McAfee ePolicy Orchestrator (EPO)
Use the IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) to closely monitor your McAfee EPO antivirus deployment.
IBM Security QRadar Content Extensions for McAfee ePolicy Orchestrator (EPO)
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.1
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.0
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.1.0
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.4
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.3
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.2
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.1
- IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.0
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.1
The following table shows the deleted custom property in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.1.
Name | Description |
---|---|
File Hash | Removed deprecated custom event property. |
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.0
The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.2.0.
Name | Description | ID | Forceparse | Regex |
---|---|---|---|---|
URL Host | Default custom extraction of URL Host from DSM payload. | 641cd865-b9fb-42f5-81a1-664bdab52270 | True | TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) SourceURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) |
Machine Identifier | Default custom extraction of Machine ID from DSM payload. | 002a5618-8f44-41bc-b5aa-bc02153a7d84 | False | TargetHostName>(.*?)<\/TargetHostName TargetHostName:\s"([^"]+)\" |
Analyzer Hostname | Default custom extraction of Analyzer Host Name from DSM payload. | 0f43b2c9-6ac4-419e-91c4-d7761e4b40e6 | False | AnalyzerHostName>(.*?)<\/AnalyzerHostName AnalyzerHostName:\s+"(.*)"\s+AnalyzerIPV4 |
The File Hash property was removed. Use MD5 Hash to achieve similar results.
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.1.0
The following table shows the custom properties that have received new expressions in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.1.0.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
Action | Yes | 1 | ThreatActionTaken>(.*?)<\/ThreatActionTaken |
Action Result | No | 1 | ThreatHandled>(.*?)<\/ThreatHandled |
Agent GUID | No | 1 | AgentGUID>\{{0,1}(.*?)\}{0,1}<\/AgentGUID |
Analyzer | No | 1 | Analyzer>(.*?)<\/Analyzer |
Analyzer Host Name | No | 1 | AnalyzerHostName>(.*?)<\/AnalyzerHostName |
Analyzer Name | No | 1 | AnalyzerName>(.*?)<\/AnalyzerName |
Computer Name | No | 1 | TargetHostName>(.*?)<\/TargetHostName |
Detection Method | No | 1 | AnalyzerDetectionMethod>(.*?)<\/AnalyzerDetectionMethod |
File Directory | Yes | 1 | TargetPath:\s"([^"]+)\\+[^\\]*?" TargetFileName>(.*?)\\+[^\\]*?<\/TargetFileName TargetFileName:\s"([^"]+)\\+[^\\]*?" TargetFileName>(.*?)<\/TargetFileName |
File Extension | Yes | 1 | TargetName>.*?\.([^\.]*?)<\/TargetName TargetFileName>.*?\.([^\.]*?)<\/TargetFileName |
File Hash | Yes | 1 | TargetHash>(.*?)<\/TargetHash |
Filename | Yes | 1 | TargetFileName>.*?\\([^\\]*?)<\/TargetFileName TargetName>(.*?)<\/TargetName |
Threat Category | No | 1 | ThreatCategory>(.*?)<\/ThreatCategory |
Threat Name | Yes | 1 | ThreatName>(.*?)<\/ThreatName |
Threat Severity | No | 1 | ThreatSeverity>(.*?)<\/ThreatSeverity |
Threat Type | No | 1 | ThreatType>(.*?)<\/ThreatType |
The File Path property was removed.
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.4
The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.4.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
MD5 Hash | Yes | 1 | MD5:\s"(\w{32})\" |
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.3
The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.3.
Name | Optimized | Capture Group | Regex |
---|---|---|---|
UrlHost | Yes | 1 | TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) SourceURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\,\"]+) |
All custom property descriptions were updated, and changes were made to allow custom properties to be translated.
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.2
The following table shows the changed custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.2.
Name | Optimized |
---|---|
Action | 1 |
Filename | 1 |
File Extension | 1 |
URL | 1 |
UrlHost | 1 |
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.1
The following table shows the custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.1.
Name | Capture Group | Regex |
---|---|---|
Computer Name | 1 | TargetHostName:\s"([^"]+)\" |
File Path | 1 | TargetPath:\s"([^"]+)\" TargetFileName:\s"([^\"]+\\).*?\" |
Filename | 1 | TargetFileName:\s"(?:[^\"]+\\)(.*?)\" TargetName:\s"([^"]+)\" |
File Extension | 1 | TargetName:\s"[^\.\"]+\.([^\"]+)\" TargetFileName:\s"[^\.\"]+\.([^\"]+)\" |
File Hash | 1 | TargetHash:\s"([^"]+)\" (?:SHA(?:256|1)|MD5):\s;(\w{32})\; |
MD5 Hash | 1 | MD5:\s"(\w{32})\" |
URL | 1 | TargetURL:\s"([^"]+)\" SourceURL:\s"([^"]+)\" |
UrlHost | 1 | TargetURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\ SourceURL:\s"(?:.*?:\/\/)?(?:www\.)?([^\/:\ |
Threat Name | 1 | ThreatName:\s"([^"]+)\" |
Threat Category | 1 | ThreatCategory:\s"([^"]+)\" |
Threat Type | 1 | ThreatType:\s"([^"]+)\" |
Threat Severity | 1 | ThreatSeverity:\s"([^"]+)\" |
Detection Method | 1 | AnalyzerDetectionMethod:\s"([^"]+)\" |
Action | 1 | ThreatActionTaken:\s+"(.*)"\s+ThreatHandled |
Action Result | 1 | ThreatHandled:\s"([^"]+)\" |
Agent GUID | 1 | AgentGUID:\s"([^"]+)\" |
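To see what the V1.1.0 and V1.0.1 expressions above actually capture, here is an added Python example (not part of the IBM extension or this page) that runs them over two constructed EPO-style payloads, one XML-tagged and one in key: "value" form. The first-match-wins ordering of the expressions and the sample events are assumptions made for the example.

```python
import re
# Expressions copied from the V1.1.0 and V1.0.1 tables on this page (capture group 1).
# Assumption, not stated on the page: when a property lists several expressions, they
# are tried in order and the first one that matches supplies the value.
PROPERTIES = {
    "Computer Name": [r'TargetHostName>(.*?)<\/TargetHostName',
                      r'TargetHostName:\s"([^"]+)\"'],
    "File Directory": [r'TargetPath:\s"([^"]+)\\+[^\\]*?"',
                       r'TargetFileName>(.*?)\\+[^\\]*?<\/TargetFileName',
                       r'TargetFileName:\s"([^"]+)\\+[^\\]*?"',
                       r'TargetFileName>(.*?)<\/TargetFileName'],
    "Filename": [r'TargetFileName>.*?\\([^\\]*?)<\/TargetFileName',
                 r'TargetName>(.*?)<\/TargetName',
                 r'TargetFileName:\s"(?:[^\"]+\\)(.*?)\"',
                 r'TargetName:\s"([^"]+)\"'],
    "File Extension": [r'TargetFileName>.*?\.([^\.]*?)<\/TargetFileName',
                       r'TargetFileName:\s"[^\.\"]+\.([^\"]+)\"'],
    "MD5 Hash": [r'MD5:\s"(\w{32})\"'],
    "Threat Name": [r'ThreatName>(.*?)<\/ThreatName', r'ThreatName:\s"([^"]+)\"'],
    "Action": [r'ThreatActionTaken>(.*?)<\/ThreatActionTaken',
               r'ThreatActionTaken:\s+"(.*)"\s+ThreatHandled'],
    "Agent GUID": [r'AgentGUID>\{{0,1}(.*?)\}{0,1}<\/AgentGUID',
                   r'AgentGUID:\s"([^"]+)\"'],
}

def extract(payload):
    """Return {property: value} for each property whose expressions match the payload."""
    out = {}
    for name, patterns in PROPERTIES.items():
        for pat in patterns:
            m = re.search(pat, payload)
            if m:
                out[name] = m.group(1)
                break
    return out

# Constructed sample events (not real EPO output): an XML-tagged payload that the V1.1.0
# expressions target, and a key: "value" payload that the V1.0.1 expressions target.
GUID = "9F0B1C2D-3E4F-4A5B-8C6D-7E8F9A0B1C2D"  # placeholder value
XML_EVENT = (r'<TargetHostName>WS-0042</TargetHostName>'
             r'<TargetFileName>C:\Users\alice\Downloads\invoice.pdf.exe</TargetFileName>'
             r'<ThreatName>EICAR test file</ThreatName><ThreatActionTaken>deleted'
             r'</ThreatActionTaken><ThreatHandled>True</ThreatHandled>'
             r'<AgentGUID>{' + GUID + r'}</AgentGUID>')
KV_EVENT = (r'TargetHostName: "WS-0042" TargetFileName: "C:\Users\alice\Downloads\invoice.pdf.exe" '
            r'MD5: "0123456789abcdef0123456789abcdef" ThreatName: "EICAR test file" '
            r'ThreatActionTaken: "deleted" ThreatHandled: "True" AgentGUID: "{' + GUID + r'}"')

for event in (XML_EVENT, KV_EVENT):
    print(extract(event))
```

Note that for the double extension `invoice.pdf.exe` the V1.0.1 File Extension expression yields `pdf.exe` while the V1.1.0 one yields `exe`, and the V1.0.1 Agent GUID expression keeps the braces that the V1.1.0 expression strips.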
IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.0
The following table shows the custom properties in IBM Security QRadar Content Extension for McAfee ePolicy Orchestrator (EPO) V1.0.0.
Name | Regex |
---|---|
Analyzer | Analyzer:\s+"(.*)"\s+AnalyzerName |
Analyzer Name | AnalyzerName:\s+"(.*)"\s+AnalyzerVersion |
Analyzer Host Name | AnalyzerHostName:\s+"(.*)"\s+AnalyzerIPV4 |
Threat Action Taken | ThreatActionTaken:\s+"(.*)"\s+ThreatHandled |
URL | SourceURL:\s+"(.*)"\s+TargetHostName |