JKBH1
Level 10
Message 1 of 4

ePO's DLP events forwarded to syslog showing limited fields when data is ingested in Splunk

Hi, we recently configured our ePO to forward events to syslog. The DLP data is showing in Splunk, however, we noticed that the fields are limited.

For example, for a Removable Storage incident, these are the fields that are showing up in Splunk:

  • timestamp
  • IncidentID
  • dest_nt_host
  • source_logon_user
  • event_description
  • dlp_rule
  • detection_method
  • UniqueMatchKeywords
  • EvidenceFileName
  • classification

In ePO, when digging into a Removable Storage incident, these fields (from Additional Information) are not showing up in Splunk:

  • Copy Direction
  • Device Friendly Name
  • Device Description
  • Device Class Name
  • Device Class GUID
  • Compatible ID
  • Instance ID
  • Bus Type
  • USB Class
  • USB Serial Number
  • File System Access
  • File System Type
  • Volume Label
  • Volume Serial Number
  • Destination Path
  • USB (VID/PID Codes)

For a Cloud Protection incident, this field is not showing up in Splunk: Cloud Service.

These are the DLP events selected. Wish it was easier to go through what events are being sent out as it is a long list. A filter perhaps for Agent, DLP, ENS, ATP, etc.

19136: McAfee DLP Endpoint User Sessions (Info)

19402: McAfee DLP Prevent Registered (Info)
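Added example (not code from this thread, from McAfee, or from ePO): a small audit script that parses forwarded DLP events and reports, per incident type, which of the fields visible in the ePO incident actually arrive in the syslog stream and which never do. Everything about the wire format is an assumption: events are treated as a syslog header followed by space-separated key=value pairs with double-quoted values, the key names for the "Additional Information" fields are assumed spellings of the UI labels, and `event_description` is assumed to carry the incident type. The sample lines are constructed from the field names listed in the post; point the script at your own collector output and adjust the parser if the real format differs.

```python
"""Audit which ePO DLP incident fields survive the syslog forwarder.

Added example for this thread, not McAfee/Trellix code. ASSUMPTIONS:
event = "<PRI>timestamp host app: key=value key="quoted value" ...";
field keys below are assumed spellings of the ePO UI labels;
event_description is assumed to name the incident type.
"""
import re
from collections import defaultdict

# Fields the post reports as arriving for a Removable Storage incident.
OBSERVED_REMOVABLE = {
    "timestamp", "IncidentID", "dest_nt_host", "source_logon_user",
    "event_description", "dlp_rule", "detection_method",
    "UniqueMatchKeywords", "EvidenceFileName", "classification",
}

# Fields from the incident's "Additional Information" pane that the post
# says do not reach Splunk (assumed key spellings), plus the Cloud Service
# field missing from Cloud Protection incidents.
WANTED = {
    "Removable Storage": OBSERVED_REMOVABLE | {
        "CopyDirection", "DeviceFriendlyName", "DeviceDescription",
        "DeviceClassName", "DeviceClassGUID", "CompatibleID", "InstanceID",
        "BusType", "USBClass", "USBSerialNumber", "FileSystemAccess",
        "FileSystemType", "VolumeLabel", "VolumeSerialNumber",
        "DestinationPath", "USBVIDPID",
    },
    "Cloud Protection": OBSERVED_REMOVABLE | {"CloudService"},
}

# Constructed sample events (assumed format, not captured ePO output).
SAMPLE_EVENTS = [
    '<134>Jan 12 10:01:02 epo01 EPOEvents: timestamp=2024-01-12T10:01:02Z '
    'IncidentID=10001 dest_nt_host=WS-0451 source_logon_user="CORP\\\\jdoe" '
    'event_description="Removable Storage" dlp_rule="Block PII to USB" '
    'detection_method=Keywords UniqueMatchKeywords="SSN,DOB" '
    'EvidenceFileName="payroll.xlsx" classification=PII',
    '<134>Jan 12 10:03:17 epo01 EPOEvents: timestamp=2024-01-12T10:03:17Z '
    'IncidentID=10002 dest_nt_host=WS-0102 source_logon_user="CORP\\\\asmith" '
    'event_description="Cloud Protection" dlp_rule="Block PII upload" '
    'detection_method=Keywords UniqueMatchKeywords="SSN" '
    'EvidenceFileName="clients.csv" classification=PII',
]

# Syslog header: "<PRI>" up to the first "appname: " separator.
_HEADER = re.compile(r"^<\d{1,3}>.*?: ")
# key=value tokens; quoted values may contain spaces and backslash escapes.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Return the key=value fields of one forwarded event as a dict."""
    payload = _HEADER.sub("", line, count=1)
    fields = {}
    for key, raw in _TOKEN.findall(payload):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            # Drop the quotes and resolve \" and \\ escapes.
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        fields[key] = raw
    return fields


def coverage(lines, wanted=WANTED, type_field="event_description"):
    """Per incident type, list wanted fields seen in at least one event,
    wanted fields that never appeared, and fields not in the wanted set.
    Types with no entry in `wanted` are still reported, so unexpected
    event types stay visible rather than silently passing."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        seen[ev.get(type_field, "<unknown>")].update(ev)
    report = {}
    for itype, keys in seen.items():
        expected = wanted.get(itype, set())
        report[itype] = {
            "present": sorted(expected & keys),
            "missing": sorted(expected - keys),
            "unexpected": sorted(keys - expected),
        }
    return report


if __name__ == "__main__":
    for itype, r in coverage(SAMPLE_EVENTS).items():
        print(f"{itype}: {len(r['present'])} present, "
              f"{len(r['missing'])} never forwarded: {', '.join(r['missing'])}")
```

Run it against a day's worth of real forwarded events before deciding whether the syslog feed is sufficient: a field that is merely empty on the sampled incidents shows up as present, while one the forwarder never emits shows up as missing for every event of that type, which is the gap the post describes.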
3 Replies
cdinet
McAfee Employee
Message 2 of 4

Re: ePO's DLP events forwarded to syslog showing limited fields when data is ingested in Splunk

See if this helps any; otherwise you might want to contact the DLP team.

KB93612

https://community.mcafee.com/t5/Data-Loss-Prevention-DLP/bd-p/data-loss-prevention


JKBH1
Level 10
Message 3 of 4

Re: ePO's DLP events forwarded to syslog showing limited fields when data is ingested in Splunk

Thank you @cdinet for the KB info.

Based on the attached files in that KB, the DLP events do not seem to forward everything when a DLP incident is generated. 

We're trying to get out of the DB query/connect, as this is custom; joining tables can be daunting when you're not a DBA. Unfortunately, the support team won't touch an SR when we need assistance with a custom DB query.

So, I'm leveraging this forward feature from ePO to syslog. Disappointing to initially see that the forwarded DLP events are limited. It's looking like we have to go back to modifying our DB queries to get this information to Splunk.

cdinet
McAfee Employee
Message 4 of 4

Re: ePO's DLP events forwarded to syslog showing limited fields when data is ingested in Splunk

Let me move this over to dlp team to see if they have any other suggestions.

