Steve Cook Trusted Contributor.

Problem with ingesting McAfee ePO DLP data from database

I am trying to ingest DLP data from an ePO database using the McAfee ePO SmartConnector v7.8.0. In previous versions of the software/SmartConnector combination, a USB's make, model, and serial number would be ingested from the database and appear in the deviceCustomString4 field. With the current combination (ePO 5.9/7.80) the only thing that shows up in deviceCustomString4 is "DLPAGENT10000", even though the data is visible in the ePO database record. The DLP policies that we have configured include 'dlp' and 'dlpincident'. The other two, dlpdiscovery and dlpadministrative, are not used.

 Any help would be greatly appreciated!

Steve Cook

 

Community Manager COEST Community Manager

Re: Problem with ingesting McAfee ePO DLP data from database

Hello!

As your post remained unanswered, I asked the internal team to find a response.

There is no final answer, but here is some feedback: Supported versions are 7.9 and 7.10.

7.8 has not been recommended for quite some time now.

The suggestion is that you open a support case and provide much more detail, including log exports from ESM, raw events, logs, configuration, any existing overrides, etc.

Once you have created a case, support can identify the root cause quickly.

Sorry, but I hope you'll get this fixed asap once in contact with support.

Micro Focus Expert

Re: Problem with ingesting McAfee ePO DLP data from database

I would also recommend checking the current unmapped fields. In 90% of the cases of missing fields or data being mapped, it is just because either the connector or the product producing the logs has changed, though the information is still available.

If you log in to ESM, right-click the connector, choose "send command" and choose "get unmapped fields", you will be returned a list of all available data that the connector finds but that is yet to be mapped to an ArcSight field.

You will most likely find your missing field there 🙂

PS: Just remember that actually mapping the field through the same routine will only map this against the ESM destination, but it is very straightforward to do with a mapping file on the connector if you want to keep it the same for all destinations.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius