3 Replies Latest reply on Dec 9, 2016 9:40 AM by rameezq

    Enhancing Security Events/Logging EPO

    rameezq

      Hello All,

      I was wondering if there's any way to enhance the logging/events capability in EPO?

      Are there additional threat events we can create?

      We have some usable intelligence from the threat event descriptions; however, we are looking to fine-tune this to get more usable results. We currently get over 2000 events per day relating to "host intrusion detected and handled" and access protection violations. This will require fine-tuning on our side, but I am wondering if anyone else has had experience of fine-tuning this to a small amount in a big company. Also, is there any way to search the threat events for keywords, or change it from the last 24 hours to 30 days with a search option?

      Is there any way of adding any other security monitoring, alerting functions within EPO?

      A sample of what we currently have is below:

      All help greatly appreciated

        • 1. Re: Enhancing Security Events/Logging EPO
          tao

          I was wondering if there's any way to enhance the logging/events capability in EPO?

          The log files detailed in this guide represent a subset of all McAfee® ePolicy Orchestrator® log files, with particular attention to the log files used when managing and troubleshooting product issues.

          https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24809/en_US/epo_510_rg_Log%20Files_0-00_en-us.pdf

          Are there additional threat events we can create?

          Yes, "User-Defined Rules": create your own threat event and track/monitor that event.

          Is there any way of adding any other security monitoring, alerting functions within EPO?

          Yes, "User-Defined Rules": create your own threat event and track/monitor that event. You can set up an Auto Response for these or any other "Threat Event".

          Also is there any way to search the threat events for key words or change it from the last 24 hours to 30 days with a search option?

          Yes, click on "Access protection rule violation detected and blocked"; under "Custom", create a filter for 6 hours. Make sure to add two columns, "threat source process name" and "threat target file path", and search both columns for a common source/file.
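The same source/file search that this answer does in the console can be done over an exported event list, which is handy when the window you want (30 days instead of 24 hours) produces too many rows to eyeball. The script below is an added example, not code from the thread or from McAfee: it assumes a CSV export whose column headers match the console columns named here ("Threat Source Process Name", "Threat Target File Path", and an "Event Received Time" in YYYY-MM-DD HH:MM:SS form); the sample rows are constructed. It filters to the last N days, optionally by keyword across all text columns, and then counts source/target pairs so the noisiest combinations (the usual candidates for an exclusion or a rule adjustment) surface first.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of a threat-event export. The column headers mirror the
# console columns named in the thread; every row is invented for this example.
SAMPLE_EXPORT = r"""
Event Received Time,Threat Event Description,Threat Source Process Name,Threat Target File Path,Action Taken
2016-12-08 08:15:02,Access protection rule violation detected and blocked,C:\Windows\System32\svchost.exe,C:\Program Files\Vendor\updater.exe,Blocked
2016-12-08 08:16:10,Access protection rule violation detected and blocked,C:\Windows\System32\svchost.exe,C:\Program Files\Vendor\updater.exe,Blocked
2016-12-07 14:02:33,Host intrusion detected and handled,C:\Users\alice\AppData\Local\Temp\setup.exe,C:\Windows\System32\drivers\etc\hosts,Blocked
2016-11-20 11:45:00,Access protection rule violation detected and blocked,C:\Windows\System32\svchost.exe,C:\Program Files\Vendor\updater.exe,Blocked
2016-10-01 09:00:00,Access protection rule violation detected and blocked,C:\Tools\backup.exe,D:\Backups\daily.bak,Blocked
2016-12-05 17:30:45,Host intrusion detected and handled,C:\Users\bob\Downloads\invoice.exe,C:\Users\bob\Documents\report.docx,Blocked
""".strip()

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
# Fixed reference time so the sample gives repeatable results (the thread's date).
REFERENCE_TIME = datetime(2016, 12, 9, 9, 40)


def parse_events(export_text):
    """Parse a CSV export into dicts, adding a parsed datetime under 'received'."""
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["received"] = datetime.strptime(row["Event Received Time"], TIME_FORMAT)
        events.append(row)
    return events


def filter_events(events, now, days=30, keyword=None):
    """Keep events received within the last `days` days before `now`.
    If `keyword` is given, also require a case-insensitive match in any text column."""
    since = now - timedelta(days=days)
    kept = []
    for ev in events:
        if ev["received"] < since:
            continue
        if keyword:
            haystack = " ".join(v for v in ev.values() if isinstance(v, str))
            if keyword.lower() not in haystack.lower():
                continue
        kept.append(ev)
    return kept


def top_source_target_pairs(events, n=5):
    """Count (source process, target file path) pairs, most frequent first."""
    pairs = Counter(
        (ev["Threat Source Process Name"], ev["Threat Target File Path"]) for ev in events
    )
    return pairs.most_common(n)


def main():
    events = parse_events(SAMPLE_EXPORT)
    recent = filter_events(events, REFERENCE_TIME, days=30)
    print(f"{len(recent)} of {len(events)} events fall in the last 30 days")
    for (source, target), count in top_source_target_pairs(recent):
        print(f"{count:4d}  {source}  ->  {target}")
    for ev in filter_events(events, REFERENCE_TIME, days=30, keyword="svchost"):
        print(ev["received"], ev["Threat Event Description"])


if __name__ == "__main__":
    main()
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and REFERENCE_TIME with datetime.now(); if your export uses different header names or a different timestamp format, adjust the column keys and TIME_FORMAT accordingly. The pair count is the useful output: a single source/target pair accounting for most of the volume is usually one benign process that the rule should exclude, while many distinct low-count pairs are what deserve analyst time.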

          • 2. Re: Enhancing Security Events/Logging EPO
            Moe Hassan

            In addition, you can go to ePO Server Settings \ Event Filtering and enable additional alerts to be collected from endpoints.

            • 3. Re: Enhancing Security Events/Logging EPO
              rameezq

              This will require the infrastructure admin to do this, I believe we have basic options currently enabled. Can you tell me how much information you collect?

              I found the following on McAfee: McAfee Corporate KB - McAfee point product generated Event IDs listed in ePolicy Orchestrator KB54677

              There are definitely a few useful ones.

              In terms of user-defined rules, I think we're still in our early days and are not yet at the level where we know specifically what we are looking for, so we are looking for some out-of-the-box or config changes to implement while we think about which user-defined rules to set up.

              Most of the user-defined rules we have relate to specific trojans and ransomware. Is there any option to specifically report on, or create a dashboard based on, user-defined events only?