icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading System Tagger for McAfee ePO
SHA256 checksum (system-tagger-for-mcafee-epo_12.tgz) 7b6046ed0832789c07ffc3c0fbdd510aab96fa7fb6bf118905768de718e638c1 SHA256 checksum (system-tagger-for-mcafee-epo_11.tgz) cbdcd93c492df3e8d4acb8d14fc2c47be52cdb86e0cf1f21eca024088e410a27 SHA256 checksum (system-tagger-for-mcafee-epo_101.tgz) 74449a87c86e1e6b29b4d2b5332b98254414f175c5d5f65b4ec7eea821b8c980
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


System Tagger for McAfee ePO

Splunk Labs
This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
The System Tagger for McAfee ePO add-on allows Splunk users who are also using McAfee ePolicy Orchestrator (ePO) for endpoint security management to apply or remove ePO tags to systems in ePO as the result of a search. Once the system is tagged in ePO, new endpoint policies can be automatically applied and/or new tasks can be assigned in ePO. E.g., if a Splunk query detects an endpoint communicating with a malicious host (e.g. via proxy logs with threat intel), the add-on can tag that system as "compromised" in ePO. ePO can automatically run tag-specific tasks such as AV scans, and/or apply policies like blocking outbound communications via the endpoint firewall on the compromised host. This enables automation between any data in Splunk and McAfee endpoint security.

This add-on works as both a custom alert action in Splunk Enterprise 6.3+, and as an Adaptive Response Framework action in Splunk Enterprise Security 4.5+. It also includes inputs and dashboard panels to list/search systems and tags in ePO.


PLEASE NOTE: Users of older versions of this add-on may need to remove and re-install the app due to the a required re-name of the app.

Installation and Setup

To install this app, simply deploy it to your search head(s) or deploy via normal search head cluster deployer mechanisms. The search head(s) will need network connectivity to the McAfee ePO server over the ePO port in use in your environment (default 8000 or 8443). Minimum ePO version is 4.6.

Once installed, you will need to confiugure it with ePO server information and access credentials. From the Splunk launcher or the app drop down menu, select the "System Tagger for McAfee ePO" App. First, configure your ePO server details by clicking "Configuration" and then "Add-on Settings" from within the app.

Besides logging level and any required proxies between Splunk search heads and the ePO server (which you can configure on other tabs), you will need to specify 4 data points. You :
- ePO Server: This is a resolvable hostname or IP address of your McAfee ePolicy Orchestrator server
- ePO Port: This is the port of ePO server communications, usually 8000 (clear text, not recommended) or 8443 (encrypted, secure). This setting defaults to 8443, but change it if necessary.
- ePO User Name: This is the name of an existing account in McAfee ePO with permissions to apply system tags.
- ePO User Password: This is the above user's password. It is stored securely on the search head.

Save your changes, and you should be ready to use the add-on for apply and removing tags in ePO. You should also create any tags in McAfee ePO that you want to apply from within Splunk. Consult ePO documentation for instructions on how to do this.

You may also want to add data inputs at this point to collect data about available tags and systems from ePO. You do this from within the System Tagger for McAfee ePO App by clicking "Inputs" (the defaul view in the app) and then clicking "Create New Input" on the upper right. There are 2 types of inputs - tags and systems. You should create 1 for each type of input, specifying the frequency in seconds (this shouldn't need to more than a few times per day in most cases), index, and a unique name for the input. ePO server location and credentials used for these inputs are taken from the previous configuration step.

Add-On Usage

There are 2 ways to use this add-on: 1) as a custom alert action in Splunk Enterprise 6.3+ or, 2) as an Adaptive Response Framework action (automated or ad-hoc) in Splunk Enterprise Security 4.5+.

To configure a custom alert action, simply create a Splunk search that results in data indicating that there are systems that you want to tag or untag. Note which field in the search results contains the value of the system name you want to tag in ePO (e.g. host, dest, src, dvc, ComputerName, etc.). Save your search as an Alert, schedule it in the normal way, and then under the actions section, Add Action - McAfee ePO System Tagger. You should also set it to trigger "for each result" instead of just once, so that each system in the search results will be tagged properly.

The Alert Action will ask for 3 mandatory items:
- Action: You can either apply a tag to a system in ePO or remove a tag if the system already has that tag applied.
- Tag to Apply: This tag must already exist in ePO and the spelling must match the tag as it exists in ePO. This tag will be applied to the systems in ePO that come back in the search results.
- Field for System Name: This is the search results field from which the action will derive the system name as it matches the system name in ePO. You must use specify it in token format meaning $result.<yourField>$. Common examples might be $result.host$, $result.src$ or $result.dest$. Use whichever field in your search results provides the desired system name to be matched in ePO.

To use this add-on as an Adaptive Response Framework action in Splunk Enterprise Security 4.5 or higher, the instructions are essentially the same, except you will add the alert action when you configure the Correlation Search in Enterprise Security. It can be set to automatically tag or untag the system when the Correlation Search returns a result, or you can expose the ability to tag systems ad hoc to analysts as they review a Notable Event in the Incident Review Dashboard. In either case, the user will have to supply the tag name and field for system name as described above.

Search and Dashboard Panels

If you have configured the inputs as described above in the Installation and Setup section, you will be able to search for ePO tag or system data using "sourcetype=mcafee:epo:tag OR sourceptype=mcafee:epo:systems", respectively.

The add-on also includes 4 pre-build dashboard panels, which you can add to any new or existing dashboard in Splunk. These can be added when editing a dashboard (in edit panels mode) by clicking the "Add Panel" button, expanding the "Pre-Build Panel" section on the right, and choosing one of the panels that begins with "System Tagger." The 4 include panels return a list select fields for all tags, all systems, and allow free-form text search for any tag or system name.

The purpose of adding these inputs and pre-built panels into this add-on is to give admins a clear picture of the available tags and system names in ePO that can be used in the custom alert actions and/or Adaptive Response actions. Additionally, system admins and security analysts might find the available ePO system information valuable for other purposes.


If systems are not getting tagged/untagged in ePO as expected, there could be several causes: network connectivity, permissions, typos in or failure to configure the setup screen, referencing tags that don't exist in ePO, mismatch on system name between Splunk and ePO, etc.

As a general troubleshooting method you can use Splunk to look at the logs. An admin, you can run:
index=_internal sourcetype=splunkd component=sendmodalert action="mfe_epo_system_tagger"

In addition, anyone with access to the main index can find the add-on script's logging by searching:
index=main sourcetype=epotagger

Another good method to troubleshoot is to attempt to tag a system manually using Curl or a similar command line tool from the Splunk search head itself. It will look something like this:


A positive result from the curl command say "OK: 1" to indicate 1 tag was applied. "OK: 0" could be a problem or could simply indicate that the system is already tagged with that tag. Anything else indicates an issue.

Release Notes

Version 1.2
April 3, 2017

The previous update changes the underlying app ID, so you may have to REMOVE the old version and install (and reconfigure) this version, if you had the old version installed.

New Features in 1.2:
- Includes data inputs to pull information about systems and tags that exist on the ePO server
- Includes modular dashboard panels to review and search systems and tags from ePO

New Features in 1.1:
- Includes the ability to apply as well as remove tags from systems with a custom alert

Version 1.1
March 30, 2017

This update changes the underlying app ID, so you will have to REMOVE the old version and install (and reconfigure) this version, if you had the old version installed.

In addition, this version adds the ability to remove tags from ePO systems that have a particular tag applied. It offers this through an Action dropdown item when you configure an alert action.

Version 1.0.1
Nov. 3, 2016

App name change to clarify authorship.

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.