diff --git a/decoders/0470-mcafee_decoders.xml b/decoders/0470-mcafee_decoders.xml
new file mode 100644
index 000000000..8a995caae
--- /dev/null
+++ b/decoders/0470-mcafee_decoders.xml
@@ -0,0 +1,322 @@
+<!--
+  -  McAfee EPO decoder
+  -  Updated by Wazuh, Inc.
+  -  Copyright (C) 2015-2019, Wazuh Inc.
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+<decoder name="mcafee-epo2">
+        <prematch>\pEPOEvent\p</prematch>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pMachineName\p(\.+)\p/MachineName\p</regex>
+    <order>machine_name</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAgentGUID\p(\.+)\p/AgentGUID\p</regex>
+    <order>agent_guid</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pIPAddress\p(\.+)\p/IPAddress\p</regex>
+    <order>ip.address</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pOSName\p(\.+)\p/OSName\p</regex>
+    <order>os.name</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pUserName\p(\.+)\p/UserName\p</regex>
+    <order>username</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTimeZoneBias\p(\.+)\p/TimeZoneBias\p</regex>
+    <order>timezone_bias</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pRawMACAddress\p(\.+)\p/RawMACAddress\p</regex>
+    <order>mac_address</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent"> ProductName=\p(\.+)\p ProductVersion=\p(\.+)\p ProductFamily=\p(\.+)\p</regex>
+    <order>product_name,product_version,product_family</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzer\p(\.+)\p/Analyzer\p</regex>
+    <order>Analyzer</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzerName\p(\.+)\p/AnalyzerName\p</regex>
+    <order>AnalyzerName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzerVersion\p(\.+)\p/AnalyzerVersion\p</regex>
+    <order>AnalyzerVersion</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzerHostName\p(\.+)\p/AnalyzerHostName\p</regex>
+    <order>AnalyzerHostName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzerDetectionMethod\p(\.+)\p/AnalyzerDetectionMethod\p</regex>
+    <order>AnalyzerDetectionMethod</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pEventID\p(\.+)\p/EventID\p</regex>
+    <order>EventID</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSeverity\p(\.+)\p/Severity\p</regex>
+    <order>Severity</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pGMTTime\p(\.+)\p/GMTTime\p</regex>
+    <order>GMTTime</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pThreatCategory\p(\.+)\p/ThreatCategory\p</regex>
+    <order>ThreatCategory</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pThreatEventID\p(\.+)\p/ThreatEventID\p</regex>
+    <order>ThreatEventID</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pThreatName\p(\.+)\p/ThreatName\p</regex>
+    <order>ThreatName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pThreatType\p(\.+)\p/ThreatType\p</regex>
+    <order>ThreatType</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pDetectedUTC\p(\.+)\p/DetectedUTC\p</regex>
+    <order>DetectedUTC</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pThreatActionTaken\p(\.+)\p/ThreatActionTaken\p</regex>
+    <order>ThreatActionTaken</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pThreatHandled\p(\.+)\p/ThreatHandled\p</regex>
+    <order>ThreatHandled</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceUserName\p(\.+)\p/SourceUserName\p</regex>
+    <order>SourceUserName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceProcessName\p(\.+)\p/SourceProcessName\p</regex>
+    <order>SourceProcessName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTargetHostName\p(\.+)\p/TargetHostName\p</regex>
+    <order>TargetHostName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTargetUserName\p(\.+)\p/TargetUserName\p</regex>
+    <order>TargetUserName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTargetFileName\p(\.+)\p/TargetFileName\p</regex>
+    <order>TargetFileName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pThreatSeverity\p(\.+)\p/ThreatSeverity\p</regex>
+    <order>ThreatSeverity</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pBladeName\p(\.+)\p/BladeName\p</regex>
+    <order>BladeName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzerContentVersion\p(\.+)\p/AnalyzerContentVersion\p</regex>
+    <order>AnalyzerContentVersion</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzerContentCreationDate\p(\.+)\p/AnalyzerContentCreationDate\p</regex>
+    <order>AnalyzerContentCreationDate</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAnalyzerRuleName\p(\.+)\p/AnalyzerRuleName\p</regex>
+    <order>AnalyzerRuleName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceProcessHash\p(\.+)\p/SourceProcessHash\p</regex>
+    <order>SourceProcessHash</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceProcessSigned\p(\.+)\p/SourceProcessSigned\p</regex>
+    <order>SourceProcessSigned</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceProcessSigner\p(\.+)\p/SourceProcessSigner\p</regex>
+    <order>SourceProcessSigner</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceProcessTrusted\p(\.+)\p/SourceProcessTrusted\p</regex>
+    <order>SourceProcessTrusted</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceFilePath\p(\.+)\p/SourceFilePath\p</regex>
+    <order>SourceFilePath</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceFileSize\p(\.+)\p/SourceFileSize\p</regex>
+    <order>SourceFileSize</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceModifyTime\p(\.+)\p/SourceModifyTime\p</regex>
+    <order>SourceModifyTime</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceAccessTime\p(\.+)\p/SourceAccessTime\p</regex>
+    <order>SourceAccessTime</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pSourceCreateTime\p(\.+)\p/SourceCreateTime\p</regex>
+    <order>SourceCreateTime</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTargetName\p(\.+)\p/TargetName\p</regex>
+    <order>TargetName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTargetPath\p(\.+)\p/TargetPath\p</regex>
+    <order>TargetPath</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTargetSigned\p(\.+)\p/TargetSigned\p</regex>
+    <order>TargetSigned</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTargetTrusted\p(\.+)\p/TargetTrusted\p</regex>
+    <order>TargetTrusted</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAttackVectorType\p(\.+)\p/AttackVectorType\p</regex>
+    <order>AttackVectorType</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pDurationBeforeDetection\p(\.+)\p/DurationBeforeDetection\p</regex>
+    <order>DurationBeforeDetection</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pNaturalLangDescription\p(\.+)\p/NaturalLangDescription\p</regex>
+    <order>NaturalLangDescription</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pAccessRequested\p(\.+)\p/AccessRequested\p</regex>
+    <order>AccessRequested</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pPolicyName\p(\.+)\p/PolicyName\p</regex>
+    <order>PolicyName</order>
+</decoder>
+
+<decoder name="mcafee-epo2-fields">
+    <parent>mcafee-epo2</parent>
+    <regex offset="after_parent">\pTimeSZone\p(\.+)\p/TimeSZone\p</regex>
+    <order>Timezone</order>
+</decoder>
diff --git a/rules/0625-mcafee_epo_rules.xml b/rules/0625-mcafee_epo_rules.xml
new file mode 100644
index 000000000..9c68af0cb
--- /dev/null
+++ b/rules/0625-mcafee_epo_rules.xml
@@ -0,0 +1,20 @@
+<!--
+  -  McAfee EPO rules
+  -  Updated by Wazuh, Inc.
