Splunk Enterprise Security

McAfee DLP logs into Splunk.

agcorreia_asml
Engager

Hi guys,
Has anyone successfully got the DLP incident logs from ePO to McAfee? I'm using DB Connect with the ePO app and I'm having a bad time trying to get it. Any idea, or has anyone already made it?

Thanks in advance,
Alex

ncarey
Engager

The way I found to do it was to use the query interface to generate the set of info we wanted (based off the Data In Motion table) and then convert that into SQL, which we pasted into DBConnect. It then took a bit of time to sanitise it as the SQL format isn't well handled by the Java SQL engine used by DB Connect. The end result which you can use, and uses aliases a lot to avoid syntax errors, was:
-- Incident header plus the related user, computer, device, evidence, web and e-mail rows.
-- Aliases (T1..T10) keep the column list short and avoid name clashes between tables.
SELECT DISTINCT T1.IncidentId AS IncID,
    T1.IncidentType AS IncType,
    T1.ViolationLocalTime AS Time,
    T1.ViolationTimezone AS TimeZone,
    T1.Severity AS Severity,
    T1.SourceApplicationTemplates AS SourceApp,
    T1.ActualAction AS Action,
    T8.Name AS Workstation_Name,
    T9.PolicyName AS Policy_Name,
    T1.RulesToDisplay AS Rules,
    T1.RuleSetToDisplay AS RuleSet,
    T3.USBSerialNumber AS USB_Serial,
    T7.Username_NTLM AS username,
    T1.destination AS destination,
    T4.ApplicationFileName AS ApplicationFilename,
    T1.DlpAgentVersion AS Agent_Ver,
    T1.ClassificationsToDisplay AS Classifications,
    T2.FileExt AS File_Ext,
    T2.FileName AS Filename,
    T2.FileType AS FileType,
    T1.TotalContentSize AS Size,
    T5.DestinationURL AS Dest_URL,
    T6.Recipients AS Email_Recp,
    T3.DeviceDescription AS Device_Desc,
    T3.VolumeLabel AS VolumeLabel,
    T3.VolumeSerialNumber AS Vol_Serial,
    T3.DeviceClassName AS Device_Class,
    T7.PrimaryUserAccountID AS Acc_ID,
    T10.copyDirection AS Direction
FROM UDLP_Incidents AS T1
-- LEFT JOINs keep incidents that have no matching row in a side table (e.g. a web post has no device row)
LEFT JOIN UDLP_IncidentEmail AS T6
    ON T1.IncidentId = T6.IncidentId
LEFT JOIN UDLP_EventUsers AS T7
    ON T1.UserId = T7.UserId
LEFT JOIN UDLP_IncidentWebPost AS T5
    ON T1.IncidentId = T5.IncidentId
LEFT JOIN UDLP_EventPolicyInfo AS T9
    ON T1.PolicyInfoId = T9.PolicyInfoId
LEFT JOIN UDLP_IncidentDevice AS T3
    ON T1.IncidentId = T3.IncidentId
LEFT JOIN UDLP_IncidentRuleEvidencesQueriesView AS T2
    ON T1.IncidentId = T2.IncidentId
LEFT JOIN UDLP_EventComputers AS T8
    ON T1.ComputerID = T8.ID
LEFT JOIN UDLP_IncidentApplications AS T4
    ON T1.SourceApplicationId = T4.ApplicationId
LEFT JOIN UDLP_Incidents_Archive AS T10
    ON T1.IncidentId = T10.IncidentId
-- ? is the rising-column placeholder that DB Connect fills with the last IncidentId it indexed
WHERE T1.IncidentId > ?
ORDER BY T1.IncidentId ASC

Again, bear in mind I'd go through the query interface if I was you, as your mileage with populated data, or schema may vary, and the table structure in ePO is simply terrible. And, I never could find an incident ID I could use to correlate this with the standard ePO query from the Splunk generated TA, and we needed to modify the ePO query itself to properly display the signature version, as not all fields properly populate for us.
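As an added example (not part of ncarey's answer), the join shape and the rising-column placeholder above, exercised offline against a constructed sqlite stand-in for a handful of the UDLP tables; table and column names are assumed to match the query, and the sample rows are made up. It also shows the fan-out a practitioner should expect: one incident with several evidence files becomes several rows, so DISTINCT does not give one row per incident.

```python
import sqlite3

# Constructed, reduced stand-in for the ePO UDLP tables (assumption: the real schema has many more columns)
SCHEMA = """
CREATE TABLE UDLP_Incidents (IncidentId INT, IncidentType TEXT, Severity INT, UserId INT, ComputerID INT);
CREATE TABLE UDLP_EventUsers (UserId INT, Username_NTLM TEXT);
CREATE TABLE UDLP_EventComputers (ID INT, Name TEXT);
CREATE TABLE UDLP_IncidentDevice (IncidentId INT, USBSerialNumber TEXT);
CREATE TABLE UDLP_IncidentRuleEvidencesQueriesView (IncidentId INT, FileName TEXT);
"""
# Constructed sample rows: incident 2 carries two evidence files, incident 3 (web post) has no device row
ROWS = [
    ("INSERT INTO UDLP_Incidents VALUES (?,?,?,?,?)",
     [(1, "Device", 3, 10, 100), (2, "Device", 4, 10, 100), (3, "Web", 2, 11, 101)]),
    ("INSERT INTO UDLP_EventUsers VALUES (?,?)", [(10, "CORP\\alice"), (11, "CORP\\bob")]),
    ("INSERT INTO UDLP_EventComputers VALUES (?,?)", [(100, "WS-0001"), (101, "WS-0002")]),
    ("INSERT INTO UDLP_IncidentDevice VALUES (?,?)", [(1, "USB-AAA"), (2, "USB-BBB")]),
    ("INSERT INTO UDLP_IncidentRuleEvidencesQueriesView VALUES (?,?)",
     [(1, "q1.xlsx"), (2, "a.docx"), (2, "b.pdf"), (3, "upload.zip")]),
]
# Subset of the query in the answer above; the ? is the rising-column placeholder DB Connect fills in
QUERY = """
SELECT DISTINCT T1.IncidentId AS IncID, T1.IncidentType AS IncType, T7.Username_NTLM AS username,
       T8.Name AS Workstation_Name, T3.USBSerialNumber AS USB_Serial, T2.FileName AS Filename
FROM UDLP_Incidents AS T1
LEFT JOIN UDLP_EventUsers AS T7 ON T1.UserId = T7.UserId
LEFT JOIN UDLP_EventComputers AS T8 ON T1.ComputerID = T8.ID
LEFT JOIN UDLP_IncidentDevice AS T3 ON T1.IncidentId = T3.IncidentId
LEFT JOIN UDLP_IncidentRuleEvidencesQueriesView AS T2 ON T1.IncidentId = T2.IncidentId
WHERE T1.IncidentId > ?
ORDER BY T1.IncidentId ASC
"""

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for sql, rows in ROWS:
        con.executemany(sql, rows)
    return con

def pull(con, checkpoint):
    """One rising-column run: rows with IncidentId above the checkpoint, plus the new checkpoint."""
    rows = con.execute(QUERY, (checkpoint,)).fetchall()
    new_checkpoint = max((r[0] for r in rows), default=checkpoint)
    return rows, new_checkpoint

def incident_count(rows):
    """Distinct incidents in a batch; differs from len(rows) when evidence joins fan out."""
    return len({r[0] for r in rows})
```

Run pull() with the last checkpoint you indexed to see exactly what DB Connect would hand to Splunk on the next interval.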

adonio
Ultra Champion

@agcorreia
I converted @ncarey's comment to an answer; kindly review and let us know if it works for you.
If it does, please accept the answer. Otherwise, please provide more information.


xpac
SplunkTrust

Hint: Responses might be much more helpful if you'd give more details, e.g. what "having bad time" exactly means. Like, error messages, expected vs. observed behavior, etc.


agcorreia
Explorer

I have integrated the McAfee Splunk app to get event logs from the McAfee DB into Splunk. I'm able to get all threat events into Splunk, but I'm not able to get the DLP incident details into Splunk. Has anyone had success getting the DLP incidents into Splunk?

My current script has information from the view "EPOEvents". This one has all the threat-related information and details that I already see now in Splunk. This view is directly pulling from a table without any filters.

The view [EPOProdPropsView_THREATPREVENTION] has all product-related information, i.e. component version and other data, but not the actual information I'm looking for. Similar to this view, I can see another view already existing for DLP, named [EPOProdPropsView_UDLP], but it has product-related information which I do not need. What I need is DLP incident-related metadata including evidence info. Any help would be welcome.


dfronck
Communicator

The Add-on only supports IDS, malware and inventory. You'll probably have to build out your own query.

Probably start here and do a bunch of joins to fill in the data.
| dbquery "McAfee_ePO_5" "SELECT * FROM UDLP_Incidents" limit=1000
