What type of data in addition to sysloag should be ingested into Splunk to help SOC team? I already have the ePO add on installed. Do I need additional apps or TAs?
Hi @SamHTexas
As per the installation instructions the add-on could have been installed on SH ( for knowledge management), HF / Indexer/ UF depends on your environment ( to ingest the syslogs). Install the Splunk Add-on for McAfee ePO Syslog - Splunk Documentation
Add-on sourcetype supports these CIM compatible Intrusion Detection,
Malware datamodels according to Splunk docs - Source types for the Splunk Add-on for McAfee ePO Syslog - Splunk Documentation. Hence if the add-on correctly installed on SH, and syslog data is getting ingested then that is all SOC team wanted for their usecases.
---------------------------------------------
An upvote would be appreciated if it helps!