
Splunk Add-on for McAfee: How to add McAfee ePO HIPS descriptions to searches?

reswob4
Builder

So I noticed that the lookup tables that come with this do NOT include the descriptions of the HIPS events. Below are the steps we took to fix.

1 Solution

reswob4
Builder

Here are the steps we took to rectify this.

First, we followed the instructions here: McAfee KB55119

to dump the SignatureID, CVECode, SignatureName, and SignatureDesc from the DB to a file. To modify the export into a csv, we did the following (I'm sure there are other ways, but...):

below, the regex search is supposed to be slash s slash s slash s plus and it is replaced by a pipe symbol

using regex, find \s\s\s+ and replace with |

open in Excel with | as the delimiter
save as a csv

Note, you may have to add a line for signatureID 1157 USB Storage Device Inserted which is missing. Also, there are a bunch that have (literally) NULL for either CVECode, SignatureName and/or SignatureDesc.

After changing the name of the first column to signature instead of SignatureID, we then created a new lookup.

We uploaded the file to /etc/apps/Splunk_TA_mcafee/lookups/mcafee_signatureid_desc.csv

then in /etc/apps/Splunk_TA_mcafee/ we modified transforms.conf:

[epo_signatureid_desc_lookup]
disabled = 0
filename = mcafee_signatureid_desc.csv

Then in props.conf:

[mcafee:epo]
LOOKUP-eventinfo_for_mcafee_epo=epo_signatureid_desc_lookup signature OUTPUT CVECode,SignatureName,SignatureDesc

Then we restarted splunkd. And now searches like:

sourcetype="mcafee:epo" Product="McAfee Host Intrusion Prevention" | stats count by SignatureName

work very nicely with names rather than numbers.

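The export-to-CSV conversion described above, as an added Python example that is not from the original post or from the add-on: it splits the KB55119 dump on the same \s\s\s+ pattern, renames the first column to signature, appends the missing 1157 row, and writes the lookup CSV. The sample export lines and the 1157 description are constructed placeholders, and blanking literal NULL values is an assumption so the lookup does not emit the string "NULL" as a field value.

```python
import csv
import io
import re

# Constructed stand-in for the KB55119 export: columns separated by runs of
# three or more spaces, one signature per line. Not a real McAfee dump.
SAMPLE_EXPORT = "\n".join([
    "SignatureID   CVECode   SignatureName   SignatureDesc",
    "1001   NULL   Sample HIPS signature one   Constructed description one",
    "1002   CVE-0000-0000   Sample HIPS signature two   NULL",
])

FIELD_SPLIT = re.compile(r"\s\s\s+")  # the \s\s\s+ search from the post
HEADER = ["signature", "CVECode", "SignatureName", "SignatureDesc"]

# Signature 1157 is absent from the export; description text is a placeholder.
MISSING_ROWS = {
    "1157": ["1157", "", "USB Storage Device Inserted",
             "PLACEHOLDER: description not present in export"],
}


def parse_export(text):
    """Return data rows as [signature, CVECode, SignatureName, SignatureDesc]."""
    rows, header_seen = [], False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = FIELD_SPLIT.split(line)
        if not header_seen and parts[0] == "SignatureID":
            header_seen = True  # drop the export header; we write our own
            continue
        if len(parts) != 4:  # a description with 3+ inner spaces would trip this
            raise ValueError(f"line {lineno}: expected 4 columns, got {len(parts)}")
        rows.append(["" if p == "NULL" else p for p in parts])  # assumption: blank NULL
    return rows


def build_lookup_rows(text):
    """Parse the export, add any known missing signatures, sort by signature id."""
    rows = parse_export(text)
    present = {r[0] for r in rows}
    rows.extend(row for sig, row in MISSING_ROWS.items() if sig not in present)
    rows.sort(key=lambda r: int(r[0]))
    return rows


def to_csv(rows):
    """Render rows as the mcafee_signatureid_desc.csv lookup text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()
```

Write the output of to_csv(build_lookup_rows(open("export.txt").read())) to the lookups directory path named in the post and the transforms.conf/props.conf stanzas above pick it up unchanged.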


ppablo
Retired

Hi @reswob4

Thanks for sharing this information on Answers. Would you actually be able to post the solution with the steps above as an answer below and accept it? That way, this post will actually show as answered and resolved.
