Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Is anyone getting RSD (Rogue System Detection)...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The title says it all. It does not appear that RSD alerts are in the search query. Can they be added?
We have ePO 4.6, Splunk Add-on for McAfee version 2.1.3, DB Connect version 1, Splunk 6.4 and running on Linux.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, we (the Sec Engineering team) got a good config. We set up a SECOND query in the McAfee Add-On for McAfee app just for the rogues. Using DB Connect v3, this is the SQL query we set up:
SELECT [ePO_Server].[dbo].[RSDDetectedSystems].[DeviceType] as [devicetype],
[ePO_Server].[dbo].[RSDDetectedSystems].[DnsName] as [fqdn],
[dvc_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),4,1))) ),
[ePO_Server].[dbo].[RSDDetectedSystems].[LastDetectedTime] as [LastDetectedTime],
[ePO_Server].[dbo].[RSDDetectedSystems].[MAC] as [mac],
[ePO_Server].[dbo].[RSDDetectedSystems].[Managed] as [managed],
[ePO_Server].[dbo].[RSDDetectedSystems].[OSPlatform] as [os],
[ePO_Server].[dbo].[RSDDetectedSystems].[LastReportingSensor] as [LastReportingSensor],
[ePO_Server].[dbo].[RSDDetectedSystems].[DetectedSourceName] as [product],
[ePO_Server].[dbo].[RSDDetectedSystems].[OSVersion] as [os_version],
[ePO_Server].[dbo].[RSDDetectedSystems].[LastAgentCommunication] as [LastAgentCommunication],
[ePO_Server].[dbo].[RSDDetectedSystems].[HostID] as [HostID]
FROM "ePO_Server"."dbo"."RSDDetectedSystems"
WHERE [ePO_Server].[dbo].[RSDDetectedSystems].[HostID] > 0 AND [ePO_Server].[dbo].[RSDDetectedSystems].[Rogue]=1
ORDER BY [ePO_Server].[dbo].[RSDDetectedSystems].[HostID] ASC
I used HostID from the RSDDetectedSystems table as my rising check and LastDetectedTime as my timestamp. I set it to run every 3600 seconds.
Seems to be working nicely right now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, we (the Sec Engineering team) got a good config. We set up a SECOND query in the McAfee Add-On for McAfee app just for the rogues. Using DB Connect v3, this is the SQL query we set up:
SELECT [ePO_Server].[dbo].[RSDDetectedSystems].[DeviceType] as [devicetype],
[ePO_Server].[dbo].[RSDDetectedSystems].[DnsName] as [fqdn],
[dvc_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([ePO_Server].[dbo].[RSDDetectedSystems].[IPV4] + 2147483648))),4,1))) ),
[ePO_Server].[dbo].[RSDDetectedSystems].[LastDetectedTime] as [LastDetectedTime],
[ePO_Server].[dbo].[RSDDetectedSystems].[MAC] as [mac],
[ePO_Server].[dbo].[RSDDetectedSystems].[Managed] as [managed],
[ePO_Server].[dbo].[RSDDetectedSystems].[OSPlatform] as [os],
[ePO_Server].[dbo].[RSDDetectedSystems].[LastReportingSensor] as [LastReportingSensor],
[ePO_Server].[dbo].[RSDDetectedSystems].[DetectedSourceName] as [product],
[ePO_Server].[dbo].[RSDDetectedSystems].[OSVersion] as [os_version],
[ePO_Server].[dbo].[RSDDetectedSystems].[LastAgentCommunication] as [LastAgentCommunication],
[ePO_Server].[dbo].[RSDDetectedSystems].[HostID] as [HostID]
FROM "ePO_Server"."dbo"."RSDDetectedSystems"
WHERE [ePO_Server].[dbo].[RSDDetectedSystems].[HostID] > 0 AND [ePO_Server].[dbo].[RSDDetectedSystems].[Rogue]=1
ORDER BY [ePO_Server].[dbo].[RSDDetectedSystems].[HostID] ASC
I used HostID from the RSDDetectedSystems table as my rising check and LastDetectedTime as my timestamp. I set it to run every 3600 seconds.
Seems to be working nicely right now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are also on ePO 5.x, Splunk 7.x, Windows 2016, and McAfee add-on 2.21.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Going to give this a try. By chance did you do the same for the DLP events as well? I need a security engineering team...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, we did not.
And for the record, the DB connection has stopped working and I haven't had a chance to figure out if it is a problem on the Splunk side or the ePO side.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| dbxquery query="SELECT * FROM RSDManagedSystemsForSubnet" connection="mcafee_epo" shortnames=t wrap=t
| where HasSensor="1"
| fields IPAddress
| table IPAddress
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out the Splunk query in the McAfee add-on does not request this data. I am using the connector from another product to get this information along with the AV, HIPS, and DLP alerts.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
