mrgodfrey
Level 7

Regarding McAfee HIP v8.0.0 AgentEvent logs

How can I find information that explains what the AgentEvent logs contain? I have several XML logs that show eventID 18000 with a signatureID 4336, along with other details regarding the incident. Can I show whether this suspicious file that the HIP alerted on was actually executed or just viewed?

0 Kudos
5 Replies
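As an added illustration (not code from this thread or from McAfee), a small Python triage script that pulls the EventID 18000 / signature 4336 hits out of an AgentEvent XML file and separates the events in which the file of interest was the acting process from those in which it was only the target of some other process. The element names, the sample file and the paths are assumptions modelled on the fields named in this thread and should be checked against a real AgentEvent file before relying on them.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an AgentEvent file; element names are
# assumptions modelled on the thread, not a verified McAfee schema.
SAMPLE_XML = r"""<UpdateEvents>
  <MachineInfo><MachineName>HOST01</MachineName></MachineInfo>
  <SoftwareInfo ProductName="McAfee Host Intrusion Prevention" ProductVersion="8.0.0">
    <Event><EventID>18000</EventID><GMTTime>2013-05-01T12:00:00</GMTTime><CommonFields>
      <SourceProcessName>C:\Windows\explorer.exe</SourceProcessName>
      <TargetFileName>C:\Users\bob\Downloads\suspect.exe</TargetFileName>
      <ThreatName>4336</ThreatName><ThreatActionTaken>blocked</ThreatActionTaken>
    </CommonFields></Event>
    <Event><EventID>18000</EventID><GMTTime>2013-05-01T12:05:00</GMTTime><CommonFields>
      <SourceProcessName>C:\Users\bob\Downloads\suspect.exe</SourceProcessName>
      <TargetFileName>C:\Windows\System32\drivers\etc\hosts</TargetFileName>
      <ThreatName>4336</ThreatName><ThreatActionTaken>blocked</ThreatActionTaken>
    </CommonFields></Event>
    <Event><EventID>18000</EventID><GMTTime>2013-05-01T12:07:00</GMTTime><CommonFields>
      <SourceProcessName>C:\Windows\notepad.exe</SourceProcessName>
      <TargetFileName>C:\Users\bob\notes.txt</TargetFileName>
      <ThreatName>4001</ThreatName><ThreatActionTaken>allowed</ThreatActionTaken>
    </CommonFields></Event>
  </SoftwareInfo>
</UpdateEvents>"""

def hip_events(xml_text, event_id="18000", signature_id=None):
    """Return HIPS events with the given EventID (and signature, if given)."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        cf = ev.find("CommonFields")
        sig = cf.findtext("ThreatName") if cf is not None else None
        if ev.findtext("EventID") != event_id or cf is None:
            continue
        if signature_id is not None and sig != signature_id:
            continue
        events.append({"time": ev.findtext("GMTTime"), "signature": sig,
                       "process": cf.findtext("SourceProcessName", ""),
                       "target": cf.findtext("TargetFileName", ""),
                       "action": cf.findtext("ThreatActionTaken")})
    return events

def file_roles(events, path):
    """Split events by the file's role: the acting process (evidence it ran)
    versus the object some other process touched (opened, copied, viewed)."""
    p = path.lower()
    return {
        "acted_as_process": [e for e in events if e["process"].lower() == p],
        "was_target": [e for e in events if e["target"].lower() == p],
    }
```

A hit where the file appears as the SourceProcessName is evidence it ran as a process; a hit where it is only the TargetFileName shows that another process touched it, which by itself does not prove execution.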
exbrit
Level 21

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

Moved this to HIPs for better attention hopefully.

Peter

Moderator

0 Kudos
fitchsoccer342
Level 13

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

If you go into the ePO console, find the machine that produced that HIPS event (18000), Actions -> Agent -> Show Threat Events. From there you can click on the event and see all the details about it; what detected it, directory of the file, action taken, what it tried to do, etc.

0 Kudos
ansarias
Level 13

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

Hello,

You can validate through the 2 ePO properties below.

1. Event Category > Belongs to = Host Intrusion

2. Event Description > Equals = Host intrusion detected and handled

0 Kudos
mrgodfrey
Level 7

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

I found entries in the AgentEvent logs, so I have a couple of follow-up questions:

I am conducting a forensics examination of this host. In the registry, there is a key named "LoggedOnUser" in SOFTWARE>Wow6432Node>Network Associates>ePolicy Orchestrator>Agent.

How is this key populated?

Is there a registry artifact (or some other indication) that shows when the last time the AgentEvent logs were cleared?

0 Kudos
ansarias
Level 13

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

Well, LoggedOnUser defines the currently logged-on user account details during Agent-to-ePO server communication, as it will use that user ID to upload the events into the ePO console.

The McAfee Agent policy has settings for log size, so once the log is filled it will automatically be overwritten with new agent logs.

0 Kudos