"Modern" versions of ePO support syslog over TLS as a way of delivering threat events.
This is in lieu of the normal Splunk supported DB connect methodology.
I'm not going to go into full detail here. Customer requirements (aka Nessus) may dictate a "real customer cert" or they may be fine with a self-signed cert. The actual ePO server seems not to care whether the certificate is self-signed or who issued it. Here, I'll use a self-signed cert in order to get the job done. If a customer demands a proper certificate issued by either an external CA or their internal private CA, then we should do the needful there.
The syslog-ng docs can be helpful here. Note that we do not (yet) attempt to protect the private key using a password. The syslog-ng product has some support for this, but I do not yet know how to automate it.
Also, if you're making a "real cert" you'll probably want to include subject alt names for all possible DNS names that could have the cert. You can google how to do that.
cd /etc/syslog-ng/
mkdir tls
cd tls
openssl genrsa -out epo.key 2048
openssl req -new -x509 -days 3650 -key epo.key -out epo.pem -outform pem
Brad's Alternate
openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 3650 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"
Answer the questions, with things like "US", "Virginia", "Fairfax", "AFS", "XDR", "foo-bar.defpoint.com", "john.reuther@accenturefederal.com". This should make a self-signed certificate good for 10 years. Be sure to include John's email because we love that guy.
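The SAN step above is left to a web search, so here is an added example (not the original notes' commands) that generates the self-signed cert with subject alt names via an on-the-fly openssl config, then checks that the key and cert actually belong together and that each expected name landed in the SAN list. The DN values mirror the notes; the host names, output directory and the DEMO variable are made up for the demo.

```shell
#!/bin/sh
# Added example, not the original notes' commands: make a self-signed cert that
# carries subject alt names, then prove the key and cert belong together and
# that the SANs are present before handing the pair to syslog-ng.
# DN values mirror the notes; host names and output paths are made up.
set -eu

# make_san_cert OUTDIR DAYS CN NAME... : writes OUTDIR/epo.key (unencrypted,
# as the notes do) and OUTDIR/epo.pem with every NAME as a DNS SAN.
make_san_cert() {
    outdir="$1"; days="$2"; cn="$3"; shift 3
    mkdir -p "$outdir"
    # Build an openssl config on the fly; with -x509 the section named by
    # x509_extensions is copied straight into the self-signed certificate.
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nC = US\nST = Virginia\nL = Fairfax\nO = AFS\nOU = XDR\nCN = %s\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$outdir/san.cnf"
    openssl req -new -x509 -sha256 -days "$days" -newkey rsa:2048 -nodes \
        -keyout "$outdir/epo.key" -out "$outdir/epo.pem" \
        -config "$outdir/san.cnf" 2>/dev/null
}

# key_matches_cert KEY CERT : succeeds only if the public key derived from KEY
# is the one embedded in CERT (catches a cert regenerated against a stale key).
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# cert_has_san CERT NAME : succeeds if NAME is listed as a DNS SAN in CERT.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|$)"
}

# Demo run (DEMO=1 ./script.sh): throwaway directory, 10-year cert, two names.
if [ "${DEMO:-0}" = 1 ]; then
    dir=$(mktemp -d)
    make_san_cert "$dir" 3650 epo-syslog.example.internal \
        epo-syslog.example.internal epo-syslog
    key_matches_cert "$dir/epo.key" "$dir/epo.pem" && echo "key and cert match"
    cert_has_san "$dir/epo.pem" epo-syslog && echo "short name is in the SAN list"
    openssl x509 -in "$dir/epo.pem" -noout -subject -dates
fi
```

Keep in mind what this cert buys you: the syslog-ng stanza on this page sets peer-verify(no), so the collector never authenticates ePO; the cert only lets ePO authenticate the collector, and only if the ePO side is configured to check it.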
In an actual customer environment, you might do this a little differently? Like putting it inside of the customer's syslog configuration in the msoc-infrastructure repo, or wherever that customer's salt states related to syslog configuration live.
In the "correct" nnn-xxxyyy.conf config file for syslog-ng, we have to make a few changes. It should end up looking something like this:
source s_mcafeeepo {
    network(
        ip(0.0.0.0)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/epo.key")
            cert-file("/etc/syslog-ng/tls/epo.pem")
            peer-verify(no)
        )
        port(4013)
        so-rcvbuf(4194304)
        max-connections(100)
        log-iw-size(500000)
    );
};

destination d_mcafeeepo {
    file("/opt/syslog-ng/mcafeeepo/$LOGHOST/log/$R_YEAR-$R_MONTH-$R_DAY/$HOST_FROM/$HOST/$FACILITY.log"
        dir-owner("splunk") dir-group("splunk") dir-perm(0750)
        owner("splunk") group("splunk") perm(0640));
};

log { source(s_mcafeeepo); destination(d_mcafeeepo); flags(final); };
The transport("tls") combined with the tls(...) block enables TLS mode. Other than this, it's pretty identical to any other syslog-ng config we have. You need to remove the UDP port (because we can't do syslog over TLS on UDP) and make the key-file and cert-file references point to the ones we made above.
Do a syslog-ng -s to see if any errors are picked up, and if so fix them. Then restart syslog-ng. You should see it listening on the port.
Use openssl to send a test event. Something like:
echo "this is a test yay" | openssl s_client -connect 127.0.0.1:4013
This is not our problem, but the general notes for the ePO admin are googleable. If they are struggling to find it, this is a good link.
We don't have a perfect TA for this yet. Recommend we configure Splunk to strip off the leading "syslog header" and leave just the XML data. Basically everything we need in _raw is in the XML data. An incomplete props.conf stanza is below.
[mcafee:epo:syslog]
KV_MODE = xml
SEDCMD-stripheader = s/^[^<]+<\?[^?]+\?>//
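To check the SEDCMD-stripheader expression before it goes into props.conf, here is an added example (not from the notes) that runs the same expression through sed -E against a constructed ePO event and then pulls out a few of the fields that KV_MODE = xml would surface. The event is constructed for the demo (host, GUID and file path are made up and the XML is cut down); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes: exercise the props.conf
# SEDCMD regex with plain sed and confirm only the XML payload survives.
# The sample event below is constructed for the demo (trimmed XML, made-up host).
set -eu

SAMPLE='Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z EXAMPLE-HOST EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>EXAMPLE-HOST</MachineName></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security"><Event><EventID>1278</EventID><CommonFields><ThreatName>EICAR test file</ThreatName><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><TargetFileName>C:\Users\example\Documents\eicar.com</TargetFileName></CommonFields></Event></SoftwareInfo></EPOevent>'

# strip_header LINE : the props.conf expression verbatim. In ERE (-E) "+" is a
# quantifier and "\?" a literal "?", so the text is identical to the SEDCMD;
# in default BRE mode it would not be, which is the usual way this test fails.
strip_header() {
    printf '%s\n' "$1" | sed -E 's/^[^<]+<\?[^?]+\?>//'
}

# starts_with_root LINE : succeeds if nothing precedes the XML root element
# (both root elements seen in the sample events are accepted).
starts_with_root() {
    case "$1" in
        "<EPOevent>"*|"<UpdateEvents>"*) return 0 ;;
        *) return 1 ;;
    esac
}

# xml_field XML TAG : text of the first <TAG>...</TAG> with no nested markup.
# Good enough for a quick triage; Splunk's KV_MODE = xml does the real work.
xml_field() {
    printf '%s\n' "$1" | sed -E -n "s/.*<$2>([^<]*)<\/$2>.*/\1/p"
}

# Demo run: strip the header, then summarise the detection.
stripped=$(strip_header "$SAMPLE")
if starts_with_root "$stripped"; then
    echo "header stripped cleanly"
else
    echo "header NOT stripped: $stripped"
fi
printf 'event=%s threat=%s action=%s handled=%s file=%s\n' \
    "$(xml_field "$stripped" EventID)" \
    "$(xml_field "$stripped" ThreatName)" \
    "$(xml_field "$stripped" ThreatActionTaken)" \
    "$(xml_field "$stripped" ThreatHandled)" \
    "$(xml_field "$stripped" TargetFileName)"
```

The header the regex removes includes the structured-data block with the tenant GUID and node path; if you ever want those in Splunk, extract them with a separate transform before SEDCMD runs, because SEDCMD rewrites _raw at index time and the header is gone for good.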
Here are some sample events:
Dec 12 04:29:08 172.28.126.100 1 2018-12-12T04:29:08.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><MachineName>VAGRANT-8N2Q9U4</MachineName><RawMACAddress>080027C82903</RawMACAddress><IPAddress>172.28.126.102</IPAddress><AgentVersion>5.5.1.342</AgentVersion><OSName>Windows Server 2016</OSName><TimeZoneBias>0</TimeZoneBias><UserName>vagrant</UserName></MachineInfo><McAfeeCommonUpdater ProductName="McAfee Agent" ProductVersion="5.0.0" ProductFamily="TVD"><UpdateEvent><EventID>2401</EventID><Severity>0</Severity><GMTTime>2018-12-12T04:00:37</GMTTime><ProductID>AMCORDAT2000</ProductID><Locale>0409</Locale><Error>0</Error><Type>AMCore</Type><Version>3555.0</Version><InitiatorID>EPOAGENT3000</InitiatorID><InitiatorType>UpdateTask</InitiatorType><SiteName>ePO_VAGRANT-8N2Q9U4</SiteName></UpdateEvent></McAfeeCommonUpdater></UpdateEvents>
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1280</EventID><Severity>3</Severity><GMTTime>2018-12-12T04:54:48</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1280</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>W97M/Downloader.ga</ThreatName><ThreatType>trojan</ThreatType><DetectedUTC>2018-12-12T04:54:48Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a\WordDocument</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>True</ThreatDetectedOnCreation><TargetName>WordDocument</TargetName><TargetPath>C:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a</TargetPath><TargetHash>5e6ed43d10765e36afd6721a4761f8d2</TargetHash><TargetFileSize>138368</TargetFileSize><TargetModifyTime>2018-12-12T04:54:48Z</TargetModifyTime><TargetAccessTime>2018-12-11T12:10:00Z</TargetAccessTime><TargetCreateTime>2018-12-11T12:10:00Z</TargetCreateTime><Cleanable>True</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>0</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=WordDocument|TargetPath=C:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a|ThreatName=W97M/Downloader.ga|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T04:54:22</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T04:54:22Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.exe</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.exe</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:25:02Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:25:02Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>41360</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.exe|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T04:54:22</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T04:54:22Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\bar.exe</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>bar.exe</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T18:01:53Z</TargetAccessTime><TargetCreateTime>2018-12-11T18:01:53Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>39149</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=bar.exe|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:19</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:19Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo2.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo2.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:19Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:19Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:19Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43080</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo2.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:19</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:19Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fooe.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fooe.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:07:04Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:07:04Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:07:04Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>42915</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=fooe.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\eicar.com</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>eicar.com</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>44d88612fea8a8f36de82e1278abb02f</TargetHash><TargetFileSize>68</TargetFileSize><TargetModifyTime>2018-12-11T18:39:07Z</TargetModifyTime><TargetAccessTime>2018-12-11T18:39:07Z</TargetAccessTime><TargetCreateTime>2018-12-11T18:39:07Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>37393</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=eicar.com|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fhjfhks.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fhjfhks.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T20:55:47Z</TargetModifyTime><TargetAccessTime>2018-12-11T20:55:47Z</TargetAccessTime><TargetCreateTime>2018-12-11T20:55:47Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>29193</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=fhjfhks.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.doc</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.doc</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:25:00Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:25:00Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>41840</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo.doc|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:10Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:10Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43090</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:32</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:32Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\eicar.com</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>eicar.com</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>44d88612fea8a8f36de82e1278abb02f</TargetHash><TargetFileSize>68</TargetFileSize><TargetModifyTime>2018-12-11T18:39:07Z</TargetModifyTime><TargetAccessTime>2018-12-11T18:39:07Z</TargetAccessTime><TargetCreateTime>2018-12-11T18:39:07Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>37405</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=eicar.com|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:44</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:44Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fooe.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fooe.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:07:04Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:07:04Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:07:04Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>42940</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=fooe.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:51</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:51Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo2.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo2.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:19Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:19Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:19Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43112</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo2.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:58</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:58Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.doc</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.doc</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:25:00Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:25:00Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>41878</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.doc|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:09:03 172.28.126.100 1 2018-12-12T05:09:03.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:03:06</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:03:06Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fhjfhks.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fhjfhks.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T20:55:47Z</TargetModifyTime><TargetAccessTime>2018-12-11T20:55:47Z</TargetAccessTime><TargetCreateTime>2018-12-11T20:55:47Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>29239</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=fhjfhks.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:09:03 172.28.126.100 1 2018-12-12T05:09:03.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:59</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:59Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:10Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:10Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43129</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
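The records above are what a collector actually has to deal with before anything downstream can alert on them: syslog-ng's own date and sender prefix, then the RFC 5424 header ePO sends (`1 <timestamp> <host> EPOEvents - EventFwd [agentInfo@3401 ...]`), then an XML payload that ePO breaks across two lines right after `<CustomFields ` (note the trailing space). The following is an added example, not code from this page, from syslog-ng or from McAfee: a small Python parser that stitches the continuation line back onto its record, separates the header, the `agentInfo@3401` structured-data element and the XML, and then flags events whose `ThreatHandled` is not `True`, which is the On-Demand Scan case above where the EICAR file was only contained (`IDS_ALERT_ACT_TAK_CONT`). The sample input is constructed here, shortened from the events above, and the parser assumes exactly the line layout shown.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample, shortened from the forwarded events shown above. Each event
# arrives as two lines: ePO breaks the XML right after "<CustomFields " (trailing
# space), so the collector sees a continuation line that starts with 'target='.
SAMPLE_LINES = [
    r'Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><IPAddress>172.28.126.102</IPAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0"><CommonFields><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><CommonFields><ThreatName>EICAR test file</ThreatName><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceProcessName>On-Demand Scan</SourceProcessName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.txt</TargetFileName></CommonFields><CustomFields ',
    r'target="EPExtendedEventMT"><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize></CustomFields></Event></SoftwareInfo></EPOevent>',
    r'Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><IPAddress>172.28.126.102</IPAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0"><CommonFields><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><CommonFields><ThreatName>EICAR test file</ThreatName><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\eicar.com</TargetFileName></CommonFields><CustomFields ',
    r'target="EPExtendedEventMT"><TargetHash>44d88612fea8a8f36de82e1278abb02f</TargetHash><TargetFileSize>68</TargetFileSize></CustomFields></Event></SoftwareInfo></EPOevent>',
]
SAMPLE = "\n".join(SAMPLE_LINES) + "\n"

# Layout as captured above (an assumption about this collector's template): syslog-ng's
# "<date> <sender>" prefix, then the RFC 5424 header ePO sends
# (VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT]) and the XML payload.
HEADER = re.compile(
    r'^(?P<received>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<sender>\S+) '
    r'(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) \[(?P<sd>[^\]]*)\] (?P<xml><\?xml.*)$',
    re.DOTALL,
)
# A line that starts a new record; anything else is a continuation of the previous one.
START = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \d ')

# XML elements worth lifting into flat fields for a SIEM; names as they appear in the events.
FIELDS = ('MachineName', 'IPAddress', 'AnalyzerDetectionMethod', 'EventID', 'Severity',
          'ThreatName', 'ThreatActionTaken', 'ThreatHandled', 'SourceProcessName',
          'TargetUserName', 'TargetFileName', 'TargetHash')


def reassemble(text: str) -> List[str]:
    """Join ePO's continuation lines back onto the record they belong to.

    A continuation with no preceding record (a file that starts mid-event after
    rotation) is an orphan fragment and is dropped rather than mis-parsed.
    """
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if START.match(line):
            records.append(line)
        elif records:
            records[-1] += "\n" + line
    return records


def parse_event(record: str) -> Dict[str, str]:
    """Split one reassembled record into header fields, SD-PARAMs and XML fields."""
    m = HEADER.match(record)
    if not m:
        raise ValueError("not an ePO EventFwd record: %r" % record[:60])
    sd_id, _, params = m.group('sd').partition(' ')
    event = {
        'received': m.group('received'), 'sender': m.group('sender'),
        'epo_host': m.group('hostname'), 'msgid': m.group('msgid'), 'sd_id': sd_id,
    }
    # SD-PARAMs such as tenantId="1" and tenantGUID; kept verbatim, they identify the ePO tenant.
    event.update(re.findall(r'(\w+)="([^"]*)"', params))
    # Parse as bytes so the payload's own encoding declaration is honoured.
    root = ET.fromstring(m.group('xml').encode('utf-8'))
    for tag in FIELDS:
        event[tag] = root.findtext('.//' + tag, default='')
    return event


def parse_feed(text: str) -> List[Dict[str, str]]:
    return [parse_event(r) for r in reassemble(text)]


def unhandled(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events ePO did not report as handled, e.g. contained but neither cleaned nor deleted."""
    return [e for e in events if e['ThreatHandled'] != 'True']


if __name__ == '__main__':
    for e in unhandled(parse_feed(SAMPLE)):
        print(f"{e['received']} {e['epo_host']} tenant={e.get('tenantId')} event={e['EventID']} "
              f"{e['ThreatName']} on {e['MachineName']} {e['TargetFileName']} "
              f"md5={e['TargetHash']} action={e['ThreatActionTaken']}")
```

For a live feed, hand `parse_feed` the file syslog-ng writes for the TLS source and key alerts on `tenantId`/`tenantGUID` plus `TargetHash`; the second sample event carries the MD5 of the plain EICAR file, and the first carries the hash of the same content with a trailing byte, which is why the two `TargetFileSize` values differ by one.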