McAfee has modified the db schema in its latest release of EPO. There's a new table called EPExtendedEventMT and the syntax for the changes to your SQL statement in DB Connect needs to be as follows:
[EPExtendedEventMT].[field_to_be_retrieved] as [desired_field_name_in_Splunk]
We expect these changes to be supported in a future release of our TA. For now, follow the steps below.
In order to capture the process name, which has now been moved to a new table in the latest version, the query needs to be modified as follows.
Replace
[EPOEvents].[SourceProcessName] as [process]
With
[EPExtendedEventMT].[TargetName] as [process]
After FROM [EPOEvents]
Add
left join [EPExtendedEventMT] on
[EPOEvents].[AutoID] = [EPExtendedEventMT].[EventAutoID]
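Putting the three edits above together, here is what a complete DB Connect input query looks like before and after the change, followed by two sanity checks to run once against the ePO database. This is an added example, not the TA's own query or text from the original post; apart from AutoID, SourceProcessName, EventAutoID and TargetName, which the post names, the column names (ReceivedUTC, ThreatName) are assumptions and should be checked against your ePO database.

```sql
-- Added example (not from the original post or the Splunk TA): a complete
-- DB Connect input query for the new ePO schema. Column names other than
-- AutoID, SourceProcessName, EventAutoID and TargetName are assumptions;
-- verify them against your ePO database before use.

-- Old query, for comparison (process name still in EPOEvents):
SELECT
    [EPOEvents].[AutoID]            AS [event_id],
    [EPOEvents].[ReceivedUTC]       AS [received_utc],   -- assumed column
    [EPOEvents].[ThreatName]        AS [signature],      -- assumed column
    [EPOEvents].[SourceProcessName] AS [process]
FROM [EPOEvents]
WHERE [EPOEvents].[AutoID] > ?      -- DB Connect rising-column placeholder
ORDER BY [EPOEvents].[AutoID] ASC;

-- New query: the process name now comes from EPExtendedEventMT. A LEFT JOIN
-- is used so that events with no extended record are still collected
-- (their process field will simply be NULL/empty in Splunk).
SELECT
    [EPOEvents].[AutoID]             AS [event_id],
    [EPOEvents].[ReceivedUTC]        AS [received_utc],  -- assumed column
    [EPOEvents].[ThreatName]         AS [signature],     -- assumed column
    [EPExtendedEventMT].[TargetName] AS [process]
FROM [EPOEvents]
LEFT JOIN [EPExtendedEventMT]
    ON [EPOEvents].[AutoID] = [EPExtendedEventMT].[EventAutoID]
WHERE [EPOEvents].[AutoID] > ?      -- DB Connect rising-column placeholder
ORDER BY [EPOEvents].[AutoID] ASC;

-- Sanity check 1: how many events have no extended record at all?
-- These rows will arrive in Splunk with an empty process field.
SELECT COUNT(*) AS [events_without_process]
FROM [EPOEvents]
LEFT JOIN [EPExtendedEventMT]
    ON [EPOEvents].[AutoID] = [EPExtendedEventMT].[EventAutoID]
WHERE [EPExtendedEventMT].[EventAutoID] IS NULL;

-- Sanity check 2: does any event have more than one extended row?
-- If so, the join above duplicates that event in Splunk and the join
-- needs a tighter key than EventAutoID alone.
SELECT [EventAutoID], COUNT(*) AS [rows_per_event]
FROM [EPExtendedEventMT]
GROUP BY [EventAutoID]
HAVING COUNT(*) > 1;
```

Keep the rising column on [EPOEvents].[AutoID] and the ORDER BY on the same column so DB Connect's checkpoint still advances correctly after the join is added; if sanity check 2 returns any rows, expect duplicate events in Splunk until the join condition is narrowed.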