP Endpoint:
Mar 21 22:18:29 10.200.5.94 Mar 21 22:18:29 198.210.15.151 1 2023-03-21T22:18:29.0Z GT2-AHPUB2 EPOEvents - EventFwd [agentInfo@4512 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><DLPAGENT><MachineInfo><AgentGUID>{04d4d952-4cbd-22ge-32ce-040e3c4137d5}</AgentGUID><MachineName>HOSTNAME</MachineName><RawMACAddress>0000000000000</RawMACAddress><IPAddress>10.0.0.10</IPAddress><AgentVersion>5.7.7.378</AgentVersion><OSName>Windows 10</OSName><TimeZoneBias>500</TimeZoneBias><UserName></UserName></MachineInfo><EventList ProductFamily="Secure" ProductVersion="11.9.100.18" ProductName="McAfee DLP Endpoint"><Event><EventID>19336</EventID><Severity>0</Severity><GMTTime>2023-01-17T22:17:11</GMTTime><OPGData>T1BHoQUAAAAAAAADWQsAAO1c628buRHn5/4VQb4nyt2lbQKoPth6XNzYlqBH3PtkyJZsq5ElV5ITu0X/9/5mhlw+drlL+SzcAV0YklbkkDMcDufFkZvqZ/Wo7tRCvVLf1Eyt1UbN1Uot1d/Ua/WDeqve4fMVepbqCu1T9C7VDfc+qK26Vm/UBzz/rA7Un1RTHakJZpipNj63ePUx4wpPM4ze6pkHGLlAS4cxLtH+Cq8ndY9vx8AgmD/i9R5PB5jVQo403CumXB7x20j/A8Ur+Ckg6eTtUh3vugocctA/Qd43OI1iF/DvG9h3FDxv0eVPwAChoFNPiU/QJKVuoSdCwwQxu9/wHv/L83iU/h338DCvK4mljNCt/m4PMTc/Hl8ecx+FgHoO4b74rs8wFGhuPyMP4cZh8b3HMISZMVf/Fk84B35S1k5C0+iUL6/MDY4mNkt+agXKR5pk7Qc8WSKjAkrTPI9BxnQigYY7dbeM2ZKsL7F/VX9RMwf8T7B7xEOkK4Jr7RjMtM8gkzSfmQz8W2QoZbLINnoLjFEvoFL5JiktIR1jhiae6pLv5O0EeQrzOOV+M23L3hFd/oVhr3wLw70OsqhyniKK1oq7lHu30P+DVTQXpD9MEUM1zxuY9zYIC5+1ihnNAzyLw5t21wu8Xnug18fXx2Ge5CnTNkG9/O9fmVVVTRIdy4ZzrmoEHW8gkQtJZlIJMh3DFmk74h82bNrYLhkc+K6W+jfaNp8KUuhOygfco0z5nXbo/RAgOejXRpXIP+qDWo0bkbPUuLOb7h03HNZ8/Ss8kwPfJK7nM9hHniaPQ89p/4XL7WHLOQKfqbdv0Co0Ty6Rxc4NULZLxoVsJ2xvYmvyrD1Qn0JnFims0UtpbN8dI6tYzaNsuS2yb05tub4NMGto0k8oGtgoHNt1dh/TsgN4W9+7FqVfhobXTOjJbZ7rSTpPFWrL+6mGHBMiKwRT2+xiK8omFaWvpX3gxpsLILxSu4wtgn53x9Rv/TXjyHOK4ySnxr3MaKTwMvYB8SEcPTxDmfQHfvB6s7t9XUZ/jcqu+8y18hM7eAWut9HaO3lenTNcuc7O+cz9pmD1TG8Ajfqmku2ut0ndzhFQ/Ym7a62XrXXfT1HR1dhs21SvvZUX922iPRNCus6hNbsKn2EBtZ/x2PmWivaZbNMeToZ+2c/lRooylceymaaaYjLvHNqrk/1DH
NIPMFydsh3+e1o9X8WcW/XjNe2/YefsFHvH9kb5ae/6w99RCSuGL8nIXWq67lJc12jafQzr+sfa+mQzi8qcTdwiiS4Q509Qne2zlKyO88BB/lWw+a0PWrU2k4SIB3eWe1z5BPr/E1H1hey7y1cMwp913h1BM+I5HnvKO3WM8S358ARWPn2gaa9T1vrD3HhtOkc1bQQOJr0zpjHkcjqpW6+sSsnBMa2lGX3o3m44pjnEXQRzrxOyDe6IigCo60O63xX1jZLIfnnY754hCx8eR1rDVfrC8t2mKqfTW7A5becqgiHyNPUYstKmkt68m78thmKZqwN+R6+nfo/caYrC0x/Y1IPGLGmu9lEmylxkpx6tjYGNfnfc74lJPnjm0Xapw/it/UZ6pvC08b7auxyY1MF605i7JlS3bLMjAp1auUkxggRu9wXD4E3z7hWbJtecmkjILVqjF8frRdFKEW9xq6DNQ5n7cpa6QR662FszfiM5XjKYcK8RnoMrwdXiGdNDnZc8w71/zZFGrylBEWRqIQOc20jkM8b1mj3jKtMsr6abuOc3ENcVYu1T+VZJvSMgtm7BFnYZ52HFVE1fPwpuqJ/Ay+B7nb2CHTLGOLMjeUYTTZkzb7q7IfjVzLmLPt6wQt1Ijgj1Pmj7cwZDuLZDA8B65UtXYccfSMMbveEpB2OoYXGLsraOO9C5gxYEZeVBPHaHIx7mk9BVf9exA3Z5EKHc47xPsN53hjc/kQ4fi8FSiepQgunKsPzd9PnjEOLf6bhXQlPfR6TMx2tRP8Eb7vNqKMomoaUrA2CjjqQoxAj/hct2zbp1k8eVvC5d1mkHWeRqCtpS6DEU5UzVEOY3hVNUsVVHE0X03bLmOKcRzzmZPoP20tv3UWN+oxucyNd09jd68Myp3H+AGi3UiT/BvPn0FLfrYy2GbEgxCZt3S4o/J3KXT7YTMcYbv1uFw4v01uGdcON+x3ycWsdd7Et3o24vHbJVagHZDIyPew+zrG2/KMxjZsCnvz815zu7XqEqOJjzIGxIlzh0O8mCbZuxbG9TC+nd2jjbLbxTCPd4SWf3h5jxCTj188wGstkZZyNxYpgzac8TOXKas644jjnO//Pies7JizPz2cJrlTtGssxu3HwOZuIYWyAXsYPXgWh+DnCWOvoi4/xtIXp6KYRvIF18qtu3gZatt4GgRtPb7/PuJPun8tozpPl43kpBZD7lUe1Nbxoctjz+OMe32m5DDILI509nTk5RfLMRqbPGYb/cDQojHovLdYD6/0bb+1vynQMq/RfWNe04pjCXem4n7SSF/ZIz5H32VpnY3VmOkj4nGdiTAWmMnQFmq2AUZ+j/aadrpXFmthajPcbJNYQeKa6LriaNjv6+IpvTKoy9U+1X6+O6vR2yu2OxTnudnbsMfuZFGP5GPW2haWjS2HEv9jncEY/voWpcfW5kZJzcEiAtV1tLFvy76omc5irB37ZWsnynIsfjVIi0/AHUfcU+5bZvjHmHOhnz9xJH2rpXHBGmTmeTJhaw1Xw+0HruFJoy/5vnS758TvyWsBqzmMl1rrllq31HD/X3Avo1uqNYg5lRKJ04m9ZF/Xvcssh4ndT8drt2K1wLuMIMpJ/8xKRo3Q+5hAT8+5WXb14C4jwvpOV5PZXXBb89GPqTqb8H1XW6/ZzLfWelMyA5tIVeeP2d3Ay9XFUzRMsd8J77Gb666r3v8oVe+2/ve31bCb6oW6Yv33qFgvjjXrCvW6Qt1wta5QryvU6wr1ukI9xFpXqNcV6nWFel2hXleo1xXqot3rCvW6Qr2uUP99K9Qt/3/Bjsz3koMqwuFiLtvboba1JGdnfLYula3QOWKPI92/arOFP2b7RHVC48S7dB9PmNMWKRDIfHvTy5O6sPn2JlN05PDG6sKwvckWtedlD3blwDG39Rxvc1jChTw+4YTRepSNmvD+mPsqty+2k5ZzKbA+N01kOcRaN3zW7p4tDV2upu7w6fqVs350vlKkI5Uie9N
3r7XcZeY/W/u7YRuxzKQibsElr2XygeZMUEb1hk/7lOczNfZhHYt/zna9p3XXLHHRFe+Ypc7MS3t6E8nixnrFut+Xji2DKK7d2u32wlishfY6JRM7VSZn/TXjsPExySY+6juoGe+y+yuVWG8zmy+Wj4r3m3Wm02iz8yb7ONMej3CLJOyE+Uj+J3mkNBNFctYPcecj7DdqrmV9zXXbV/oUm1885M/6rqNS8JjfCxB/HpTUvD4Hc9U8Jkv/klwUz6KrfcNwz/J+R7U35NYEV0N3uFaC6E7RnmbMgP9rjR/BxeY7cHpj66S451L3+LbRrzhxbaa5IxIdZ/elkYPuVdhHqh89ymyAbxt6bBcpH/WZI+lzvBfr/16WLUpZTQymuKLY1DyuOFJZJFi4WH1xj++7TpKsWzkNeSpHrKOWTJfkbnenc4TPQ/ZGzI3U7pTm6RAL2w/uJaupozEXOjNk/r9amZcUYhBPaMHUiJ/3HrAmJ+T3GEs/AT2bLPsV5uCL+8lbprux8LcCYat41RNuvfXk0W/fRyyQx+BjDbWTVPtKJLgfiopwhJjLqApvx30PvxrSX39bmfvidzl+2T5/TNrvJw7Zyx9z/s2voxhyRm7AMWXKOSvCXZQ9Gimpr7tRM51Vt2ekGjIvLVZOG8/8T40H6n8=</OPGData><UserInfo>T1BHoQUAAAAAAAAD+gAAAG2RvU7DQBCEp+YpLPrgpEvhOEJJFLmAIBEaOis/YMk2lnNG5O35bs8JYNH4dnZnZsd3ieb6UqVSkT51UKuTCn2o1ky3muhOY86ISa0d/T3TWm827eR01EhT6rlS3SjRCpcXPLxTBvOIJoJ3VkMvQx98p/hOqFI0axSZlooNLdlwgl0qR/XIt0IZZvdk8Ck6nN1gFnSuz9cZeme6H/Cef+1ak9K7NXBDZ4vOsfvCXqHM6ZU9XsCv4OdsOV83H6zToqzsplw/eTBeTh5/Hz8OIX97dVjY1gt6BTV9veFuQpWR0fvtQGNw/KeT6Am/wl6psDTl4L/jf98m1Tc=</UserInfo><ThreatName /><PolicyName /><TimeSZone>Eastern Standard Time</TimeSZone></Event></EventList></DLPAGENT>
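Both samples above share one envelope: an RFC 5424 syslog header, an `agentInfo@…` structured-data element carrying the tenant fields, then an XML body whose root is `EPOEvent` for Endpoint Security or `DLPAGENT` for DLP Endpoint. The parser below is an added example, not Secureworks or Trellix code, and shows how to pull the fields the QL searches above rely on (host, IP, product, event ID, threat category/action) out of raw lines before they reach a collector. The two sample lines embedded in it are constructed, shortened copies of the page's samples (the DLP `OPGData` blob is replaced by a short placeholder); the `ops.`-prefix test for operational events is an assumption drawn from the `ops.update.end` category in the sample, not a documented mapping.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed, shortened copies of the page's two sample lines.
ES_SAMPLE = (
    r'Mar 21 22:47:39 192.168.3.60 1 2023-03-21T22:47:39.0Z NSAT1MCEPO EPOEvents - EventFwd '
    r'[agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] '
    r'<?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>HOSTNAME</MachineName>'
    r'<AgentGUID>{41gb1743-a17d-12eb-379b-000000000000}</AgentGUID><IPAddress>10.10.10.10</IPAddress>'
    r'<OSName>Windows 10 Workstation</OSName><UserName>USERNAME</UserName></MachineInfo>'
    r'<SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7.0.3468" ProductFamily="TVD">'
    r'<CommonFields><AnalyzerName>McAfee Endpoint Security</AnalyzerName></CommonFields>'
    r'<Event><EventID>1118</EventID><Severity>0</Severity><GMTTime>2023-03-21T22:32:40</GMTTime>'
    r'<CommonFields><ThreatName>_</ThreatName><ThreatCategory>ops.update.end</ThreatCategory>'
    r'<ThreatHandled>1</ThreatHandled><ThreatActionTaken>none</ThreatActionTaken>'
    r'<ThreatSeverity>6</ThreatSeverity></CommonFields></Event></SoftwareInfo></EPOEvent>'
)
# The DLP sample carries a relay-prepended second syslog header, as on the page.
DLP_SAMPLE = (
    r'Mar 21 22:18:29 10.200.5.94 Mar 21 22:18:29 198.210.15.151 1 2023-03-21T22:18:29.0Z GT2-AHPUB2 EPOEvents - EventFwd '
    r'[agentInfo@4512 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] '
    r'<?xml version="1.0" encoding="utf-8"?><DLPAGENT><MachineInfo><AgentGUID>{04d4d952-4cbd-22ge-32ce-040e3c4137d5}</AgentGUID>'
    r'<MachineName>HOSTNAME</MachineName><IPAddress>10.0.0.10</IPAddress><AgentVersion>5.7.7.378</AgentVersion>'
    r'<OSName>Windows 10</OSName><UserName></UserName></MachineInfo>'
    r'<EventList ProductFamily="Secure" ProductVersion="11.9.100.18" ProductName="McAfee DLP Endpoint">'
    r'<Event><EventID>19336</EventID><Severity>0</Severity><GMTTime>2023-01-17T22:17:11</GMTTime>'
    r'<OPGData>T1BHoQUAAAAAAAAD</OPGData><UserInfo>T1BHoQUAAAAAAAAD</UserInfo><ThreatName /><PolicyName />'
    r'<TimeSZone>Eastern Standard Time</TimeSZone></Event></EventList></DLPAGENT>'
)

# ISO timestamp, ePO host, the literal "EPOEvents - EventFwd", the agentInfo
# structured-data element, then the XML body. re.search (not match) lets a
# relay-prepended header pass harmlessly.
_HEADER = re.compile(
    r'(?P<iso>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<epo_host>\S+)\s+EPOEvents\s+-\s+EventFwd\s+'
    r'\[agentInfo@\d+(?P<sd>[^\]]*)\]\s+(?P<xml><\?xml.*)$', re.DOTALL)
_SD_PARAM = re.compile(r'(\w+)="([^"]*)"')


def _text(node: Optional[ET.Element], path: str) -> str:
    """Text of a child element, or "" when it is absent or self-closing."""
    if node is None:
        return ""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else ""


def parse_epo_syslog(line: str) -> Dict[str, str]:
    """Flatten one ePO EventFwd syslog line into a dict of string fields."""
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not an ePO EventFwd syslog line")
    rec = {"epo_host": m.group("epo_host"), "forwarded_at": m.group("iso")}
    rec.update(_SD_PARAM.findall(m.group("sd")))   # tenantId, bpsId, tenantGUID, ...
    root = ET.fromstring(m.group("xml").encode("utf-8"))
    mi = root.find("MachineInfo")
    rec["machine_name"] = _text(mi, "MachineName")
    rec["ip"] = _text(mi, "IPAddress")
    rec["user_name"] = _text(mi, "UserName")
    rec["agent_guid"] = _text(mi, "AgentGUID")
    if root.tag == "EPOEvent":                     # Endpoint Security payload
        sw = root.find("SoftwareInfo")
        ev = sw.find("Event")
        rec["product"] = sw.get("ProductName", "")
        for key, tag in (("threat_name", "ThreatName"), ("threat_category", "ThreatCategory"),
                         ("threat_action", "ThreatActionTaken"), ("threat_severity", "ThreatSeverity"),
                         ("threat_handled", "ThreatHandled")):
            rec[key] = _text(ev, "CommonFields/" + tag)
    elif root.tag == "DLPAGENT":                   # DLP Endpoint payload
        el = root.find("EventList")
        ev = el.find("Event")
        rec["product"] = el.get("ProductName", "")
        rec["agent_version"] = _text(mi, "AgentVersion")
        rec["threat_name"] = _text(ev, "ThreatName")
        rec["policy_name"] = _text(ev, "PolicyName")
        rec["opg_data_len"] = str(len(_text(ev, "OPGData")))  # opaque base64 blob; kept as-is
    else:
        raise ValueError("unknown ePO payload root: " + root.tag)
    rec["event_id"] = _text(ev, "EventID")
    rec["gmt_time"] = _text(ev, "GMTTime")
    rec["severity"] = _text(ev, "Severity")
    return rec


def is_operational(rec: Dict[str, str]) -> bool:
    """Assumption: 'ops.*' categories (e.g. ops.update.end) are housekeeping, not detections."""
    return rec.get("threat_category", "").startswith("ops.")


def parse_many(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch, dropping lines that are not ePO EventFwd records."""
    out = []
    for line in lines:
        try:
            out.append(parse_epo_syslog(line))
        except (ValueError, ET.ParseError):
            continue
    return out


if __name__ == "__main__":
    for rec in parse_many([ES_SAMPLE, DLP_SAMPLE, "not an epo line"]):
        print(rec["product"], rec["event_id"], rec["machine_name"], rec["ip"], is_operational(rec))
```

Feeding the parser a capture from the collector is a quick way to confirm that the events you selected under "Choose Events to be Forwarded" actually arrive with the hostname and IP fields that `computer_name` searches depend on, before waiting on the normalized schema.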