Splunk Enterprise Security

McAfee DLP logs into Splunk.

Hi guys,
Has anyone successfully gotten the DLP incident logs from ePO to McAfee? I'm using DB Connect with the ePO app and I'm having a bad time trying to get it. Any ideas, or has anyone already made it?

Thanks in advance,
Alex

Engager

The way I found to do it was to use the query interface to generate the set of info we wanted (based off the Data In Motion table) and then convert that into SQL, which we pasted into DB Connect. It then took a bit of time to sanitise it, as the SQL format isn't well handled by the Java SQL engine used by DB Connect. The end result, which you can use and which uses aliases a lot to avoid syntax errors, was:
SELECT DISTINCT T1.IncidentId AS IncID,
T1.IncidentType AS IncType,
T1.ViolationLocalTime AS Time,
T1.ViolationTimezone AS TimeZone,
T1.Severity AS Severity,
T1.SourceApplicationTemplates AS SourceApp,
T1.ActualAction AS Action,
T8.Name AS WorkstationName,
T9.PolicyName AS PolicyName,
T1.RulesToDisplay AS Rules,
T1.RuleSetToDisplay AS RuleSet,
T3.USBSerialNumber AS USBSerial,
T7.UsernameNTLM AS username,
T1.destination AS destination,
T4.ApplicationFileName AS ApplicationFilename,
T1.DlpAgentVersion AS AgentVer,
T1.ClassificationsToDisplay AS Classifications,
T2.FileExt AS FileExt,
T2.FileName AS Filename,
T2.FileType AS FileType,
T1.TotalContentSize AS Size,
T5.DestinationURL AS DestURL,
T6.Recipients AS EmailRecp,
T3.DeviceDescription AS DeviceDesc,
T3.VolumeLabel AS VolumeLabel,
T3.VolumeSerialNumber AS VolSerial,
T3.DeviceClassName AS DeviceClass,
T7.PrimaryUserAccountID AS AccID,
T10.copyDirection AS Direction
FROM UDLPIncidents AS T1
LEFT JOIN UDLPIncidentEmail AS T6
ON T1.IncidentId = T6.IncidentId
LEFT JOIN UDLPEventUsers AS T7
ON T1.UserId = T7.UserId
LEFT JOIN UDLPIncidentWebPost AS T5
ON T1.IncidentId = T5.IncidentId
LEFT JOIN UDLPEventPolicyInfo AS T9
ON T1.PolicyInfoId = T9.PolicyInfoId
LEFT JOIN UDLPIncidentDevice AS T3
ON T1.IncidentId = T3.IncidentId
LEFT JOIN UDLPIncidentRuleEvidencesQueriesView AS T2
ON T1.IncidentId = T2.IncidentId
LEFT JOIN UDLPEventComputers AS T8
ON T1.ComputerID = T8.ID
LEFT JOIN UDLPIncidentApplications AS T4
ON T1.SourceApplicationId = T4.ApplicationId
LEFT JOIN UDLPIncidents_Archive AS T10
ON T1.IncidentId = T10.IncidentId
WHERE T1.IncidentId > ?
ORDER BY T1.IncidentId ASC

Again, bear in mind I'd go through the query interface if I were you, as your mileage with populated data or schema may vary, and the table structure in ePO is simply terrible. And I never could find an incident ID I could use to correlate this with the standard ePO query from the Splunk-generated TA, and we needed to modify the ePO query itself to properly display the signature version, as not all fields properly populate for us.
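As an added, runnable illustration of the rising-column pattern in the query above (this is not code from the thread, from McAfee or from Splunk): a constructed SQLite stand-in for three of the ePO DLP tables, polled the way DB Connect fills the `?` placeholder with the last IncidentId it indexed. The table and column names are taken from the query; the sample rows are made up, and they also show that the evidence join returns one row per evidence file, so raw event counts in Splunk are not incident counts.

```python
import sqlite3

# Constructed stand-in for three of the ePO DLP tables used by the thread's query.
# Table and column names follow that query; the rows are made-up sample data.
SCHEMA = """
CREATE TABLE UDLPIncidents (IncidentId INTEGER PRIMARY KEY, IncidentType TEXT,
    Severity INTEGER, UserId INTEGER, ActualAction TEXT);
CREATE TABLE UDLPEventUsers (UserId INTEGER PRIMARY KEY, UsernameNTLM TEXT);
CREATE TABLE UDLPIncidentRuleEvidencesQueriesView (IncidentId INTEGER, FileName TEXT, FileExt TEXT);
INSERT INTO UDLPEventUsers VALUES (1, 'CORP\\alice'), (2, 'CORP\\bob');
INSERT INTO UDLPIncidents VALUES
    (101, 'Removable Storage', 3, 1, 'Block'),
    (102, 'Email',             2, 2, 'Allow'),
    (103, 'Web Post',          4, 1, 'Block');
-- incident 102 has two evidence files; 103 has none, so LEFT JOIN must keep it
INSERT INTO UDLPIncidentRuleEvidencesQueriesView VALUES
    (101, 'q3-forecast', 'xlsx'), (102, 'contract', 'docx'), (102, 'nda', 'pdf');
"""

# Trimmed to three tables but with the same shape as the thread's query: the `?`
# takes the last IncidentId already indexed and results come back ascending.
INCIDENT_SQL = """
SELECT T1.IncidentId AS IncID, T1.IncidentType AS IncType, T1.Severity AS Severity,
       T1.ActualAction AS Action, T7.UsernameNTLM AS username,
       T2.FileName AS Filename, T2.FileExt AS FileExt
FROM UDLPIncidents AS T1
LEFT JOIN UDLPEventUsers AS T7 ON T1.UserId = T7.UserId
LEFT JOIN UDLPIncidentRuleEvidencesQueriesView AS T2 ON T1.IncidentId = T2.IncidentId
WHERE T1.IncidentId > ?
ORDER BY T1.IncidentId ASC
"""

def build_sample_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn

def fetch_incidents(conn, checkpoint):
    """One poll, as a rising-column input does it: return the rows newer than
    `checkpoint` and the checkpoint to persist for the next poll. An incident
    with N evidence files comes back as N rows, so report distinct IncID values
    in Splunk rather than raw events when counting incidents."""
    rows = [dict(r) for r in conn.execute(INCIDENT_SQL, (checkpoint,))]
    new_checkpoint = rows[-1]["IncID"] if rows else checkpoint
    return rows, new_checkpoint
```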

SplunkTrust

@agcorreia
I converted @ncarey's comment to an answer; kindly review and let us know if it works for you.
If it does, please accept the answer. Otherwise, please provide more information.

0 Karma

SplunkTrust

Hint: Responses might be much more helpful if you'd give more details, e.g. what "having bad time" exactly means. Like, error messages, expected vs. observed behavior, etc.

0 Karma

Explorer

I have integrated the McAfee Splunk app to get event logs from the McAfee DB into Splunk. I'm able to get all threat events into Splunk, but I'm not able to get the DLP Incident details into Splunk. Has anyone had success getting the DLP Incidents into Splunk?

My current script has information from the view "EPOEvents". This one has all the threat-related information and details that I already see now in Splunk. This view is directly pulling from a table without any filters.

The view [EPOProdPropsViewTHREATPREVENTION] has all product-related information, i.e. component version and other data, but not the actual information I'm looking for. Similar to this view I can see another view already existing for DLP, named [EPOProdPropsViewUDLP], but it has product-related information which I do not need. What I need is DLP Incident-related metadata including Evidence info. Any help would be welcome.

0 Karma

Communicator

The Add-on only supports IDS, malware and inventory. You'll probably have to build out your own query.

Probably start here and do a bunch of joins to fill in the data.
| dbquery "McAfeeePO5" "SELECT * FROM UDLP_Incidents" limit=1000

0 Karma