☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

McAfee ePO

The following instructions are for configuring McAfee ePolicy Orchestrator (ePO) for log ingestion into Secureworks® Taegis™ XDR.

XDR normalizes logs from the following ePO products:

McAfee Endpoint Security
McAfee DLP Endpoint

Connectivity Requirements ⫘

Source	Destination	Port/Protocol
McAfee ePO	Taegis™ XDR Collector (mgmt IP)	TCP/6514

Data Provided from Integration ⫘

	Antivirus	Auth	DHCP	DNS	Email	Encrypt	Filemod	HTTP	Management	Netflow	NIDS	Process	Thirdparty
McAfee ePO	Y	Y										D	Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the ePO Platform ⫘

Register a Syslog Server ⫘

Follow the instructions in the Trellix ePolicy Orchestrator - On-prem 5.10.0 Product Guide article Register syslog servers to configure log forwarding.

Field	Required Value
Server Type	Syslog Server
Server name	XDR Collector (mgmt IP)
TCP port number	6514
Enable event forwarding	Selected

Important

On-prem Syslog forwarding only supports the TCP protocol and requires Transport Layer Security (TLS). Follow the TLS Enabled Syslog instructions to enable TLS Syslog on the XDR Collector prior to enabling syslog forwarding from a McAfee EPO server, and see the Trellix Product Documentation for further information on creating a self-signed certificate.

Choose Events to be Forwarded ⫘

Follow the instructions in the Trellix Product Documentation to configure which events are forwarded to the XDR Collector.

Select All events to the server
Select Events from any source

Example Query Language Searches ⫘

To search for antivirus events from the last 24 hours:

FROM antivirus WHERE sensor_type = 'MCAFEE_EPO' and EARLIEST=-24h

To search for process events where the process was blocked:

FROM process WHERE sensor_type = 'MCAFEE_EPO' and was_blocked = true

To search for antivirus events associated with a specific host:

FROM antivirus WHERE sensor_type='MCAFEE_EPO' AND computer_name = 'foo'

To search for auth events where a service logs on as Administrator:

FROM auth WHERE sensor_type = 'MCAFEE_EPO' and logon_type = 'service' and target_user_name contains 'administrator'

Event Details ⫘

McAfee ePO Event Details

Sample logs ⫘

Endpoint Security:

    Mar 21 22:47:39 192.168.3.60 1 2023-03-21T22:47:39.0Z NSAT1MCEPO EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>HOSTNAME</MachineName><AgentGUID>{41gb1743-a17d-12eb-379b-000000000000}</AgentGUID><IPAddress>10.10.10.10</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>USERNAME</UserName><TimeZoneBias>360</TimeZoneBias><RawMACAddress>14b31f10c25c</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7.0.3468" ProductFamily="TVD"><CommonFields><Analyzer>ANALYZER</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.7.0.3468</AnalyzerVersion><AnalyzerHostName>ANALYZER_HOSTNAME</AnalyzerHostName><AnalyzerDATVersion></AnalyzerDATVersion><AnalyzerEngineVersion></AnalyzerEngineVersion></CommonFields><Event><EventID>1118</EventID><Severity>0</Severity><GMTTime>2023-03-21T22:32:40</GMTTime><CommonFields><AnalyzerDetectionMethod></AnalyzerDetectionMethod><ThreatName>_</ThreatName><ThreatType></ThreatType><ThreatCategory>ops.update.end</ThreatCategory><ThreatHandled>1</ThreatHandled><ThreatActionTaken>none</ThreatActionTaken><ThreatSeverity>6</ThreatSeverity></CommonFields></Event></SoftwareInfo></EPOEvent>

DLP Endpoint:

