I have integrated the McAfee Splunk app to get event logs from the McAfee DB into Splunk. I'm able to get all threat events into Splunk, but I'm not able to get the DLP incident details into Splunk. Has anyone had success getting the DLP incidents into Splunk?
My current script pulls information from the view "EPOEvents". This one has all the threat-related information and details that I already see now in Splunk. This view is directly pulling from a table without any filters.
The view [EPOProdPropsView_THREATPREVENTION] has all product-related information, i.e. component version and other data, but not the actual information I'm looking for. Similar to this view, I can see another view already existing for DLP, named [EPOProdPropsView_UDLP], but it has product-related information which I do not need. What I need is DLP incident-related metadata including evidence info. Any help would be welcome.