
McAfee ePO syslog over TLS

"Modern" versions of ePO support syslog over TLS as a way of delivering threat events.
This is in lieu of the normal Splunk supported DB connect methodology.

Syslog-ng server configuration

Generate a certificate / certificate request

I'm not going to go into full detail here. Customer requirements (aka Nessus) may dictate a "real customer cert", or they may be fine with a self-signed cert. The ePO server itself doesn't seem to care whether the certificate is self-signed or not. Here, I'll use a self-signed cert in order to get the job done. If a customer demands a proper certificate issued by either an external CA or their internal private CA, then we should do the needful there.

The syslog-ng docs can be helpful here. Note that we do not (yet) attempt to protect the private key using a password. The syslog-ng product has some support for this, but I do not yet know how to automate it.

Also, if you're making a "real cert" you'll probably want to include subject alt names for every DNS name the syslog host might be reached by. You can google how to do that.

cd /etc/syslog-ng/
mkdir tls
cd tls
openssl genrsa -out epo.key 2048
openssl req -new -x509 -days 3650 -key epo.key -out epo.pem -outform pem

Brad's Alternate

openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 3650 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate will stop working in 2017! You must update OpenSSL to generate a widely-compatible certificate"

Answer the questions with things like "US", "Virginia", "Fairfax", "AFS", "XDR", "foo-bar.defpoint.com", "john.reuther@accenturefederal.com". This should make a self-signed certificate good for 10 years. Be sure to include John's email because we love that guy.

In an actual customer environment you might do this a little differently, e.g. putting it inside the customer's syslog configuration in the msoc-infrastructure repo, or wherever that customer's salt states for syslog configuration live.

Configure syslog-ng to use the cert

In the "correct" nnn-xxxyyy.conf config file for syslog-ng, we have to make a few changes. Basically, it should look something like:

source s_mcafeeepo {
    network(
        ip(0.0.0.0)
        transport("tls")
        tls(
                key-file("/etc/syslog-ng/tls/epo.key")
                cert-file("/etc/syslog-ng/tls/epo.pem")
                peer-verify(no)
        )
        port(4013)
        so-rcvbuf(4194304)
        max-connections(100)
        log-iw-size(500000)
    );
};

destination d_mcafeeepo {
    file("/opt/syslog-ng/mcafeeepo/$LOGHOST/log/$R_YEAR-$R_MONTH-$R_DAY/$HOST_FROM/$HOST/$FACILITY.log"
        dir-owner("splunk") dir-group("splunk") dir-perm(0750)
        owner("splunk") group("splunk") perm(0640));
};

log { source(s_mcafeeepo); destination(d_mcafeeepo); flags(final); };

The transport("tls") combined with the tls(...) block enables TLS mode. Other than this, it's nearly identical to any other syslog-ng config we have. You need to remove the UDP port (syslog over TLS only works over TCP) and point the key-file and cert-file references at the files we made above.

Run syslog-ng -s to syntax-check the config and fix any errors it reports. Then restart syslog-ng. You should see it listening on the port.

Sending a test event from the CLI

Use openssl to send a test event. Something like:

echo "this is a test yay" | openssl s_client -connect 127.0.0.1:4013

ePO configuration

This is not our problem, but the general notes for the ePO admin are googleable. If they are struggling to find it, this is a good link.

Recommended Splunk config

We don't have a perfect TA for this yet. We recommend configuring Splunk to strip off the leading syslog header and keep just the XML data, since everything we need in _raw is in the XML. An incomplete props.conf stanza is below.

[mcafee:epo:syslog]
KV_MODE = xml
SEDCMD-stripheader = s/^[^<]+<\?[^?]+\?>//
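The stripping and parsing the stanza above sets up, as an added worked example (not from the original notes): it applies the same SEDCMD expression in Python, parses what is left as XML, flattens it into dotted field names loosely modelled on what KV_MODE = xml produces, and also recovers the header fields the SEDCMD discards (relaying IP, tenant fields). The two sample events are constructed, trimmed from the ones listed below; the field naming is an approximation of Splunk's, not its algorithm.

```python
import re
import xml.etree.ElementTree as ET

# Same expression as SEDCMD-stripheader, translated to Python. Everything before the
# first '<' is the RFC 5424 header plus the [agentInfo@3401 ...] structured data; the
# <?xml ...?> prolog goes with it, so _raw begins at the root element.
STRIP_HEADER = re.compile(r"^[^<]+<\?[^?]+\?>")

# Header layout as seen in the sample events: a BSD-style prefix written by syslog-ng
# (receive time and the relaying IP), then the RFC 5424 fields the ePO server sends.
HEADER = re.compile(
    r"^(?P<recv_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<from_ip>\S+) 1 (?P<ts>\S+) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) \[(?P<sd>[^\]]*)\] "
)
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')


def strip_header(event: str) -> str:
    """Return what Splunk would keep in _raw after the SEDCMD runs."""
    return STRIP_HEADER.sub("", event, count=1)


def parse_header(event: str) -> dict:
    """Recover the fields the SEDCMD throws away, in case they need indexing separately."""
    m = HEADER.match(event)
    if not m:
        raise ValueError("not an ePO syslog line")
    fields = m.groupdict()
    sd_id, _, params = fields.pop("sd").partition(" ")
    fields["sd_id"] = sd_id
    fields.update(dict(SD_PARAM.findall(params)))
    return fields


def flatten_xml(elem: ET.Element, prefix: str = "") -> dict:
    """Flatten an element tree into dotted paths (attributes as Tag{@attr}), an
    approximation of the names KV_MODE = xml yields. Repeated tags become lists."""
    path = f"{prefix}.{elem.tag}" if prefix else elem.tag
    out = {f"{path}{{@{k}}}": v for k, v in elem.attrib.items()}
    children = list(elem)
    if not children:
        text = (elem.text or "").strip()
        if text:                       # empty elements like <AccessRequested/> yield no field
            out[path] = text
        return out
    for child in children:
        for key, value in flatten_xml(child, path).items():
            if key in out:             # same tag repeated at the same path -> multivalue
                out[key] = (out[key] if isinstance(out[key], list) else [out[key]]) + [value]
            else:
                out[key] = value
    return out


def parse_event(event: str) -> dict:
    """Header stripped, XML parsed, fields flattened: roughly what a search would see."""
    return flatten_xml(ET.fromstring(strip_header(event)))


def threat_summary(event: str):
    """Fields an analyst triages on. Returns None for non-threat events such as the
    <UpdateEvents> DAT-update message that is the first sample in the notes."""
    f = parse_event(event)
    if not any(k.startswith("EPOevent.") for k in f):
        return None
    cf = "EPOevent.SoftwareInfo.Event.CommonFields."
    return {
        "host": f["EPOevent.MachineInfo.MachineName"],
        "threat": f[cf + "ThreatName"],
        "severity": int(f[cf + "ThreatSeverity"]),
        "handled": f[cf + "ThreatHandled"] == "True",
        "md5": f["EPOevent.SoftwareInfo.Event.CustomFields.TargetHash"],
        "detected": f[cf + "DetectedUTC"],
    }


# Constructed header, copied from the notes' samples (tenantNodePath keeps its backslash).
HEADER_TXT = ('Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 '
              'EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" '
              'tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\\2"] ')

# Constructed sample: the W97M/Downloader.ga detection from the notes, trimmed to the
# fields used here. The newline before 'target=' mirrors the wrapped <CustomFields> tag.
THREAT_EVENT = HEADER_TXT + (
    '<?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo>'
    '<MachineName>VAGRANT-8N2Q9U4</MachineName><IPAddress>172.28.126.102</IPAddress>'
    '</MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0">'
    '<Event><EventID>1280</EventID><Severity>3</Severity><CommonFields>'
    '<ThreatName>W97M/Downloader.ga</ThreatName><ThreatSeverity>2</ThreatSeverity>'
    '<DetectedUTC>2018-12-12T04:54:48Z</DetectedUTC><ThreatHandled>True</ThreatHandled>'
    '</CommonFields><CustomFields \ntarget="EPExtendedEventMT">'
    '<TargetHash>5e6ed43d10765e36afd6721a4761f8d2</TargetHash><AccessRequested></AccessRequested>'
    '</CustomFields></Event></SoftwareInfo></EPOevent>'
)

# Constructed sample: the AMCore content update (no threat) from the first sample line.
UPDATE_EVENT = HEADER_TXT + (
    '<?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo>'
    '<MachineName>VAGRANT-8N2Q9U4</MachineName></MachineInfo>'
    '<McAfeeCommonUpdater ProductName="McAfee Agent"><UpdateEvent><EventID>2401</EventID>'
    '<Type>AMCore</Type><Version>3555.0</Version></UpdateEvent></McAfeeCommonUpdater>'
    '</UpdateEvents>'
)

if __name__ == "__main__":
    print(parse_header(THREAT_EVENT))
    print(threat_summary(THREAT_EVENT))
    print(threat_summary(UPDATE_EVENT))
```

If a customer wants the relaying IP or tenant fields searchable, they have to be extracted before the SEDCMD rewrites _raw, since parse_header shows exactly what is gone afterwards.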

Sample Event

Here are some sample events:

Dec 12 04:29:08 172.28.126.100 1 2018-12-12T04:29:08.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><MachineName>VAGRANT-8N2Q9U4</MachineName><RawMACAddress>080027C82903</RawMACAddress><IPAddress>172.28.126.102</IPAddress><AgentVersion>5.5.1.342</AgentVersion><OSName>Windows Server 2016</OSName><TimeZoneBias>0</TimeZoneBias><UserName>vagrant</UserName></MachineInfo><McAfeeCommonUpdater ProductName="McAfee Agent" ProductVersion="5.0.0" ProductFamily="TVD"><UpdateEvent><EventID>2401</EventID><Severity>0</Severity><GMTTime>2018-12-12T04:00:37</GMTTime><ProductID>AMCORDAT2000</ProductID><Locale>0409</Locale><Error>0</Error><Type>AMCore</Type><Version>3555.0</Version><InitiatorID>EPOAGENT3000</InitiatorID><InitiatorType>UpdateTask</InitiatorType><SiteName>ePO_VAGRANT-8N2Q9U4</SiteName></UpdateEvent></McAfeeCommonUpdater></UpdateEvents> 
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1280</EventID><Severity>3</Severity><GMTTime>2018-12-12T04:54:48</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1280</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>W97M/Downloader.ga</ThreatName><ThreatType>trojan</ThreatType><DetectedUTC>2018-12-12T04:54:48Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a\WordDocument</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>True</ThreatDetectedOnCreation><TargetName>WordDocument</TargetName><TargetPath>C:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a</TargetPath><TargetHash>5e6ed43d10765e36afd6721a4761f8d2</TargetHash><TargetFileSize>138368</TargetFileSize><TargetModifyTime>2018-12-12T04:54:48Z</TargetModifyTime><TargetAccessTime>2018-12-11T12:10:00Z</TargetAccessTime><TargetCreateTime>2018-12-11T12:10:00Z</TargetCreateTime><Cleanable>True</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>0</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=WordDocument|TargetPath=C:\Users\vagrant\Downloads\VirusShare_5e6ed43d10765e36afd6721a4761f8d2\d634cdc4b920a2b7430e26994cbf126df5c84b6159fd253e97f0291b21f2844a|ThreatName=W97M/Downloader.ga|SourceProcessName=C:\Windows\explorer.exe|ThreatType=trojan|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T04:54:22</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T04:54:22Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.exe</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.exe</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:25:02Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:25:02Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>41360</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.exe|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 04:55:42 172.28.126.100 1 2018-12-12T04:55:42.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T04:54:22</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T04:54:22Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\bar.exe</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>bar.exe</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T18:01:53Z</TargetAccessTime><TargetCreateTime>2018-12-11T18:01:53Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>39149</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=bar.exe|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:19</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:19Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo2.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo2.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:19Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:19Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:19Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43080</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo2.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:19</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:19Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fooe.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fooe.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:07:04Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:07:04Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:07:04Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>42915</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=fooe.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\eicar.com</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>eicar.com</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>44d88612fea8a8f36de82e1278abb02f</TargetHash><TargetFileSize>68</TargetFileSize><TargetModifyTime>2018-12-11T18:39:07Z</TargetModifyTime><TargetAccessTime>2018-12-11T18:39:07Z</TargetAccessTime><TargetCreateTime>2018-12-11T18:39:07Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>37393</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=eicar.com|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fhjfhks.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fhjfhks.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T20:55:47Z</TargetModifyTime><TargetAccessTime>2018-12-11T20:55:47Z</TargetAccessTime><TargetCreateTime>2018-12-11T20:55:47Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>29193</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=fhjfhks.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.doc</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.doc</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:25:00Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:25:00Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>41840</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo.doc|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Demand Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1290</EventID><Severity>4</Severity><GMTTime>2018-12-12T05:02:20</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1290</ThreatEventID><ThreatSeverity>1</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:20Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_CONT</ThreatActionTaken><ThreatHandled>False</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>On-Demand Scan</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:10Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:10Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_ODS_TASK_NAME_RIGHT_CLICK</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_CON</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43090</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_ODS_DETECTION_GENERIC|TargetName=foo.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|ThreatType=test|ThreatActionTaken=IDS_ALERT_ACT_TAK_CONT|TaskName=IDS_ODS_TASK_NAME_RIGHT_CLICK|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:32</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:32Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\eicar.com</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>eicar.com</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>44d88612fea8a8f36de82e1278abb02f</TargetHash><TargetFileSize>68</TargetFileSize><TargetModifyTime>2018-12-11T18:39:07Z</TargetModifyTime><TargetAccessTime>2018-12-11T18:39:07Z</TargetAccessTime><TargetCreateTime>2018-12-11T18:39:07Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>37405</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=eicar.com|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:44</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:44Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fooe.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fooe.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:07:04Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:07:04Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:07:04Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>42940</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=fooe.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:51</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:51Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo2.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo2.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:19Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:19Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:19Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43112</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo2.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:04:04 172.28.126.100 1 2018-12-12T05:04:04.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:58</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:58Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\explorer.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.doc</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.doc</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:25:00Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:25:00Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>41878</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.doc|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\explorer.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:09:03 172.28.126.100 1 2018-12-12T05:09:03.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:03:06</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:03:06Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\fhjfhks.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>fhjfhks.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T20:55:47Z</TargetModifyTime><TargetAccessTime>2018-12-11T20:55:47Z</TargetAccessTime><TargetCreateTime>2018-12-11T20:55:47Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>29239</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=fhjfhks.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>
Dec 12 05:09:03 172.28.126.100 1 2018-12-12T05:09:03.0Z VAGRANT-8N2Q9U4 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>VAGRANT-8N2Q9U4</MachineName><AgentGUID>{92d6da85-d653-4176-a509-4de59489a78c}</AgentGUID><IPAddress>172.28.126.102</IPAddress><OSName>Windows 10 Server</OSName><UserName>SYSTEM</UserName><TimeZoneBias>0</TimeZoneBias><RawMACAddress>080027c82903</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>VAGRANT-8N2Q9U4</AnalyzerHostName><AnalyzerEngineVersion>6000.8403</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3555.0</AnalyzerDATVersion></CommonFields><Event><EventID>1278</EventID><Severity>3</Severity><GMTTime>2018-12-12T05:02:59</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1278</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>EICAR test file</ThreatName><ThreatType>test</ThreatType><DetectedUTC>2018-12-12T05:02:59Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>VAGRANT-8N2Q9U4</SourceHostName><SourceProcessName>C:\Windows\System32\notepad.exe</SourceProcessName><TargetHostName>VAGRANT-8N2Q9U4</TargetHostName><TargetUserName>VAGRANT-8N2Q9U4\vagrant</TargetUserName><TargetFileName>C:\Users\vagrant\Documents\foo.txt</TargetFileName></CommonFields><CustomFields 
target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-12-11T14:38:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>False</ThreatDetectedOnCreation><TargetName>foo.txt</TargetName><TargetPath>C:\Users\vagrant\Documents</TargetPath><TargetHash>d7b77d5a647e8bf4a3796d5e36f7c28a</TargetHash><TargetFileSize>69</TargetFileSize><TargetModifyTime>2018-12-11T17:04:10Z</TargetModifyTime><TargetAccessTime>2018-12-11T17:04:10Z</TargetAccessTime><TargetCreateTime>2018-12-11T17:04:10Z</TargetCreateTime><Cleanable>False</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>False</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>True</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>43129</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=foo.txt|TargetPath=C:\Users\vagrant\Documents|ThreatName=EICAR test file|SourceProcessName=C:\Windows\System32\notepad.exe|ThreatType=test|TargetUserName=VAGRANT-8N2Q9U4\vagrant</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3555.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOevent>