Enhancing Security Events/Logging EPO

Hello All,

I was wondering if there's any way to enhance the logging/events capability in EPO?

Are there additional threat events we can create?

We have some usable intelligence from the threat event descriptions; however, we are looking to fine-tune this to get more usable results. We currently get over 2000 events per day relating to "host intrusion detected and handled" and access protection violations. This will require fine-tuning on our side, but I am wondering if anyone else has had experience of fine-tuning this down to a small amount in a big company. Also, is there any way to search the threat events for key words, or change it from the last 24 hours to 30 days with a search option?

Is there any way of adding any other security monitoring, alerting functions within EPO?

A sample of what we currently have is below:

All help greatly appreciated

3 Replies
Reliable Contributor tao
Reliable Contributor
Message 2 of 4

Re: Enhancing Security Events/Logging EPO

I was wondering if there's any way to enhance the logging/events capability in EPO?

The log files detailed in this guide represent a subset of all McAfee® ePolicy Orchestrator® log files, with particular attention to the log files used when managing and troubleshooting product issues.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24809/en_US/...

Are there additional threat events we can create?

Yes, "User-Defined Rules": create your own threat event and track/monitor that event.

Is there any way of adding any other security monitoring, alerting functions within EPO?

Yes, "User-Defined Rules": create your own threat event and track/monitor that event. You can set up an Auto Response for these or for any other "Threat Event".

Also is there any way to search the threat events for key words or change it from the last 24 hours to 30 days with a search option?

Yes, click on "Access protection rule violation detected and blocked"; under "Custom" create a filter for 6 hours. Make sure to add two columns, "threat source process name" and "threat target file path", and search both columns for a common source/file.

If this information was helpful or has answered your question, please select Accept as Solution. This will assist other members.
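The filtering approach in the reply above (group the noisy events by source process and target path, and search both columns) is easy to do offline on a CSV export of the Threat Event Log, which also gets around the 24-hour default window. The script below is an added example, not code from this thread or from McAfee; it assumes the export uses the column names "Event Generated Time", "Event Description", "Threat Source Process Name" and "Threat Target File Path" (check them against your own export), and the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a Threat Event Log CSV export.
# The column names are assumptions; check them against your own export.
SAMPLE_CSV = r"""Event Generated Time,Event Description,Threat Source Process Name,Threat Target File Path
2019-03-01 08:12:44,Access protection rule violation detected and blocked,C:\Program Files\Backup\agent.exe,C:\Windows\System32\drivers\etc\hosts
2019-03-01 08:13:10,Access protection rule violation detected and blocked,C:\Program Files\Backup\agent.exe,C:\Windows\System32\drivers\etc\hosts
2019-03-01 09:01:02,Host intrusion detected and handled,C:\Users\alice\AppData\Local\Temp\setup.exe,C:\Windows\Temp\x.dll
2019-03-02 11:40:00,Access protection rule violation detected and blocked,C:\Program Files\Backup\agent.exe,C:\Windows\System32\drivers\etc\hosts
2019-01-15 10:00:00,Host intrusion detected and handled,C:\Users\bob\Downloads\tool.exe,C:\Windows\Temp\y.dll
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Fixed "now" so the sample data gives repeatable results (constructed).
REPORT_TIME = datetime(2019, 3, 2, 12, 0, 0)


def load_events(csv_text):
    """Parse the export; keep each raw row plus a parsed timestamp under '_ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["_ts"] = datetime.strptime(row["Event Generated Time"], TIME_FORMAT)
        events.append(row)
    return events


def in_window(events, now, days):
    """Keep only events generated in the last `days` days relative to `now`."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e["_ts"] >= cutoff]


def top_pairs(events, n=10):
    """Rank (description, source process, target path) tuples by count.

    The tuples at the top are the candidates for an exclusion or a tighter
    Access Protection / HIPS rule; the long tail is what is left for an
    analyst to look at."""
    counts = Counter(
        (e["Event Description"], e["Threat Source Process Name"], e["Threat Target File Path"])
        for e in events
    )
    return counts.most_common(n)


def search(events, keyword):
    """Case-insensitive keyword search over source process and target path."""
    kw = keyword.lower()
    return [
        e for e in events
        if kw in e["Threat Source Process Name"].lower()
        or kw in e["Threat Target File Path"].lower()
    ]


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    recent = in_window(events, REPORT_TIME, days=30)
    print("Top source/target pairs in the last 30 days:")
    for (desc, src, dst), count in top_pairs(recent):
        print(f"{count:4d}  {desc}  {src} -> {dst}")
    print("Events mentioning agent.exe:")
    for e in search(events, "agent.exe"):
        print(" ", e["Event Generated Time"], e["Threat Target File Path"])
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents; the top of the `top_pairs` output is the list of pairs worth writing a rule or exclusion for, and `search` is the keyword search the original question asks about, over whatever window you exported.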
McAfee Employee moekhass
McAfee Employee
Message 3 of 4

Re: Enhancing Security Events/Logging EPO

In addition, you can go to ePO Server Settings \ Event Filtering and enable additional alerts to be collected from endpoints.

Re: Enhancing Security Events/Logging EPO

This will require the infrastructure admin to do this, I believe we have basic options currently enabled. Can you tell me how much information you collect?

I found the following on McAfee: McAfee Corporate KB - McAfee point product generated Event IDs listed in ePolicy Orchestrator KB5467...

There are definitely a few useful ones.

In terms of user-defined rules, I think we're still in our early days and are not yet at the level where we know specifically what we are looking for; we are looking for some out-of-the-box or config changes to implement whilst we think of user-defined rules to set up.

Most of the user-defined rules we have relate to specific trojans and ransomware. Is there any option to specifically report on, or create a dashboard based on, user-defined events only?
