
Enhancing Security Events/Logging EPO

Hello All,

I was wondering if there's any way to enhance the logging/events capability in EPO?

Are there additional threat events we can create?

We have some usable intelligence from the threat event descriptions; however, we are looking to fine-tune this to get more usable results. We currently get over 2000 events per day relating to host intrusion detected and handled and access protection violations. This will require fine-tuning on our side, but I am wondering if anyone else has had experience of fine-tuning this down to a small amount in a big company. Also, is there any way to search the threat events for keywords, or to change it from the last 24 hours to 30 days with a search option?

Is there any way of adding any other security monitoring, alerting functions within EPO?

A sample of what we currently have is below:

All help greatly appreciated

3 Replies
tao
Level 13

Re: Enhancing Security Events/Logging EPO

I was wondering if there's any way to enhance the logging/events capability in EPO?

The log files detailed in this guide represent a subset of all McAfee® ePolicy Orchestrator® log files, with particular attention to the log files used when managing and troubleshooting product issues.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24809/en_US/...

Are there additional threat events we can create?

Yes: with "User-Defined Rules" you can create your own threat event and track/monitor that event.

Is there any way of adding any other security monitoring, alerting functions within EPO?

Yes: with "User-Defined Rules" you can create your own threat event and track/monitor that event. You can set up an Auto Response for these or for any other "Threat Event".

Also is there any way to search the threat events for key words or change it from the last 24 hours to 30 days with a search option?

Yes: click on "Access protection rule violation detected and blocked", and under "Custom" create a filter for 6 hours. Make sure to add two columns, "threat source process name" and "threat target file path", and search both columns for a common source/file.
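The triage tao describes (a time window, a keyword search across the threat name and the source-process/target-path columns, and a search for the source/file pairs that recur) can also be done offline against an export of the ePO Threat Event Log. The script below is an added example and is not code from this thread or from McAfee. It assumes a CSV export whose header contains the columns "Event Generated Time", "Threat Name", "Threat Source Process Name" and "Threat Target File Path" (check your own export's header; ePO column labels vary by version and view), and it assumes user-defined rule events can be recognised by a "User-Defined Rule" prefix in the threat name (a naming convention you would have to apply yourself when creating the rules). The event rows are constructed sample data.

```python
"""Offline triage of an ePO Threat Event Log export (added example, not McAfee code).

Answers three questions from the thread without touching the console:
  * which events fall in an arbitrary window (30 days instead of 24 hours),
  * which events match a keyword,
  * which (source process, target path) pairs account for most of the noise.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export. Column names are an assumption about the CSV
# export of the ePO Threat Event Log; the threat names for the two noisy
# categories are the ones quoted in the thread, the rest is made up.
SAMPLE_CSV = """Event Generated Time,Threat Name,Threat Source Process Name,Threat Target File Path,Action Taken
2019-05-01 08:02:11,Access Protection rule violation detected and blocked,C:\\Windows\\System32\\svchost.exe,C:\\Program Files\\McAfee\\Agent\\x86\\cmdagent.exe,Blocked
2019-05-01 08:05:40,Access Protection rule violation detected and blocked,C:\\Windows\\System32\\svchost.exe,C:\\Program Files\\McAfee\\Agent\\x86\\cmdagent.exe,Blocked
2019-05-01 09:17:03,Host intrusion detected and handled,C:\\Program Files\\Backup\\backup.exe,C:\\Windows\\System32\\drivers\\etc\\hosts,Blocked
2019-05-02 11:30:59,Access Protection rule violation detected and blocked,C:\\Windows\\System32\\svchost.exe,C:\\Program Files\\McAfee\\Agent\\x86\\cmdagent.exe,Blocked
2019-05-10 14:45:22,User-Defined Rule: suspicious DLL written to TEMP,C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.dll,Blocked
2019-04-01 10:00:00,Host intrusion detected and handled,C:\\Program Files\\Backup\\backup.exe,C:\\Windows\\System32\\drivers\\etc\\hosts,Blocked
"""

SEARCH_FIELDS = ("Threat Name", "Threat Source Process Name", "Threat Target File Path")


def load_events(csv_text):
    """Parse the export and attach a datetime under the private key '_time'."""
    events = list(csv.DictReader(io.StringIO(csv_text)))
    for event in events:
        event["_time"] = datetime.strptime(event["Event Generated Time"], TIME_FMT)
    return events


def in_window(events, end, days):
    """Keep events in the `days` before `end` (a 'YYYY-MM-DD HH:MM:SS' string).

    This is the 24-hours-versus-30-days question: the window is whatever you pass.
    """
    end_time = datetime.strptime(end, TIME_FMT)
    start_time = end_time - timedelta(days=days)
    return [e for e in events if start_time <= e["_time"] <= end_time]


def keyword_search(events, keyword):
    """Case-insensitive keyword match over threat name, source process and target path."""
    needle = keyword.lower()
    return [e for e in events if any(needle in e[field].lower() for field in SEARCH_FIELDS)]


def noisy_pairs(events, top=5):
    """Rank (source process, target path) pairs by frequency.

    A pair that dominates the count is the first candidate for an exclusion or
    for tightening the rule that fires on it, which is the tuning step tao suggests.
    """
    counts = Counter(
        (e["Threat Source Process Name"], e["Threat Target File Path"]) for e in events
    )
    return counts.most_common(top)


def user_defined_only(events, prefix="User-Defined Rule"):
    """Keep only events whose threat name carries the agreed user-defined prefix (assumption)."""
    return [e for e in events if e["Threat Name"].startswith(prefix)]


if __name__ == "__main__":
    all_events = load_events(SAMPLE_CSV)
    recent = in_window(all_events, "2019-05-10 23:59:59", days=30)
    print(f"{len(recent)} of {len(all_events)} events in the last 30 days")
    for (source, target), n in noisy_pairs(recent):
        print(f"{n:4d}  {source}  ->  {target}")
    print(f"{len(keyword_search(recent, 'svchost'))} events mention svchost")
    print(f"{len(user_defined_only(recent))} user-defined rule events")
```

Run it against a real export by replacing `SAMPLE_CSV` with the file contents; the pair ranking is what to look at first, since in a 2000-events-per-day environment a handful of process/path pairs usually account for most of the volume.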

McAfee Employee

Re: Enhancing Security Events/Logging EPO

In addition, you can go to ePO Server Settings \ Event Filtering and enable additional alerts to be collected from endpoints.

Re: Enhancing Security Events/Logging EPO

This will require the infrastructure admin to do; I believe we have the basic options currently enabled. Can you tell me how much information you collect?

I found the following on McAfee: McAfee Corporate KB - McAfee point product generated Event IDs listed in ePolicy Orchestrator KB5467...

There are definitely a few useful ones.

In terms of user-defined rules, I think we're still in our early days and are not yet at the level where we know specifically what we are looking for, so we are looking for some out-of-the-box or config changes to implement whilst we think of user-defined rules to set up.

Most of the user-defined rules we have relate to specific trojans and ransomware. Is there any option to specifically report on, or create a dashboard based on, user-defined events only?