So I noticed that the lookup tables that come with this do NOT include the descriptions of the HIPS events. Below are the steps we took to fix.
Here are the steps we took to rectify this.
First, we followed the instructions here: McAfee KB55119
to dump the SignatureID, CVECode, SignatureName, and SignatureDesc from the DB to a file. To modify the export into a csv, we did the following (I'm sure there are other ways, but...):
below, the regex search is supposed to be slash s slash s slash s plus and it is replaced by a pipe symbol
using regex, find \s\s\s+ and replace with |
open in Excel with | as the delimiter
save as a csv
Note, you may have to add a line for signatureID 1157 USB Storage Device Inserted which is missing. Also, there are a bunch that have (literally) NULL for either CVECode, SignatureName and/or SignatureDesc.
After changing the name of the first column to signature instead of SignatureID, we then created a new lookup.
We uploaded the file to /etc/apps/Splunk_TA_mcafee/lookups/mcafee_signatureid_desc.csv
then in /etc/apps/Splunk_TA_mcafee/ we modified transforms.conf:
[epo_signatureid_desc_lookup]
disabled = 0
filename = mcafee_signatureid_desc.csv
Then in props.conf:
[mcafee:epo]
LOOKUP-eventinfo_for_mcafee_epo=epo_signatureid_desc_lookup signature OUTPUT CVECode,SignatureName,SignatureDesc
Then we restarted splunkd. And now searches like:
sourcetype="mcafee:epo" Product="McAfee Host Intrusion Prevention" | stats count by SignatureName
work very nicely with names rather than numbers.
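The conversion above is done by hand with a regex and Excel. Below is an added example, not part of the original post, that does the same transformation in Python so it can be re-run whenever the table is re-exported: it splits the whitespace-padded export on runs of three or more spaces (the post's `\s\s\s+`), skips the header and any `(n rows affected)` trailer a SQL client prints, turns literal `NULL` into an empty field, merges the missing 1157 row, renames the first column to `signature`, and writes a properly quoted CSV so descriptions containing commas do not break the lookup. The sample dump, the name text for 1157, and the `SignatureID <id>` fallback used when the name is NULL are all constructed assumptions, not data from the McAfee database.

```python
import csv
import io
import re

# Lookup header: first column renamed from SignatureID to signature, as in the post.
HEADER = ["signature", "CVECode", "SignatureName", "SignatureDesc"]

# Constructed sample standing in for the KB55119 export (not real McAfee data):
# whitespace-padded columns, literal NULLs, a description with a comma,
# and the "(n rows affected)" trailer that sqlcmd prints.
SAMPLE_DUMP = """\
SignatureID   CVECode         SignatureName                SignatureDesc
1000          NULL            Sample Signature One         A description, with a comma
1001          CVE-2000-0001   Sample Signature Two         NULL
1002          NULL            NULL                         NULL

(3 rows affected)
"""

# Row the post reports missing from the export. The name text is assumed.
EXTRA_ROWS = [("1157", "", "USB Storage Device Inserted", "")]

# Equivalent of the post's "find \s\s\s+ and replace with |".
COLUMN_GAP = re.compile(r"\s{3,}")


def parse_dump(text):
    """Split the padded export into {signature_id: (id, cve, name, desc)}.

    Keying by id collapses duplicate rows and lets EXTRA_ROWS be merged
    without producing a second entry for an id that is already present.
    """
    rows = {}
    for line in text.splitlines():
        fields = COLUMN_GAP.split(line.strip())
        if not fields or not fields[0].isdigit():
            continue  # header line, blank line, or "(n rows affected)" trailer
        if len(fields) > 4:
            # Three or more spaces inside the description split it further;
            # fold the tail back into one description field.
            fields = fields[:3] + [" ".join(fields[3:])]
        fields += [""] * (4 - len(fields))  # short row: trailing columns absent
        sid, cve, name, desc = ("" if f == "NULL" else f for f in fields)
        if not name:
            # Assumed fallback so "stats count by SignatureName" still groups
            # events whose name is NULL in the database instead of dropping them.
            name = "SignatureID " + sid
        rows[sid] = (sid, cve, name, desc)
    return rows


def build_lookup(text, extra_rows=EXTRA_ROWS):
    """Return the CSV text to save as mcafee_signatureid_desc.csv."""
    rows = parse_dump(text)
    for sid, cve, name, desc in extra_rows:
        rows.setdefault(sid, (sid, cve, name, desc))  # add only if missing
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")  # quotes commas in descriptions
    writer.writerow(HEADER)
    for sid in sorted(rows, key=int):
        writer.writerow(rows[sid])
    return out.getvalue()


if __name__ == "__main__":
    print(build_lookup(SAMPLE_DUMP), end="")
```

Run it against the real export redirected from the KB55119 query and copy the output into the app's lookups directory. The three-space split has the same limitation as the regex in the post: a SignatureName that itself contains three consecutive spaces would be cut in two, so if the export tool reports fixed column widths, slicing on those widths is the more robust parser.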

Hi @reswob4
Thanks for sharing this information on Answers. Would you actually be able to post the solution with the steps above as an answer below and accept it? That way, this post will actually show as answered and resolved.
