qnology
Level 7

McAfee EPO EEPC Splunk Integration

Hello,

I'm working on integrating McAfee ePO and Splunk. I already have the Splunk Add-on for McAfee working using DBConnect.

Now I would like to get McAfee EEPC events into Splunk. Specifically these events:

  • 2411 Deployment Successful
  • 30001 Password Changed Event
  • 30005 Remote Recovery Event
  • 30006 Self Recovery Event
  • 30008 Crypt Start Event
  • 30010 Crypt Complete Event
  • 30015 Activation Start Event
  • 30016 Activation Complete Event

And login events.

Does anyone know what table or view these events are stored in or have the SQL handy? Thank you

Accepted Solutions
McAfee Employee

Re: McAfee EPO EEPC Splunk Integration

Events are stored in ePOProductEvents table. Additional information is stored in the epeEventParameters table with parent key ePOProductEvents.AutoID = epeEventParameters.ParentId

8 Replies
tkinkead
Level 12

Re: McAfee EPO EEPC Splunk Integration

I don't work with EEPC, but you might want to start with the ePOEvents or ePOEventsMT tables.  Some products (HIPS for example) keep some events in other tables, but I would start there.

qnology
Level 7

Re: McAfee EPO EEPC Splunk Integration

Thanks for the reply. I'm already pulling in the ePOEvents data into Splunk and do not see the EEPC encryption event. Also looked at ePOEventsMT, but not sure on the difference between it and ePOEvents.

Hoping someone with some knowledge of the DB schema can chime in and help.

qnology
Level 7

Re: McAfee EPO EEPC Splunk Integration

Thank you!

One more question, where can I get the TVDEventId to Name mapping?

For instance, TVDEventId=30008, I want to find "Crypt Start Event"

Thank you.

McAfee Employee

Re: McAfee EPO EEPC Splunk Integration

EPOEventFilterDesc

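The accepted answer (ePOProductEvents joined to epeEventParameters on ePOProductEvents.AutoID = epeEventParameters.ParentId) and the EPOEventFilterDesc pointer above are enough to build the query the original question asked for. The following T-SQL is an added example and is not code from this thread, from McAfee or from Splunk. Only AutoID, ParentId, TVDEventId and the three table names come from the thread; every other column name (ReceivedUTC, AgentGUID, AnalyzerHostName, ParamName, ParamValue, EventId, EventName) is an assumption about the ePO schema and must be checked against your ePO version before use.

```sql
-- Added example, not code from the thread or from McAfee/Splunk.
-- Pulls the MDE/EEPC events listed in the question out of the ePO database
-- using the tables named in the accepted answer and resolves each TVDEventId
-- to its display name via EPOEventFilterDesc. Dialect: T-SQL (SQL Server).
--
-- Confirmed by the thread: ePOProductEvents.AutoID, epeEventParameters.ParentId,
-- TVDEventId, and the table name EPOEventFilterDesc.
-- ASSUMED (verify first): ReceivedUTC, AgentGUID, AnalyzerHostName on
-- ePOProductEvents; ParamName/ParamValue on epeEventParameters;
-- EventId/EventName on EPOEventFilterDesc.

-- Step 1: confirm the real column names before trusting the query below.
EXEC sp_columns 'ePOProductEvents';
EXEC sp_columns 'epeEventParameters';
EXEC sp_columns 'EPOEventFilterDesc';

-- Step 2: the event IDs from the original question.
DECLARE @EventIds TABLE (TVDEventId INT PRIMARY KEY);
INSERT INTO @EventIds (TVDEventId) VALUES
    (2411),   -- Deployment Successful
    (30001),  -- Password Changed Event
    (30005),  -- Remote Recovery Event
    (30006),  -- Self Recovery Event
    (30008),  -- Crypt Start Event
    (30010),  -- Crypt Complete Event
    (30015),  -- Activation Start Event
    (30016);  -- Activation Complete Event

-- Step 3: one row per event, with its parameters folded into a single
-- "key=value key=value" field so Splunk can extract them with one KV rule.
-- STRING_AGG needs SQL Server 2017+; on older servers use FOR XML PATH('').
SELECT
    e.AutoID,
    e.ReceivedUTC,                        -- assumed column
    e.AgentGUID,                          -- assumed column
    e.AnalyzerHostName AS HostName,       -- assumed column
    e.TVDEventId,
    COALESCE(d.EventName,                 -- d.EventName is assumed
             'Unknown event ' + CAST(e.TVDEventId AS VARCHAR(10))) AS EventName,
    p.Params
FROM ePOProductEvents AS e
JOIN @EventIds AS ids
    ON ids.TVDEventId = e.TVDEventId
LEFT JOIN EPOEventFilterDesc AS d
    ON d.EventId = e.TVDEventId           -- d.EventId is assumed
OUTER APPLY (
    SELECT STRING_AGG(ep.ParamName + '=' + ep.ParamValue, ' ') AS Params
    FROM epeEventParameters AS ep         -- ParamName/ParamValue are assumed
    WHERE ep.ParentId = e.AutoID          -- join key from the accepted answer
) AS p
WHERE e.AutoID > ?        -- Splunk DB Connect rising-column checkpoint;
                          -- replace '?' with 0 when testing by hand in SSMS
ORDER BY e.AutoID ASC;    -- a rising column must be read in ascending order
```

AutoID is the natural rising column for a DB Connect input: it is the parent key the accepted answer names, so the checkpoint and the epeEventParameters join use the same value and no event is re-read or skipped between polls. Once the data is in Splunk, the Remote Recovery (30005), Self Recovery (30006) and Password Changed (30001) events are the ones a SOC normally reviews, since each one means a disk-encryption credential was reset or bypassed outside the normal boot path.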
qnology
Level 7

Re: McAfee EPO EEPC Splunk Integration

Thank you.

Sorry, I lied, one more question.

Our ePO admin asked why the EEPC events aren't in the EPOEvents view? Or is there something that needs to be done within ePO to make it happen. Thank you.

McAfee Employee

Re: McAfee EPO EEPC Splunk Integration

ePOEvents was intended for threat events. Because MDE doesn't create threat events, there isn't a reason for the events to be placed in this table.

deileadoir
Level 7

Re: McAfee EPO EEPC Splunk Integration

Hi tkinkead

I am trying to figure out what's the best possible way to get the ePO threat events table (including HIPS) into Splunk. Do you already have some experience and any suggestions? Your answer points directly in the direction I want to go.

Best regards and thanks
