The way I found to do it was to use the query interface to generate the set of info we wanted (based off the Data In Motion table) and then convert that into SQL, which we pasted into DB Connect. It then took a bit of time to sanitise it, as the SQL format isn't well handled by the Java SQL engine used by DB Connect. The end result, which you can use and which uses aliases a lot to avoid syntax errors, was:
SELECT DISTINCT T1.IncidentId AS IncID,
       T1.IncidentType AS IncType,
       T1.ViolationLocalTime AS Time,
       T1.ViolationTimezone AS TimeZone,
       T1.Severity AS Severity,
       T1.SourceApplicationTemplates AS SourceApp,
       T1.ActualAction AS Action,
       T8.Name AS WorkstationName,
       T9.PolicyName AS PolicyName,
       T1.RulesToDisplay AS Rules,
       T1.RuleSetToDisplay AS RuleSet,
       T3.USBSerialNumber AS USBSerial,
       T7.UsernameNTLM AS username,
       T1.destination AS destination,
       T4.ApplicationFileName AS ApplicationFilename,
       T1.DlpAgentVersion AS AgentVer,
       T1.ClassificationsToDisplay AS Classifications,
       T2.FileExt AS FileExt,
       T2.FileName AS Filename,
       T2.FileType AS FileType,
       T1.TotalContentSize AS Size,
       T5.DestinationURL AS DestURL,
       T6.Recipients AS EmailRecp,
       T3.DeviceDescription AS DeviceDesc,
       T3.VolumeLabel AS VolumeLabel,
       T3.VolumeSerialNumber AS VolSerial,
       T3.DeviceClassName AS DeviceClass,
       T7.PrimaryUserAccountID AS AccID,
       T10.copyDirection AS Direction
FROM UDLPIncidents AS T1
LEFT JOIN UDLPIncidentEmail AS T6
       ON T1.IncidentId = T6.IncidentId
LEFT JOIN UDLPEventUsers AS T7
       ON T1.UserId = T7.UserId
LEFT JOIN UDLPIncidentWebPost AS T5
       ON T1.IncidentId = T5.IncidentId
LEFT JOIN UDLPEventPolicyInfo AS T9
       ON T1.PolicyInfoId = T9.PolicyInfoId
LEFT JOIN UDLPIncidentDevice AS T3
       ON T1.IncidentId = T3.IncidentId
LEFT JOIN UDLPIncidentRuleEvidencesQueriesView AS T2
       ON T1.IncidentId = T2.IncidentId
LEFT JOIN UDLPEventComputers AS T8
       ON T1.ComputerID = T8.ID
LEFT JOIN UDLPIncidentApplications AS T4
       ON T1.SourceApplicationId = T4.ApplicationId
LEFT JOIN UDLPIncidents_Archive AS T10
       ON T1.IncidentId = T10.IncidentId
WHERE T1.IncidentId > ?
ORDER BY T1.IncidentId asc
Again, bear in mind I'd go through the query interface if I were you, as your mileage with populated data or schema may vary, and the table structure in ePO is simply terrible. And I never could find an incident ID I could use to correlate this with the standard ePO query from the Splunk-generated TA, and we needed to modify the ePO query itself to properly display the signature version, as not all fields properly populate for us.
I have integrated the McAfee Splunk app to get event logs from the McAfee DB into Splunk. I'm able to get all threat events into Splunk, but I'm not able to get the DLP incident details into Splunk. Has anyone had success getting the DLP incidents into Splunk?
My current script gets its information from the view "EPOEvents". This one has all the threat-related information and details that I already see now in Splunk. This view pulls directly from a table without any filters.
The view [EPOProdPropsViewTHREATPREVENTION] has all product-related information, i.e. component version and other data, but not the actual information I'm looking for. Similar to this view I can see another view already existing for DLP, named [EPOProdPropsViewUDLP], but it has product-related information which I do not need. What I need is DLP incident-related metadata including evidence info. Any help would be welcome.
The Add-on only supports IDS, malware and inventory. You'll probably have to build out your own query.
Probably start here and do a bunch of joins to fill in the data.
| dbquery "McAfeeePO5" "SELECT * FROM UDLP_Incidents" limit=1000
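Added example, not from either poster and not Splunk's or McAfee's code: a Python/SQLite stand-in that runs a trimmed version of the big join from the first reply in the shape a DB Connect rising-column input expects (`WHERE T1.IncidentId > ?` with `ORDER BY` on the same column), starting from the `UDLP_Incidents`-style base table this reply suggests. It shows two things you hit while "doing a bunch of joins": LEFT JOINs keep incidents that have no device or evidence rows (you get NULL columns rather than losing the incident), and the evidence view turns one incident into one row per evidence file, which `DISTINCT` does not collapse because `Filename` differs. The table and column names are taken from the query above; the SQLite schema, the trimmed column list, the sample rows and the `poll`/`rows_per_incident` helpers are assumptions made for this example.

```python
import sqlite3

# Constructed example: a miniature SQLite stand-in for the ePO DLP tables named
# in the thread. Table and column names come from the query above; the schema
# and rows are invented for this example and are not real ePO data.
SCHEMA = """
CREATE TABLE UDLPIncidents (
    IncidentId INTEGER PRIMARY KEY, IncidentType TEXT, Severity INTEGER,
    UserId INTEGER, ActualAction TEXT);
CREATE TABLE UDLPEventUsers (UserId INTEGER PRIMARY KEY, UsernameNTLM TEXT);
CREATE TABLE UDLPIncidentDevice (IncidentId INTEGER, USBSerialNumber TEXT, VolumeLabel TEXT);
CREATE TABLE UDLPIncidentRuleEvidencesQueriesView (IncidentId INTEGER, FileName TEXT, FileExt TEXT);
"""

SAMPLE_ROWS = {
    "UDLPIncidents": [
        (1, "Removable Storage", 3, 10, "Block"),
        (2, "Web Post", 2, 11, "Monitor"),
        (3, "Removable Storage", 3, 10, "Block"),
    ],
    "UDLPEventUsers": [(10, "CORP\\alice"), (11, "CORP\\bob")],
    "UDLPIncidentDevice": [(1, "4C530001", "USB_KEY"), (3, "4C530002", "BACKUP")],
    # Incident 1 carries two evidence files, incident 2 carries none.
    "UDLPIncidentRuleEvidencesQueriesView": [
        (1, "payroll.xlsx", "xlsx"),
        (1, "contracts.docx", "docx"),
        (3, "customers.csv", "csv"),
    ],
}

# Trimmed version of the join from the thread, kept in the shape DB Connect's
# rising-column input uses: a single `?` bound to the stored checkpoint and an
# ORDER BY on the rising column so the checkpoint advances monotonically.
QUERY = """
SELECT DISTINCT T1.IncidentId AS IncID,
       T1.IncidentType AS IncType,
       T1.Severity AS Severity,
       T1.ActualAction AS Action,
       T7.UsernameNTLM AS username,
       T3.USBSerialNumber AS USBSerial,
       T2.FileName AS Filename,
       T2.FileExt AS FileExt
FROM UDLPIncidents AS T1
LEFT JOIN UDLPEventUsers AS T7 ON T1.UserId = T7.UserId
LEFT JOIN UDLPIncidentDevice AS T3 ON T1.IncidentId = T3.IncidentId
LEFT JOIN UDLPIncidentRuleEvidencesQueriesView AS T2 ON T1.IncidentId = T2.IncidentId
WHERE T1.IncidentId > ?
ORDER BY T1.IncidentId ASC
"""


def build_sample_db():
    """Create the in-memory stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def poll(conn, checkpoint):
    """One rising-column fetch: return (rows, new_checkpoint).

    Mirrors what a DB Connect input does on each run: bind the stored
    checkpoint to `?`, take everything above it, and remember the highest
    IncID seen so the next run starts after it.
    """
    rows = [dict(r) for r in conn.execute(QUERY, (checkpoint,))]
    new_checkpoint = max((r["IncID"] for r in rows), default=checkpoint)
    return rows, new_checkpoint


def rows_per_incident(rows):
    """Count how many output rows each incident produced.

    The evidence view is one row per evidence file, so an incident with N
    files comes back N times; DISTINCT does not collapse them because the
    Filename/FileExt columns differ between those rows.
    """
    counts = {}
    for r in rows:
        counts[r["IncID"]] = counts.get(r["IncID"], 0) + 1
    return counts


if __name__ == "__main__":
    db = build_sample_db()
    first, cp = poll(db, 0)
    print(f"first poll: {len(first)} rows, checkpoint now {cp}")
    print("rows per incident:", rows_per_incident(first))
    # A new incident arrives between runs; only it is fetched on the next poll.
    db.execute("INSERT INTO UDLPIncidents VALUES (4, 'Email', 1, 11, 'Monitor')")
    second, cp = poll(db, cp)
    print(f"second poll: {len(second)} rows, checkpoint now {cp}")
```

The practical consequence for Splunk is that event counts per incident are inflated by the evidence join, so count distinct `IncID` rather than raw events when reporting, or move the per-file columns into a second input keyed on the same rising column if one event per incident is what you need.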