topic Re: Queries Template for McAfee ePO in Splunk Search

Queries Template for McAfee ePO

raphaalmeida — Fri, 22 May 2020 14:26:39 GMT

Hello everyone,

We just integrate Splunk with McAfee ePO via DB Connect.

We're trying to get some informations from ePO, but, the default queries on it is just about antivirus.

Is there any query template that I can use to get informations from ePO?

Thanks

Re: Queries Template for McAfee ePO

PavelP — Fri, 22 May 2020 16:08:10 GMT

Hello @raphaalmeida

default query get all relevant fields, which are populated by other components, not just antivirus. Are other events present in the DB already? Which events are stored in the DB can be configured on the ePO > Configuration > Server Settings > Event Filtering under Setting Categories and click Edit.

Re: Queries Template for McAfee ePO

raphaalmeida — Fri, 22 May 2020 16:56:58 GMT

Hello @PavelP

Thanks for your response.

There some events selected on that tab you mentioned, also, I've selected to store both on ePO and SIEM (this SIEM is McAfee SIEM or any SIEM?).

For Splunk, I'm doing this: In ePO, I'm going under query&reports > selecting a query checkbox > Actions button > View SQL.

I'm sending that SQL query to Splunk. Is this correct?

thanks for your help.

Re: Queries Template for McAfee ePO

PavelP — Fri, 22 May 2020 21:28:24 GMT

@raphaalmeida

store in ePO - store in the SQL DB

store in SIEM - send to SIEM via syslog over TLS

The SQL expression you got via query&reports is a ePO way to build an ePO report, I'm not sure you are on the right track this way.

You can start with following the documentation step by step: https://docs.splunk.com/Documentation/AddOns/released/McAfeeEPO/ConfigureDBConnectv3inputs

and tune it later when you get if work.

Re: Queries Template for McAfee ePO

shivanshu1593 — Fri, 22 May 2020 21:39:49 GMT

Well, unless you want to ingest something very specific from a table, from ePO's database, I'd suggest to go with this. Easy integration, and will get you all the required threat logs into Splunk in a hassle free manner.

https://splunkbase.splunk.com/app/1819/#/details

Re: Queries Template for McAfee ePO

raphaalmeida — Tue, 26 May 2020 12:17:06 GMT

Hello @shivanshu1593

Our Splunk Analyst already installed DB connect.

I'm trying to figure if, McAfee needs to provide the queries for us or our Splunk Analyst needs to know what he wants and know the queries.

Re: Queries Template for McAfee ePO

raphaalmeida — Tue, 26 May 2020 12:18:50 GMT

Hey @PavelP

Thanks for your explanation. I'm really new to this and still understanding how everything works.

I'll tell to our Splunk analyst to try to follow that document and keep you in touch.

Thanks.