is there a way the infected file hash details can also get populated in the ePO database

Team,

We have our McAfee ePO 5.9.1 integrated with SIEM QRadar, and all the log details with the detection information are transferred from the ePO DB to QRadar.

When we check the detection information in ePO in the threat events section, we can see all the details are populated in the ePO database as well; however, the hash information does not show in the ePO database.

For example:

We observed a detection in ePO for Event ID 1284: File infected. Undetermined clean error, delete failed.

We have enabled this event ID in ePO in the event filtering section and also enabled the option to store the event in both ePO and SIEM.

In ePO we can see the target hash information as well; however, this hash info does not show in the ePO DB. We want this hash information to be shown in the DB as well, so that the same hash information also gets displayed in the SIEM QRadar.

Is there any specific query that we can run in the ePO database to pull out the hash information? If not, how can we get the hash details shown in the ePO DB as well?

McAfee Employee cdinet
Message 2 of 6

If you are seeing the hash in the ePO console somewhere in a query, then it is in the database. Whatever query you are running to find that hash, select that query in Queries and Reporting, then go to Actions, View SQL. That will show you the table and columns that it is pulling data from. It may be pulling it from a view, but nevertheless, it has to be in the database somewhere or you wouldn't see it in ePO at all.

Hi cdinet,

Thanks a lot for this response.

I checked and observed that the hash information is populated in the reports and queries for event ID 1284 in the ePO console. I checked View SQL and ran the same query as it is in the ePO DB; however, it only shows the count of the events in the ePO DB.

Is there any way we can get the hash information in tabular form in the ePO DB?

This query shows me the count of the events in the ePO DB; however, no more details in tabular form. Is there any way I can customise this query?

McAfee Employee cdinet
Message 4 of 6 (Accepted Solution)

If your query in ePO that you got the script from is a chart of any kind, that might explain what you are seeing. Make sure the query is a table type.
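
The difference between a chart-type and a table-type query, as an added T-SQL example that is not part of the thread and not McAfee's own SQL. The table and column names (`EPOEvents`, `EPExtendedEvent`, `AutoID`, `EventAutoID`, `TargetHash` and the rest) are assumptions; substitute the ones that Actions, View SQL shows for your own table-type query.

```sql
-- Added example. All table and column names are assumptions (placeholders);
-- copy the real ones from Actions > View SQL on your own ePO query.

-- Shape 1: SQL behind a chart-type query.
-- It aggregates, so each row is a bucket with a count and the per-event
-- hash never appears in the result set.
SELECT ev.ThreatEventID,
       COUNT(*) AS EventCount
FROM   EPOEvents AS ev
WHERE  ev.ThreatEventID = 1284
GROUP  BY ev.ThreatEventID;

-- Shape 2: SQL behind a table-type query.
-- One row per event, with the hash column selected explicitly.
-- LEFT JOIN keeps events that have no extended row (hash is NULL there).
SELECT ev.DetectedUTC,
       ev.TargetHostName,
       ev.TargetFileName,
       ev.ThreatName,
       ev.ThreatEventID,
       ext.TargetHash
FROM   EPOEvents AS ev
       LEFT JOIN EPExtendedEvent AS ext
              ON ext.EventAutoID = ev.AutoID
WHERE  ev.ThreatEventID = 1284
ORDER  BY ev.DetectedUTC DESC;

-- Check before relying on the hash in the SIEM: how many of these events
-- actually carry a hash? COUNT(column) skips NULLs, COUNT(*) does not.
SELECT COUNT(*)              AS TotalEvents,
       COUNT(ext.TargetHash) AS EventsWithHash
FROM   EPOEvents AS ev
       LEFT JOIN EPExtendedEvent AS ext
              ON ext.EventAutoID = ev.AutoID
WHERE  ev.ThreatEventID = 1284;
```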

Got it!!!

Thanks a lot, cdinet.

McAfee Employee cdinet
Message 6 of 6

Glad to help!
