Level 10
Message 1 of 10

Adaptive Threat Protection Events


We are not seeing any ATP events under Reporting or Dashboards. Is this normal if observe mode is checked in the policy? I should at least see observed events, right? Or is there another reason why no events are present? Everything is configured and working as far as DXL & TIE are concerned. I find it odd that no events are reporting.

1 Solution

Accepted Solutions
McAfee Employee
Message 2 of 10

Re: Adaptive Threat Protection Events


Hi @kblowe 

Many thanks for posting on the Community.

I would be very surprised if you weren't seeing any events generated; however, to force one, you can use the Real Protect Test Files: https://kc.mcafee.com/corporate/index?page=content&id=KB88828

One in-built Dashboard is called: Endpoint Security: Adaptive Threat Protection Observed Events - this dashboard should be getting populated with your observation events.

If you aren't seeing any events at all, it might be worth checking that you are allowing the generation of these events. To do this, please navigate within your ePO server to Server Settings > Event Filtering. You want to check that the events 35100 - 35107 are enabled.

If these are checked, then you can also check that within your McAfee Agent policy you aren't just forwarding Major events. You may need to select a lower event level, e.g. Informational.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

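The reply above describes three configuration gates an ATP event has to pass before it reaches ePO Reporting: ENS Common client event logging, the McAfee Agent event-forwarding level, and ePO Server Settings > Event Filtering. The following is an added troubleshooting model, not McAfee code and not from the thread; the severity ordering, policy field names and sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Event IDs the reply says must be enabled under Server Settings > Event Filtering.
ATP_EVENT_IDS = frozenset(range(35100, 35108))

# Assumed severity ordering (lowest first) for the McAfee Agent
# "forward events with a priority equal to or greater than" setting.
SEVERITY_ORDER = ["Informational", "Warning", "Minor", "Major", "Critical"]


@dataclass
class Event:
    event_id: int
    severity: str
    note: str  # constructed description, not real ATP event text


@dataclass
class Policy:
    ens_atp_logging: bool        # ENS Common > Client Logging > Event Logging (ATP)
    agent_min_severity: str      # McAfee Agent > General > event forwarding level
    epo_enabled_ids: frozenset   # ePO Server Settings > Event Filtering


def trace_event(ev: Event, pol: Policy) -> str:
    """Return 'reported', or name the first gate that drops the event."""
    if not pol.ens_atp_logging:
        return "dropped: ENS Common event logging for ATP is off"
    if SEVERITY_ORDER.index(ev.severity) < SEVERITY_ORDER.index(pol.agent_min_severity):
        return f"dropped: below agent forwarding level {pol.agent_min_severity}"
    if ev.event_id not in pol.epo_enabled_ids:
        return f"dropped: event ID {ev.event_id} filtered in ePO Event Filtering"
    return "reported"


def diagnose(events, pol: Policy) -> dict:
    """Map each event ID to its outcome under the given policy chain."""
    return {ev.event_id: trace_event(ev, pol) for ev in events}


# Constructed sample: a low-severity observe-mode style event and a Major
# block event. The severities are assumptions, not documented ATP values.
SAMPLE_EVENTS = [
    Event(35107, "Informational", "constructed observe-mode event"),
    Event(35100, "Major", "constructed block event"),
]

if __name__ == "__main__":
    # Resembles the original poster's setup: agent forwards Minor and above.
    poster = Policy(True, "Minor", ATP_EVENT_IDS)
    for eid, outcome in diagnose(SAMPLE_EVENTS, poster).items():
        print(eid, outcome)
```

Running it with the poster's "Minor" forwarding level shows the observe-mode event silently dropped at the agent gate while the block event is reported, which is the symptom the thread describes.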

9 Replies

Level 10
Message 3 of 10

Re: Adaptive Threat Protection Events


Events 35100 - 35107 are enabled and stored on ePO. Also, the McAfee Agent > General policy events are set to Minor. Could be an issue with policy. I checked and the ENS Common policy didn't have Client Logging > Event Logging for ATP events to log set at all. I set it to warning, critical, and alert. Will monitor for events.

If you have any other steps, please let me know.

McAfee Employee
Message 4 of 10

Re: Adaptive Threat Protection Events


Hi @kblowe 

You may need to set the Event Level within ePO Forwarding to Informational. If you still don't see any events, please do try this. And as I said, if you want to force event generation so you can check quicker then you can use the Real Protect Test Files.

But if you didn't have ATP Events within ENS Common Policy enabled, then you may have already found the problem 🙂 

Level 10
Message 5 of 10

Re: Adaptive Threat Protection Events


Just an FYI, I was seeing events up until a month ago. I changed to Informational and that didn't make a difference. I downloaded the Test File to generate an event and that worked as it should. The events showed up under ATP events as blocked.

My question now is maybe the ATP policy is not strict enough. I have "Endpoint Security Adaptive Threat Protection : Policy Category > Options" set to Productivity under Rule Assignment, for which by default the Action Enforcement is "Trigger Dynamic Application Containment when reputation threshold reaches: Most Likely Malicious" and "Block when reputation threshold reaches: Known Malicious". Is it better to keep the Rule Assignment at "Balanced", or does it depend on the organization? Because currently no events are happening and we are not in observe mode. Any insight would be helpful. Thanks.

McAfee Employee
Message 6 of 10

Re: Adaptive Threat Protection Events


Hi @kblowe 

Thank you for sharing feedback. I am glad you received events once forced with the Test File - at least that proves that you do have everything set up correctly.

We recommend keeping the default configuration. Of course you can change these settings if you want, this is your choice and I urge caution and would advise only applying the policy as a test to a certain sub-set of machines so you avoid any impact. If you change DAC to trigger when "Unknown" I would expect you to see a lot of events. 

Level 10
Message 7 of 10

Re: Adaptive Threat Protection Events


Thanks for the tips. I recreated the ATP Options policy and left it at the default of Balanced instead of Productivity. I started noticing events slowly generating.

There is not much in the ATP guide on Threat Detection Messaging. I have the defaults below, but isn't that excessive, meaning it will send a message for every Unknown file to the user?

Display threat notifications to user. The defaults when checked are:

  • Notify the user when reputation threshold reaches: Unknown
  • Default Action: Allow
  • Specify length (minutes) of timeout: 5
  • Message: McAfee Endpoint Security detected a file with an unknown reputation.

McAfee Employee
Message 8 of 10

Re: Adaptive Threat Protection Events


Hi @kblowe 

By default, ATP's specific Threat Detection User Messaging is actually disabled. You will still receive threat detection notifications in the form of a Windows toast notification, the same as you would for a threat detected by On-Access Scan.

To directly answer your question though, yes this would generate a lot of noise/interruption for users if you have this setting enabled and set to trigger at unknown. The main benefit this feature provides is the ability to make users confirm that they want to run the unknown application (by selecting Allow in the notification) to give an extra bump towards thinking about what they're running on the machine. But, like I said, this will generate a lot of noise.

Hopefully that helps!


Thank you,
Mitchell Buehler

McAfee Employee
Message 9 of 10

Re: Adaptive Threat Protection Events


Hi @kblowe,

Please tell me if you are using ePO On-Prem or MVISION ePO/Cloud ePO.

If you are using On-Prem, then the events should be selectable from the event ID list under Server Settings > Event Filtering.

If, however, you are using MVISION ePO or cloud-based ePO, events 35100-35107 are filtered out by the platform and at this stage cannot be enabled on either cloud-based platform.

Level 10
Message 10 of 10

Re: Adaptive Threat Protection Events


ePO is on-premise and, as I mentioned previously, events 35100-35107 are all selected. Thanks
