EVID 20720...20846 : McAfee Ep
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
EVID 20720, 20748, 20761, 20776, 20778, 20795, 20831, 20846 : McAfee Ep | Base Rule | General Information Log Message | Information |
ePO - AC - Execution Denied | Sub Rule | Command Execution Failure | Access Failure |
ePO - AC - Registry Write Denied | Sub Rule | Delete/Remove Object Failure | Access Failure |
ePO - AC - Inventory Corrupt | Sub Rule | General Error Message | Error |
ePO - AC - File Modified | Sub Rule | Object Modified | Access Success |
ePO - AC - File Renamed | Sub Rule | Object Renamed | Access Success |
ePO - AC - Package Install Denied | Sub Rule | Application Blocked | Failed Activity |
ePO - AC - Cache Throttling | Sub Rule | General Warning Log Message | Warning |
ePO - AC - General Event | Sub Rule | General Information Log Message | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| Machinename | <dname> | Text/String | Name of the system hosting the detecting product. |
| AgentGUID | N/A | N/A | Unique identifier of the agent that forwarded the event. |
| IPAddress | <dip> | IP Address | IP address of the system hosting the detecting product (if given in the event). |
| OSName | N/A | N/A | N/A |
| UserName | <account> <domainimpacted> | Text/String | N/A |
| TimeZoneBias | N/A | N/A | N/A |
| RawMACAddress | <dmac> | Text/String/Number | MAC address of the system hosting the detecting product. |
| ProductName | <vendorinfo> | Text/String | Name of the detecting managed product. |
| ProductVersion | <version> | Text/String/Number | Version number of the detecting product. |
| ProductFamily | N/A | N/A | N/A |
| EventID | <vmid> | Number | Unique identifier of the event class. |
| Severity | <severity> | Text/String/Number | N/A |
| GMTTime | N/A | N/A | N/A |
| SCORevent_name | <action> | Text/String | N/A |
| SCORevt_id | N/A | N/A | N/A |
| SCORevt_type | N/A | N/A | N/A |
| SCORevt_sink | N/A | N/A | N/A |
| SCORseq_no | N/A | N/A | N/A |
| SCORtime_stamp | N/A | N/A | N/A |
| SCORserver_state | N/A | N/A | N/A |
| SCORuser_name | <domainorigin> <login> | Text/String | N/A |
| SCORprocess_name | <process> | Text/String | N/A |
| SCORprocess_id | <processid> | Text/String/Number | N/A |
| SCORreputation_score | N/A | N/A | N/A |
| SCORparent_process_name | <parentprocesspath> <parentprocessname> | Text/String | N/A |
| SCORfile_name | <object> | Text/String | N/A |
| SCORfile_sha1 | <hash> | Text/String | N/A |
| SCORfile_md5 | N/A | N/A | N/A |
| SCORfile_sha256 | N/A | N/A | N/A |
| SCORfile_type | <objecttype> | Text/String | N/A |
| SCORdeny_reason | <reason> | Text/String | N/A |
| SCORdeny_reason_code | N/A | N/A | N/A |