I was wondering if there's any way to enhance the logging/events capability in EPO?
The log files detailed in this guide represent a subset of all McAfee® ePolicy Orchestrator® log files, with particular attention to the log files used when managing and troubleshooting product issues.
Are there additional threat events we can create?
Yes, "User-Defined Rules" let you create your own threat event and track/monitor that event.
Is there any way of adding any other security monitoring, alerting functions within EPO?
Yes, "User-Defined Rules" let you create your own threat event and track/monitor that event. You can set up an Automatic Response for these or any other "Threat Event".
Also is there any way to search the threat events for key words or change it from the last 24 hours to 30 days with a search option?
Yes, click on "Access protection rule violation detected and blocked"; under "Custom" create a filter for 6 hours, and make sure to add two columns, "threat source process name" and "threat target file path", then search both columns for a common source/file.
1 of 1 people found this helpful
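The filter-and-compare step in the answer above (narrow the threat-event view to a time window, then look for a common source process or target file across the two added columns) is easy to reproduce offline once the view has been exported. The following is an added example, not code from this thread or from McAfee: it assumes the exported rows are plain dicts whose keys mirror the two column names, with an ISO timestamp, and it shows how the same keyword search scales from "last 6 hours" to "last 30 days" without changing the query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows. The two column names mirror the columns the answer
# suggests adding to the threat-event view; the dict keys, timestamps, process
# names and paths are assumptions for this example, not ePO's export schema.
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01T08:15:00",
     "threat_source_process_name": "powershell.exe",
     "threat_target_file_path": r"C:\Users\alice\AppData\Roaming\stage1.vbs"},
    {"event_time": "2024-05-01T10:40:00",
     "threat_source_process_name": "powershell.exe",
     "threat_target_file_path": r"C:\Users\bob\AppData\Roaming\stage2.vbs"},
    {"event_time": "2024-05-01T11:05:00",
     "threat_source_process_name": "winword.exe",
     "threat_target_file_path": r"C:\Users\carol\Documents\invoice.docm"},
    {"event_time": "2024-04-29T09:00:00",
     "threat_source_process_name": "powershell.exe",
     "threat_target_file_path": r"C:\Windows\Temp\loader.vbs"},
    {"event_time": "2024-03-20T14:30:00",
     "threat_source_process_name": "cmd.exe",
     "threat_target_file_path": r"C:\Windows\Temp\old.bat"},
]

# Fixed reference "now" so the sample data gives reproducible results.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0)


def filter_events(events, hours, now=None, keyword=None):
    """Keep events from the last `hours` hours whose source process or target
    path contains `keyword` (case-insensitive). keyword=None keeps every event
    in the window, which is the plain "last 6 hours" / "last 30 days" view."""
    now = now or datetime.now()
    cutoff = now - timedelta(hours=hours)
    needle = keyword.lower() if keyword else None
    kept = []
    for ev in events:
        if datetime.fromisoformat(ev["event_time"]) < cutoff:
            continue
        if needle is not None:
            haystack = (ev["threat_source_process_name"] + " "
                        + ev["threat_target_file_path"]).lower()
            if needle not in haystack:
                continue
        kept.append(ev)
    return kept


def common_sources(events):
    """Group kept events by source process and report how many distinct target
    paths each one hit, most active first. A single source touching many
    different paths is the "common source" the answer above asks you to look for."""
    targets = defaultdict(set)
    for ev in events:
        targets[ev["threat_source_process_name"]].add(ev["threat_target_file_path"])
    return sorted(((src, len(paths)) for src, paths in targets.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for label, hours in (("last 6 hours", 6), ("last 30 days", 30 * 24)):
        hits = filter_events(SAMPLE_EVENTS, hours, SAMPLE_NOW, keyword=".vbs")
        print(f"{label}: {len(hits)} .vbs events -> {common_sources(hits)}")
```

Widening the window from 6 hours to 30 days is just a different `hours` argument, and the keyword is matched against both columns at once, so the same call answers "which process keeps tripping this rule" and "which file keeps being targeted".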
In addition, you can go to ePO Server Settings \ Event Filtering and enable additional alerts to be collected from endpoints.
This will require the infrastructure admin to do this, I believe we have basic options currently enabled. Can you tell me how much information you collect?
I found the following on McAfee: McAfee Corporate KB - McAfee point product generated Event IDs listed in ePolicy Orchestrator KB54677
There are definitely a few useful ones.
Most of the user-defined rules we have relate to specific trojans and ransomware; is there any option to specifically report or create a dashboard based on user-defined events only?