All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Working DBConnect Query for McAfee with ENS

kyleburk
Explorer
‎05-22-2018 01:03 PM

Not sure where the best place to put this is but i wanted to provide the SQL query we're using for the McAfee Add-on.
This includes integration with Endpoint Security Threat Prevention. This also fixes an issue with the default query where the dest_nt_host field was being populated from a less-than-ideal location (i believe this to essentially be a bug).

```

SELECT [EPOEvents].[ReceivedUTC] AS [timestamp],
[EPOEvents].[AutoID],
[EPOEvents].[ThreatName] AS [signature],
[EPOEvents].[ThreatType] AS [threat_type],
[EPOEvents].[ThreatEventID] AS [signature_id],
[EPOEvents].[ThreatCategory] AS [category],
[EPOEvents].[ThreatSeverity] AS [severity_id],
[EPOEventFilterDesc].[Name] AS [event_description],
[EPOEvents].[DetectedUTC] AS [detected_timestamp],
[EPOEvents].[TargetFileName] AS [file_name],
[EPOEvents].[AnalyzerDetectionMethod] AS [detection_method],
[EPOEvents].[ThreatActionTaken] AS [vendor_action],
CAST([EPOEvents].[ThreatHandled] AS int) AS [threat_handled],
[EPOEvents].[TargetUserName] AS [logon_user],
[EPOComputerProperties].[UserName] AS [user],
[EPOComputerProperties].[DomainName] AS [dest_nt_domain],
[EPOEvents].[TargetHostName] AS [dest_dns],
[EPOComputerProperties].[ComputerName] AS [dest_nt_host],
[EPOComputerProperties].[IPHostName] AS [fqdn],
[dest_ip] = ( convert(varchar(3),
convert(tinyint,
substring(convert(varbinary(4),
convert(bigint,
([EPOComputerProperties].[IPV4x] + 2147483648))),
1,
1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerProperties].[SubnetMask] AS [dest_netmask],
[EPOComputerProperties].[NetAddress] AS [dest_mac],
[EPOComputerProperties].[OSType] AS [os],
[EPOComputerProperties].[OSServicePackVer] AS [sp],
[EPOComputerProperties].[OSVersion] AS [os_version],
[EPOComputerProperties].[OSBuildNum] AS [os_build],
[EPOComputerProperties].[TimeZone] AS [timezone],
[EPOEvents].[SourceHostName] AS [src_dns],
[src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ),
[EPOEvents].[SourceMAC] AS [src_mac],
[EPOEvents].[SourceProcessName] AS [process],
[EPOEvents].[SourceURL] AS [url],
[EPOEvents].[SourceUserName] AS [source_logon_user],
[EPOComputerProperties].[IsPortable] AS [is_laptop],
[EPOEvents].[AnalyzerName] AS [product],
[EPOEvents].[AnalyzerVersion] AS [product_version],
[EPOEvents].[AnalyzerEngineVersion] AS [engine_version],
[EPOEvents].[AnalyzerDATVersion] AS [dat_version],
[EPOProdPropsView_VIRUSCAN].[datver] AS [vse_dat_version],
[EPOProdPropsView_VIRUSCAN].[enginever64] AS [vse_engine64_version],
[EPOProdPropsView_VIRUSCAN].[enginever] AS [vse_engine_version],
[EPOProdPropsView_VIRUSCAN].[hotfix] AS [vse_hotfix],
[EPOProdPropsView_VIRUSCAN].[productversion] AS [vse_product_version],
[EPOProdPropsView_VIRUSCAN].[servicepack] AS [vse_sp],
[EPOProdPropsView_THREATPREVENTION].[verDAT32Major] as [enstp_dat_version],
[EPOProdPropsView_THREATPREVENTION].[verEngine64Major] as [enstp_engine64_version],
[EPOProdPropsView_THREATPREVENTION].[verEngine32Major] as [enstp_engine_version],
[EPOProdPropsView_THREATPREVENTION].[verHotfix] as [enstp_hotfix],
[EPOProdPropsView_THREATPREVENTION].[productversion] as [enstp_product_version],
[EPOProdPropsView_EPOAGENT].[productversion] as [ma_product_version],
[EPOProdPropsView_ENDPOINTSECURITYPLATFORM].[productversion] as [enspf_product_version],
[EPOProdPropsView_FIREWALL].[productversion] as [ensfw_product_version],
[EPOProdPropsView_WEBCONTROL].[productversion] as [enswc_product_version]
FROM [EPOEvents]
LEFT JOIN [EPOLeafNode]
ON [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID]
LEFT JOIN [EPOProdPropsView_VIRUSCAN]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID]
LEFT JOIN [EPOComputerProperties]
ON [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID]
LEFT JOIN [EPOEventFilterDesc]
ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId]
AND ([EPOEventFilterDesc].[Language]='0409')
LEFT JOIN [EPOProdPropsView_THREATPREVENTION]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_THREATPREVENTION].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_EPOAGENT]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_EPOAGENT].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_ENDPOINTSECURITYPLATFORM]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_ENDPOINTSECURITYPLATFORM].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_FIREWALL]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_FIREWALL].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_WEBCONTROL]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_WEBCONTROL].[LeafNodeID]
WHERE [EPOEvents].[AutoID] > ?
ORDER BY [EPOEvents].[AutoID] ASC

```

Reply

robjackson
Path Finder
‎03-06-2019 01:35 PM

In DBConnect 2 error t', params: 'None', caused by: Exception(\' com.microsoft.sqlserver.jdbc.SQLServerException: The value is not set for the parameter number 1..\',).',)"

Reply

sharmarohit123
Engager
‎06-12-2019 04:47 PM

I am getting the same exception, any idea how we can resolve this.

0 Karma
Reply

SarahSplunk123
Explorer
‎09-11-2018 07:06 AM

Hi,

If we need to be using the rising column parameter as a checkpoint, can you confirm that
WHERE [EPOEvents].[AutoID] > ?
ORDER BY [EPOEvents].[AutoID] ASC

should be replaced with

WHERE [EPOEvents].[AutoID] > 0 {{ AND [EPOEvents].$rising_column$ > ? }} ORDER BY [EPOEvents].[AutoID]

Thanks

0 Karma
Reply

kyleburk
Explorer
‎09-11-2018 07:51 AM

I use the EPOEvents.AutoID as my rising column and run the posted query as is.

0 Karma
Reply

SarahSplunk123
Explorer
‎09-19-2018 08:24 AM

The request raised an error in dbx.log, indicating that {{ AND [EPOEvents].$rising_column$ > ? }} was missing.
Can you confirm that in order to use it in dbx connect v1, it can be modified with the aforementioned modification?

Maybe db connect v2 introduces this condition in the configuration file when you select the rising column parameter in the GUI?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...