
Mcafee EPO - Support for event time (_time) to be XML field value

davidbattyJDS opened this issue 2 years ago (Open, 1 comment)

Hi, currently the McAfee parser uses the syslog header for the event time. https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-mcafee_epo.conf

The business has requested that <DetectedUTC>2022-09-30T00:06:51</DetectedUTC> be used if it exists. Alternatively, all events have the field <GMTTime>2022-09-30T00:06:51</GMTTime>

NOTE: these will have to be converted to the local UTC and/or the value defined in the env_file, e.g.:

SC4S_DEFAULT_TIMEZONE=Australia/Sydney

Sample event below:

<29>1 2022-03-10T00:53:46.0Z wbg_mca_DetectedUTC_01 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\\2"][meta sequenceId="-1807074720"]<?xml version="1.0"?> <EPOevent><MachineInfo><MachineName>x</MachineName><AgentGUID>{21dbf920-1e81-11ed-04d1-806d970692fd}</AgentGUID><IPAddress>x</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-570</TimeZoneBias><RawMACAddress>x</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.7.0.3113" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1070</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.7.0.3113</AnalyzerVersion><AnalyzerHostName>x</AnalyzerHostName><AnalyzerDetectionMethod>Exploit Prevention</AnalyzerDetectionMethod></CommonFields><Event><EventID>18060</EventID><Severity>3</Severity><GMTTime>2022-09-30T00:06:51</GMTTime><CommonFields><ThreatCategory>hip.file</ThreatCategory><ThreatEventID>18060</ThreatEventID><ThreatName>T1193-SPEARPHISHING-ATTACHMENT_Dropping_EXE</ThreatName><ThreatType>IDS_THREAT_TYPE_VALUE_BOP</ThreatType><DetectedUTC>2022-09-30T00:06:51</DetectedUTC><ThreatActionTaken>IDS_ACTION_WOULD_BLOCK</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceUserName>CORPAU\x</SourceUserName><SourceProcessName>EXCEL.EXE</SourceProcessName><TargetHostName>x</TargetHostName><TargetUserName>SYSTEM</TargetUserName><TargetFileName>C:\Users\x\AppData\Local\Microsoft\MSIP\mip\EXCEL.EXE\</TargetFileName><ThreatSeverity>2</ThreatSeverity></CommonFields><CustomFields target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentVersion>10.7.0.3113</AnalyzerContentVersion><AnalyzerRuleID>20003</AnalyzerRuleID><AnalyzerRuleName>T1193-SPEARPHISHING-ATTACHMENT_Dropping_EXE</AnalyzerRuleName><SourceProcessHash>43b0e8bcbef769a4770d1a2abe9a2cbb</SourceProcessHash><SourceProcessSigned>True</SourceProcessSigned><SourceProcessSigner>C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION</SourceProcessSigner><SourceProcessTrusted>True</SourceProcessTrusted><SourceFilePath>C:\Program Files (x86)\Microsoft Office\root\Office16</SourceFilePath><SourceFileSize>48437584</SourceFileSize><SourceModifyTime>2022-08-17T22:58:59Z</SourceModifyTime><SourceAccessTime>2022-09-30T00:06:51Z</SourceAccessTime><SourceCreateTime>2022-08-17T22:58:44Z</SourceCreateTime><SourceDescription>"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\x\OneDrive - Westpac Group\Open Every Day\Prod + OT.xlsx"</SourceDescription><SourceProcessID>7080</SourceProcessID><TargetName> </TargetName><TargetPath>C:\Users\x\AppData\Local\Microsoft\MSIP\mip\EXCEL.EXE</TargetPath><TargetDriveType>IDS_EXP_DT_FIXED</TargetDriveType><TargetSigned>False</TargetSigned><TargetTrusted>True</TargetTrusted><TargetModifyTime>2022-09-30T00:06:51Z</TargetModifyTime><TargetAccessTime>2022-09-30T00:06:51Z</TargetAccessTime><TargetCreateTime>2022-09-30T00:06:51Z</TargetCreateTime><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>3719272</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_DESC_DETECTION_APSP_4|TargetPath=C:\Users\x\AppData\Local\Microsoft\MSIP\mip\EXCEL.EXE|AnalyzerRuleName=T1193-SPEARPHISHING-ATTACHMENT_Dropping_EXE|SourceFilePath=C:\Program Files (x86)\Microsoft Office\root\Office16|SourceProcessName=EXCEL.EXE|SourceUserName=CORPAU\x</NaturalLangDescription><AccessRequested>IDS_AAC_REQ_CREATE</AccessRequested></CustomFields></Event></SoftwareInfo></EPOevent>

davidbattyJDS, Sep 30 '22 01:09

Hi, speaking to the business, we would like to use GMTTime for the event time for all events.

Thanks

davidbattyJDS, Oct 03 '22 22:10
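As an added example (not SC4S's own parser code), the selection logic requested in the opening post and the follow-up, in Python: the XML payload is cut out of the RFC 5424 line, DetectedUTC is preferred with GMTTime as the fallback (drop DetectedUTC from TIME_FIELDS to use GMTTime for every event, as the follow-up asks), the value is tagged as UTC because ePO writes it without a zone designator, and the result is compared against the syslog header time and rendered in SC4S_DEFAULT_TIMEZONE. The sample is a trimmed copy of the event quoted above; the function and variable names are my own.

```python
import os
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed sample: a trimmed copy of the event quoted in the issue (most fields dropped).
SAMPLE = (
    '<29>1 2022-03-10T00:53:46.0Z wbg_mca_DetectedUTC_01 EPOEvents - EventFwd [agentInfo@3401 tenantId="1"]'
    '[meta sequenceId="-1807074720"]<?xml version="1.0"?> <EPOevent><MachineInfo><MachineName>x</MachineName>'
    '<TimeZoneBias>-570</TimeZoneBias></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security">'
    '<Event><EventID>18060</EventID><GMTTime>2022-09-30T00:06:51</GMTTime><CommonFields>'
    '<DetectedUTC>2022-09-30T00:06:51</DetectedUTC></CommonFields></Event></SoftwareInfo></EPOevent>'
)
# Preference order from the issue: DetectedUTC when present, else GMTTime (present on every event).
TIME_FIELDS = ("DetectedUTC", "GMTTime")

def split_event(line):
    """Return (syslog header timestamp, XML payload) from one RFC 5424 line."""
    m = re.match(r"<\d+>1 (\S+) ", line)
    start = line.find("<EPOevent>")
    if not m or start < 0:
        raise ValueError("not an RFC 5424 ePO event")
    return m.group(1), line[start:]

def pick_event_time(xml_text):
    """Return (field name, raw value) for the first preferred field that carries a value."""
    root = ET.fromstring(xml_text)
    for name in TIME_FIELDS:
        node = root.find(f".//{name}")
        if node is not None and node.text and node.text.strip():
            return name, node.text.strip()
    return None, None

def as_utc(value):
    """ePO writes these fields with no zone designator; their names say UTC, so tag them as UTC (left naive, .timestamp() would use the host's local zone)."""
    value = re.sub(r"\.\d+", "", value).rstrip("Z")   # drop fractional seconds and a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def event_time(line):
    """Return (field used, epoch seconds, skew of that time vs. the syslog header in seconds)."""
    header_ts, xml_text = split_event(line)
    header = as_utc(header_ts)
    field, value = pick_event_time(xml_text)
    if field is None:   # neither field present: keep today's behaviour and use the header time
        return "header", int(header.timestamp()), 0
    ts = as_utc(value)
    return field, int(ts.timestamp()), int((ts - header).total_seconds())

def localized(epoch, tz_name=os.environ.get("SC4S_DEFAULT_TIMEZONE", "UTC")):
    """Render the UTC event time in the zone SC4S is configured with (Python 3.9+ zoneinfo)."""
    from zoneinfo import ZoneInfo
    return datetime.fromtimestamp(epoch, ZoneInfo(tz_name)).isoformat()
```

On the quoted sample the header and the XML field disagree by about 204 days, which is the kind of skew that makes the header an unreliable _time source; the third value returned by event_time() is a convenient thing to alert on.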

@davidbattyJDS, please check the two links below for timezone issues:

  • https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/#fix-timezone
  • https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_SC4S_server/#timezone-mismatch-in-events

Please let us know in case of further queries.

bparmar-splunk, Jan 16 '23 06:01