McAfee ePolicy Orchestrator sample event messages

Use these sample event messages to verify a successful integration with QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

McAfee ePolicy Orchestrator sample event message when you use the JDBC protocol

The following sample event message shows that a host intrusion was detected, but not handled.

AutoID: "231426750" AutoGUID: "995F348A-4CA3-4CEF-B259-5E678106884E" ServerID: "QRADARSERVER1" ReceivedUTC: "2014-07-23 08:02:13.553" DetectedUTC: "2014-07-23 07:55:11.0" AgentGUID: "2AB7C0C3-23C5-4FBD-B0A6-9A3A9B802A9E" Analyzer: "HOSTIPS_8000" AnalyzerName: "McAfee Host Intrusion Prevention" AnalyzerVersion: "8.0.0" AnalyzerHostName: "QRADARANALYZER" AnalyzerIPV4: "739325208" AnalyzerIPV6: "[B@e00e408" AnalyzerMAC: "001cc4e0e79e" AnalyzerDATVersion: "null" AnalyzerEngineVersion: "null" AnalyzerDetectionMethod: "null" SourceHostName: "null" SourceIPV4: "739325208" SourceIPV6: "[B@7d03cef5" SourceMAC: "00005E005300" SourceUserName: "QRADAR\SYSTEM" SourceProcessName: "C:\WINNT\SYSTEM32\SERVICES.EXE" SourceURL: "file:///C:\WINNT\SYSTEM32\SERVICES.EXE" TargetHostName: "QRADAR" TargetIPV4: "739325208" TargetIPV6: "[B@cf5e07d2" TargetMAC: "00005E005300" TargetUserName: "null" TargetPort: "null" TargetProtocol: "null" TargetProcessName: "null" TargetFileName: "null" ThreatCategory: "hip.Registry" ThreatEventID: "18000" ThreatSeverity: "2" ThreatName: "915" ThreatType: "modify" ThreatActionTaken: "hip.reaction.permit" ThreatHandled: "false" TheTimestamp: "[B@6d04e225"
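The JDBC sample above is a flat run of `Key: "value"` pairs, with two quirks worth handling before the event reaches a rule: the literal string `null` stands for an empty column, and the `*IPV4` columns carry the ePO database representation of an address, a 32-bit integer with its high-order bit inverted rather than a dotted quad. The following parser is an added example, not QRadar or McAfee code; it works on a shortened, constructed copy of the sample above, and the decoded address `172.17.53.24` for `739325208` follows from that ePO integer convention (check it against the analyzer host in your own environment).

```python
import ipaddress
import re

# Constructed sample: a shortened copy of the JDBC-protocol event above,
# keeping the fields the parser below cares about.
SAMPLE_JDBC_EVENT = (
    r'AutoID: "231426750" ServerID: "QRADARSERVER1" '
    r'ReceivedUTC: "2014-07-23 08:02:13.553" DetectedUTC: "2014-07-23 07:55:11.0" '
    r'AnalyzerName: "McAfee Host Intrusion Prevention" AnalyzerIPV4: "739325208" '
    r'SourceIPV4: "739325208" SourceUserName: "QRADAR\SYSTEM" '
    r'SourceProcessName: "C:\WINNT\SYSTEM32\SERVICES.EXE" '
    r'TargetHostName: "QRADAR" TargetIPV4: "739325208" TargetUserName: "null" '
    r'ThreatCategory: "hip.Registry" ThreatEventID: "18000" ThreatSeverity: "2" '
    r'ThreatName: "915" ThreatType: "modify" '
    r'ThreatActionTaken: "hip.reaction.permit" ThreatHandled: "false"'
)

# One Key: "value" pair. Values in this layout never contain a double quote,
# so a negated character class is enough; backslashes are kept literally.
KV_RE = re.compile(r'(\w+): "([^"]*)"')

IPV4_FIELDS = ("AnalyzerIPV4", "SourceIPV4", "TargetIPV4")


def epo_int_to_ipv4(value):
    """Decode an ePO IPV4 column into dotted-quad form.

    ePO stores IPv4 addresses as a signed 32-bit integer whose high-order
    bit is inverted (ePO convention); undo both steps to get the address.
    """
    n = int(value) & 0xFFFFFFFF          # fold a negative signed value into 32 bits
    return str(ipaddress.IPv4Address(n ^ 0x80000000))


def parse_jdbc_event(line):
    """Turn one JDBC-protocol event line into a dict.

    The literal string "null" becomes None, and the integer IP columns are
    decoded so the result is ready for enrichment or rule matching.
    """
    event = {key: (None if value == "null" else value)
             for key, value in KV_RE.findall(line)}
    for field in IPV4_FIELDS:
        if event.get(field) is not None:
            event[field] = epo_int_to_ipv4(event[field])
    return event


def needs_attention(event):
    """True when HIPS reported a threat but did not handle it.

    ThreatHandled is "false" in the sample: the registry modification was
    permitted (hip.reaction.permit), so the event still needs an analyst.
    """
    return (event.get("ThreatHandled") or "").lower() == "false"


def summarize(event):
    """One-line summary in the style of an offense description."""
    return "{cat} {typ} by {user} via {proc} on {host} ({ip}); handled={handled}".format(
        cat=event.get("ThreatCategory"),
        typ=event.get("ThreatType"),
        user=event.get("SourceUserName"),
        proc=event.get("SourceProcessName"),
        host=event.get("TargetHostName"),
        ip=event.get("TargetIPV4"),
        handled=event.get("ThreatHandled"),
    )


if __name__ == "__main__":
    parsed = parse_jdbc_event(SAMPLE_JDBC_EVENT)
    print(summarize(parsed))
    print("needs attention:", needs_attention(parsed))
```

The `[B@...` values in `AnalyzerIPV6`, `SourceIPV6` and `TheTimestamp` are Java byte-array object identifiers rather than data, so the parser leaves them as opaque strings; a rule should key on `ThreatHandled`, `ThreatActionTaken` and the decoded IPv4 columns instead.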

McAfee ePolicy Orchestrator sample message when you use the TLS Syslog protocol

The following sample event message shows that an infected file was deleted.

<29>1 2018-06-29T10:53:33.0Z mcafee.epo.test EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>mcafee.epo.test</MachineName><AgentGUID>{890cc45c-7b89-11e8-1cd6-005056afc747}</AgentGUID><IPAddress>10.254.35.131</IPAddress><OSName>Windows Server 2012 R2</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-330</TimeZoneBias><RawMACAddress>00-00-5E-00-53-00 through 00-00-5E-00-53-FF</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>mcafee.epo.test</AnalyzerHostName><AnalyzerEngineVersion>5900.7806</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3389.0</AnalyzerDATVersion></CommonFields><Event><EventID>1027</EventID><Severity>3</Severity><GMTTime>2018-06-29T10:52:58</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1027</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>Elspy.worm</ThreatName><ThreatType>virus</ThreatType><DetectedUTC>2018-06-29T10:52:58Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>mcafee.epo.test</SourceHostName><SourceProcessName>c:\Program Files\QRadar\file1.ext</SourceProcessName><TargetHostName>mcafee.epo.test</TargetHostName><TargetUserName>domain\admin</TargetUserName><TargetFileName>c:\Program Files\QRadar_v1\91</TargetFileName></CommonFields><CustomFields target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-06-28T02:04:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>True</ThreatDetectedOnCreation><TargetName>91</TargetName><TargetPath>c:\Program Files\QRadar_v2\Desktop</TargetPath><TargetHash>ed066136978a05009cf30c35de92e08e</TargetHash><TargetFileSize>70</TargetFileSize><TargetModifyTime>2018-06-29T10:52:57Z</TargetModifyTime><TargetAccessTime>2018-06-29T10:52:57Z</TargetAccessTime><TargetCreateTime>2018-06-29T10:52:57Z</TargetCreateTime><Cleanable>True</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>True</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>False</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>1</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=91|TargetPath=c:\Program Files\QRadar_v2\Desktop|ThreatName=Elspy.worm|SourceProcessName=c:\Program Files\QRadar\file1.ext|ThreatType=virus|TargetUserName=domain\admin</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3389.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOEvent>
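The TLS Syslog sample is an RFC 5424 message (`<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG`) whose MSG part is the full `EPOEvent` XML document, so a collector has to peel two layers: the syslog header and the `agentInfo@3401` structured-data element first, then the XML. The parser below is an added example, not QRadar or McAfee code. It runs on a shortened, constructed copy of the message above that keeps the header, the structured data and only the XML elements it extracts; the element paths are taken from that sample and the facility and severity values are derived from `<29>` using the RFC 5424 rule (PRI = facility * 8 + severity).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the TLS Syslog event above. The
# RFC 5424 header and structured-data element are intact; the EPOEvent XML
# keeps only the elements the functions below read.
SAMPLE_TLS_SYSLOG_EVENT = (
    '<29>1 2018-06-29T10:53:33.0Z mcafee.epo.test EPOEvents - EventFwd '
    '[agentInfo@3401 tenantId="1" bpsId="1" '
    'tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\\2"] '
    '<?xml version="1.0" encoding="UTF-8"?><EPOEvent>'
    '<MachineInfo><MachineName>mcafee.epo.test</MachineName>'
    '<IPAddress>10.254.35.131</IPAddress><UserName>SYSTEM</UserName></MachineInfo>'
    '<SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD">'
    '<CommonFields><AnalyzerName>McAfee Endpoint Security</AnalyzerName>'
    '<AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod></CommonFields>'
    '<Event><EventID>1027</EventID><Severity>3</Severity>'
    '<CommonFields><ThreatCategory>av.detect</ThreatCategory>'
    '<ThreatName>Elspy.worm</ThreatName><ThreatType>virus</ThreatType>'
    '<ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken>'
    '<ThreatHandled>True</ThreatHandled>'
    '<TargetFileName>c:\\Program Files\\QRadar_v1\\91</TargetFileName></CommonFields>'
    '<CustomFields target="EPExtendedEventMT">'
    '<TargetHash>ed066136978a05009cf30c35de92e08e</TargetHash>'
    '<FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction>'
    '<FirstActionStatus>True</FirstActionStatus>'
    '<SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction>'
    '<SecondActionStatus>False</SecondActionStatus>'
    '</CustomFields></Event></SoftwareInfo></EPOEvent>'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\[.*?\]|-) (?P<msg>.*)$',
    re.DOTALL,
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

# Element paths inside <EPOEvent>, relative to the root, as seen in the sample.
MACHINE_FIELDS = {
    "MachineName": "MachineInfo/MachineName",
    "IPAddress": "MachineInfo/IPAddress",
    "UserName": "MachineInfo/UserName",
}
THREAT_FIELDS = {
    "EventID": "SoftwareInfo/Event/EventID",
    "Severity": "SoftwareInfo/Event/Severity",
    "ThreatCategory": "SoftwareInfo/Event/CommonFields/ThreatCategory",
    "ThreatName": "SoftwareInfo/Event/CommonFields/ThreatName",
    "ThreatType": "SoftwareInfo/Event/CommonFields/ThreatType",
    "ThreatActionTaken": "SoftwareInfo/Event/CommonFields/ThreatActionTaken",
    "ThreatHandled": "SoftwareInfo/Event/CommonFields/ThreatHandled",
    "TargetFileName": "SoftwareInfo/Event/CommonFields/TargetFileName",
    "TargetHash": "SoftwareInfo/Event/CustomFields/TargetHash",
}


def action_chain(root):
    """List (attempted action, succeeded) pairs from the CustomFields block."""
    custom = root.find("SoftwareInfo/Event/CustomFields")
    chain = []
    if custom is None:
        return chain
    for prefix in ("First", "Second"):
        action = custom.findtext(prefix + "AttemptedAction")
        status = custom.findtext(prefix + "ActionStatus")
        if action:
            chain.append((action, status == "True"))
    return chain


def parse_tls_syslog_event(line):
    """Split the RFC 5424 envelope, then parse the EPOEvent XML it carries."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 syslog message")
    pri = int(m.group("pri"))
    header = {
        "facility": pri >> 3,    # <29> -> facility 3 (daemon)
        "severity": pri & 0x7,   # <29> -> severity 5 (notice)
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "app": m.group("app"),
        "msgid": m.group("msgid"),
    }
    sd = m.group("sd")
    structured = dict(SD_PARAM_RE.findall(sd)) if sd != "-" else {}
    # Encode to bytes so the embedded encoding declaration is honoured. For a
    # feed you do not control, parse with defusedxml.ElementTree instead to
    # block entity-expansion tricks in the XML payload.
    root = ET.fromstring(m.group("msg").encode("utf-8"))
    if root.tag != "EPOEvent":
        raise ValueError("unexpected root element %r" % root.tag)
    return {
        "header": header,
        "structured_data": structured,
        "machine": {k: root.findtext(p) for k, p in MACHINE_FIELDS.items()},
        "threat": {k: root.findtext(p) for k, p in THREAT_FIELDS.items()},
        "actions": action_chain(root),
    }


def threat_handled(event):
    """True when the product reports the detection as handled."""
    return (event["threat"].get("ThreatHandled") or "").lower() == "true"


if __name__ == "__main__":
    parsed = parse_tls_syslog_event(SAMPLE_TLS_SYSLOG_EVENT)
    print(parsed["header"], parsed["threat"]["ThreatName"], parsed["actions"])
```

`findtext` returns `None` for an element that is absent, so the same field map works for events that omit `CustomFields`; the attempted-action pairs show that the first attempt (clean) succeeded and the second (delete) did not, which is worth keeping next to `ThreatActionTaken` when an offense is reviewed.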