Hello everyone,
We just integrated Splunk with McAfee ePO via DB Connect.
We're trying to get some information from ePO, but the default queries in it are just about antivirus.
Is there any query template that I can use to get information from ePO?
Thanks
Well, unless you want to ingest something very specific from a table in ePO's database, I'd suggest going with this. Easy integration, and it will get you all the required threat logs into Splunk in a hassle-free manner.
https://splunkbase.splunk.com/app/1819/#/details
Hello @shivanshu1593
Our Splunk Analyst already installed DB connect.
I'm trying to figure out if McAfee needs to provide the queries for us, or if our Splunk Analyst needs to know what he wants and know the queries.
Hello @raphaalmeida
The default query gets all relevant fields, which are populated by other components, not just antivirus. Are other events present in the DB already? Which events are stored in the DB can be configured in ePO > Configuration > Server Settings > Event Filtering under Setting Categories; click Edit.
Hey @PavelP
Thanks for your explanation. I'm really new to this and still understanding how everything works.
I'll tell our Splunk analyst to try to follow that document and keep you posted.
Thanks.
Hello @PavelP
Thanks for your response.
There are some events selected on that tab you mentioned; also, I've selected to store both in ePO and SIEM (is this SIEM McAfee SIEM or any SIEM?).
For Splunk, I'm doing this: In ePO, I'm going under query&reports > selecting a query checkbox > Actions button > View SQL.
I'm sending that SQL query to Splunk. Is this correct?
Thanks for your help.
@raphaalmeida
store in ePO - store in the SQL DB
store in SIEM - send to SIEM via syslog over TLS
The SQL expression you got via query&reports is an ePO way to build an ePO report; I'm not sure you are on the right track this way.
You can start with following the documentation step by step: https://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureDBConnectv3inputs
and tune it later when you get it to work.
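An added illustration of the distinction PavelP draws above (not from the original thread, and not Splunk's or McAfee's own code): the SQL copied from Queries & Reports is a one-shot report snapshot, whereas a DB Connect v3 rising-column input needs a monotonically increasing checkpoint column so that each scheduled run only fetches rows that arrived since the last run. The table and column names (EPOEvents, EPOLeafNode, AutoID, AgentGUID and the rest) are assumed to match a typical ePO 5.x schema and must be verified against your own database before use.

```sql
-- Rising-column input for Splunk DB Connect v3 against the ePO database.
-- Assumed ePO 5.x table/column names: verify them in your own DB first.
-- DB Connect substitutes the single "?" with the last checkpoint value it
-- stored, so AutoID must be configured as the rising column and the query
-- must be ordered ascending on that same column.
SELECT
    ev.AutoID,                        -- identity column, used as the checkpoint
    ev.ReceivedUTC,                   -- configure this as the input's timestamp column
    ev.DetectedUTC,
    ev.ThreatEventID,
    ev.ThreatName,
    ev.ThreatType,
    ev.ThreatSeverity,
    ev.ThreatActionTaken,
    ev.SourceIPV4,
    ev.TargetIPV4,
    ev.TargetHostName,
    ev.TargetUserName,
    node.NodeName AS AgentHostName    -- managed-system name from the system tree
FROM dbo.EPOEvents AS ev
LEFT JOIN dbo.EPOLeafNode AS node
       ON node.AgentGUID = ev.AgentGUID
WHERE ev.AutoID > ?                   -- only rows newer than the stored checkpoint
ORDER BY ev.AutoID ASC;
```

Whatever the query selects, it can only return events that the Event Filtering setting mentioned earlier allows ePO to write to the SQL DB; events filtered out server-side never reach this table, and the "store in SIEM" syslog-over-TLS path is independent of it.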