McAfee DLP Events Support

QRadar supports McAfee ePO and Symantec SEP, but not all of their functions.

1. SEP has full support for Antivirus, HIPS and SONAR functions, but when SEP is used for Device Control the data comes in as a Misc. event and not as a Device Control event. This means that none of the data coming from SEP regarding Device Control is parsed by the system.

2. McAfee ePO, like SEP, has full support for antivirus: just connect to the ePO database and you are done. But when using ePO Device Control (aka DLP), the events are saved in a different view in the ePO database.

With the regular connection, in this scenario we aren't even connected to the data loss prevention events.

I don't have the answer as to why the QRadar SIEM system does not monitor those alerts, but I have the how.
I have done this only on McAfee, but I guess it's the same logic in SEP; you just need to look for the right table.


The events come in as Misc. events, and we can parse them accordingly using Extract Property.


We can use a Universal DSM to connect to the SEP database: look for the correct table, connect and parse.


Configuring regular McAfee ePO connector – Link

Just change the table name and compare field accordingly.

Add a Universal DSM with JDBC\MSDE

Connect to the McAfee database which holds the ePO

table name: dbo.DLP_EventView
compare field: EventRowID

Use this parser – Link

Use these QIDs to map the events:
25250440 Device Plug
25250441 Device Unplug
74000033 Connection To Device Blocked
25250115 Access Protection rule violation detected and blocked

McAfee XML:
<device-extension xmlns="event_parsing/device_extension">
    <!-- Do not remove the "allEventNames" value -->
    <pattern id="allEventNames" xmlns=""><![CDATA[(.*)]]></pattern>
    <!-- Everything below this line can be modified -->
    <!-- EventName: the numeric EventType column -->
    <pattern id="EventName" xmlns=""><![CDATA[EventType\:\s\"(\d{1,9})\"]]></pattern>
    <!-- DeviceTime: the LocalTime column, yyyy-MM-dd HH:mm:ss -->
    <pattern id="DeviceTime" xmlns=""><![CDATA[LocalTime\:\s\"(\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})]]></pattern>
    <!-- UserName: the part after the backslash in DOMAIN\user -->
    <pattern id="UserName" xmlns=""><![CDATA[UserName.+\w+\\(.+?)\"]]></pattern>
    <match-group order="1" description="Log Source Extension" xmlns="">
        <matcher field="EventName" order="1" pattern-id="EventName" capture-group="1" enable-substitutions="false"/>
        <matcher field="DeviceTime" order="1" pattern-id="DeviceTime" capture-group="1" />
        <matcher field="UserName" order="1" pattern-id="UserName" capture-group="1" />
        <event-match-multiple pattern-id="allEventNames" capture-group-index="1" device-event-category="unknown" send-identity="OverrideAndNeverSend" />
    </match-group>
</device-extension>
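The three patterns in the extension above can be checked offline before the log source goes live. The script below is an added example, not part of the original post or the QMasters parser: the payloads are constructed, `DevicePath` is a hypothetical column name, `USER_NAME_STRICT` is a suggested alternative, and it assumes Python's `re` treats these patterns the same way as the Java regex engine QRadar uses. It shows that the greedy `.+` in the UserName pattern picks up the wrong value as soon as a later column contains a backslash.

```python
import re

# Patterns copied from the log source extension above (straight quotes).
EVENT_NAME = re.compile(r'EventType\:\s\"(\d{1,9})\"')
DEVICE_TIME = re.compile(r'LocalTime\:\s\"(\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2})')
USER_NAME = re.compile(r'UserName.+\w+\\(.+?)\"')
# Assumed tighter alternative (not from the original post): stay inside the
# quoted UserName value instead of letting .+ run across the whole payload.
USER_NAME_STRICT = re.compile(r'UserName\:\s\"[^\"\\]+\\([^\"]+)\"')


def jdbc_payload(**cols):
    """Build a tab-separated  Column: "value"  payload (constructed test data)."""
    return "\t".join(f'{name}: "{value}"' for name, value in cols.items())


def parse(payload, user_pattern=USER_NAME):
    """Apply the three matchers; None marks a field that did not match."""
    fields = (("EventName", EVENT_NAME),
              ("DeviceTime", DEVICE_TIME),
              ("UserName", user_pattern))
    result = {}
    for field, pattern in fields:
        match = pattern.search(payload)
        result[field] = match.group(1) if match else None
    return result


# Constructed rows shaped like the dbo.DLP_EventView columns the patterns read.
SAMPLE_PLAIN = jdbc_payload(EventRowID="1001", EventType="12345",
                            LocalTime="2016-03-01 09:15:42",
                            UserName=r"CORP\alice")
# Same shape plus a hypothetical later column whose value contains backslashes.
SAMPLE_PATH = jdbc_payload(EventRowID="1002", EventType="12345",
                           LocalTime="2016-03-01 09:16:03",
                           UserName=r"CORP\bob",
                           DevicePath=r"USB\VID_0000&PID_0000\0001")

if __name__ == "__main__":
    for label, payload in (("plain", SAMPLE_PLAIN), ("path", SAMPLE_PATH)):
        print(label, "original:", parse(payload))
        print(label, "strict:  ", parse(payload, USER_NAME_STRICT))
```

If the strict variant is used, replace only the CDATA body of the `UserName` pattern; the matcher entries stay unchanged.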



If you have any problems, you are welcome to e-mail us at: info@qmasters.co

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
