McAfee ePolicy Orchestrator (EPO)

Use the IBM® QRadar® Content Extension for McAfee ePolicy Orchestrator (EPO) to closely monitor your McAfee EPO antivirus deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Content Extensions for McAfee ePolicy Orchestrator (EPO)

IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.0

The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.0.

Table 1. Changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.0
Name | Description | ID | Forceparse | Regex
URL Host | Default custom extraction of URL Host from DSM payload. | 641cd865-b9fb-42f5-81a1-664bdab52270 | True |
    TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)
    SourceURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)
Machine Identifier | Default custom extraction of Machine ID from DSM payload. | 002a5618-8f44-41bc-b5aa-bc02153a7d84 | False |
    TargetHostName>(.*?)<\/TargetHostName
    TargetHostName:\s"([^"]+)\"
Analyzer Hostname | Default custom extraction of Analyzer Host Name from DSM payload. | 0f43b2c9-6ac4-419e-91c4-d7761e4b40e6 | False |
    AnalyzerHostName>(.*?)<\/AnalyzerHostName
    AnalyzerHostName:\s+"(.*)"\s+AnalyzerIPV4

The File Hash property was removed. Use MD5 Hash to achieve similar results.

IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.1.0

The following table shows the custom properties that have received new expressions in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.1.0.

Table 2. Custom properties with new expressions in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.1.0
Name | Optimized | Capture Group | Regex
Action | Yes | 1 | ThreatActionTaken>(.*?)<\/ThreatActionTaken
Action Result | No | 1 | ThreatHandled>(.*?)<\/ThreatHandled
Agent GUID | No | 1 | AgentGUID>\{{0,1}(.*?)\}{0,1}<\/AgentGUID
Analyzer | No | 1 | Analyzer>(.*?)<\/Analyzer
Analyzer Host Name | No | 1 | AnalyzerHostName>(.*?)<\/AnalyzerHostName
Analyzer Name | No | 1 | AnalyzerName>(.*?)<\/AnalyzerName
Computer Name | No | 1 | TargetHostName>(.*?)<\/TargetHostName
Detection Method | No | 1 | AnalyzerDetectionMethod>(.*?)<\/AnalyzerDetectionMethod
File Directory | Yes | 1 |
    TargetPath:\s"([^"]+)\\+[^\\]*?"
    TargetFileName>(.*?)\\+[^\\]*?<\/TargetFileName
    TargetFileName:\s"([^"]+)\\+[^\\]*?"
    TargetFileName>(.*?)<\/TargetFileName
File Extension | Yes | 1 |
    TargetName>.*?\.([^\.]*?)<\/TargetName
    TargetFileName>.*?\.([^\.]*?)<\/TargetFileName
File Hash | Yes | 1 | TargetHash>(.*?)<\/TargetHash
Filename | Yes | 1 |
    TargetFileName>.*?\\([^\\]*?)<\/TargetFileName
    TargetName>(.*?)<\/TargetName
Threat Category | No | 1 | ThreatCategory>(.*?)<\/ThreatCategory
Threat Name | Yes | 1 | ThreatName>(.*?)<\/ThreatName
Threat Severity | No | 1 | ThreatSeverity>(.*?)<\/ThreatSeverity
Threat Type | No | 1 | ThreatType>(.*?)<\/ThreatType

The File Path property was removed.

IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.4

The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.4.

Table 3. Changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.4
Name | Optimized | Capture Group | Regex
MD5 Hash | Yes | 1 | MD5:\s"(\w{32})\"

IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.3

The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.3.

Table 4. Changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.3
Name | Optimized | Capture Group | Regex
UrlHost | Yes | 1 |
    TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)
    SourceURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)

All custom property descriptions were updated, and changes were made to allow custom properties to be translated.
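Each expression above yields its value in capture group 1. The following Python is an added example, not code from the content extension or from IBM, that runs the V1.1.0 expressions from Table 2 together with the MD5 Hash expression from Table 3 and the TargetURL host expression from Table 4 against two constructed payloads (one XML-style, one key-value style). The sample payloads, the property-to-expression mapping and the rule that the first matching expression supplies the value are assumptions made here, not behaviour the page states.

```python
import re

# Expressions copied verbatim from Tables 2, 3 and 4 (Java regex in QRadar; same syntax under Python's re).
PROPERTIES = {
    "File Directory": [
        r'TargetPath:\s"([^"]+)\\+[^\\]*?"',
        r"TargetFileName>(.*?)\\+[^\\]*?<\/TargetFileName",
        r'TargetFileName:\s"([^"]+)\\+[^\\]*?"',
        r"TargetFileName>(.*?)<\/TargetFileName",
    ],
    "File Extension": [
        r"TargetName>.*?\.([^\.]*?)<\/TargetName",
        r"TargetFileName>.*?\.([^\.]*?)<\/TargetFileName",
    ],
    "Filename": [
        r"TargetFileName>.*?\\([^\\]*?)<\/TargetFileName",
        r"TargetName>(.*?)<\/TargetName",
    ],
    "Action": [r"ThreatActionTaken>(.*?)<\/ThreatActionTaken"],
    "Agent GUID": [r"AgentGUID>\{{0,1}(.*?)\}{0,1}<\/AgentGUID"],
    "MD5 Hash": [r'MD5:\s"(\w{32})\"'],
    "URL Host": [r'TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+)'],
}

# Constructed sample payloads (not real EPO events).
SAMPLE_XML = (
    "<EPOevent><ThreatActionTaken>deleted</ThreatActionTaken>"
    "<AgentGUID>{0B0B0B0B-CONSTRUCTED-GUID}</AgentGUID>"
    r"<TargetFileName>C:\Users\alice\Downloads\invoice.pdf.exe</TargetFileName>"
    "</EPOevent>"
)
SAMPLE_KV = (
    'MD5: "0123456789abcdef0123456789abcdef" '
    'TargetURL: "https://www.example.com:8443/dl/sample.bin" '
    r'TargetPath: "C:\Users\alice\Downloads\invoice.pdf.exe"'
)

def extract(payload, patterns):
    """Capture group 1 of the first matching expression, else None.
    Assumption: when a property has several expressions, the first that matches wins."""
    for pattern in patterns:
        match = re.search(pattern, payload)
        if match:
            return match.group(1)
    return None

def extract_all(payload):
    """Apply every property to one payload; None marks a property with no match."""
    return {name: extract(payload, pats) for name, pats in PROPERTIES.items()}
```

Rows that carry both a `Tag>` and a `Tag:\s"` expression (File Directory, for instance) match on both sample payloads, while single-expression XML-style rows such as Action return None on the key-value sample.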


IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.2

The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.2.

Table 5. Changed Custom Properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.2
Name | Optimized
Action | 1
Filename | 1
File Extension | 1
URL | 1
UrlHost | 1


IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.1

The following table shows the custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.1.

Table 6. Custom Properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.1
Name | Capture Group | Regex
Computer Name | 1 | TargetHostName:\s"([^"]+)\"
File Path | 1 |
    TargetPath:\s"([^"]+)\"
    TargetFileName:\s"([^\"]+\\).*?\"
Filename | 1 |
    TargetFileName:\s"(?:[^\"]+\\)(.*?)\"
    TargetName:\s"([^"]+)\"
File Extension | 1 |
    TargetName:\s"[^\.\"]+\.([^\"]+)\"
    TargetFileName:\s"[^\.\"]+\.([^\"]+)\"
File Hash | 1 |
    TargetHash:\s"([^"]+)\"
    (?:SHA(?:256|1)|MD5):\s;(\w{32})\;
MD5 Hash | 1 | MD5:\s"(\w{32})\"
URL | 1 |
    TargetURL:\s"([^"]+)\"
    SourceURL:\s"([^"]+)\"
UrlHost | 1 |
    TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\
    SourceURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\
Threat Name | 1 | ThreatName:\s"([^"]+)\"
Threat Category | 1 | ThreatCategory:\s"([^"]+)\"
Threat Type | 1 | ThreatType:\s"([^"]+)\"
Threat Severity | 1 | ThreatSeverity:\s"([^"]+)\"
Detection Method | 1 | AnalyzerDetectionMethod:\s"([^"]+)\"
Action | 1 | ThreatActionTaken:\s+"(.*)"\s+ThreatHandled
Action Result | 1 | ThreatHandled:\s"([^"]+)\"
Agent GUID | 1 | AgentGUID:\s"([^"]+)\"


IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.0

The following table shows the custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.0.

Table 7. Custom Properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.0
Name | Regex
Analyzer | Analyzer:\s+"(.*)"\s+AnalyzerName
Analyzer Name | AnalyzerName:\s+"(.*)"\s+AnalyzerVersion
Analyzer Host Name | AnalyzerHostName:\s+"(.*)"\s+AnalyzerIPV4
Threat Action Taken | ThreatActionTaken:\s+"(.*)"\s+ThreatHandled
URL | SourceURL:\s+"(.*)"\s+TargetHostName
