# McAfee ePO syslog over TLS
"Modern" versions of ePO support syslog over TLS as a way of delivering threat events.
This is an alternative to the usual Splunk-supported DB Connect approach.
## Syslog-ng server configuration
### Generate a certificate / certificate request
I'm not going to go into full detail here. Customer requirements (aka Nessus)
may dictate a "real customer cert", or they may be fine with a self-signed cert.
The ePO server itself does not seem to care whether the certificate is self-signed.
Here, I'll use a self-signed cert in order to get the job done. If a
customer demands a proper certificate issued by either an external CA or
their internal private CA, then we should do the needful there.
The [syslog-ng docs](https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.18/administration-guide/58#TOPIC-1044106)
can be helpful here. Note that we do not (yet) attempt to protect the private key using
a password. The syslog-ng product has some support for this, but I do not yet know
how to automate it.
Also, if you're making a "real cert" you'll probably want to include subject
alt names for every DNS name the listener can be reached by. You can google
how to do that.
```
cd /etc/syslog-ng/
mkdir tls
cd tls
# Generate an unencrypted 2048-bit RSA private key (see the note above about passwords)
openssl genrsa -out epo.key 2048
# Self-sign a certificate for that key, valid for 10 years
openssl req -new -x509 -days 3650 -key epo.key -out epo.pem -outform pem
```
Brad's Alternate
```
# Generate the key, build a CSR from it, then self-sign that CSR for 10 years
openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 3650 -key key.pem -in csr.csr -out certificate.pem
# Sanity check that the CSR really is SHA-256 signed and not SHA-1
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"
```
Answer the questions with things like "US", "Virginia", "Fairfax",
"AFS", "XDR", "foo-bar.defpoint.com", "john.reuther@accenturefederal.com". This should make a
self-signed certificate good for 10 years. Be sure to include John's email because we love that guy.
In an actual customer environment you would probably do this a little differently,
e.g. by putting it inside the customer's syslog configuration in the
msoc-infrastructure repo, or wherever that customer's salt states for
syslog configuration live.
### Configure syslog-ng to use the cert
In the "correct" nnn-xxxyyy.conf config file for syslog-ng, we have to make
a few changes. Basically, it should look something like:
```
source s_mcafeeepo {
    network(
        ip(0.0.0.0)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/epo.key")
            cert-file("/etc/syslog-ng/tls/epo.pem")
            # No client certificate is requested or checked, so the listener
            # accepts events from anything that can reach port 4013
            peer-verify(no)
        )
        port(4013)
        so-rcvbuf(4194304)
        max-connections(100)
        log-iw-size(500000)
    );
};
destination d_mcafeeepo {
    file("/opt/syslog-ng/mcafeeepo/$LOGHOST/log/$R_YEAR-$R_MONTH-$R_DAY/$HOST_FROM/$HOST/$FACILITY.log"
        dir-owner("splunk") dir-group("splunk") dir-perm(0750)
        owner("splunk") group("splunk") perm(0640));
};
log { source(s_mcafeeepo); destination(d_mcafeeepo); flags(final); };
```
The `transport("tls")` combined with the `tls(...)` block enables TLS mode.
Other than that, it's pretty much identical to any other syslog-ng config we have.
You need to remove the UDP listener (TLS only runs over TCP, so there is no syslog over TLS on UDP)
and make the `key-file` and `cert-file` references point to the files we made
above.
Run `syslog-ng -s` to syntax-check the config, and fix any errors it reports. Then
restart syslog-ng. You should see it listening on the port.
### Sending a test event from the CLI
Use openssl to send a test event, something like:
```
echo "this is a test yay" | openssl s_client -connect 127.0.0.1:4013
```
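A scripted version of the same smoke test, added here as an example rather than anything from the page or from ePO itself: it builds an event in the header shape the sample events below show (RFC 5424 version `1`, `EPOEvents`, `EventFwd`, the `agentInfo@3401` block) and sends it over TLS while verifying the listener against the self-signed `epo.pem`, which plain `openssl s_client` does not do. The PRI value of 14 and the `/etc/syslog-ng/tls/epo.pem` path are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Header shape copied from the page's sample events: RFC 5424 version "1", UTC
# timestamp, hostname, app-name EPOEvents, no procid, msgid EventFwd, the
# agentInfo@3401 structured-data block, then the XML document as the message.
AGENT_INFO = (
    '[agentInfo@3401 tenantId="1" bpsId="1" '
    'tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\\2"]'
)
# Assumption: the samples do not show ePO's PRI, so facility user (1) and
# severity informational (6) are used here: 1 * 8 + 6 = 14.
PRI = 14


def build_epo_style_event(hostname: str, xml_body: str,
                          when: Optional[datetime] = None) -> str:
    """Return one newline-terminated event in the shape ePO forwards. The
    network() source is line-delimited, so the newline is the record separator."""
    when = when or datetime.now(timezone.utc)
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.0Z")
    return f"<{PRI}>1 {ts} {hostname} EPOEvents - EventFwd {AGENT_INFO} {xml_body}\n"


def send_over_tls(message: str, host: str = "127.0.0.1", port: int = 4013,
                  cafile: str = "/etc/syslog-ng/tls/epo.pem",
                  server_hostname: Optional[str] = None) -> str:
    """Deliver one event over TLS like the openssl s_client test, but verify the
    listener against the self-signed epo.pem instead of trusting it blindly.
    Returns the negotiated TLS version."""
    ctx = ssl.create_default_context(cafile=cafile)  # epo.pem is its own trust anchor
    if server_hostname is None:
        # Loopback smoke test: the cert's CN/SAN will not be 127.0.0.1, so skip
        # the name check but keep certificate verification (CERT_REQUIRED) on.
        ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
            tls.sendall(message.encode("utf-8"))
            return tls.version()


if __name__ == "__main__":
    event = build_epo_style_event(
        socket.gethostname(),
        '<?xml version="1.0" encoding="UTF-8"?><EPOEvent><Test>this is a test yay</Test></EPOEvent>',
    )
    print("sent over", send_over_tls(event))
```

Pass `server_hostname` with the name you put in the cert when testing from another box, so the hostname check stays enabled.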
## ePO configuration
This is not our problem, but the general notes for the ePO admin are googleable. If
they are struggling to find it, this is a [good link](https://kc.mcafee.com/corporate/index?page=content&id=KB87927&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US&bk=n).
## Recommended Splunk config
We don't have a perfect TA for this yet. We recommend configuring Splunk to strip off
the leading syslog header and leave just the XML data, since basically everything we need
in `_raw` is in the XML. An incomplete `props.conf` stanza is below.
```
[mcafee:epo:syslog]
KV_MODE = xml
# Drop everything before and including the <?xml ...?> declaration so _raw is just the XML document
SEDCMD-stripheader = s/^[^<]+<\?[^?]+\?>//
```
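To check what that stanza does to an event before it reaches Splunk, here is an added example (not the page's or Splunk's code) that applies the same SEDCMD expression and then flattens the XML roughly the way `KV_MODE = xml` does. The event and its element names are constructed from the values visible in the samples below, not taken from ePO's real schema, and the dotted field naming only approximates Splunk's.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# The same expression as the SEDCMD-stripheader above: everything up to and
# including the "<?xml ... ?>" declaration is dropped, leaving the XML document.
STRIP_HEADER = re.compile(r"^[^<]+<\?[^?]+\?>")

# Constructed sample, not a capture from a real ePO. The syslog header copies
# the shape of the page's samples; the element names are assumptions based on
# the values visible in them (ThreatName, TargetPath, ...), not ePO's schema.
SAMPLE_EVENT = (
    "Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 "
    'EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1"] '
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<EPOEvent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName>"
    "<IPAddress>172.28.126.102</IPAddress></MachineInfo>"
    '<SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0">'
    "<Event><EventID>1278</EventID><ThreatName>EICAR test file</ThreatName>"
    "<ThreatType>test</ThreatType>"
    "<ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken>"
    "<TargetPath>C:\\Users\\vagrant\\Documents</TargetPath>"
    "<TargetUserName>VAGRANT-8N2Q9U4\\vagrant</TargetUserName>"
    "<SourceProcessName>C:\\Windows\\explorer.exe</SourceProcessName>"
    "</Event></SoftwareInfo></EPOEvent>"
)


def strip_syslog_header(raw: str) -> str:
    """Apply the SEDCMD. An event without an XML declaration is returned
    unchanged, exactly as Splunk would leave it in _raw."""
    return STRIP_HEADER.sub("", raw, count=1)


def xml_fields(root: ET.Element) -> Dict[str, str]:
    """Flatten the document roughly as KV_MODE=xml does: leaf text under a
    dotted path below the root element, attributes as Path{@name}."""
    fields: Dict[str, str] = {}

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}.{child.tag}" if path else child.tag
            for name, value in child.attrib.items():
                fields[f"{child_path}{{@{name}}}"] = value
            if len(child):
                walk(child, child_path)
            elif child.text and child.text.strip():
                fields[child_path] = child.text.strip()

    walk(root, "")
    return fields


def parse_epo_event(raw: str) -> Optional[Dict[str, str]]:
    """Header stripping followed by XML extraction; None when the event is not
    in the expected shape (missing declaration, truncated or non-XML body)."""
    body = strip_syslog_header(raw)
    if not body.startswith("<"):
        return None  # SEDCMD did not match: the syslog header is still in front
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return xml_fields(root)


if __name__ == "__main__":
    for key, value in sorted((parse_epo_event(SAMPLE_EVENT) or {}).items()):
        print(f"{key} = {value}")
```

Note that the SEDCMD needs the `<?xml ...?>` declaration to be present; an event without it keeps its syslog header in `_raw` and the XML extraction then finds nothing.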
## Sample Event
Here are some sample events:
```
Dec 12 04:29:08 172.28.126.100 1 2018-12-12T04:29:08.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] {92d6da85-d653-4176-a509-4de59489a78c}VAGRANT-8N2Q9U4080027C82903172.28.126.1025.5.1.342Windows Server 20160vagrant240102018-12-12T04:00:37AMCORDAT200004090AMCore3555.0EPOAGENT3000UpdateTaskePO_VAGRANT-8N2Q9U4
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0128032018-12-12T04:54:48av.detect12802W97M/Downloader.gatrojan2018-12-12T04:54:48ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\explorer.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a\WordDocumentIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseTrueWordDocumentC:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a5e6ed43d10765e36afd6721a4761f8d21383682018-12-12T04:54:48Z2018-12-11T12:10:00Z2018-12-11T12:10:00ZTrueIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue40IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=WordDocument|TargetPath=C:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a|ThreatName=W97M/Downloader.ga|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T04:54:22av.detect12782EICAR test filetest2018-12-12T04:54:22ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\explorer.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\foo.exeIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefoo.exeC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:10Z2018-12-11T17:25:02Z2018-12-11T17:25:02ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue441360IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.exe|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T04:54:22av.detect12782EICAR test filetest2018-12-12T04:54:22ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\explorer.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\bar.exeIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsebar.exeC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:10Z2018-12-11T18:01:53Z2018-12-11T18:01:53ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue439149IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=bar.exe|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Demand Scan3555.0129042018-12-12T05:02:19av.detect12901EICAR test filetest2018-12-12T05:02:19ZIDS_ALERT_ACT_TAK_CONTFalseVAGRANT-8N2Q9U4On-Demand ScanVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\foo2.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefoo2.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:19Z2018-12-11T17:04:19Z2018-12-11T17:04:19ZFalseIDS_ODS_TASK_NAME_RIGHT_CLICKIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_CONTrue443080IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo2.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Demand Scan3555.0129042018-12-12T05:02:19av.detect12901EICAR test filetest2018-12-12T05:02:19ZIDS_ALERT_ACT_TAK_CONTFalseVAGRANT-8N2Q9U4On-Demand ScanVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\fooe.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefooe.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:07:04Z2018-12-11T17:07:04Z2018-12-11T17:07:04ZFalseIDS_ODS_TASK_NAME_RIGHT_CLICKIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_CONTrue442915IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=fooe.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Demand Scan3555.0129042018-12-12T05:02:20av.detect12901EICAR test filetest2018-12-12T05:02:20ZIDS_ALERT_ACT_TAK_CONTFalseVAGRANT-8N2Q9U4On-Demand ScanVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\eicar.comIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalseeicar.comC:\Users\vagrant\Documents44d88612fea8a8f36de82e1278abb02f682018-12-11T18:39:07Z2018-12-11T18:39:07Z2018-12-11T18:39:07ZFalseIDS_ODS_TASK_NAME_RIGHT_CLICKIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_CONTrue437393IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=eicar.com|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Demand Scan3555.0129042018-12-12T05:02:20av.detect12901EICAR test filetest2018-12-12T05:02:20ZIDS_ALERT_ACT_TAK_CONTFalseVAGRANT-8N2Q9U4On-Demand ScanVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\fhjfhks.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefhjfhks.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T20:55:47Z2018-12-11T20:55:47Z2018-12-11T20:55:47ZFalseIDS_ODS_TASK_NAME_RIGHT_CLICKIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_CONTrue429193IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=fhjfhks.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Demand Scan3555.0129042018-12-12T05:02:20av.detect12901EICAR test filetest2018-12-12T05:02:20ZIDS_ALERT_ACT_TAK_CONTFalseVAGRANT-8N2Q9U4On-Demand ScanVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\foo.docIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefoo.docC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:10Z2018-12-11T17:25:00Z2018-12-11T17:25:00ZFalseIDS_ODS_TASK_NAME_RIGHT_CLICKIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_CONTrue441840IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo.doc|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Demand Scan3555.0129042018-12-12T05:02:20av.detect12901EICAR test filetest2018-12-12T05:02:20ZIDS_ALERT_ACT_TAK_CONTFalseVAGRANT-8N2Q9U4On-Demand ScanVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\foo.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefoo.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:10Z2018-12-11T17:04:10Z2018-12-11T17:04:10ZFalseIDS_ODS_TASK_NAME_RIGHT_CLICKIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_CONTrue443090IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T05:02:32av.detect12782EICAR test filetest2018-12-12T05:02:32ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\explorer.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\eicar.comIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalseeicar.comC:\Users\vagrant\Documents44d88612fea8a8f36de82e1278abb02f682018-12-11T18:39:07Z2018-12-11T18:39:07Z2018-12-11T18:39:07ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue437405IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=eicar.com|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T05:02:44av.detect12782EICAR test filetest2018-12-12T05:02:44ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\System32\notepad.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\fooe.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefooe.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:07:04Z2018-12-11T17:07:04Z2018-12-11T17:07:04ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue442940IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=fooe.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T05:02:51av.detect12782EICAR test filetest2018-12-12T05:02:51ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\System32\notepad.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\foo2.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefoo2.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:19Z2018-12-11T17:04:19Z2018-12-11T17:04:19ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue443112IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo2.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T05:02:58av.detect12782EICAR test filetest2018-12-12T05:02:58ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\explorer.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\foo.docIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefoo.docC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:10Z2018-12-11T17:25:00Z2018-12-11T17:25:00ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue441878IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.doc|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 05:09:03 172.28.126.100 1 2018-12-12T05:09:03.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T05:03:06av.detect12782EICAR test filetest2018-12-12T05:03:06ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\System32\notepad.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\fhjfhks.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefhjfhks.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T20:55:47Z2018-12-11T20:55:47Z2018-12-11T20:55:47ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue429239IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=fhjfhks.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
Dec 12 05:09:03 172.28.126.100 1 2018-12-12T05:09:03.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] VAGRANT-8N2Q9U4{92d6da85-d653-4176-a509-4de59489a78c}172.28.126.102Windows 10 ServerSYSTEM0080027c82903ENDP_AM_1060McAfee Endpoint Security10.6.0VAGRANT-8N2Q9U46000.8403On-Access Scan3555.0127832018-12-12T05:02:59av.detect12782EICAR test filetest2018-12-12T05:02:59ZIDS_ALERT_ACT_TAK_DELTrueVAGRANT-8N2Q9U4C:\Windows\System32\notepad.exeVAGRANT-8N2Q9U4VAGRANT-8N2Q9U4\vagrantC:\Users\vagrant\Documents\foo.txtIDS_BLADE_NAME_SPB2018-12-11T14:38:00ZFalseFalsefoo.txtC:\Users\vagrant\Documentsd7b77d5a647e8bf4a3796d5e36f7c28a692018-12-11T17:04:10Z2018-12-11T17:04:10Z2018-12-11T17:04:10ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue443129IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrantIDS_OAS_DEFAULT_THREAT_MESSAGE3555.0
```