All Apps and Add-ons

Working DBConnect Query for McAfee with ENS

kyleburk
Explorer

Not sure where the best place to put this is but i wanted to provide the SQL query we're using for the McAfee Add-on.
This includes integration with Endpoint Security Threat Prevention. This also fixes an issue with the default query where the dest_nt_host field was being populated from a less-than-ideal location (i believe this to essentially be a bug).

```

SELECT [EPOEvents].[ReceivedUTC] AS [timestamp],
[EPOEvents].[AutoID],
[EPOEvents].[ThreatName] AS [signature],
[EPOEvents].[ThreatType] AS [threat_type],
[EPOEvents].[ThreatEventID] AS [signature_id],
[EPOEvents].[ThreatCategory] AS [category],
[EPOEvents].[ThreatSeverity] AS [severity_id],
[EPOEventFilterDesc].[Name] AS [event_description],
[EPOEvents].[DetectedUTC] AS [detected_timestamp],
[EPOEvents].[TargetFileName] AS [file_name],
[EPOEvents].[AnalyzerDetectionMethod] AS [detection_method],
[EPOEvents].[ThreatActionTaken] AS [vendor_action],
CAST([EPOEvents].[ThreatHandled] AS int) AS [threat_handled],
[EPOEvents].[TargetUserName] AS [logon_user],
[EPOComputerProperties].[UserName] AS [user],
[EPOComputerProperties].[DomainName] AS [dest_nt_domain],
[EPOEvents].[TargetHostName] AS [dest_dns],
[EPOComputerProperties].[ComputerName] AS [dest_nt_host],
[EPOComputerProperties].[IPHostName] AS [fqdn],
[dest_ip] = ( convert(varchar(3),
convert(tinyint,
substring(convert(varbinary(4),
convert(bigint,
([EPOComputerProperties].[IPV4x] + 2147483648))),
1,
1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1))) ), [EPOComputerProperties].[SubnetMask] AS [dest_netmask],
[EPOComputerProperties].[NetAddress] AS [dest_mac],
[EPOComputerProperties].[OSType] AS [os],
[EPOComputerProperties].[OSServicePackVer] AS [sp],
[EPOComputerProperties].[OSVersion] AS [os_version],
[EPOComputerProperties].[OSBuildNum] AS [os_build],
[EPOComputerProperties].[TimeZone] AS [timezone],
[EPOEvents].[SourceHostName] AS [src_dns],
[src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ),
[EPOEvents].[SourceMAC] AS [src_mac],
[EPOEvents].[SourceProcessName] AS [process],
[EPOEvents].[SourceURL] AS [url],
[EPOEvents].[SourceUserName] AS [source_logon_user],
[EPOComputerProperties].[IsPortable] AS [is_laptop],
[EPOEvents].[AnalyzerName] AS [product],
[EPOEvents].[AnalyzerVersion] AS [product_version],
[EPOEvents].[AnalyzerEngineVersion] AS [engine_version],
[EPOEvents].[AnalyzerDATVersion] AS [dat_version],
[EPOProdPropsView_VIRUSCAN].[datver] AS [vse_dat_version],
[EPOProdPropsView_VIRUSCAN].[enginever64] AS [vse_engine64_version],
[EPOProdPropsView_VIRUSCAN].[enginever] AS [vse_engine_version],
[EPOProdPropsView_VIRUSCAN].[hotfix] AS [vse_hotfix],
[EPOProdPropsView_VIRUSCAN].[productversion] AS [vse_product_version],
[EPOProdPropsView_VIRUSCAN].[servicepack] AS [vse_sp],
[EPOProdPropsView_THREATPREVENTION].[verDAT32Major] as [enstp_dat_version],
[EPOProdPropsView_THREATPREVENTION].[verEngine64Major] as [enstp_engine64_version],
[EPOProdPropsView_THREATPREVENTION].[verEngine32Major] as [enstp_engine_version],
[EPOProdPropsView_THREATPREVENTION].[verHotfix] as [enstp_hotfix],
[EPOProdPropsView_THREATPREVENTION].[productversion] as [enstp_product_version],
[EPOProdPropsView_EPOAGENT].[productversion] as [ma_product_version],
[EPOProdPropsView_ENDPOINTSECURITYPLATFORM].[productversion] as [enspf_product_version],
[EPOProdPropsView_FIREWALL].[productversion] as [ensfw_product_version],
[EPOProdPropsView_WEBCONTROL].[productversion] as [enswc_product_version]
FROM [EPOEvents]
LEFT JOIN [EPOLeafNode]
ON [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID]
LEFT JOIN [EPOProdPropsView_VIRUSCAN]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID]
LEFT JOIN [EPOComputerProperties]
ON [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID]
LEFT JOIN [EPOEventFilterDesc]
ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId]
AND ([EPOEventFilterDesc].[Language]='0409')
LEFT JOIN [EPOProdPropsView_THREATPREVENTION]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_THREATPREVENTION].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_EPOAGENT]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_EPOAGENT].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_ENDPOINTSECURITYPLATFORM]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_ENDPOINTSECURITYPLATFORM].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_FIREWALL]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_FIREWALL].[LeafNodeID]
LEFT JOIN [EPOProdPropsView_WEBCONTROL]
ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_WEBCONTROL].[LeafNodeID]
WHERE [EPOEvents].[AutoID] > ?
ORDER BY [EPOEvents].[AutoID] ASC

```

robjackson
Path Finder

In DBConnect 2 error t', params: 'None', caused by: Exception(\' com.microsoft.sqlserver.jdbc.SQLServerException: The value is not set for the parameter number 1..\',).',)"

sharmarohit123
Engager

I am getting the same exception, any idea how we can resolve this.

0 Karma

SarahSplunk123
Explorer

Hi,

If we need to be using the rising column parameter as a checkpoint, can you confirm that
WHERE [EPOEvents].[AutoID] > ?
ORDER BY [EPOEvents].[AutoID] ASC

should be replaced with

WHERE [EPOEvents].[AutoID] > 0 {{ AND [EPOEvents].$rising_column$ > ? }} ORDER BY [EPOEvents].[AutoID]

Thanks

0 Karma

kyleburk
Explorer

I use the EPOEvents.AutoID as my rising column and run the posted query as is.

0 Karma

SarahSplunk123
Explorer

The request raised an error in dbx.log, indicating that {{ AND [EPOEvents].$rising_column$ > ? }} was missing.
Can you confirm that in order to use it in dbx connect v1, it can be modified with the aforementioned modification?

Maybe db connect v2 introduces this condition in the configuration file when you select the rising column parameter in the GUI?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...