McAfee DLP Events Support

QRadar supports McAfee ePO and Symantec SEP, but not all of their event types.

1. SEP has full support for the Antivirus, HIPS and SONAR functions. When SEP is used for Device Control, however, the data arrives as a Misc. event and not as a Device Control event, meaning that none of the Device Control data coming from SEP is parsed by the system.

2. McAfee ePO, like SEP, has full support for the antivirus side: connect to the ePO database and you are done. But when ePO Device Control (DLP) is used, the events are stored in a different view of the ePO database.

With the regular connection, in this scenario we are not even connected to the DLP events.

I don't have the answer to why the QRadar system does not monitor those alerts, but I have the how.
I have done this only on McAfee, but I guess it's the same logic in SEP; you just need to look for the right table.

SEP:

The events arrive as Misc. events, and we can parse them accordingly using custom property extraction (Extract Property).

OR

We can use a Universal DSM to connect to the SEP database, look for the correct table, connect and parse.

McAfee

Configuring the regular McAfee ePO connector – Link

Just change the table name and compare field accordingly:

Add a Universal DSM with JDBC\MSDE

Connect to the McAfee database which holds the ePO data

table name: dbo.DLP_EventView
compare field: EventRowID

Use this parser – Link

Use these QIDs to map the events:
25250440 Device Plug
25250441 Device Unplug
74000033 Connection To Device Blocked
25250115 Access Protection rule violation detected and blocked

XML McAfee : Copy or just Download
<device-extension xmlns="event_parsing/device_extension">

    <!-- Do not remove the "allEventNames" value -->

    <pattern id="allEventNames" xmlns=""><![CDATA[(.*)]]></pattern>

    <!-- Everything below this line can be modified -->

    <pattern id="EventName" xmlns=""><![CDATA[EventType\:\s\"(\d{1,9})\"]]></pattern>

    <pattern id="DeviceTime" xmlns=""><![CDATA[LocalTime\:\s\"(\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})]]></pattern>

    <pattern id="UserName" xmlns=""><![CDATA[UserName.+\w+\\(.+?)\"]]></pattern>

    <match-group order="1" description="Log Source Extension" xmlns="">

        <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1" enable-substitutions="false"/>

        <matcher field="DeviceTime" order="1" pattern-id="DeviceTime" capture-group="1" />

        <matcher field="UserName" order="1" pattern-id="UserName" capture-group="1" />

        <event-match-multiple pattern-id="allEventNames" capture-group-index="1" device-event-category="unknown" send-identity="OverrideAndNeverSend" />

    </match-group>

</device-extension>
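To check the three field patterns above against sample rows before deploying the extension, here is an added Python script (not from the original post). The "Column: "value"" row layout and the sample values are constructed assumptions; note that the UserName pattern only matches a DOMAIN\user value, so a local account leaves the field empty.

```python
import re
import xml.etree.ElementTree as ET

# Copy of the page's log source extension (field patterns and matchers only),
# embedded so the regexes can be exercised offline.
EXTENSION_XML = r'''<device-extension xmlns="event_parsing/device_extension">
  <pattern id="allEventNames" xmlns=""><![CDATA[(.*)]]></pattern>
  <pattern id="EventName" xmlns=""><![CDATA[EventType\:\s\"(\d{1,9})\"]]></pattern>
  <pattern id="DeviceTime" xmlns=""><![CDATA[LocalTime\:\s\"(\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})]]></pattern>
  <pattern id="UserName" xmlns=""><![CDATA[UserName.+\w+\\(.+?)\"]]></pattern>
  <match-group order="1" description="Log Source Extension" xmlns="">
    <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1"/>
    <matcher field="DeviceTime" order="1" pattern-id="DeviceTime" capture-group="1"/>
    <matcher field="UserName" order="1" pattern-id="UserName" capture-group="1"/>
  </match-group>
</device-extension>'''

# Constructed sample rows (assumed 'Column: "value"' rendering of a DLP_EventView row).
SAMPLE_DOMAIN_USER = (
    'EventRowID: "1001" EventType: "20000" LocalTime: "2015-03-04 09:15:42" '
    'UserName: "CORP\\jdoe" DeviceName: "USB Mass Storage"'
)
SAMPLE_LOCAL_USER = (
    'EventRowID: "1002" EventType: "20001" LocalTime: "2015-03-04 09:16:07" '
    'UserName: "jdoe" DeviceName: "USB Mass Storage"'
)


def load_matchers(xml_text):
    """Compile every <pattern> and key each <matcher> by the field it populates."""
    root = ET.fromstring(xml_text)
    patterns = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
    return {m.get("field"): (patterns[m.get("pattern-id")], int(m.get("capture-group")))
            for m in root.iter("matcher")}


def parse_row(row, matchers=None):
    """Apply each matcher to one row; a field is None when its regex does not match."""
    matchers = matchers or load_matchers(EXTENSION_XML)
    result = {}
    for field, (regex, group) in matchers.items():
        m = regex.search(row)
        result[field] = m.group(group) if m else None
    return result


if __name__ == "__main__":
    print(parse_row(SAMPLE_DOMAIN_USER))
    print(parse_row(SAMPLE_LOCAL_USER))
```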

If you have any problems you are welcome to mail me at: gregorin[@]qmasters.co