    Mar 21 22:18:29 10.200.5.94 Mar 21 22:18:29 198.210.15.151 1 2023-03-21T22:18:29.0Z GT2-AHPUB2 EPOEvents - EventFwd [agentInfo@4512 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><DLPAGENT><MachineInfo><AgentGUID>{04d4d952-4cbd-22ge-32ce-040e3c4137d5}</AgentGUID><MachineName>HOSTNAME</MachineName><RawMACAddress>0000000000000</RawMACAddress><IPAddress>10.0.0.10</IPAddress><AgentVersion>5.7.7.378</AgentVersion><OSName>Windows 10</OSName><TimeZoneBias>500</TimeZoneBias><UserName></UserName></MachineInfo><EventList ProductFamily="Secure" ProductVersion="11.9.100.18" ProductName="McAfee DLP Endpoint"><Event><EventID>19336</EventID><Severity>0</Severity><GMTTime>2023-01-17T22:17:11</GMTTime><OPGData>T1BHoQUAAAAAAAADWQsAAO1c628buRHn5/4VQb4nyt2lbQKoPth6XNzYlqBH3PtkyJZsq5ElV5ITu0X/9/5mhlw+drlL+SzcAV0YklbkkDMcDufFkZvqZ/Wo7tRCvVLf1Eyt1UbN1Uot1d/Ua/WDeqve4fMVepbqCu1T9C7VDfc+qK26Vm/UBzz/rA7Un1RTHakJZpipNj63ePUx4wpPM4ze6pkHGLlAS4cxLtH+Cq8ndY9vx8AgmD/i9R5PB5jVQo403CumXB7x20j/A8Ur+Ckg6eTtUh3vugocctA/Qd43OI1iF/DvG9h3FDxv0eVPwAChoFNPiU/QJKVuoSdCwwQxu9/wHv/L83iU/h338DCvK4mljNCt/m4PMTc/Hl8ecx+FgHoO4b74rs8wFGhuPyMP4cZh8b3HMISZMVf/Fk84B35S1k5C0+iUL6/MDY4mNkt+agXKR5pk7Qc8WSKjAkrTPI9BxnQigYY7dbeM2ZKsL7F/VX9RMwf8T7B7xEOkK4Jr7RjMtM8gkzSfmQz8W2QoZbLINnoLjFEvoFL5JiktIR1jhiae6pLv5O0EeQrzOOV+M23L3hFd/oVhr3wLw70OsqhyniKK1oq7lHu30P+DVTQXpD9MEUM1zxuY9zYIC5+1ihnNAzyLw5t21wu8Xnug18fXx2Ge5CnTNkG9/O9fmVVVTRIdy4ZzrmoEHW8gkQtJZlIJMh3DFmk74h82bNrYLhkc+K6W+jfaNp8KUuhOygfco0z5nXbo/RAgOejXRpXIP+qDWo0bkbPUuLOb7h03HNZ8/Ss8kwPfJK7nM9hHniaPQ89p/4XL7WHLOQKfqbdv0Co0Ty6Rxc4NULZLxoVsJ2xvYmvyrD1Qn0JnFims0UtpbN8dI6tYzaNsuS2yb05tub4NMGto0k8oGtgoHNt1dh/TsgN4W9+7FqVfhobXTOjJbZ7rSTpPFWrL+6mGHBMiKwRT2+xiK8omFaWvpX3gxpsLILxSu4wtgn53x9Rv/TXjyHOK4ySnxr3MaKTwMvYB8SEcPTxDmfQHfvB6s7t9XUZ/jcqu+8y18hM7eAWut9HaO3lenTNcuc7O+cz9pmD1TG8Ajfqmku2ut0ndzhFQ/Ym7a62XrXXfT1HR1dhs21SvvZUX922iPRNCus6hNbsKn2EBtZ/x2PmWivaZbNMeToZ+2c/lRooylceymaaaYjLvHNqrk/1DHNIPMFydsh3+e1o9X8WcW/XjNe2/YefsFHvH9kb5ae/6w99RCSuGL8nIXWq67lJc12jafQzr+sfa+mQzi8qcTdwiiS4Q509Qne2zlKyO88BB/lWw+a0PWrU2k4SIB3eWe1z5BPr/E1H1hey7y1cMwp913h1BM+I5HnvKO3WM8S358ARWPn2gaa9T1vrD3HhtOkc1bQQOJr0zpjHkcjqpW6+sSsnBMa2lGX3o3m44pjnEXQRzrxOyDe6IigCo60O63xX1jZLIfnnY754hCx8eR1rDVfrC8t2mKqfTW7A5becqgiHyNPUYstKmkt68m78thmKZqwN+R6+nfo/caYrC0x/Y1IPGLGmu9lEmylxkpx6tjYGNfnfc74lJPnjm0Xapw/it/UZ6pvC08b7auxyY1MF605i7JlS3bLMjAp1auUkxggRu9wXD4E3z7hWbJtecmkjILVqjF8frRdFKEW9xq6DNQ5n7cpa6QR662FszfiM5XjKYcK8RnoMrwdXiGdNDnZc8w71/zZFGrylBEWRqIQOc20jkM8b1mj3jKtMsr6abuOc3ENcVYu1T+VZJvSMgtm7BFnYZ52HFVE1fPwpuqJ/Ay+B7nb2CHTLGOLMjeUYTTZkzb7q7IfjVzLmLPt6wQt1Ijgj1Pmj7cwZDuLZDA8B65UtXYccfSMMbveEpB2OoYXGLsraOO9C5gxYEZeVBPHaHIx7mk9BVf9exA3Z5EKHc47xPsN53hjc/kQ4fi8FSiepQgunKsPzd9PnjEOLf6bhXQlPfR6TMx2tRP8Eb7vNqKMomoaUrA2CjjqQoxAj/hct2zbp1k8eVvC5d1mkHWeRqCtpS6DEU5UzVEOY3hVNUsVVHE0X03bLmOKcRzzmZPoP20tv3UWN+oxucyNd09jd68Myp3H+AGi3UiT/BvPn0FLfrYy2GbEgxCZt3S4o/J3KXT7YTMcYbv1uFw4v01uGdcON+x3ycWsdd7Et3o24vHbJVagHZDIyPew+zrG2/KMxjZsCnvz815zu7XqEqOJjzIGxIlzh0O8mCbZuxbG9TC+nd2jjbLbxTCPd4SWf3h5jxCTj188wGstkZZyNxYpgzac8TOXKas644jjnO//Pies7JizPz2cJrlTtGssxu3HwOZuIYWyAXsYPXgWh+DnCWOvoi4/xtIXp6KYRvIF18qtu3gZatt4GgRtPb7/PuJPun8tozpPl43kpBZD7lUe1Nbxoctjz+OMe32m5DDILI509nTk5RfLMRqbPGYb/cDQojHovLdYD6/0bb+1vynQMq/RfWNe04pjCXem4n7SSF/ZIz5H32VpnY3VmOkj4nGdiTAWmMnQFmq2AUZ+j/aadrpXFmthajPcbJNYQeKa6LriaNjv6+IpvTKoy9U+1X6+O6vR2yu2OxTnudnbsMfuZFGP5GPW2haWjS2HEv9jncEY/voWpcfW5kZJzcEiAtV1tLFvy76omc5irB37ZWsnynIsfjVIi0/AHUfcU+5bZvjHmHOhnz9xJH2rpXHBGmTmeTJhaw1Xw+0HruFJoy/5vnS758TvyWsBqzmMl1rrllq31HD/X3Avo1uqNYg5lRKJ04m9ZF/Xvcssh4ndT8drt2K1wLuMIMpJ/8xKRo3Q+5hAT8+5WXb14C4jwvpOV5PZXXBb89GPqTqb8H1XW6/ZzLfWelMyA5tIVeeP2d3Ay9XFUzRMsd8J77Gb666r3v8oVe+2/ve31bCb6oW6Yv33qFgvjjXrCvW6Qt1wta5QryvU6wr1ukI9xFpXqNcV6nWFel2hXleo1xXqot3rCvW6Qr2uUP99K9Qt/3/Bjsz3koMqwuFiLtvboba1JGdnfLYula3QOWKPI92/arOFP2b7RHVC48S7dB9PmNMWKRDIfHvTy5O6sPn2JlN05PDG6sKwvckWtedlD3blwDG39Rxvc1jChTw+4YTRepSNmvD+mPsqty+2k5ZzKbA+N01kOcRaN3zW7p4tDV2upu7w6fqVs350vlKkI5Uie9N3r7XcZeY/W/u7YRuxzKQibsElr2XygeZMUEb1hk/7lOczNfZhHYt/zna9p3XXLHHRFe+Ypc7MS3t6E8nixnrFut+Xji2DKK7d2u32wlishfY6JRM7VSZn/TXjsPExySY+6juoGe+y+yuVWG8zmy+Wj4r3m3Wm02iz8yb7ONMej3CLJOyE+Uj+J3mkNBNFctYPcecj7DdqrmV9zXXbV/oUm1885M/6rqNS8JjfCxB/HpTUvD4Hc9U8Jkv/klwUz6KrfcNwz/J+R7U35NYEV0N3uFaC6E7RnmbMgP9rjR/BxeY7cHpj66S451L3+LbRrzhxbaa5IxIdZ/elkYPuVdhHqh89ymyAbxt6bBcpH/WZI+lzvBfr/16WLUpZTQymuKLY1DyuOFJZJFi4WH1xj++7TpKsWzkNeSpHrKOWTJfkbnenc4TPQ/ZGzI3U7pTm6RAL2w/uJaupozEXOjNk/r9amZcUYhBPaMHUiJ/3HrAmJ+T3GEs/AT2bLPsV5uCL+8lbprux8LcCYat41RNuvfXk0W/fRyyQx+BjDbWTVPtKJLgfiopwhJjLqApvx30PvxrSX39bmfvidzl+2T5/TNrvJw7Zyx9z/s2voxhyRm7AMWXKOSvCXZQ9Gimpr7tRM51Vt2ekGjIvLVZOG8/8T40H6n8=</OPGData><UserInfo>T1BHoQUAAAAAAAAD+gAAAG2RvU7DQBCEp+YpLPrgpEvhOEJJFLmAIBEaOis/YMk2lnNG5O35bs8JYNH4dnZnZsd3ieb6UqVSkT51UKuTCn2o1ky3muhOY86ISa0d/T3TWm827eR01EhT6rlS3SjRCpcXPLxTBvOIJoJ3VkMvQx98p/hOqFI0axSZlooNLdlwgl0qR/XIt0IZZvdk8Ck6nN1gFnSuz9cZeme6H/Cef+1ak9K7NXBDZ4vOsfvCXqHM6ZU9XsCv4OdsOV83H6zToqzsplw/eTBeTh5/Hz8OIX97dVjY1gt6BTV9veFuQpWR0fvtQGNw/KeT6Am/wl6psDTl4L/jf98m1Tc=</UserInfo><ThreatName /><PolicyName /><TimeSZone>Eastern Standard Time</TimeSZone></Event></EventList></DLPAGENT>