For various reasons we don't use DB Connect or heavy forwarders in our environment, but I'd like to evaluate this app.
I've managed to extract the SQL query from the app and have exported the data into Splunk with the sourcetype of mcafee:epo. I have configured field extractions in transforms.conf that look like this:
FIELDS = timestamp,AutoID,signature,threat_type,signature_id,category,severity_id,event_description,detected_timestamp,file_name,detection_method,vendor_action,threat_handled,logon_user,user,dest_nt_domain,dest_dns,dest_nt_host,fqdn,dest_ip,dest_netmask,dest_mac,os,sp,os_version,os_build,timezone,src_dns,src_ip,src_mac,process,url,source_logon_user,is_laptop,product,product_version,engine_version,dat_version,vse_dat_version,vse_engine64_version,vse_engine_version,vse_hotfix,vse_product_version,vse_sp
Then I installed the app. From what I can tell, the app should then work, since the data is already in there.
Should this work? There is no app listed in the Apps view even though I can see the app in the Manage Apps view. Does it have any dashboards or views, etc.?
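A complete props.conf/transforms.conf pair for that extraction, added here as an example and not taken from the post or from the app itself (the stanza name mcafee_epo_fields is an assumption). The practical check it illustrates: FIELDS only takes effect when the same transforms.conf stanza also sets DELIMS, and the stanza must be referenced from the sourcetype via REPORT- in props.conf, otherwise no fields are extracted.

```ini
# props.conf -- bind the delimited extraction to the sourcetype the data was indexed with
[mcafee:epo]
REPORT-epo_fields = mcafee_epo_fields

# transforms.conf -- FIELDS is ignored unless DELIMS is set in the same stanza
# (stanza name mcafee_epo_fields is an assumption; field list is the one from the post)
[mcafee_epo_fields]
DELIMS = ","
FIELDS = timestamp,AutoID,signature,threat_type,signature_id,category,severity_id,event_description,detected_timestamp,file_name,detection_method,vendor_action,threat_handled,logon_user,user,dest_nt_domain,dest_dns,dest_nt_host,fqdn,dest_ip,dest_netmask,dest_mac,os,sp,os_version,os_build,timezone,src_dns,src_ip,src_mac,process,url,source_logon_user,is_laptop,product,product_version,engine_version,dat_version,vse_dat_version,vse_engine64_version,vse_engine_version,vse_hotfix,vse_product_version,vse_sp
```

After deploying both files, a search such as `sourcetype=mcafee:epo | head 5 | table dest_ip signature severity_id` confirms the fields are being extracted before looking at why the app's views are missing.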