I've spoken to 3 different McAfee support tech's regarding this topic. And I believe the gist of what I'm hearing is they recommend using Windows Event Forwarding to collect logs to the WEF server. Then configuring WEF with the SIEM collector to send the events to the SIEM. We originally just used SIEM Collector on each workstation, but when using DHCP and the IP changes (e.g. a laptop undocks and gets on wifi or goes home and connects over VPN) the IP changes and the data source is bound to the IP. Using WEF allows us to set it up via GPO which will also help us to not have to build a data source for each workstation build. It also minimizes the traffic coming from every host over a WAN to the ERC (if applicable for your environment).
The only issue I have right now is a big time delta issue for the WEF server in ESM. If I resolve that and remember to, I'll re-post any improvements needed to fix that.
This was my goal too, unfortunately Microsoft does not include the IP of the event generating workstation in the event, so this means workstation logs are all stored under the same ESM data source (the collector server). That may or may not work for you, but it makes correlation rules pretty difficult.
Haven't tried this myself, but I thought endpoint WMI can be achieved by using SIEM collector configured using Host ID rather than source IP address. But the FW rules will be a nightmare, unless you specify the entire endpoint subnet.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.