xStevex
Level 9
Message 1 of 10

How to reduce noise in Threat Events?

For example, my domain controller is generating a lot of events, ~60% of all McAfee events, about GPO activity. I don't want to see those events in my Threat Events, because I know for sure 100% that it's legitimate.

How can I reduce this noise? Whitelist or exclude specific events so they are not logged?

I tried some exclusions, but as I understand it, they relate to blocking vs. not blocking the processing activity.

Maybe you know of any best practices on how to reduce the noise in Threat Events? I don't want to miss any important events during my analysis/threat hunting.

Accepted Solutions

Re: How to reduce noise in Threat Events?

Hi,

it's not possible 😞
The exclusion for this Access Protection rule is only for the source process, not for the threat target file.

If you want to monitor this scenario, McAfee/Trellix ENS Access Protection is not the optimal product.

But you can build a workaround if you want to monitor this with this Access Protection rule:

1. A Table Query:
Detecting Product Host Name: your DC
Event ID: 1095
Threat Target File Path: .....\gpi.ini (or something like this)

2. A Server Task:
Purge Threat Event Log
     Purge by Query: the query from 1
     Schedule: as often as you want

So you delete the events you don't want to have in ePO, and the rest you can monitor.

9 Replies
harshgautam
Employee
Message 2 of 10

Re: How to reduce noise in Threat Events?

Hi @xStevex ,

Greetings from Trellix (formerly McAfee). Thank you for contacting us through the Community channel.

Since you have not highlighted the ePO event ID or a screenshot of the event you want to reduce, my answer will be generic.

Event Filtering is a single global configuration that affects all agents, regardless of managed product or platform. Use the following steps within the ePO console and enable or disable events. Or, send the event to SIEM (send to a syslog server).

  1. Log on to the ePO console.
  2. Click Menu, Configuration, Server Settings.
  3. Click Event Filtering under the Setting Categories column, and click Edit.
  4. Select or deselect the Event IDs, as needed. Or, choose to store them only in ePO, in SIEM, or both, and then click Save.

After a change has been made to the list of enabled or disabled events, this change is saved on the ePO Server. The clients then download it using a file named EvtFiltr.ini. The EvtFiltr.ini file contains a list of all events that have been disabled within the Event Filtering configuration in ePO. If the copy of the EvtFiltr.ini file stored on the client doesn’t contain a specific event ID, this event can be generated on the client.

The EvtFiltr.ini file is located under the McAfee Agent Data directory. That location differs depending on the operating system:

  • For Windows: C:\ProgramData\McAfee\Agent\
  • For Linux and macOS: /var/McAfee/agent/scratch

General list of Event IDs sent to ePolicy Orchestrator

If the issue still persists, kindly log a Service Request with the ePO Team.

xStevex
Level 9
Message 3 of 10

Re: How to reduce noise in Threat Events?

Hi @harshgautam!
Let me provide more details.

For example, I'm receiving a lot of such events:

Event ID: 1095

Threat Name: Remotely accessing local files or folders

Target Name: gpt.ini

And as I said before, it's around 60% of all events.

I checked the Event Filtering option and, as I understand it, I can only disable the whole rule so that no events with ID 1095 are stored.

In my case, I need to store events with ID 1095 but not store specific activities with ID 1095.

For example, I don't want to store the events if:

  1. Target Host is DC
  2. Threat Name is Remotely accessing local files or folders
  3. Target Name is gpt.ini
  4. etc

Do you understand what I mean?
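
As an added example (not from the thread or from ePO itself): the three suppression criteria listed in the post above, which are also what the accepted workaround's table query selects, expressed as a rule run over constructed sample events, so that gpt.ini reads on the DCs are dropped while every other 1095 event stays. Field labels follow the thread; the host names DC01/DC02 and the sample records are assumptions.

```python
from dataclasses import dataclass

# Constructed sample of ePO threat events, keyed by the field labels used in this thread; host names and paths are invented.
SAMPLE_EVENTS = [
    {"Event ID": 1095, "Detecting Product Host Name": "DC01",
     "Threat Name": "Remotely accessing local files or folders",
     "Target Name": r"\\dc01\SysVol\example.local\Policies\{GUID}\gpt.ini"},
    {"Event ID": 1095, "Detecting Product Host Name": "DC01",
     "Threat Name": "Remotely accessing local files or folders",
     "Target Name": r"C:\Windows\System32\config\SAM"},        # same rule, different file: keep
    {"Event ID": 1095, "Detecting Product Host Name": "WKS-042",
     "Threat Name": "Remotely accessing local files or folders",
     "Target Name": r"\\wks-042\c$\Users\alice\gpt.ini"},     # gpt.ini, but not on a DC: keep
    {"Event ID": 1092, "Detecting Product Host Name": "DC01",
     "Threat Name": "Constructed other rule", "Target Name": "regedit.exe"},
]

@dataclass(frozen=True)
class SuppressionRule:
    name: str
    event_id: int            # only this ePO event ID (1095 here)
    host_names: frozenset    # detecting host must be one of these (assumed DC names, upper case)
    threat_name: str         # exact Access Protection rule name
    target_contains: str     # case-insensitive substring of Target Name

    def matches(self, ev: dict) -> bool:
        return (ev.get("Event ID") == self.event_id
                and ev.get("Detecting Product Host Name", "").upper() in self.host_names
                and ev.get("Threat Name") == self.threat_name
                and self.target_contains.lower() in ev.get("Target Name", "").lower())

# The three criteria from the post above; the DC host names are an assumption.
GPT_INI_ON_DC = SuppressionRule(
    name="1095 gpt.ini reads on domain controllers",
    event_id=1095,
    host_names=frozenset({"DC01", "DC02"}),
    threat_name="Remotely accessing local files or folders",
    target_contains="gpt.ini",
)

def filter_events(events: list, rules: list) -> tuple:
    """Return (events to keep, tally of suppressed events per rule) so suppression stays auditable."""
    kept, tally = [], {r.name: 0 for r in rules}
    for ev in events:
        hit = next((r for r in rules if r.matches(ev)), None)
        if hit is None:
            kept.append(ev)
        else:
            tally[hit.name] += 1
    return kept, tally
```

The per-rule tally lets you confirm a rule drops only the volume you expect, which is the same check worth making on the query before scheduling a purge server task against it.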

harshgautam
Employee
Message 4 of 10

Re: How to reduce noise in Threat Events?

Hi @xStevex ,

Thank you for sharing the details. The details of the event you shared:

1095: Access Protection rule violation detected and NOT blocked (Threat Prevention)

To avoid getting these event entries, kindly follow the steps below.

1) Log in to ePO and go to the Policy Catalog.

2) Go to the Endpoint Security Threat Prevention policy for Access Protection.

3) Click Edit on the applied policy and uncheck only the Report tab for it. (Screenshot attached for your reference.)

4) Save the policy and do an agent wake-up, or wait a couple of hours and monitor.

xStevex
Level 9
Message 5 of 10

Re: How to reduce noise in Threat Events?

Hi @harshgautam,

If I follow your guide I will not receive any events with ID 1095, but this is not my case.

I need to receive events with ID 1095, but if the "Target Name" contains "gpt.ini" I don't want to store it.

harshgautam
Employee
Message 6 of 10

Re: How to reduce noise in Threat Events?

Hi @xStevex ,

Please understand that the step suggested earlier will only stop the events related to the "Remotely accessing local files or folders" Access Protection rule.

You will still get the other event details for event 1095. I hope you get it now.

xStevex
Level 9
Message 7 of 10

Re: How to reduce noise in Threat Events?

Yes, I got it now.

In this case, I need to rephrase my question 😅

Is it possible to somehow edit "Remotely accessing local files or folders" to not report events where "Target Name" contains "gpt.ini", but to report the rest of the events?

harshgautam
Employee
Message 8 of 10

Re: How to reduce noise in Threat Events?

Hi @xStevex ,

Could you kindly give it a try? The steps are added in the attachment.

Also, I would like you to check something in the system Event Viewer. If you see Event ID 1058: "Processing of Group Policy failed. Windows attempted to read file \\domain.com\SysVol\domain.com\Policies\{xx}\gpt.ini from domain controller and was not successful", in that case disable the rule for sure.

Example of the Event String:
The processing of Group Policy failed. Windows attempted to read the file \\petcad1100\SysVol\petcad1100\Policies{GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 07/20/2022 07:51:56

xStevex
Level 9
Message 9 of 10

Re: How to reduce noise in Threat Events?

"Event ID 1058: Processing of Group Policy failed. Windows attempted to read file"

There are no errors. Anyway, my subrule is not configured to block any activity.

I did as you wrote in the Comunity.pdf guide and it didn't help me. Do you understand why it is not working?

Are there any guides on how to troubleshoot it?
