The way I found to do it was to use the query interface to generate the set of info we wanted (based on the Data In Motion table) and then convert that into SQL, which we pasted into DB Connect. It then took a bit of time to sanitise it, as the SQL format isn't well handled by the Java SQL engine used by DB Connect. The end result, which you can use and which uses aliases heavily to avoid syntax errors, was:
SELECT DISTINCT T1.IncidentId AS IncID,
T1.IncidentType AS IncType,
T1.ViolationLocalTime AS Time,
T1.ViolationTimezone AS TimeZone,
T1.Severity AS Severity,
T1.SourceApplicationTemplates AS SourceApp,
T1.ActualAction AS Action,
T8.Name AS Workstation_Name,
T9.PolicyName AS Policy_Name,
T1.RulesToDisplay AS Rules,
T1.RuleSetToDisplay AS RuleSet,
T3.USBSerialNumber AS USB_Serial,
T7.Username_NTLM AS username,
T1.destination AS destination,
T4.ApplicationFileName AS ApplicationFilename,
T1.DlpAgentVersion AS Agent_Ver,
T1.ClassificationsToDisplay AS Classifications,
T2.FileExt AS File_Ext,
T2.FileName AS Filename,
T2.FileType AS FileType,
T1.TotalContentSize AS Size,
T5.DestinationURL AS Dest_URL,
T6.Recipients AS Email_Recp,
T3.DeviceDescription AS Device_Desc,
T3.VolumeLabel AS VolumeLabel,
T3.VolumeSerialNumber AS Vol_Serial,
T3.DeviceClassName AS Device_Class,
T7.PrimaryUserAccountID AS Acc_ID,
T10.copyDirection AS Direction
FROM UDLP_Incidents AS T1
LEFT JOIN UDLP_IncidentEmail AS T6
    ON T1.IncidentId = T6.IncidentId
LEFT JOIN UDLP_EventUsers AS T7
    ON T1.UserId = T7.UserId
LEFT JOIN UDLP_IncidentWebPost AS T5
    ON T1.IncidentId = T5.IncidentId
LEFT JOIN UDLP_EventPolicyInfo AS T9
    ON T1.PolicyInfoId = T9.PolicyInfoId
LEFT JOIN UDLP_IncidentDevice AS T3
    ON T1.IncidentId = T3.IncidentId
LEFT JOIN UDLP_IncidentRuleEvidencesQueriesView AS T2
    ON T1.IncidentId = T2.IncidentId
LEFT JOIN UDLP_EventComputers AS T8
    ON T1.ComputerID = T8.ID
LEFT JOIN UDLP_IncidentApplications AS T4
    ON T1.SourceApplicationId = T4.ApplicationId
LEFT JOIN UDLP_Incidents_Archive AS T10
    ON T1.IncidentId = T10.IncidentId
WHERE T1.IncidentId > ?
ORDER BY T1.IncidentId ASC
Again, bear in mind I'd go through the query interface if I were you, as your mileage with populated data or schema may vary, and the table structure in ePO is simply terrible. And I never could find an incident ID I could use to correlate this with the standard ePO query from the Splunk-generated TA, and we needed to modify the ePO query itself to properly display the signature version, as not all fields properly populate for us.
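A check worth running before wiring the query above into a DB Connect rising-column input (added here as an example; it is not part of the original post): several of the joined tables can hold more than one row per incident, so this counts how many rows each incident expands to after the one-to-many joins. Table names are the ones used in the post; the output alias names are assumed.

```sql
-- Added check (not from the original post): list incidents that fan out into
-- multiple rows through the one-to-many joins. DISTINCT in the main query only
-- collapses rows that are identical in every column, so any incident listed
-- here will still produce several Splunk events per IncidentId.
SELECT T1.IncidentId AS IncID,
       COUNT(*)      AS RowsAfterJoin
FROM UDLP_Incidents AS T1
LEFT JOIN UDLP_IncidentRuleEvidencesQueriesView AS T2
    ON T1.IncidentId = T2.IncidentId
LEFT JOIN UDLP_IncidentEmail AS T6
    ON T1.IncidentId = T6.IncidentId
LEFT JOIN UDLP_IncidentDevice AS T3
    ON T1.IncidentId = T3.IncidentId
LEFT JOIN UDLP_IncidentWebPost AS T5
    ON T1.IncidentId = T5.IncidentId
GROUP BY T1.IncidentId
HAVING COUNT(*) > 1
ORDER BY RowsAfterJoin DESC;
```

If this returns rows, decide whether to aggregate the offending columns (for example the evidence view) or accept multiple events per incident before you trust incident counts in Splunk.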