Splunk Search

Queries Template for McAfee ePO

raphaalmeida
New Member

Hello everyone,

We just integrated Splunk with McAfee ePO via DB Connect.

We're trying to get some information from ePO, but the default queries on it are just about antivirus.

Is there any query template that I can use to get information from ePO?

Thanks

0 Karma

shivanshu1593
Builder

Well, unless you want to ingest something very specific from a table in ePO's database, I'd suggest going with this. Easy integration, and it will get you all the required threat logs into Splunk in a hassle-free manner.

https://splunkbase.splunk.com/app/1819/#/details
Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

raphaalmeida
New Member

Hello @shivanshu1593

Our Splunk Analyst already installed DB connect.

I'm trying to figure out if McAfee needs to provide the queries for us, or whether our Splunk Analyst needs to know what he wants and know the queries.

0 Karma

PavelP
Motivator

Hello @raphaalmeida

The default query gets all relevant fields, which are populated by other components, not just antivirus. Are other events present in the DB already? Which events are stored in the DB can be configured in ePO > Configuration > Server Settings > Event Filtering under Setting Categories; click Edit.

0 Karma

raphaalmeida
New Member

Hey @PavelP

Thanks for your explanation. I'm really new to this and still understanding how everything works.

I'll tell our Splunk analyst to try to follow that document and keep in touch.

Thanks.

0 Karma

raphaalmeida
New Member

Hello @PavelP

Thanks for your response.

There are some events selected on that tab you mentioned; also, I've selected to store both on ePO and SIEM (is this SIEM McAfee SIEM or any SIEM?).

For Splunk, I'm doing this: In ePO, I'm going to query&reports > selecting a query checkbox > Actions button > View SQL.

I'm sending that SQL query to Splunk. Is this correct?

thanks for your help.

0 Karma

PavelP
Motivator

@raphaalmeida

store in ePO - store in the SQL DB

store in SIEM - send to SIEM via syslog over TLS

The SQL expression you got via query&reports is an ePO way to build an ePO report; I'm not sure you are on the right track this way.

You can start by following the documentation step by step: https://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureDBConnectv3inputs

and tune it later when you get it working.

0 Karma
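For readers following this thread, here is an added example (not from the original posts, and not the Splunk add-on's own input query) of what a DB Connect v3 "rising column" input against the ePO database looks like, plus a quick check that answers PavelP's question of whether non-antivirus events are already present. It assumes the standard ePO schema (the EPOEvents and EPOLeafNode tables and the column names shown); verify them against your own ePO version before use. The `?` placeholder is DB Connect's rising-column checkpoint, which it replaces with the last AutoID it ingested.

```sql
-- 1) Check which products/event types are actually landing in the ePO DB.
--    If only the antivirus analyzer shows up here, the missing events are
--    being filtered at ePO > Server Settings > Event Filtering, not by Splunk.
--    (Assumed standard ePO table/column names; verify for your version.)
SELECT
    e.AnalyzerName,          -- product that raised the event (VSE/ENS, HIPS, DLP, ...)
    e.ThreatEventID,         -- numeric ePO event ID
    COUNT(*) AS EventCount,
    MIN(e.ReceivedUTC) AS FirstSeen,
    MAX(e.ReceivedUTC) AS LastSeen
FROM EPOEvents e
GROUP BY e.AnalyzerName, e.ThreatEventID
ORDER BY e.AnalyzerName, EventCount DESC;

-- 2) DB Connect v3 rising-column input SQL over EPOEvents.
--    Rising column: AutoID (monotonic, never reused). Each run returns only rows
--    newer than the checkpoint, so nothing is re-ingested or skipped.
SELECT
    e.AutoID,
    e.ReceivedUTC,
    e.DetectedUTC,
    e.ThreatEventID,
    e.ThreatCategory,
    e.ThreatName,
    e.ThreatType,
    e.ThreatSeverity,
    e.ThreatActionTaken,
    e.ThreatHandled,
    e.AnalyzerName,
    e.AnalyzerVersion,
    e.AnalyzerDetectionMethod,
    e.SourceHostName,
    e.SourceIPV4,            -- ePO stores IPv4 as a signed integer, not dotted quad;
    e.SourceUserName,        -- convert in Splunk (the add-on does this) before alerting on it
    e.SourceProcessName,
    e.SourceURL,
    e.TargetHostName,
    e.TargetIPV4,
    e.TargetUserName,
    e.TargetProcessName,
    e.TargetFileName,
    n.NodeName AS AgentNodeName   -- managed system name from the ePO system tree
FROM EPOEvents e
LEFT JOIN EPOLeafNode n ON n.AgentGUID = e.AgentGUID
WHERE e.AutoID > ?            -- DB Connect substitutes the checkpointed AutoID here
ORDER BY e.AutoID ASC;
```

Run query 1 once in SQL Server Management Studio (or through DB Connect's SQL explorer) before building the input: it tells you whether the gap is in ePO's event filtering or in the Splunk query. Query 2 goes in the DB Connect input with `AutoID` as the rising column and `ReceivedUTC` as the timestamp column; keep `ORDER BY AutoID ASC`, since DB Connect records the last value of the final row returned as the new checkpoint.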