topic Re: Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk? in All Apps and Add-ons

Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk?

reswob4 — Tue, 12 Jul 2016 12:23:05 GMT

The title says it all. It does not appear that RSD alerts are in the search query. Can they be added?

We have ePO 4.6, Splunk Add-on for McAfee version 2.1.3, DB Connect version 1, Splunk 6.4 and running on Linux.

Thanks.

Re: Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk?

reswob4 — Mon, 30 Jan 2017 19:06:48 GMT

Turns out the Splunk query in the McAfee add-on does not request this data. I am using the connector from another product to get this information along with the AV, HIPS, and DLP alerts.

Re: Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk?

mbudzeni — Wed, 04 Jul 2018 10:18:45 GMT

| dbxquery query="SELECT * FROM RSDManagedSystemsForSubnet" connection="mcafee_epo" shortnames=t wrap=t
| where HasSensor="1"
| fields IPAddress
| table IPAddress

Re: Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk?

reswob4 — Thu, 19 Jul 2018 13:13:07 GMT

OK, we (the Sec Engineering team) got a good config. We set up a SECOND query in the McAfee Add-On for McAfee app just for the rogues. Using DB Connect v3, this is the SQL query we set up:

SELECT [ePO_Server].[dbo].[RSDDetectedSystems].[DeviceType] as [devicetype],
[ePO_Server].[dbo].[RSDDetectedSystems].[DnsName] as [fqdn],
[dvc_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),4,1))) ),
[ePO_Server].[dbo].[RSDDetectedSystems].[LastDetectedTime] as [LastDetectedTime],
[ePO_Server].[dbo].[RSDDetectedSystems].[MAC] as [mac],
[ePO_Server].[dbo].[RSDDetectedSystems].[Managed] as [managed],
[ePO_Server].[dbo].[RSDDetectedSystems].[OSPlatform] as [os], 
[ePO_Server].[dbo].[RSDDetectedSystems].[LastReportingSensor] as [LastReportingSensor],
[ePO_Server].[dbo].[RSDDetectedSystems].[DetectedSourceName] as [product],
[ePO_Server].[dbo].[RSDDetectedSystems].[OSVersion] as [os_version],
[ePO_Server].[dbo].[RSDDetectedSystems].[LastAgentCommunication] as [LastAgentCommunication],
[ePO_Server].[dbo].[RSDDetectedSystems].[HostID] as [HostID]
FROM "ePO_Server"."dbo"."RSDDetectedSystems" 
WHERE [ePO_Server].[dbo].[RSDDetectedSystems].[HostID] > 0 AND [ePO_Server].[dbo].[RSDDetectedSystems].[Rogue]=1
ORDER BY [ePO_Server].[dbo].[RSDDetectedSystems].[HostID] ASC

I used HostID from the RSDDetectedSystems table as my rising check and LastDetectedTime as my timestamp. I set it to run every 3600 seconds.

Seems to be working nicely right now.

Re: Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk?

reswob4 — Thu, 19 Jul 2018 13:15:37 GMT

We are also on ePO 5.x, Splunk 7.x, Windows 2016, and McAfee add-on 2.21.

Re: Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk?

rburton83 — Thu, 16 Jan 2020 14:48:35 GMT

Going to give this a try. By chance did you do the same for the DLP events as well? I need a security engineering team...

Re: Is anyone getting RSD (Rogue System Detection) alerts from ePO into Splunk?

reswob4 — Mon, 20 Jan 2020 14:58:55 GMT

No, we did not.

And for the record, the DB connection has stopped working and I haven't had a chance to figure out if it is a problem on the Splunk side or the ePO side.