McAfee_Epo_reports

flat
=Epo4 reports=
Here are my favourite fields when building ePO 4 reports. For HIPS reports, see Reports -> HIPS (the "Events HIPS" section below).

= Name standard in Queries =
Suggestions for a naming standard. "yyy" is the prefix for a group of queries collected into a dashboard or serving one purpose; in ePO 4.5 they are also collected into a query group.

Select the type of query (result type in ePO 4.0 / ePO 4.5):
 * yyy Events (4.0: Event, 4.5: Threat events)
 * yyy System (4.0: Managed systems, 4.5: Managed systems)
 * yyy ClientEvents (4.0: -, 4.5: Client Event (products))

For a multi-group table or group table, the suggested syntax is: yyy Events [extra filter] (columns to show) time filter (note any exceptions it includes).
 * yyy Events (host, threat name) 24h - multi-group on threat target host name and threat name, filtered to the last 24h
 * yyy Events malware (host, threat name) 24h - as above, also filtered on event category malware
 * yyy Events malware (host, threat name) (nr hosts) 24h - as above, with the number of hosts shown in the last column

Chart type in the name: table (a plain table with no groups), pie, bar, line, compliant; given when the query is something other than a group table.

 * yyy malware pie (threat name) 24h

Time filter: 1-24h, 2-30 days, 1-11 months, 1 year. Normal time selections: 4h, 24h, 7d, 14d, 1 month, 3 months, 6 months, 1 year. 4h is used when operating in real time, to see what is happening now (it must be at least double the ASCI, the agent-to-server communication interval).

= Client Product Events =
MultiGroup (Product, Error) (Nr Host) 24h - shows which products have been installed and updated.
Columns: Detected UTC, Host Name, IP Address, User Name, Initiator ID, Event type, Event Description, Error Code, Product Code, Version

=Server task logs=
Name: Task log Entries ServerTask (Hour, name) 24h

= Event GS Exchange =
(GroupShield for Exchange)
Threat Type values: Corrupted, File Filter, Mail Size Filter, Packer, Password Protected, Signed, Phish, Spam

Event IDs (Event Description is missing for the 17xx IDs):
 * 1750 Packer
 * 1751 Phish
 * 1752 Mail Size Filter
 * 1753 Signed (many)
 * 1755 Corrupted (very many)
 * 1758 Password Protected
 * 8000 Virus
 * 8500 Banned Content
 * 8501 Encrypted/Corrupted
 * 8502 File Filter
 * 8503 Spam (very, very many)

Threat Source Process Name: "OnAcess (Trans", "OnAccess (VSAPI"
Event Category: Email filter, Email phishing detected, Email spam

MultiGroup (Threat type, File Path) 24h
Columns: UTC, Detecting Product Host Name, Threat Source Process Name, Threat Source User Name, Threat Target User Name, Threat Type, Threat Name, Threat Target File Path, Action Taken

= Events Audit =
Audit log Entries, no pull (days, success, user name) 7 days

= Events HIPS =

Important Event IDs whose fields differ (the short names in parentheses are used below when pointing out the differences):
 * 18000 Host intrusion (HOST)
 * 18001 Network intrusion (NET)
 * 18002 Application blocking (APP)
 * 18003 Failed quarantine check

Columns:
 * Event Generated Time (UTC)
 * Threat Target Host Name
 * Threat Target Host IPv4 Address
 * Threat Source User Name (VirusScan uses Threat Target User Name, GS uses both)
 * Event ID (only needed if the next column is too slow)
 * Event Description (slow on some ePO 4.0; found under the header Threat Event in ePO 4.5)

Field values by HIPS event type:
 * **Field**||**HOST (18000)**||**NET (18001)**||**APP (18002)**||
 * Event Category||more info||Network intrusion detected||Application block||
 * Threat Name||signature number||signature number||app rule name||
 * Signature Name||signature name||signature name||[blank]||
 * Threat Type||more info||[blank]||info||
 * Threat Source Process Name||file path||[blank]||file name only||
 * Threat Source URL||file path||None||file path of the blocked app||

HOST uses these fields:
 * Threat Source User Name (not used by APP)
 * Threat Source Process Name
 * Threat Source URL
 * Threat Target Host Name
 * Threat Target IPv4 Address
 * Threat Target MAC Address

Always None for HIPS events:
 * Threat Target Process Name
 * Threat Target User Name (use Threat Source User Name instead)
 * Threat Target File Path

 * Action Handled: true if blocked, false if ...
 * Action Taken: Blocked, ...
 * Threat Target File Path: always None (works better for VirusScan)
 * Analyzer Detection Method: always None (works better for VirusScan)

Filter: in ePO 4.0, Detecting Product ID = META_HIP; in ePO 4.5, Detecting Product Name = Host Intrusion Prevention

Event Category and Threat Type take these values on HIP 7.x (Event Category, followed by the Threat Type values seen with it):
 * Host intrusion (hip.Illegal_API_Use): bad_parameter
 * Host intrusion (hip.Registry): delete, modify
 * Host intrusion (hip.Buffer overflow): heap, invalid_call
 * Host intrusion (hip.Files): rename
 * Host intrusion (hip.Program): run
 * Network intrusion detected
 * Application block: create
On HIP 8.x these are changed to be more readable.

= Duplicated systems =
In ePO 4.5 this is a function in a normal Managed Systems query.

 * system Duplicate system (Groups) - shows where in the tree most duplicate systems are
 * system All (groups) - compare against all computers in the tree
 * system Duplicate system (system name) (nr of systems) - shows whether some computers have many duplicates
 * system Duplicate system (Weeks) - removing the oldest week first is a fast way to get rid of all duplicates
 * system Duplicate system (Mac, Network) - check whether some VPN adapters cause the problem

Columns: System name, Last communication, Assignment path, Group name, Tags, Last seq error, Seq error, IP4, Mac
Filter: System Name Is Duplicated

=Epo 4.0 and 4.5 Events=
Columns:
 * Event Generated Time (UTC)
 * Threat Source Host Name - when a share is infected, VirusScan shows which computer did the infecting
 * Threat Target User Name (VirusScan uses Threat Target User Name, GS uses both)
 * Threat Target Host Name
 * Threat Target Host IPv4 Address
 * Event ID (only on ePO 4.0)
 * Event Description (slow on ePO 4.0; found under the header Threat Event in ePO 4.5)
 * Event Category
 * Threat Name
 * Signature Name (HIPS; found under the header Host IPS Signature Info, does not take longer)
 * Threat Source Process Name (works for VirusScan Access Protection)
 * Threat Target File Path (works for VirusScan)
 * Action Taken
 * Analyzer Detection Method

Filter: Event Received Time (UTC) is within the last 1 day AND Event ID does not equal 1051 AND does not equal 1059 (1051 password protected, 1059 scan timed out)

Other good filters: Event Category belongs to Malware; Threat Type does not belong to Access Protection.

Remember that including fields from other headers (tables) can slow the query down by 10-100 times.

Some good malware views:
 * Events malware (Detections, Host, Threat name) 24h
 * Events malware (Hour, Host, Threat Name) 24h
 * Events malware bars (Days, Threat name) (nr hosts) 7 days
 * Events malware bars (Detections, Threat name) (nr hosts) 7 days - shows the OAS% / ODS% split
 * Events malware (source host name) (nr target)

All events:
 * Events bars (days) 7 days
 * Events (Hour, Description, Threat Name) 8h
 * Events AP
 * Events Not AP

=epo45 task error on queries=
In the server task builder, the action Run Query with the sub-action Apply Tag gives this error message: "Task validation failure:" "This action can only be used with queries that return a Table of Managed Systems". The query needs to use a field from the left side (Managed Systems), such as System Name or GUID.

=Event reports=
Columns:
 * Event Generated Time (UTC)
 * Host Name, IPv4 Address, User Name
 * Event ID, Event Description, Threat Name, Threat Source Process Name, File Path
 * Action Taken, Analyzer Detection Method (OAS, or which job found it)

 * Threat Type, Detecting Product ID
 * Threat Source Host Name (not so common; make a special report for this)
 * Threat Source IPv4 Address (not so common; make a special report for this)

Filter on Event Received Time.

Event ID does not equal 1051 (password protected), 1059 (scan time too long), 1095 (AP would have blocked the file); Threat Name does contain cookie.

 * [|kc.mcafee all vs events]
 * [|kc.mcafee all epo and vs event]

Look in the database table dbo.EPoEventFilterDesc: it holds all event descriptions, in all languages, for the extensions installed on the ePO server.

Some grouping values in ePO 4 with VSE 8.5 P5 and HIP 7 P2; some events change when patching:
 * **Threat Severity**||**Threat Type**||**Event ID**||**Event Description**||**Event Category**||**Analyzer Detection Method**||
 * Notice||access protection||1092||Access Protection blocked||Host intrusion (hip.registry)||OAS||
 * Notice||access protection||1094||Port blocking detected||Firewall detected||OAS||
 * Notice||access protection||1095||Access Protection NOT blocked||Host intrusion 'file' class||OAS||
 * Notice||access protection||1096||Port blocking rule violation detected and NOT blocked||Host intrusion 'file' class||OAS||
 * Information||none||1034||Scan completed. No viruses found.||Operational (ops.task.end)||(managed)scan||
 * Information||none||1035||Scan was cancelled.||Operational (ops.task.cancel)||(managed)scan||
 * Information||none||1064||Service was started.||Operational (ops.service.start)||OAS||
 * Information||none||1065||Service ended.||Operational (ops.service.end)||OAS||
 * Information||none||1087||On-access Scan started||Operational (ops.scan.start)||OAS||
 * Information||none||1088||On-access scan stopped.||Operational (ops.scan.end)||OAS||
 * Information||none||1118||The update was successful||Operational (ops.update.end)||AutoUpdate||
 * Information||none||1120||The update is running||Operational (ops.update)||AutoUpdate||
 * Information||none||1202||On-demand scan started||Operational (ops.task.start)||(managed) AntiSpyWare RegistryScan||
 * Information||none||1203||On Demand scan complete||Operational (ops.task.end)||(managed) AntiSpyWare Reg & Cookie Scan||
 * Warning||none||1119||The update failed see event log||Operational (ops.update.end)||AutoUpdate||
 * Warning||run||18000||Host intrusion detected and handled||Host intrusion (hip.Program)|| ||
 * Warning||create||18002||Application blocked||Application block|| ||
 * Emergency||Encrypted Corrupted||8501||Encrypted/Corrupted item found||E-mail filtered|| ||
 * Alert|| _ ||1051||Unable to scan password protected||Malware||(managed) scan||
 * Alert||trojan||1025||Infected file successfully Cleaned.||Malware detected||OAS||
 * Alert||trojan||1027||Infected file deleted.||Malware detected||OAS||
 * Alert||virus||1059||Scan Timed Out||Malware||OAS||
 * Alert||trojan||1091||JavaScript security and blocked||Malware detected||OAS||
 * Alert||virus||8000||Infected item found||Malware detected|| ||
 * Alert||app_adware||21025||Unwanted program successfully cleaned.||Malware (av.pup)||OAS||
 * Alert||app_puo||21027||Unwanted program deleted.||Malware (av.pup)||(managed) AntiSpyWare reg cookie Scan||
 * Alert||app_puocookie||21027||Unwanted program deleted.||Malware (av.pup)||(managed) AntiSpyWare reg cookie Scan||
 * Alert||app_pua||21405||User-specified unwanted program, clean error, deleted||Malware (av.pup)||OAS||
 * Critical||none||1038||Scan found infected files.||Operational (ops.task.end)||(managed) scan||
 * Critical||trojan||1284||file infected. clean error||Malware detected||OAS||
 * Critical||bad_parameter||18000||Host intrusion detected and handled||Host intrusion (hip.Illegal_API_Use)|| ||
 * Critical|| ||18001||Network intrusion detected and handled||Network intrusion detected|| ||
 * Critical||app_adware||21284||unwanted program, clean error||Malware (av.pup)||OAS||
 * Critical||trojan||1292||file infected. Undetermined clean error, OAS denied access and continued||Malware detected||(managed) scan||

To identify only virus alarms, use Event Category = Malware detected.
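The filters above (drop 1051/1059 scan noise, separate the AP event IDs, single out Event Category = Malware detected, and split detections by OAS versus on-demand using the "(managed)" prefix in Analyzer Detection Method) can be applied to an exported event list before grouping. The following is an added example, not code from the original page or from McAfee; the event records are constructed, and the field names on the dataclass are my own shorthand for the ePO columns:

```python
from collections import Counter
from dataclasses import dataclass

# Event IDs the page removes from malware reports (1051 password
# protected, 1059 scan timed out).
SCAN_NOISE_IDS = {1051, 1059}
# VirusScan Access Protection event IDs ("Events AP" on the page).
AP_IDS = {1092, 1094, 1095, 1096}
# Host IPS event IDs and the short names the page uses for them.
HIPS_IDS = {18000: "host", 18001: "net", 18002: "app", 18003: "quarantine"}


@dataclass(frozen=True)
class ThreatEvent:
    """Subset of ePO threat-event columns (shorthand names, my own)."""
    event_id: int
    event_category: str
    threat_name: str
    analyzer_detection_method: str
    target_host: str


def classify(ev: ThreatEvent) -> str:
    """Bucket an event the way the page's report filters do.
    Noise and AP IDs are tested before the category, because 1051/1059
    also carry a 'Malware' category."""
    if ev.event_id in SCAN_NOISE_IDS:
        return "scan-noise"
    if ev.event_id in AP_IDS:
        return "access-protection"
    if ev.event_id in HIPS_IDS:
        return "hips-" + HIPS_IDS[ev.event_id]
    if ev.event_category.lower().startswith("malware"):
        return "malware"
    return "other"


def is_virus_alarm(ev: ThreatEvent) -> bool:
    """Page: 'Event Category = Malware detected' identifies real virus alarms
    (PUP events carry 'Malware (av.pup)' instead)."""
    return ev.event_category == "Malware detected"


def is_on_demand(ev: ThreatEvent) -> bool:
    """Page: on-demand scan events have Analyzer Detection Method starting
    with '(managed)'."""
    return ev.analyzer_detection_method.lower().startswith("(managed)")


def virus_alarms_per_host(events) -> dict:
    """Counts for an 'Events malware (host, threat name)' style group table."""
    return dict(Counter(ev.target_host for ev in events
                        if classify(ev) == "malware" and is_virus_alarm(ev)))


def detection_share(events) -> dict:
    """OAS% / ODS% split of malware events (the 'show how OAS% ODS%' view)."""
    counts = Counter()
    for ev in events:
        if classify(ev) != "malware":
            continue
        if ev.analyzer_detection_method == "OAS":
            counts["OAS"] += 1
        elif is_on_demand(ev):
            counts["ODS"] += 1
        else:
            counts["other"] += 1
    total = sum(counts.values()) or 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


# Constructed sample events (not exported from a real ePO server).
SAMPLE_EVENTS = [
    ThreatEvent(1025, "Malware detected", "Generic.dx", "OAS", "pc01"),
    ThreatEvent(1027, "Malware detected", "Trojan.Foo", "(managed) scan", "pc01"),
    ThreatEvent(1051, "Malware", "", "(managed) scan", "pc02"),
    ThreatEvent(1059, "Malware", "", "OAS", "pc03"),
    ThreatEvent(1092, "Host intrusion (hip.registry)", "Common Standard Protection", "OAS", "pc02"),
    ThreatEvent(18001, "Network intrusion detected", "3723", "", "pc04"),
    ThreatEvent(21027, "Malware (av.pup)", "Cookie-Tracker", "(managed) AntiSpyWare reg cookie Scan", "pc03"),
    ThreatEvent(8000, "Malware detected", "EICAR test file", "", "pc05"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, classify(ev))
    print(virus_alarms_per_host(SAMPLE_EVENTS))
    print(detection_share(SAMPLE_EVENTS))
```

Running it on the sample gives pc01 two virus alarms and pc05 one; the 1051/1059 and AP rows never reach the malware bucket, which is the whole point of putting the ID tests ahead of the category test.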

Alerts: Emergency (GS), Critical

Some examples:
 * Detecting Product ID: HOSTIPS_META
 * Detecting Product Host Name:
 * Detecting Product IP:
 * Threat Process Name:
 * Threat Source URL: could be a file name
 * IPv4 Address:
 * Event ID: 18002
 * Event Category: Application block
 * Threat Name:
 * Threat Type: create
 * Action Taken: Blocked (important)
 * Threat Handled: True

 * Detecting Product ID: HOSTIPS_META
 * Detecting Product Host Name:
 * Detecting Product IP:
 * Threat Process IPv4 Address:
 * Event Category: Network intrusion detected
 * Event ID: 18001
 * Threat Name: 3723
 * Threat Type:
 * Action Taken: Blocked (important)
 * Threat Handled: True

flat
=Rogue reports=
Detected System Interface has the most to get out of in a report.

Find computers for sensors
Find computers powerful enough to install sensors on.
 * **Detected System Interface**: IP Address, Organization name (network card vendor name)
 * **Managed System**: System name
 * **Agent Properties**: Product version
 * **Computer Properties**: CPU Speed, CPU type, Free Memory (bytes) (RAM), Is Laptop, OS Version
 * **FILTER**: Managed System Last Update is within the last 3 hours; Detected Subnets Covered equals False

Rogue
Rogue, directly under Network: choose Uncovered Subnets. Under Options, Free Memory and Total Memory can be added, which makes it easier to pick the right computer for a sensor.

Rogue
Columns: IP Address, Organization name (Network interface), Last Detected Time, Rogue Action, Rogue State, OS Version, Domain, Computer Name, DNS Name, System Name, Agent Version, Last Update
Filter: Last Detected Time, Domain <> MyOwn, OS Platform = Windows, Exception = False, Rogue = True

flat
=HIP events=

Get internal network intrusions
 * **Columns**: System Name, IPv4 Address, Operating System, Threat Name, Threat Severity, Threat Source IPv4 Address
 * **Filter**: Event Category belongs to Network intrusion; Event Generated Time is within the last ...; Detecting Product ID equals HOSTISP or equals ENTERCPT_6000 or equals HOSTIPS_7000

flat

=Versions=
Take all properties from Computer Properties; never take properties from Detected System here, as they do not show the same thing. These are reports for the versions of MA, VS and HIP; this is missing from the 3.6.1 reports.
Summary table: Agent version, OS type, Tags, System name, IP, User, [Assignment Path], Group name, Last update
Filter: last contact within one month
 * **Managed systems**
 * **Agent**
 * **VS**: Product version (VS), Engine ver (VS), DAT ver (VS)
 * **HIP**: Product ver (HIP), Hotfix/patch (HIP), Content ver (HIP)
 * **OS**: OS version, Is 64bit, OS service pack

Problem: find how many computers have had a virus alarm in the last month. Tag all computers that had a virus in the last month with V. Show all computers with tag V (can be sorted and shown on the tree), or all subnets with alarms (if VPN or outside).

 * Show all V computers with a detection in Temporary Internet Files
 * Show all V computers with a detection in e:\
 * Show all V computers with a detection in d:\
 * Show all V on servers and clients

Tag computers that got a virus last week with V1, and computers with a virus in weeks 2-4 with V2. Then show all computers with V1 and V2.

On-demand scanning reports
Filter: Analyzer Detection Method starts with (managed) (check whether this is language independent); Event ID does not equal:
 * 1034 scan completed
 * 1051 unable to scan, password protected
 * 1202 on-demand scan started
 * 1203 on-demand scan complete
 * 21405 user-specified unwanted program, clean error, deleted
 * 21404 user-specified unwanted program, clean error, delete failed
 * 1035 scan cancelled
 * 1038 scan found infected files
 * 1039

OAS:
 * 1059 scan timed out - many in Threat Target File Path c:\program files\common Files\Mcafee\Engines (cleans)
 * 1051 unable to scan, password protected - most in Threat Target File Path Temporary Internet Files (cleans)

 * 1087 On-access scan started
 * 1088 On-access scan stopped
 * 1064 Service started
 * 1065 Service ended

 * 1095 AP rule matched and not blocked (Common Standard Protection: Prevent programs running from the Temp folder)
 * 1092 AP rule matched and blocked

 * 21404 User-defined program, clean error, delete failed
 * 21405 User-defined program, clean error, delete succeeded
 * 1094 Port blocking rules - Threat Source Process Name; needs a special query

 * 21027 Unwanted program deleted
 * 21284 Unwanted program, clean error, delete failed

Threat Target File Path contains Windows

Idea for tags:
 * VW1 virus in the Windows directory found by OAS within 1 week
 * VW9 virus in the Windows directory found by OAS within 2-16 weeks
 * VD1 virus found by the on-demand scanner within 1 week
 * VD9 virus found by the on-demand scanner within 2-16 weeks
 * 1 = Malware detected within 1 week; 9 = Malware detected within 2-16 weeks

Other idea:
 * VW1 virus in Windows within one week
 * VD1 virus found by on-demand scan
 * V1, V9
 * VC1 virus that communicated (smtp, irc)
 * VR1 virus on the report last week
 * VRTOT has been on a report at any time

Idea: purge events older than 16 weeks (by received time) with these IDs:
 * 1059, 1051 scan timed out, password protected
 * 1095, 1092 AP (threat name contains vmware, mcafee, or Common Standard Protection: Prevent common programs from running from the Temp folder), user-defined rules
 * 1087, 1088 on-access scan started, stopped
 * 1034, 1035 scan OK, scan cancelled

Idea: purge AP events older than 6 months (by received time): 1095, 1092 where the threat name contains user-defined, mcafee, temp or vmware.

Idea: purge all events older than 2 years.
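The three purge ideas above are tiers of one retention policy, evaluated from the shortest window to the longest. The following is an added example, not code from the original page or from McAfee: it decides, per event, which tier (if any) applies, using the page's event IDs and threat-name terms. The 6-month and 2-year windows are approximated as 182 and 730 days (my assumption), and the sample events are constructed:

```python
from datetime import datetime, timedelta, timezone

# AP event IDs named in the purge ideas.
AP_IDS = {1092, 1095}
# 16-week tier: scan/operational noise IDs listed on the page.
NOISE_16W_IDS = {1059, 1051, 1087, 1088, 1034, 1035}
# 16-week tier: AP events whose threat name contains one of these.
AP_16W_TERMS = ("vmware", "mcafee", "common standard protection", "user-defined")
# 6-month tier: AP events whose threat name contains one of these.
AP_6M_TERMS = ("user-defined", "mcafee", "temp", "vmware")

# Window lengths; 6 months and 2 years are approximations (assumption).
WINDOW_16W = timedelta(weeks=16)
WINDOW_6M = timedelta(days=182)
WINDOW_2Y = timedelta(days=730)


def _ap_matches(event_id: int, threat_name: str, terms) -> bool:
    name = threat_name.lower()
    return event_id in AP_IDS and any(t in name for t in terms)


def purge_reason(event_id: int, threat_name: str,
                 received_utc: datetime, now: datetime):
    """Return the name of the first retention tier that allows this event
    to be purged, or None if it must be kept.  Age is measured on the
    ePO received time, as the page specifies."""
    age = now - received_utc
    if age > WINDOW_16W and (event_id in NOISE_16W_IDS
                             or _ap_matches(event_id, threat_name, AP_16W_TERMS)):
        return "16-week rule"
    if age > WINDOW_6M and _ap_matches(event_id, threat_name, AP_6M_TERMS):
        return "6-month rule"
    if age > WINDOW_2Y:
        return "2-year rule"
    return None


def purge_plan(events, now: datetime) -> dict:
    """Map index -> tier for every event in `events` that may be purged.
    Each event is a (event_id, threat_name, received_utc) tuple."""
    plan = {}
    for i, (event_id, threat_name, received_utc) in enumerate(events):
        reason = purge_reason(event_id, threat_name, received_utc, now)
        if reason:
            plan[i] = reason
    return plan


# Constructed sample, evaluated against a fixed "now" so results are stable.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (1059, "", NOW - timedelta(weeks=20)),                 # old scan timeout
    (1025, "Generic.dx", NOW - timedelta(weeks=20)),       # real detection, keep
    (1092, "VMware Workstation rule", NOW - timedelta(weeks=10)),  # too new
    (1092, "Common Standard Protection: Prevent common programs from "
           "running from the Temp folder", NOW - timedelta(weeks=20)),
    (1095, "Anti-spyware Standard Protection: protect temp files",
           NOW - timedelta(weeks=30)),                     # only the 6-month terms match
    (1025, "Generic.dx", NOW - timedelta(days=3 * 365)),   # anything this old goes
    (1025, "Generic.dx", NOW - timedelta(days=1)),         # fresh, keep
]

if __name__ == "__main__":
    for i, reason in purge_plan(SAMPLE_EVENTS, NOW).items():
        print(i, SAMPLE_EVENTS[i][0], reason)
```

A real detection that is only 20 weeks old is kept even though it is older than 16 weeks, because the short tiers are restricted by ID and threat name; only the 2-year tier applies to everything.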

Words in Threat Target File Path (obfuscated here): fqck 60, pqrn 15, pqssy 10, pqrr 5; these find many bad pages. Some statistics: 124/4000 computers had a virus stopped and 30/4000 were infected over 4 months; 30/1000 computers had a virus stopped and 8/1000 were infected in 2009-10 over 1 month; 9 p2p or 6x / 124 with virus; 9 virus / 52 p2p; 6 virus / 18x.

Somewhere in ePO 4 these event IDs should show up; they are from the ePO 4.5 client events:
 * 2401 Update Successful
 * 2402 Update Failed
 * 2411 Deployment Successful
 * 2412 Deployment Failed
 * 2413 Attempt to uninstall ePolicy Orchestrator Agent

=DASHBOARDS=

Epo 45,46 status 3x2
This dashboard shows 5 different aspects of whether the ePO server is working: it should update, get contact, and receive alerts. The times assume a 1h ASCI; with another ASCI the 2h value, and the 8h DAT value, may need to change.
 * MyAvert Threat Advisory
 * ClientEvent Line (received time, day) (Nr hosts) 14 days - shows how many clients connected each day
 * Threat Events Line (received time, hour) 24h - shows the total number of events each hour; if it drops to zero the event parser has stopped
 * System circle (dat) 8h - shows how many have the latest DAT; if not the latest, some repository has failed
 * System server compliant (contact 2h, 14 days) (is within 2h) - shows that the servers have contact
 * Event bar grouped (Detecting Product Version, received time Days) 7 days - shows how many events each product gives

Epo 45 46 status extra unsorted
 * Audit Log Entries (Success, Name, what) 24h
 * Server Task Log (Status, Source, Name) 24h

=Epo 45 46 4x2 Clients status=
 * System (OS type) 30 days
 * System Server compliant (Agent4, VS87, Engine, Dat2) 24h
 * Events Scanning (Task, result) 2 days
 * System duplicate (week, name)

 * System (VirusScan, MacScan) 30 days
 * System Client PC compliant (Agent4, VS87, Engine, Dat7) 24h
 * System Client MAC compliant (Agent, VS, Engine, Dat7) 24h
 * System Sequence error>10 (Last contact Week) 30 days

Events1 3x2
 * Threat Event Malware (Host name, Threat name) 24h
 * Threat Event some filter (Host Name, Threat Name) 24h
 * Threat Events not AP (Event Description, Threat Name) 24h [eventID <> 1092,1094,1095,1096, [1051,1059,21027,21024]]
 * Threat Event Malware (Host name, Threat name) 7days [Event Category = Malware]
 * Threat Event Bar (day) 7days
 * Threat Event AP (Threat name) 24h [eventID = 1092,1094,1095,1096]

Events2 3x2
 * Event (source host name, Threat name, Threat target host name) 24h - to show whether any computer infects another
 * Event Malware (Analyzer detection Method, host name, threat name) 24h
 * Event Malware (OS platform, Host name, File path) 24h
 * Event (Generate time hour, Event description, Threat name) 8h
 * Event malware (Generate time days, Host name, Threat name) 14days
 * HIPS top ten (Threat source IP addresses), events, Nr of Threat target IPv4 addresses

Event3 4x2
 * Events malware Source (Source, host, threat, file) 1 week
 * Events malware (day, host, threats) 2 days
 * soc2 Events NO-AP (Category, Threatname) (nrhost, nr) 2 days
 * soc2 Events NO-AP top 10 (Host, Threatname) (nr) 2 days - for easy analysis of which computer generates all the events, if it is a single one

 * soc2 Events malware TOP 10 (virusname) (nrhosts) 1 week
 * soc2 Events malware (User, host) 1 week
 * soc2 Events AP (Category, Threatname) (nrhost, nr) 2 days
 * soc2 Events AP top 10 (Host, threatname) (nr) 2 days - for easy analysis of which computer generates all the events, if it is a single one

Watch 3x2 tagged computers, all events
Computers with the tag Watch have a dashboard of their own:
 * Watch System (last comm, tree, host, user)
 * Watch Threat filter (day, host, Threat) All (filter = Threat name <> none, Threat name not mcafee (AP common))
 * Watch event (Host, threat, desc) all
 * Quick search (replace with reports from other products)
 * Watch events (Days, host, threat, desc) ALL
 * Watch ClientEvents (day, host, product, error) ALL

include page="Mcafee_header" editable="true" toc
=McAfee ePolicy Orchestrator 4.6=
Some new functions that change how things can be done in ePO 4.6:
 * Software download (but then you don't get a separate backup of what is installed)
 * Task catalog: now the client task must first be created, then assigned, as with policies
 * Policy on tag: works completely differently from task on tags
 * Direct filter in some tables such as events and systems, the same for different reports
 * Custom query output: add and remove fields per query and per ePO user
 * ePO agent 4.6 can have custom languages in policies (name troubleshooting)
 * ePO agent 4.6 now has 3 policies, which will work for old agents too
 * ePO agent 4.6 runs with lower process priority

Menu quick icons
Have: Dashboard, System Tree, Queries & Reports, Policy Catalog, Client Task Catalog (add this in ePO 4.6), Master Repository (add this in ePO 4.6)

Show properties
Original custom properties: McAfee Agent Compliance Summary

Custom 1: Subnet mask: Time Zone: System tree sorting

Threat events in the last 2 weeks

The custom properties I would prefer are set in Menu -> Configuration -> Server Settings -> System Details -> Setting Properties panel:
 * Last Communication
 * User Name
 * Tags
 * OS Type
 * Product Version (Agent)
 * Product Version (VirusScan Enterprise)
 * Engine Version (VirusScan Enterprise)
 * DAT Version (VirusScan Enterprise)

Make a boolean report with the name "Green:MA40 VS87 DAT10X Grey:7d old":
 * Make query: Managed Systems, boolean pie chart
 * Configure columns: only Last Communication and System Name
 * Configure boolean criteria: Product Version (Agent) > 4; Product Version (VirusScan) > 8.7; DAT version is within 10 versions (the X in the report name)
 * Configure filter: Last Communication within 1 week
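The boolean criteria above, with the 7-day filter producing the Grey slice, can be checked outside ePO against an export of Managed Systems properties. The following is an added example, not the page's or McAfee's code; the version thresholds are read as "at least 4.0" and "at least 8.7", the DAT check as "within 10 of the newest DAT", and "Red" is my label for the non-compliant slice. The system records are constructed:

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds from the report name "Green:MA40 VS87 DAT10X Grey:7d old".
MIN_AGENT = (4, 0)          # McAfee Agent 4.0 or newer
MIN_VSE = (8, 7)            # VirusScan Enterprise 8.7 or newer
MAX_DAT_LAG = 10            # DAT may be at most 10 versions behind the newest
STALE_AFTER = timedelta(days=7)   # older last communication -> Grey


@dataclass(frozen=True)
class ManagedSystem:
    """The ePO Managed Systems properties the report reads (shorthand names)."""
    system_name: str
    last_communication: datetime
    agent_version: str
    vse_version: str
    dat_version: int


def parse_version(text: str) -> tuple:
    """'8.7.0.570' -> (8, 7, 0, 570); tuple comparison then orders versions
    numerically, so 8.10 sorts after 8.7 (string comparison would not)."""
    return tuple(int(part) for part in text.split("."))


def compliance_colour(system: ManagedSystem, now: datetime, latest_dat: int) -> str:
    """Grey if the agent has not talked to ePO within 7 days; otherwise Green
    when all three boolean criteria hold, else Red."""
    if now - system.last_communication > STALE_AFTER:
        return "Grey"
    compliant = (parse_version(system.agent_version) >= MIN_AGENT
                 and parse_version(system.vse_version) >= MIN_VSE
                 and latest_dat - system.dat_version <= MAX_DAT_LAG)
    return "Green" if compliant else "Red"


def compliance_summary(systems, now: datetime, latest_dat: int) -> dict:
    """Slice counts for the pie chart."""
    return dict(Counter(compliance_colour(s, now, latest_dat) for s in systems))


# Constructed sample: a fixed "now" and newest DAT keep the result stable.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)
LATEST_DAT = 5990
SAMPLE_SYSTEMS = [
    ManagedSystem("srv01", NOW - timedelta(days=1), "4.0.0.1494", "8.7.0.570", 5982),
    ManagedSystem("srv02", NOW - timedelta(days=1), "4.0.0.1494", "8.5.0.781", 5990),  # old VSE
    ManagedSystem("srv03", NOW - timedelta(days=2), "3.6.0.608", "8.7.0.570", 5990),   # old agent
    ManagedSystem("srv04", NOW - timedelta(days=1), "4.0.0.1494", "8.7.0.570", 5970),  # DAT 20 behind
    ManagedSystem("srv05", NOW - timedelta(days=10), "4.0.0.1494", "8.7.0.570", 5990), # stale
]

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        print(s.system_name, compliance_colour(s, NOW, LATEST_DAT))
    print(compliance_summary(SAMPLE_SYSTEMS, NOW, LATEST_DAT))
```

The stale check runs first on purpose: a machine that has not reported for a week has property values that are a week old, so counting it as Green or Red would misstate the current state.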

Make query: Threat Events, stacked bar chart on Event Generated Time (days) and Threat Name. Name: Event bar malware (days, threat name) 30days - malware found in 30 days. Filter: Event Category = Malware, Received Time within 30 days.

Queries
System duplicate (week, Name) 1 year
Fields: Last contact, Group name, System name, IP address, Description, Seq error, Last seq error, Agent GUID
Filter: Last contact within 1 year, System Name Is Duplicate
Some queries that can be imported are on the NSEC blog: http://www.nsec.se/blogg/?p=214

=Automatic Responses=
In ePO 4.5 and 4.6 the name changes from Notifications to Automatic Responses. Aggregation: trigger on every event; throttling: at most once every 30 minutes.

Message template:

McAfee Epo: {setOfTargetHostName}, {setOfThreatType} {setOfThreatActionTaken}: {setOfThreatName}

{setOfDetectedUTC} {setOfAnalyzerDetectionMethod}: {setOfEventDesc}

{setOfThreatType} {setOfThreatActionTaken}: {setOfThreatName}
SourceHost: {setOfSourceHostName}
SourceProcess: {setOfSourceProcessName}
TargetFile: {setOfTargetFileName}

Host: {setOfTargetHostName}
IPV4: {setOfTargetIPV4}
User: {setOfTargetUserName}

Threat Lib: https://www.mcafee.com/apps/search/threat.aspx?q={setOfThreatName}

OsType: {setOfOsType}
IPV6: {setOfTargetIPV6}
Analyzer: {setOfAnalyzerName}, {setOfAnalyzerVersion}, {setOfAnalyzerEngineVersion}
DATVersion: {setOfAnalyzerDATVersion}

EpoReceivedTime: {setOfReceivedUTC}
EpoPlaceInSystemTree: {setOfNodeTextPath}
EpoPolicyDefineAt: {setOfDefinedAt}
EpoResponseRule: {responseRuleName}
