Initial intelligence efforts are on McAfee ePO's host DLP, initially for exfiltration and then expanding to include deep-scans for various indicators.
After review of data, planning to bring in DLP_EventView's ComputerName, FocusDisplay, EventRowID, EventTypeDisplayName, OriginalEvidenceListSize, Online, Policy_Name, ProcessInfo_FileName, ProcessInfo_Product, RuleIDSet_DisplayName, UTCTime, UserName, and the file location and size from the XmlEvidence.
Appreciate any insight, lessons, etc. if you have already integrated this data source with Securonix.
Thanks in advance, Jason
asked 13 Nov '14, 22:40
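The field mapping described in the question (the DLP_EventView columns plus file location and size pulled out of XmlEvidence) is the kind of thing that is easiest to get right with a small normalizer before the events reach the SIEM. Below is an added example, not code from the original post or from McAfee or Securonix. The row values and the layout of the evidence XML (`<Evidence><File Path=... Size=.../></Evidence>`) are constructed assumptions for illustration; the real ePO evidence XML may use different element and attribute names, so adjust `parse_evidence` to the schema you actually see in the database.

```python
import xml.etree.ElementTree as ET

# DLP_EventView columns the question plans to forward (names as given in the post).
EVENT_FIELDS = [
    "ComputerName", "FocusDisplay", "EventRowID", "EventTypeDisplayName",
    "OriginalEvidenceListSize", "Online", "Policy_Name", "ProcessInfo_FileName",
    "ProcessInfo_Product", "RuleIDSet_DisplayName", "UTCTime", "UserName",
]

# Constructed sample row (all values made up). The XmlEvidence layout is a
# hypothetical schema used only for this example.
SAMPLE_ROW = {
    "ComputerName": "WS-0042",
    "FocusDisplay": "Removable Storage",
    "EventRowID": "1001",
    "EventTypeDisplayName": "Removable Storage Protection",
    "OriginalEvidenceListSize": "3",   # ePO says 3 files were involved ...
    "Online": "1",
    "Policy_Name": "Corp DLP Policy",
    "ProcessInfo_FileName": "explorer.exe",
    "ProcessInfo_Product": "Microsoft Windows",
    "RuleIDSet_DisplayName": "Block PII to USB",
    "UTCTime": "2014-11-13T22:40:00Z",
    "UserName": "CORP\\jdoe",
    # ... but only 2 are present in the evidence blob (simulates truncation).
    "XmlEvidence": (
        "<Evidence>"
        "<File Path=\"C:\\Users\\jdoe\\Documents\\customers.xlsx\" Size=\"1048576\"/>"
        "<File Path=\"C:\\Users\\jdoe\\Documents\\payroll.csv\" Size=\"20480\"/>"
        "</Evidence>"
    ),
}


def parse_evidence(xml_text):
    """Extract [{'path': str, 'size': int}, ...] from the (hypothetical) evidence XML.

    Malformed XML yields an empty list so the rest of the event still ships
    instead of being dropped. For XML from untrusted producers prefer defusedxml.
    """
    try:
        root = ET.fromstring(xml_text or "")
    except ET.ParseError:
        return []
    files = []
    for node in root.iter("File"):
        path = node.get("Path")
        try:
            size = int(node.get("Size", "0"))
        except ValueError:
            size = 0
        if path:
            files.append({"path": path, "size": size})
    return files


def normalize_event(row):
    """Flatten one DLP_EventView row into the record a SIEM would ingest.

    Adds total evidence bytes (useful for exfiltration volume baselining) and a
    flag for evidence lists that were shorter than ePO's declared size, so an
    analyst knows the file list on the event is incomplete.
    """
    rec = {name: row.get(name) for name in EVENT_FIELDS}
    evidence = parse_evidence(row.get("XmlEvidence"))
    rec["evidence_files"] = evidence
    rec["evidence_total_bytes"] = sum(f["size"] for f in evidence)
    try:
        declared = int(row.get("OriginalEvidenceListSize") or 0)
    except ValueError:
        declared = 0
    rec["evidence_truncated"] = declared > len(evidence)
    return rec


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_event(SAMPLE_ROW), indent=2))
```

The `evidence_truncated` flag is the check worth keeping: an `OriginalEvidenceListSize` larger than the number of files actually carried in the evidence blob means the record understates what the user touched, which matters when volume per user or per device is what your profiling keys on.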
These are the fields I have received from McAfee EPO for hDLP.
EventTypeDisplayName, Focus, FocusDisplay, RuleIDSet, RuleIDSet_DisplayName, LocalTimeOfDay, LocalDayOfWeek, InsertionTime, EventType_LocalizationKey, ComputerName, UserName, LocalTime, UTCDayOfWeek, UTCTimeOfDay, Evidence, DEVICE_CLASS_GUID, CLASS_DISPLAY_NAME, DISPLAY_NAME, BUS_TYPE, VENDOR_ID, PRODUCT_ID, SERIAL_NUMBER, DATETIME, COMPATIBLE_ID, INSTANCE_ID
I see that you have some additional fields - OriginalEvidenceListSize, Processing_product, processing_filename. These should be very valuable for profiling.
answered 14 Nov '14, 02:21