SmartConnector for McAfee ePolicy Orchestrator DB

SmartConnector for McAfee ePolicy Orchestrator DB

Labels (1)


Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.

There is no field mapping for the ePO RSD field "exceptions".  We are managing a large list of exceptions for RSD and this makes it difficult to filter out false positives in ArcSight. Any idea if this field can be added to the mapping?

For this type of request, you should file a Feature Request with Customer Support; it will then be forwarded to connector development for implementation.


What version of the smart connector is required?

Nick Gerbino | Senior Information Security Analyst | CISSP

CarMax, Inc. | 12800 Tuckahoe Creek Parkway, Richmond, Virginia 23238

Office: (804) 747-0422 x6224 | Mobile: (804) 839-9987


What version of th ePO Smart Connector is required for the new support of epo product events?

We have upgraded our ePO connector to this latest version in hopes of better capturing ePO version information via the epoproductevents field mappings.

Looking at the field mappings, there does not seem to be a way to filter on epoproductevents events only.  The only field that may give this is the Name field which the document states one of (Initiator Type or "Unkown Events').

Using unknown events are a condition, produces results that do not show DAT versions in the device custom string fields.

1. Are there values for Initiator Type that can be used as filters?

2. What filter can I use to show only events for "epoproductevents?


To show only EPO product events, update connector parameter Event Types to specify only epoproductevents.  This support is available with the SmartConnector 6.0.7 release.


I need to know which versions of the following products are supported by this connector:

-ePO Rollup Data (EPOROLLUP)

-GroupShield (GROUPSHIELD)

-Host Data Loss Prevention (HDLP)

-Network Data Loss Prevention (NDLP)

-Policy Auditor (policyauditorfile,policyauditorrule)

Hi Claudia,

The information requested is on page 4 onwards. If your version is not mentioned, please contact Tech Support on +44 203-564-1189 for more information on a feature request for your version.

Hope this helps.


Salvatore Alba

Technical Account Manager

Premier Support EMEA ArcSight

We can see our McAfee DLP events in ArcSight. We are wondering if there will support for the evidence file field in the connector. We can see the location and name of the file that was quarantined in the ePO DLP console but the field does not seem to part of the connector today.

Hello All!

We have upgraded our RSD to version 5.01 and this does not seem to be a supported version yet for the ePO Smart Connector. Is there an ETA on when it will be supported? We are not seeing any of the RSD events in ArcSight.

What driver are you guys using...I cannot get a driver to work with 32 bit mcafee epo connector?

Let me check into this, Timothy.

Are you using ODBC or JDBC? Different versions of the JDBC driver are required for different SQL Server database versions; be sure to use the correct driver for your database version. The name of the jar file may be different for some JDBC driver versions. See:


Does anyone have any experience connecting from an EPO SmartConnector installed on a CentOS device to the EPO SQL Server database using Windows Authentication?  We are getting an error; "ArcSight reports that the JDBC connector cannot be used for WindowsAuth" (apologies for paraphrase - I don't have access to the exact message)

There is a feature in the Microsoft MSSQL JDBC driver that supports Windows ("integrated") authentication, but it only works for connectors installed on Windows OSes (see Protect discussion here, Microsoft post here).

With that being said, one user has had success with JDTS, which worked (albeit with a lot of tweaks) in 2013.

The uploaded document say the release date is on 24th August 2019, today its just 22-August 2019.Release Date in Future.JPG



I did install this Epo connector and it works fine for the epo part of it. But I'm not getting any HIPS logs which is critical for monitoring. Are HIPS connectors different? If so, can someone provide me the link to download it?

Any suggestions on configuring HIPS will be appreciated. 



Top Contributors
Version history
Revision #:
29 of 29
Last update:
‎2020-08-19 06:52
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.