+  -  Copyright (C) 2015-2019, Wazuh Inc.
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+<group name="mcafee_epo,">
+
+    <rule id="65500" level="0">
+        <decoded_as>mcafee-epo2</decoded_as>
+        <description>Mcafee EPO2</description>
+    </rule>
+    <rule id="65501" level="3">
+        <if_sid>65500</if_sid>
+        <description>$(ThreatName)</description>
+    </rule>
+
+</group>
diff --git a/tools/rules-testing/tests/mcafee_epo.ini b/tools/rules-testing/tests/mcafee_epo.ini
new file mode 100644
index 000000000..28be0c60b
--- /dev/null
+++ b/tools/rules-testing/tests/mcafee_epo.ini
@@ -0,0 +1,5 @@
+[mcafee_epo]
+log 1 pass = 2019-07-03T13:49:44.0Z RH1WVEPO1 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0"encoding="UTF-8"?><EPOevent><MachineInfo><MachineName>WAW-URSZULAL1</MachineName><AgentGUID>{11f929ca-65ce-11e9-2e63-34e6d73c4809}</AgentGUID><IPAddress>10.150.10.237</IPAddress><OSName>Windows 10 Workstation</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-120</TimeZoneBias><RawMACAddress>34e6d73c4809</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.1.1128" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.1.1128</AnalyzerVersion><AnalyzerHostName>WAW-URSZULAL1</AnalyzerHostName><AnalyzerDetectionMethod>Self Protection</AnalyzerDetectionMethod></CommonFields><Event><EventID>1092</EventID><Severity>0</Severity><GMTTime>2019-07-03T13:42:03</GMTTime><CommonFields><ThreatCategory>hip.registry</ThreatCategory><ThreatEventID>1092</ThreatEventID><ThreatName>Threat Prevention - Protect McAfee core registry keys and values</ThreatName><ThreatType>IDS_THREAT_TYPE_VALUE_SP</ThreatType><DetectedUTC>2019-07-03T13:42:03</DetectedUTC><ThreatActionTaken>blocked</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceUserName>VERIFONE\UrszulaL1</SourceUserName><SourceProcessName>IEXPLORE.EXE</SourceProcessName><TargetHostName>WAW-URSZULAL1</TargetHostName><TargetUserName>SYSTEM</TargetUserName><TargetFileName>HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\</TargetFileName><ThreatSeverity>6</ThreatSeverity></CommonFields><CustomFields target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentVersion>10.6.0000</AnalyzerContentVersion><AnalyzerContentCreationDate>2016-02-17T10:02:00Z</AnalyzerContentCreationDate><AnalyzerRuleName>IDS_SP_TP_RULE_PROTECT_MCAFEE_REG_KEY_VAL</AnalyzerRuleName><SourceProcessHash>c6e2e43dc922be346dbe3636d8711d5b</SourceProcessHash><SourceProcessSigned>True</SourceProcessSigned><SourceProcessSigner>C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATION</SourceProcessSigner><SourceProcessTrusted>True</SourceProcessTrusted><SourceFilePath>C:\PROGRAM FILES\INTERNET EXPLORER</SourceFilePath><SourceFileSize>824584</SourceFileSize><SourceModifyTime>2018-03-30  06:50:19</SourceModifyTime><SourceAccessTime>2019-04-24  09:09:52</SourceAccessTime><SourceCreateTime>2019-04-24  09:09:52</SourceCreateTime><TargetName> </TargetName><TargetPath>HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\</TargetPath><TargetSigned>False</TargetSigned><TargetTrusted>False</TargetTrusted><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>6071531</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_DESC_DETECTION_APSP_1|TargetPath=HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\|AnalyzerRuleName=IDS_SP_TP_RULE_PROTECT_MCAFEE_REG_KEY_VAL|SourceProcessName=IEXPLORE.EXE|SourceUserName=VERIFONE\UrszulaL1</NaturalLangDescription><AccessRequested>IDS_AAC_REQ_CREATE</AccessRequested></CustomFields></Event></SoftwareInfo></EPOevent>
+rule = 65501
+alert = 3
+decoder = mcafee-epo2