Moved this to HIPs for better attention hopefully.
If you go into the ePO console, find the machine that produced that HIPS event (18000), Actions -> Agent -> Show Threat Events. From there you can click on the event and see all the details about it; what detected it, directory of the file, action taken, what it tried to do, etc.
You can validate through below 2 ePO properties.
1. Event Category > Belongs to = Host Intrusion
2. Event Description > Equals = Host intrusion detected and handled
I found entries in the AgentEvent logs, so I have a couple of follow up questions:
I am conducting a forensics examination of this host. In the registry, there is a key named "LoggedOnUser" in SOFTWARE>Wow6432Node>Network Associates>ePolicy Orchestrator>Agent
How is this key populated?
Is there a registry artifact (or some other indication) that shows when the last time the AgentEvent logs were cleared?
Well LoggedOnUser defines currently logged user account details during Agent to ePO server communication. As it will use that user ID to upload the events into ePO console.
McAfee Agent policy is having settings on Log size so once it filled than automatically it will be override with new agent logs.