MaryCordova (Frequent Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

Hi Prentice,

Another issue: the installation guide for the McAfee ePO package contains instructions from the wiki for the package configuration that outline "hooking" four filters into the L1 Malware package. The screenshots show just the McAfee filter. However, in my package there is a broken filter resource present called "/All Filters/ArcSight Activate/Core/Common/Events/No Events".

Do I need to address this or should I delete that dependency?

-Mary

filter_dep.JPG

wiki_guide.JPG

prentice@hpe.co (Honored Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

Oy!

Yeah, just delete it. I'll fix it in the next update! It should be "false", not a reference to a filter...

Thanks for pointing that out!

--

Prentice

prentice@hpe.co (Honored Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

Just a clarification point, if I may.

The filters that we hook product package filters into should have a default value of false. This should be deleted and replaced with the appropriate product filter.

This allows us to install the packages and keep them from randomly firing off of the wrong events before we can configure the product packages. It makes all of our lives easier!

Thanks & fyi,

--

Prentice

MaryCordova (Frequent Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

Woot! Successful install of the package.

Thanks Prentice!

MaryCordova (Frequent Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

Is there supposed to be a parser override for this?

MaryCordova (Frequent Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

- can you send me the parser override for this?

prentice@hpe.co (Honored Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

Hey,

I don't think there is a parser override for this. Perhaps knows, but I think if there was one, he would have posted it.

MaryCordova (Frequent Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

So I believe there is definitely supposed to be a parser override. Below is a screenshot from the wiki documentation:

mcafee_wiki.PNG

Also, parsed events don't contain a target or attacker hostname, but the raw events have that information in their schema as agenthostname. Raw events also have the username, which is not available in parsed events, as well as some other pieces of data.

/ / do any of you have this parser?

deathbywedgie1 (Frequent Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

Sorry, that one isn't ringing a bell at the moment.

MaryCordova (Frequent Contributor)

Re: P-McAfee_ePO_1.0.0.2.arb

/ deathbywedgie / chrisb / awmorris

OMG...the parser is attached to the WIKI...THAT IS A LINK!!!

<sorry lol>

mcafee_parser_omg.PNG
