Initiating intelligence efforts are McAfee ePO's host DLP, initially for exfiltration and then expand to include deep-scans for various indicators.

After review of data, planning to bring in DLP_EventView's ComputerName, FocusDisplay, EventRowID, EventTypeDisplayName, OriginalEvidenceListSize, Online, Policy_Name, ProcessInfo_FileName, ProcessInfo_Product, RuleIDSet_DisplayName, UTCTime, UserName, and the file location and size from the XmlEvidence.

Appreciate any insight, lessons, etc. if you've already have integrated this data source with Securonix.

Thanks in advance, Jason

asked 13 Nov '14, 22:40

JasonBlue's gravatar image

accept rate: 0%

These are the fields I have received from McAfee EPO for hDLP.

EventTypeDisplayName Focus FocusDisplay RuleIDSet RuleIDSet_DisplayName LocalTimeOfDay LocalDayOfWeek InsertionTime EventType_LocalizationKey ComputerName UserName LocalTime UTCDayOfWeek UTCTimeOfDay Evidence DEVICE_CLASS_GUID CLASS_DISPLAY_NAME DISPLAY_NAME BUS_TYPE VENDOR_ID PRODUCT_ID SERIAL_NUMBER DATETIME COMPATIBLE_ID INSTANCE_ID

I see that you have some additional fields - OrignalEvidenceListSize, Processing_product, processing_filename . These should be very valuable for profiling.


answered 14 Nov '14, 02:21

tgulati's gravatar image

tgulati ♦♦
accept rate: 14%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 13 Nov '14, 22:40

Seen: 1,182 times

Last updated: 14 Nov '14, 02:21