RSA Admin

query McAfee ePO for Agent events

Discussion created by RSA Admin Employee on Sep 23, 2013

For those of you who work in Incident Response, you know how critical mapping a username or hostname to an IP address is. If you are running McAfee ePO, the McAfee agent does a wonderful job of obtaining this information and keeping it updated. If you have ePO, you are likely already pulling this information into enVision; the attached files will let you query the agent check-in information directly, and place the information into the 'database' table 'Info' field.

 

The 'GenericDB' device type will let you query ANY database with ANY query, and simply stuff the information into the 'database' table 'Info' column.

 

The attached text file is the config information necessary to create a custom ODBC type to query the proper ePO 4.6 tables.
