McAfee ePolicy Orchestrator¶
Constructor : Mcafee¶
Product : ePolicy Orchestrator¶
Log format : splunk¶
Structured log message :
AutoID=60757851 signature=\"Protection standard commune:Empecher l\'arret des processus McAfee signature_id=1092 category=hip.file severity_id=5 event_description=\"Access Protection rule violation detected and blockedC:PROGRAM FILESMCAFEEVIRUSSCAN ENTERPRISEVSTSKMGR.EXE\" detection_method=OAS action=NT AUTHORITYSYSTEM\" user=N/A dest_nt_domain=EU dest_dns=FRT dest_nt_host=FR fqdn=FRD.eu dest_ip=10.10.11.12 dest_netmask= dest_mac=0000CC216f3b os= os_version=5.2 os_build=3790 timezone= src_dns=_ src_ip=10.1.2.3 src_mac= process=\"C:PROGRAM FILESEMCNAVISPHERE AGENTNAVIAGENT.EXE\" url= logon_user_1= is_laptop=0 product= product_version=8.8 engine_version= dat_version= vse_dat_version=8040.0000 vse_engine64_version=N/A vse_engine_version=5800.7501 vse_hotfix=6 vse_product_version=8.8.0.1445 vse_sp=
Log format : csv¶
Csv log message :
2105984;6902F367-093D-4CDC-B70F-CB81331BE718;SERV1;2015-02-21 19:39:15.550;2015-02-21 19:38:31.000;8D2F0EF2-3352-486A-9670-787D8CB97994;VIRUSCAN8800;VirusScan Enterprise;8.8;D305967;10.10.10.10 ;0x00000000000000000000FFFF90100541;NULL;7718.0000;5700.7163;(managed) Weekly Scan Virusscan Enterprise 8.8.0;_;10.10.10.10 ;0x00000000000000000000FFFF90100541;NULL;NULL;NULL;NULL;D305967;10.10.10.10 ;0x00000000000000000000FFFF90100541;NULL;SYSTEM;NULL;NULL;NULL;c:tempbackup_backupdiskebooks.zip70-271_70-272_MCDST_Study_Guide_and_Transcender_Exams.rartranscenderengine v3.5 Patch.exetranscenderengine v3.5 Patch.exe;av.pup;21280;1;Tool-TPatch;app_pua;deleted;1;0x0000000002E86EEF
| Constructor field | LMC field |
|---|---|
| [src_dns] | [init][host][name] |
| [src_ip] | [init][host][ip] |
| [src_mac] | [init][host][mac] |
| [source_logon_user] | [init][usr][name] |
| [process] | [init][process][name] |
| [dest_dns] | [target][host][name] |
| [dest_ip] | [target][host][ip] |
| [dest_mac] | [target][host][mac] |
| [dest_netmask] | [target][host][net] |
| [logon_user] | [target][usr][name] |
| [signature_id] | [alarm][name] |
| [severity_id] | [alarm][sev] |
| [timestamp] | [mcafee][epo][received_utc] |
| [product] | [mcafee][epo][analyzer_name] |
| [product_version] | [mcafee][epo][analyzer_version] |
| [dat_version] | [mcafee][epo][analyzer_dat_version] |
| [engine_version] | [mcafee][epo][analyzer_engine_version] |
| [detection_method] | [mcafee][epo][analyzer_detection_method] |
| [url] | [mcafee][epo][source_url] |
| [file_name] | [mcafee][epo][target_filename] |
| [category] | [mcafee][epo][threat_category] |
| [signature] | [mcafee][epo][threat_name] |
| [threat_type] | [mcafee][epo][threat_type] |
| [action] | [mcafee][epo][threat_action_taken] |
| [threat_handled] | [mcafee][epo][threat_handled] |
| [event_description] | [mcafee][epo][description] |
| [dest_nt_domain] | [mcafee][epo][computer][nt_domain] |
| [fqdn] | [mcafee][epo][computer][fqdn] |
| [is_laptop] | [mcafee][epo][computer][is_laptop] |
| [os] | [mcafee][epo][computer][os_type] |
| [os_build] | [mcafee][epo][computer][os_build] |
| [os_version] | [mcafee][epo][computer][os_version] |
| [sp] | [mcafee][epo][computer][os_sp] |
| [timezone] | [mcafee][epo][computer][timezone] |
| [user] | [mcafee][epo][computer][user] |
| [vse_dat_version] | [mcafee][epo][vse][dat_version] |
| [vse_engine64_version] | [mcafee][epo][vse][engine64_version] |
| [vse_engine_version] | [mcafee][epo][vse][engine_version] |
| [vse_hotfix] | [mcafee][epo][vse][hotfix] |
| [vse_product_version] | [mcafee][epo][vse][product_version] |
| [vse_sp] | [mcafee][epo][vse][sp] |
Unit Test List¶
unit_csv_1034.json unit_csv_1092.json unit_csv_1119.json unit_csv_21401.json unit_csv_1035.json unit_csv_1094.json unit_csv_21027.json unit_splunk.json unit_csv_1027.json unit_csv_1038.json unit_csv_1095.json unit_csv_21280.json