McAfee ePolicy Orchestrator


Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com/
Categories | domains
Version | 3.0.2
Author | Microsoft - support@microsoft.com
First Published | 2021-03-25
Solution Folder | McAfee ePolicy Orchestrator
Pre-requisites | Syslog

The McAfee ePolicy Orchestrator solution provides the capability to ingest McAfee ePO events into Microsoft Sentinel through syslog. Refer to the documentation for more information.

This solution depends on the Syslog solution, which contains the Syslog via AMA connector used to collect the logs. The Syslog solution is installed as part of this solution's installation.

NOTE: Microsoft recommends installing the Syslog via AMA connector. The legacy connector uses the Log Analytics agent, which was deprecated on Aug 31, 2024. Running MMA and AMA on the same machine can cause log duplication and extra ingestion cost (more details).

Pre-requisites

This solution depends on 1 other solution:

Solution
Syslog

Data Connectors

This solution has 1 discovered data connector ⚠️ (not in the Solution definition):

Connectors from dependency solutions:

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 1 table:

Table | Used By Connectors | Used By Content
Syslog | Syslog via AMA (dependency), Syslog via Legacy Agent (dependency), [Deprecated] McAfee ePolicy Orchestrator (ePO) | Analytics, Hunting, Workbooks

Content Items

This solution includes 26 content items:

Content Type | Count
Analytic Rules | 14
Hunting Queries | 10
Workbooks | 1
Parsers | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
McAfee ePO - Agent Handler down | Medium | DefenseEvasion | Syslog
McAfee ePO - Attempt uninstall McAfee agent | Medium | DefenseEvasion | Syslog
McAfee ePO - Deployment failed | High | DefenseEvasion | Syslog
McAfee ePO - Error sending alert | Medium | DefenseEvasion | Syslog
McAfee ePO - File added to exceptions | Medium | DefenseEvasion | Syslog
McAfee ePO - Firewall disabled | Medium | DefenseEvasion, CommandAndControl | Syslog
McAfee ePO - Logging error occurred | Medium | DefenseEvasion | Syslog
McAfee ePO - Multiple threats on same host | Medium | InitialAccess, Persistence, DefenseEvasion, PrivilegeEscalation | Syslog
McAfee ePO - Scanning engine disabled | Low | DefenseEvasion | Syslog
McAfee ePO - Spam Email detected | Medium | InitialAccess | Syslog
McAfee ePO - Task error | Medium | DefenseEvasion | Syslog
McAfee ePO - Threat was not blocked | High | InitialAccess, PrivilegeEscalation, DefenseEvasion | Syslog
McAfee ePO - Unable to clean or delete infected file | High | DefenseEvasion | Syslog
McAfee ePO - Update failed | Medium | DefenseEvasion | Syslog

Hunting Queries

Name | Tactics | Tables Used
McAfee ePO - Agent Errors | DefenseEvasion | Syslog
McAfee ePO - Applications blocked or contained | InitialAccess, Execution | Syslog
McAfee ePO - Email Treats | InitialAccess | Syslog
McAfee ePO - Infected Systems | InitialAccess | Syslog
McAfee ePO - Infected files by source | InitialAccess | Syslog
McAfee ePO - Long term infected systems | InitialAccess, Persistence | Syslog
McAfee ePO - Objects not scanned | DefenseEvasion | Syslog
McAfee ePO - Scan Errors | DefenseEvasion | Syslog
McAfee ePO - Sources with multiple threats | InitialAccess | Syslog
McAfee ePO - Threats detected and not blocked, cleaned or deleted | Persistence, PrivilegeEscalation | Syslog

Workbooks

Name | Tables Used
McAfeeEPOOverview | Syslog

Parsers

Name | Description | Tables Used
McAfeeEPOEvent | - | Syslog (read)

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.2 | 18-12-2024 | Removed deprecated data connector
3.0.1 | 24-07-2024 | Deprecated data connectors
3.0.0 | 16-07-2024 | Updated data connector description
