McAfee Employee

Re: Splunk integration broken after ePO 5.10 upgrade

What kind of errors? Does Splunk support TLS version 1.2?

Re: Splunk integration broken after ePO 5.10 upgrade

I resolved this myself. I had to step through the query one line at a time until I got it to work.

Re: Splunk integration broken after ePO 5.10 upgrade

Could you please provide the query that worked for you?

Re: Splunk integration broken after ePO 5.10 upgrade

This is the query that we're using:

---------------------------------------------

SELECT
    [EPOEvents].[ReceivedUTC] as [timestamp],
    [EPOEvents].[AutoID],
    [EPOEvents].[ThreatName] as [signature],
    [EPOEvents].[ThreatType] as [threat_type],
    [EPOEvents].[ThreatEventID] as [signature_id],
    [EPOEvents].[ThreatCategory] as [category],
    [EPOEvents].[ThreatSeverity] as [severity_id],
    [EPOEvents].[DetectedUTC] as [detected_timestamp],
    [EPOEvents].[TargetFileName] as [file_name],
    [EPOEvents].[AnalyzerDetectionMethod] as [detection_method],
    [EPOEvents].[ThreatActionTaken] as [vendor_action],
    CAST([EPOEvents].[ThreatHandled] as int) as [threat_handled],
    [EPOEvents].[TargetUserName] as [logon_user],
    [EPOComputerPropertiesMT].[UserName] as [user],
    [EPOComputerPropertiesMT].[DomainName] as [dest_nt_domain],
    [EPOEvents].[TargetHostName] as [dest_dns],
    [EPOEvents].[TargetHostName] as [dest_nt_host],
    [EPOComputerPropertiesMT].[IPHostName] as [fqdn],
    [dest_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerPropertiesMT].[IPV4x] + 2147483648))),4,1))) ),
    [EPOComputerPropertiesMT].[SubnetMask] as [dest_netmask],
    [EPOComputerPropertiesMT].[NetAddress] as [dest_mac],
    [EPOComputerPropertiesMT].[OSType] as [os],
    [EPOComputerPropertiesMT].[OSVersion] as [os_version],
    [EPOComputerPropertiesMT].[OSBuildNum] as [os_build],
    [EPOComputerPropertiesMT].[TimeZone] as [timezone],
    [EPOEvents].[SourceHostName] as [src_dns],
    [src_ip] = ( convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1))) ),
    [EPOEvents].[SourceMAC] as [src_mac],
    [EPOEvents].[SourceProcessName] as [process],
    [EPOEvents].[SourceURL] as [url],
    [EPOEvents].[SourceUserName] as [source_logon_user],
    [EPOProdPropsView_VIRUSCAN].[datver] as [vse_dat_version],
    [EPOProdPropsView_VIRUSCAN].[enginever64] as [vse_engine64_version],
    [EPOProdPropsView_VIRUSCAN].[enginever] as [vse_engine_version],
    [EPOProdPropsView_VIRUSCAN].[hotfix] as [vse_hotfix],
    [EPOProdPropsView_VIRUSCAN].[productversion] as [vse_product_version],
    [EPOProdPropsView_VIRUSCAN].[servicepack] as [vse_sp],
    [EPOEvents].[AnalyzerName] as [product],
    [EPOEvents].[AnalyzerVersion] as [product_version],
    [EPOEvents].[AnalyzerEngineVersion] as [engine_version],
    [EPOEvents].[AnalyzerDATVersion] as [dat_version],
    [EPOProdPropsView_THREATPREVENTION].[verDAT32Major] AS [TP_dat_version],
    [EPOProdPropsView_THREATPREVENTION].[verEngine32Major] AS [TP_engine32_version],
    [EPOProdPropsView_THREATPREVENTION].[verEngine64Major] AS [TP_engine64_version],
    [EPOProdPropsView_THREATPREVENTION].[verHotfix] AS [TP_hotfix],
    [EPOProdPropsView_THREATPREVENTION].[ProductVersion] AS [TP_product_version]
FROM "EPOSERVER_Events"."dbo"."EPOEvents"
LEFT JOIN [EPOLeafNode] ON [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID]
LEFT JOIN [EPOProdPropsView_VIRUSCAN] ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID]
LEFT OUTER JOIN [EPOProdPropsView_THREATPREVENTION] ON [EPOLeafNode].[AutoID] = [EPOProdPropsView_THREATPREVENTION].[LeafNodeID]
LEFT JOIN [EPOComputerPropertiesMT] ON [EPOLeafNode].[AutoID] = [EPOComputerPropertiesMT].[ParentID]
LEFT JOIN [EPOEventFilterDesc] ON [EPOEvents].[ThreatEventID] = [EPOEventFilterDesc].[EventId]
    AND ([EPOEventFilterDesc].[Language]='0409')
WHERE [EPOEvents].[AutoID] > ?
ORDER BY [EPOEvents].[AutoID] ASC

---------------------------------------------
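Two pieces of the query above are easy to get wrong when it is reproduced elsewhere. The `?` in `WHERE [EPOEvents].[AutoID] > ?` is a positional bind parameter: Splunk DB Connect fills it from the stored rising-column checkpoint, and a driver rejects the statement if nothing is bound to it. The `+ 2147483648` inside the `dest_ip` and `src_ip` expressions undoes ePO's habit of storing an IPv4 address as a signed 32-bit integer shifted down by 2^31, after which the four big-endian bytes are the octets. The block below is an added example, not code from this thread or from McAfee or Splunk. It decodes IPV4x in Python in place of the T-SQL CONVERT/SUBSTRING chain and runs a cut-down three-table version of the rising-column poll against an in-memory sqlite3 stand-in for the ePO database. The table and column names follow the query; the schema and all rows are constructed for the demo and are assumptions, not real ePO data.

```python
"""Rising-column poll and IPV4x decoding for ePO events (added example).

Stand-in for the ePO SQL Server database: an in-memory sqlite3 DB with
constructed rows (assumption: same table/column names as the query, the
T-SQL CONVERT/SUBSTRING chain replaced by a Python function).
"""
import sqlite3
import struct

IPV4X_OFFSET = 2_147_483_648  # 2**31, the constant the query adds to IPV4x


def ipv4x_to_dotted(ipv4x: int) -> str:
    """Decode ePO's IPV4x (unsigned address minus 2**31, stored as a signed
    32-bit int) into dotted-quad form, reading the four big-endian bytes
    exactly as the query's SUBSTRING(CONVERT(varbinary(4), ...)) does."""
    unsigned = ipv4x + IPV4X_OFFSET
    if not 0 <= unsigned <= 0xFFFFFFFF:
        raise ValueError(f"IPV4x {ipv4x} is outside the 32-bit range")
    return ".".join(str(b) for b in struct.pack(">I", unsigned))


def dotted_to_ipv4x(addr: str) -> int:
    """Inverse of ipv4x_to_dotted; used here only to build sample rows."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return struct.unpack(">I", bytes(octets))[0] - IPV4X_OFFSET


# Same join path as the thread's query (AgentGUID -> EPOLeafNode.AutoID ->
# EPOComputerPropertiesMT.ParentID), cut down to three columns.
RISING_COLUMN_SQL = """
SELECT e.AutoID, e.ThreatName AS signature, c.IPV4x
FROM EPOEvents AS e
LEFT JOIN EPOLeafNode AS n ON e.AgentGUID = n.AgentGUID
LEFT JOIN EPOComputerPropertiesMT AS c ON n.AutoID = c.ParentID
WHERE e.AutoID > ?
ORDER BY e.AutoID ASC
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed rows; guid-c has no properties
    row, so its IPV4x comes back NULL through the LEFT JOIN."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE EPOLeafNode (AutoID INTEGER PRIMARY KEY, AgentGUID TEXT);
        CREATE TABLE EPOComputerPropertiesMT (ParentID INTEGER, IPV4x INTEGER);
        CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, AgentGUID TEXT,
                                ThreatName TEXT);
    """)
    con.executemany("INSERT INTO EPOLeafNode VALUES (?, ?)",
                    [(1, "guid-a"), (2, "guid-b"), (3, "guid-c")])
    con.executemany("INSERT INTO EPOComputerPropertiesMT VALUES (?, ?)",
                    [(1, dotted_to_ipv4x("10.1.2.3")),
                     (2, dotted_to_ipv4x("192.168.1.1"))])
    con.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?)",
                    [(100, "guid-a", "EICAR test file"),
                     (101, "guid-b", "Sample-Threat-A"),
                     (102, "guid-a", "Sample-Threat-B"),
                     (103, "guid-c", "Sample-Threat-C")])
    return con


def poll_new_events(con: sqlite3.Connection, checkpoint: int):
    """One rising-column poll: rows with AutoID above the checkpoint, and the
    new checkpoint (highest AutoID seen, or the old value if nothing new)."""
    rows = con.execute(RISING_COLUMN_SQL, (checkpoint,)).fetchall()
    events = [{"AutoID": auto_id,
               "signature": sig,
               "dest_ip": ipv4x_to_dotted(ip) if ip is not None else None}
              for auto_id, sig, ip in rows]
    return events, (rows[-1][0] if rows else checkpoint)


def unbound_parameter_fails(con: sqlite3.Connection) -> bool:
    """The '?' must be bound by the caller (DB Connect supplies the stored
    checkpoint). Executing the statement with no value bound is rejected
    by the driver; sqlite3 raises ProgrammingError."""
    try:
        con.execute(RISING_COLUMN_SQL).fetchall()
    except sqlite3.ProgrammingError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    batch, cp = poll_new_events(db, 0)   # first run: nothing collected yet
    for event in batch:
        print(event)
    again, cp = poll_new_events(db, cp)  # nothing new: empty batch, same cp
    print("second poll:", len(again), "rows, checkpoint", cp)
    print("unbound '?' rejected:", unbound_parameter_fails(db))
```

The second poll, run with the checkpoint returned by the first, comes back empty, which is the property a rising-column input depends on to avoid re-ingesting events. A NULL IPV4x (an event whose leaf node has no computer-properties row under the LEFT JOIN) is passed through as None instead of crashing the decoder, and the signed-integer round trip covers both ends of the range: 0.0.0.0 is stored as -2147483648 and 255.255.255.255 as 2147483647.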

Re: Splunk integration broken after ePO 5.10 upgrade

@McAfeeTom How did you join the two databases for this query? IIRC ePO created a new DB just for EPOEvents and the other tables remained in the original DB.

McAfee Employee

Re: Splunk integration broken after ePO 5.10 upgrade

You don't need to join the tables. When you query the EPOEvents table on the main DB, they are linked, so the query will work as if they were one database.

Re: Splunk integration broken after ePO 5.10 upgrade

Hi,

For some reason I see the following error when I try your query:

"The value is not set for the parameter number 1"

Do you maybe know why it is happening?

I can also see the following error when I connect to the lab:

"Error(s) occur when reading checkpoint"

Thanks in advance
