From c3811781c92292c33ef5ef5e9d345c65e0aa28a4 Mon Sep 17 00:00:00 2001 From: "Mahir Chavda (C)" Date: Mon, 15 Jun 2020 11:49:16 +0530 Subject: [PATCH 1/2] Extract Source from the ProductName & Update document --- docs/sources/McAfee/index.md | 5 +- .../conf.d/log_paths/lp-mcafee_epo.conf.tmpl | 10 +++ tests/test_mcafee_epo.py | 68 +++++++++++++++++-- 3 files changed, 77 insertions(+), 6 deletions(-) diff --git a/docs/sources/McAfee/index.md b/docs/sources/McAfee/index.md index 250d6e5..c9ec15e 100644 --- a/docs/sources/McAfee/index.md +++ b/docs/sources/McAfee/index.md @@ -19,8 +19,9 @@ | source | notes | |----------------|---------------------------------------------------------------------------------------------------------| -| Future | source field will be updated in the future to identify record types | - +| policy_auditor_vulnerability_assessment | Policy Auditor Vulnerability Assessment events | +| mcafee_agent | McAfee Agent events | +| mcafee_endpoint_security | McAfee Endpoint Security events | ### Index Configuration | key | index | notes | diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl index 36419fb..b56d8ed 100644 --- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl @@ -21,6 +21,16 @@ log { }; }; + if { + filter { + message('ProductName="([^"]+)"' flags(store-matches)); + }; + rewrite { + set("$(lowercase $1)" value(".mcafee.product")); + subst('\s', '_', value(".mcafee.product") flags("global")); + r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav"), source("${.mcafee.product}")) + }; + }; rewrite { set("mcafee_epo", value("fields.sc4s_vendor_product")); diff --git a/tests/test_mcafee_epo.py b/tests/test_mcafee_epo.py index 8d8df32..e9e17e6 100644 --- a/tests/test_mcafee_epo.py +++ b/tests/test_mcafee_epo.py 
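Review bot: The value captured by `ProductName="([^"]+)"` becomes the Splunk `source` after only lowercasing and replacing whitespace with `_`, so any other character a reporting endpoint puts in its product name (`/`, `\`, `|`, `=`, `:`, non-ASCII) lands in `source` unchanged and the set of distinct sources is bounded only by what agents send, not by the three values the docs hunk documents. Since the tests search on those values literally, I would tighten the capture to the characters the known names actually need, `message('ProductName="([A-Za-z0-9 ._-]+)"' flags(store-matches));`, or add `subst('[^a-z0-9_]', '', value(".mcafee.product") flags("global"));` after the whitespace subst so the result is always a clean token. The `if` block has no `else`, so a non-matching event falls through to the unconditional `rewrite` below; whether that fallback is intended here should be stated in a comment on the `if`. The enclosing `log {}` block starts before and ends after this hunk.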
@@ -12,16 +12,76 @@ import pytest env = Environment() -testdata = [ + +mcafee_endpoint_security_testdata = [ r'{{ mark }} {{ iso }}Z {{ host }} EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] ?DESKTOP-000010011aacc-eeee-0000-0000-00001122331110.222.22.131Windows 10 Server%CTX_DOMAIN_USER%-330000011223311ENDP_GS_1060McAfee Endpoint Security10.6.1.1607DESKTOP-0000111200{{ iso }}_ops.update1none6', r'{{ mark }} {{ iso }}Z {{ host }} EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] ?DESKTOP-000010011aacc-eeee-0000-0000-00001122331110.222.22.83Windows 10 Server%CTX_DOMAIN_USER%-330000011223311ENDP_GS_1070McAfee Endpoint Security10.7.0.1285DESKTOP-0000111180{{ iso }}_ops.update.end1none6', r'{{ mark }} {{ iso }}Z {{ host }} EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] ?DESKTOP-000010011aacc-eeee-0000-0000-00001122331110.222.22.45Windows 10 WorkstationSYSTEM-330000011223311ENDP_WP_1060McAfee Endpoint Security10.6.1DESKTOP-00001URL navigation186003{{ iso }}wp.detect.url186002Web Control ViolationIDS_THREAT_TYPE_URL{{ iso }}ZblockedTrue213.211.198.58http://2222.aaaaa.org/download/eicarcom2.zipDESKTOP-00001\adminC:\Program Files\McAfee\Endpoint Security\Web Control\McChHost.exeDESKTOP-00001\adminIDS_BLADE_NAME_WPTrue03e33bcdd99853ea8c83407c3ab4599cC:\Program Files\Google\Chrome\Application\chrome.exea1902e39f3a1610751b707a6742082c3TrueGoogle LLC0FalseIDS_SECUIRTY_RATING_SA_REDIDS_SAE_CONTENT_MS1IDS_WC_NLD_URL_RATING|SourceURL=http://2222.aaaaa.org/download/eicarcom2.zip|SourceProcessName=C:\Program Files\McAfee\Endpoint Security\Web Control\McChHost.exe|SourceUserName=DESKTOP-00001\admin|ThreatActionTaken=blocked|AnalyzerName=McAfee Endpoint 
Security|SourceURLRatingCode=IDS_SECUIRTY_RATING_SA_RED186002222.aaaaa.orghttp://2222.aaaaa.org/download/eicarcom2.zip10413143444413000000100000000000000000011000000', r'{{ mark }} {{ iso }}Z {{ host }} EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] ?DESKTOP-000010011aacc-eeee-0000-0000-00001122331110.222.22.131Windows 10 ServerSYSTEM-330000011223311ENDP_AM_1060McAfee Endpoint Security10.6.1DESKTOP-000016010.8670On-Access Scan3811.012783{{ iso }}av.detect12782EICAR test filetest{{ iso }}ZIDS_ALERT_ACT_TAK_DELTrueDESKTOP-00001C:\Users\admin123.WIN-QFN79SPC5U4.000\Desktop\Tops.exeDESKTOP-00001DESKTOP-00001\admin123C:\Users\admin123.WIN-QFN79SPC5U4.000\Desktop\TEST_SAMPLES_MVS\Standard Test Set\eicarIDS_BLADE_NAME_SPB2019-08-25T02:22:00ZFalseTrueeicarC:\Users\admin123.WIN-QFN79SPC5U4.000\Desktop\TEST_SAMPLES_MVS\Standard Test Sete7e5fa40569514ec442bbdf755d89c2f702000-10-24T05:13:46Z2019-08-26T05:32:39Z2019-08-26T05:32:39ZFalseIDS_OAS_TASK_NAMEIDS_ALERT_THACT_ATT_CLEFalseIDS_ALERT_THACT_ATT_DELTrue410IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=eicar|TargetPath=C:\Users\admin123.WIN-QFN79SPC5U4.000\Desktop\TEST_SAMPLES_MVS\Standard Test Set|ThreatName=EICAR test file|SourceProcessName=C:\Users\admin123.WIN-QFN79SPC5U4.000\Desktop\Tops.exe|ThreatType=test|TargetUserName=DESKTOP-00001\admin123IDS_OAS_DEFAULT_THREAT_MESSAGE3811.0', +] +mcafee_agent_testdata = [ r'{{ mark }} {{ iso }}Z {{ host }} EPOEvents - EventFwd [agentInfo@4444 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] {0011aacc-eeee-0000-0000-000011223311}THEMBP1000011223311172.16.23.1231.1.1.103Windows 1024024224{{ iso }}POLICYAU6000040959Policy EnforcementN/AEPOAGENT3000N/AN/AN/A', +] +policy_auditor_vulnerability_assessment_testdata = [ r'{{ mark }} {{ iso }}Z {{ host }} EPOEvents - EventFwd [agentInfo@4444 tenantId="1" bpsId="1" 
tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] {0011aacc-eeee-0000-0000-000011223311}THEMBP1000011223311172.16.23.1231.1.1.103Linux0GARY189050{{ iso }}Policy Auditor Vulnerability Assessment1.1.0Security020eJx1jjELgzAUhPf+ipCpBYWoS+smOHYQHEuR1xjKK+YZzEupiP+9j+7d7o7vuNs0gXe61l2jmhgd qxYYVG+BCOmprkjpo45N1/UnnemUcBS4NKIZvYsMPvyC0uSmyouLKqramLo8C7G4mCYeeA2ysGkI YUILjDMN8+PlLEsTyS7OO2KY9J6JfYuel3UY5ce/1u2+74cvff89lg==', ] -@pytest.mark.parametrize("event", testdata) -def test_mcafee_epo_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): + +@pytest.mark.parametrize("event", mcafee_endpoint_security_testdata) +def test_mcafee_epo_structured_mcafee_endpoint_security(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): + host = get_host_key + + dt = datetime.datetime.now(datetime.timezone.utc) + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + # Tune time functions + iso = dt.isoformat()[0:23] + epoch = epoch[:-3] + + mt = env.from_string(event + "\n") + message = mt.render(mark="<29>1", iso=iso, host=host) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string('search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="mcafee_endpoint_security"') + search = st.render(epoch=epoch, host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + +@pytest.mark.parametrize("event", mcafee_agent_testdata) +def test_mcafee_epo_structured_mcafee_agent(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): + host = get_host_key + + dt = datetime.datetime.now(datetime.timezone.utc) + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + # Tune time functions + iso = dt.isoformat()[0:23] + epoch = 
epoch[:-3] + + mt = env.from_string(event + "\n") + message = mt.render(mark="<29>1", iso=iso, host=host) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string('search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="mcafee_agent"') + search = st.render(epoch=epoch, host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + +@pytest.mark.parametrize("event", policy_auditor_vulnerability_assessment_testdata) +def test_mcafee_epo_structured_policy_auditor_vulnerability_assessment(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) @@ -36,7 +96,7 @@ def test_mcafee_epo_structured(record_property, setup_wordlist, get_host_key, se sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=epav host=\"{{ host }}\" sourcetype=\"mcafee:epo:syslog\"") + st = env.from_string('search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="policy_auditor_vulnerability_assessment"') search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) From d00266675fa4212d7112ff054c776e6db6bda3f0 Mon Sep 17 00:00:00 2001 From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com> Date: Mon, 15 Jun 2020 09:01:00 -0400 Subject: [PATCH 2/2] Update for syntax changes in develop Remove use of the index macro and ensure the source is set if not provided --- .../etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl index b56d8ed..74b590d 100644 
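Review bot: The three new test functions `test_mcafee_epo_structured_mcafee_endpoint_security`, `test_mcafee_epo_structured_mcafee_agent` and `test_mcafee_epo_structured_policy_auditor_vulnerability_assessment` are copies that differ only in the test-data list and the `source="..."` literal in the search string, so a fix to the send/search/assert sequence now has to be made three times. One parametrized test over `(event, source)` pairs keeps a single copy and makes the next ProductName a one-line addition to the data; only the decorator, the signature and the two search lines change, the rest of the body is the existing one. The third function's body continues past the end of this hunk, where the following hunk adjusts its search string.
```python
testdata = (
    [(e, "mcafee_endpoint_security") for e in mcafee_endpoint_security_testdata]
    + [(e, "mcafee_agent") for e in mcafee_agent_testdata]
    + [(e, "policy_auditor_vulnerability_assessment") for e in policy_auditor_vulnerability_assessment_testdata]
)


@pytest.mark.parametrize("event,source", testdata)
def test_mcafee_epo_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event, source):
    # … unchanged: timestamp setup, template render, sendsingle …
    st = env.from_string('search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="{{ source }}"')
    search = st.render(epoch=epoch, host=host, source=source)
    # … unchanged: splunk_single, record_property, assert resultCount == 1 …
```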
--- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl @@ -28,16 +28,17 @@ log { rewrite { set("$(lowercase $1)" value(".mcafee.product")); subst('\s', '_', value(".mcafee.product") flags("global")); - r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav"), source("${.mcafee.product}")) - }; + r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), source("${.mcafee.product}")) + }; + } else { + # If the product is not provided by EPO we will just use a constant for the value + rewrite { + set("mcafee_epo", value("fields.sc4s_vendor_product")); + r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), source("epo")) + }; }; - rewrite { - set("mcafee_epo", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav")) - }; parser {p_add_context_splunk(key("mcafee_epo")); }; - parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
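Review bot: `set("mcafee_epo", value("fields.sc4s_vendor_product"));` now survives only inside the new `else` branch, so an event whose ProductName matched in the `if` branch leaves `fields.sc4s_vendor_product` unset, whereas before this change every event through this log path carried it. If that field is consumed downstream (the sc4s template or Splunk-side props keyed on vendor_product), the two branches now emit differently shaped events; I would hoist the `set(...)` into an unconditional `rewrite { ... };` placed before the `if`, or add the same line next to `subst(...)` in the `if` branch's rewrite. The new comment would also read more precisely as `# ePO did not report a ProductName; fall back to a constant source`. The enclosing `log {}` block starts before and ends after this hunk.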