diff --git a/decoders/0470-mcafee_decoders.xml b/decoders/0470-mcafee_decoders.xml
new file mode 100644
index 000000000..8a995caae
--- /dev/null
+++ b/decoders/0470-mcafee_decoders.xml
@@ -0,0 +1,322 @@
+
+
+ \pEPOEvent\p
+
+
+
+ mcafee-epo2
+ \pMachineName\p(\.+)\p/MachineName\p
+ machine_name
+
+
+
+ mcafee-epo2
+ \pAgentGUID\p(\.+)\p/AgentGUID\p
+ agent_guid
+
+
+
+ mcafee-epo2
+ \pIPAddress\p(\.+)\p/IPAddress\p
+ ip.address
+
+
+
+ mcafee-epo2
+ \pOSName\p(\.+)\p/OSName\p
+ os.name
+
+
+
+ mcafee-epo2
+ \pUserName\p(\.+)\p/UserName\p
+ username
+
+
+
+ mcafee-epo2
+ \pTimeZoneBias\p(\.+)\p/TimeZoneBias\p
+ timezone_bias
+
+
+
+ mcafee-epo2
+ \pRawMACAddress\p(\.+)\p/RawMACAddress\p
+ mac_address
+
+
+
+ mcafee-epo2
+ ProductName=\p(\.+)\p ProductVersion=\p(\.+)\p ProductFamily=\p(\.+)\p
+ product_name,product_version,product_family
+
+
+
+ mcafee-epo2
+ \pAnalyzer\p(\.+)\p/Analyzer\p
+ Analyzer
+
+
+
+ mcafee-epo2
+ \pAnalyzerName\p(\.+)\p/AnalyzerName\p
+ AnalyzerName
+
+
+
+ mcafee-epo2
+ \pAnalyzerVersion\p(\.+)\p/AnalyzerVersion\p
+ AnalyzerVersion
+
+
+
+ mcafee-epo2
+ \pAnalyzerHostName\p(\.+)\p/AnalyzerHostName\p
+ AnalyzerHostName
+
+
+
+ mcafee-epo2
+ \pAnalyzerDetectionMethod\p(\.+)\p/AnalyzerDetectionMethod\p
+ AnalyzerDetectionMethod
+
+
+
+ mcafee-epo2
+ \pEventID\p(\.+)\p/EventID\p
+ EventID
+
+
+
+ mcafee-epo2
+ \pSeverity\p(\.+)\p/Severity\p
+ Severity
+
+
+
+ mcafee-epo2
+ \pGMTTime\p(\.+)\p/GMTTime\p
+ GMTTime
+
+
+
+ mcafee-epo2
+ \pThreatCategory\p(\.+)\p/ThreatCategory\p
+ ThreatCategory
+
+
+
+ mcafee-epo2
+ \pThreatEventID\p(\.+)\p/ThreatEventID\p
+ ThreatEventID
+
+
+
+ mcafee-epo2
+ \pThreatName\p(\.+)\p/ThreatName\p
+ ThreatName
+
+
+
+ mcafee-epo2
+ \pThreatType\p(\.+)\p/ThreatType\p
+ ThreatType
+
+
+
+ mcafee-epo2
+ \pDetectedUTC\p(\.+)\p/DetectedUTC\p
+ DetectedUTC
+
+
+
+ mcafee-epo2
+ \pThreatActionTaken\p(\.+)\p/ThreatActionTaken\p
+ ThreatActionTaken
+
+
+
+ mcafee-epo2
+ \pThreatHandled\p(\.+)\p/ThreatHandled\p
+ ThreatHandled
+
+
+
+ mcafee-epo2
+ \pSourceUserName\p(\.+)\p/SourceUserName\p
+ SourceUserName
+
+
+
+ mcafee-epo2
+ \pSourceProcessName\p(\.+)\p/SourceProcessName\p
+ SourceProcessName
+
+
+
+ mcafee-epo2
+ \pTargetHostName\p(\.+)\p/TargetHostName\p
+ TargetHostName
+
+
+
+ mcafee-epo2
+ \pTargetUserName\p(\.+)\p/TargetUserName\p
+ TargetUserName
+
+
+
+ mcafee-epo2
+ \pTargetFileName\p(\.+)\p/TargetFileName\p
+ TargetFileName
+
+
+
+ mcafee-epo2
+ \pThreatSeverity\p(\.+)\p/ThreatSeverity\p
+ ThreatSeverity
+
+
+
+ mcafee-epo2
+ \pBladeName\p(\.+)\p/BladeName\p
+ BladeName
+
+
+
+ mcafee-epo2
+ \pAnalyzerContentVersion\p(\.+)\p/AnalyzerContentVersion\p
+ AnalyzerContentVersion
+
+
+
+ mcafee-epo2
+ \pAnalyzerContentCreationDate\p(\.+)\p/AnalyzerContentCreationDate\p
+ AnalyzerContentCreationDate
+
+
+
+ mcafee-epo2
+ \pAnalyzerRuleName\p(\.+)\p/AnalyzerRuleName\p
+ AnalyzerRuleName
+
+
+
+ mcafee-epo2
+ \pSourceProcessHash\p(\.+)\p/SourceProcessHash\p
+ SourceProcessHash
+
+
+
+ mcafee-epo2
+ \pSourceProcessSigned\p(\.+)\p/SourceProcessSigned\p
+ SourceProcessSigned
+
+
+
+ mcafee-epo2
+ \pSourceProcessSigner\p(\.+)\p/SourceProcessSigner\p
+ SourceProcessSigner
+
+
+
+ mcafee-epo2
+ \pSourceProcessTrusted\p(\.+)\p/SourceProcessTrusted\p
+ SourceProcessTrusted
+
+
+
+ mcafee-epo2
+ \pSourceFilePath\p(\.+)\p/SourceFilePath\p
+ SourceFilePath
+
+
+
+ mcafee-epo2
+ \pSourceFileSize\p(\.+)\p/SourceFileSize\p
+ SourceFileSize
+
+
+
+ mcafee-epo2
+ \pSourceModifyTime\p(\.+)\p/SourceModifyTime\p
+ SourceModifyTime
+
+
+
+ mcafee-epo2
+ \pSourceAccessTime\p(\.+)\p/SourceAccessTime\p
+ SourceAccessTime
+
+
+
+ mcafee-epo2
+ \pSourceCreateTime\p(\.+)\p/SourceCreateTime\p
+ SourceCreateTime
+
+
+
+ mcafee-epo2
+ \pTargetName\p(\.+)\p/TargetName\p
+ TargetName
+
+
+
+ mcafee-epo2
+ \pTargetPath\p(\.+)\p/TargetPath\p
+ TargetPath
+
+
+
+ mcafee-epo2
+ \pTargetSigned\p(\.+)\p/TargetSigned\p
+ TargetSigned
+
+
+
+ mcafee-epo2
+ \pTargetTrusted\p(\.+)\p/TargetTrusted\p
+ TargetTrusted
+
+
+
+ mcafee-epo2
+ \pAttackVectorType\p(\.+)\p/AttackVectorType\p
+ AttackVectorType
+
+
+
+ mcafee-epo2
+ \pDurationBeforeDetection\p(\.+)\p/DurationBeforeDetection\p
+ DurationBeforeDetection
+
+
+
+ mcafee-epo2
+ \pNaturalLangDescription\p(\.+)\p/NaturalLangDescription\p
+ NaturalLangDescription
+
+
+
+ mcafee-epo2
+ \pAccessRequested\p(\.+)\p/AccessRequested\p
+ AccessRequested
+
+
+
+ mcafee-epo2
+ \pPolicyName\p(\.+)\p/PolicyName\p
+ PolicyName
+
+
+
+ mcafee-epo2
+ \pTimeSZone\p(\.+)\p/TimeSZone\p
+ Timezone
+
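Review bot: The parent decoder's only condition appears to be the prematch `\pEPOEvent\p` at the top of this hunk, and in OSSEC regex `\p` matches any punctuation character rather than an angle bracket specifically. Any log line from any source that contains that token between two punctuation characters would therefore be claimed by this decoder and passed to the mcafee-epo2 rules. The XML markup is not visible on this page, so this is inferred from the pattern text alone. Consider also requiring the forwarder header shown in the test sample (`EPOEvents - EventFwd`), provided that text is still part of what the prematch is evaluated against. Separately, `\pTimeSZone\p` in the last decoder does not match its output field `Timezone` and looks like a misspelling; if the real element is spelled differently, that field is silently never extracted, so it is worth confirming against a raw event.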
diff --git a/rules/0625-mcafee_epo_rules.xml b/rules/0625-mcafee_epo_rules.xml
new file mode 100644
index 000000000..9c68af0cb
--- /dev/null
+++ b/rules/0625-mcafee_epo_rules.xml
@@ -0,0 +1,20 @@
+
+
+
+
+
+ mcafee-epo2
+ Mcafee EPO2
+
+
+ 65500
+ $(ThreatName)
+
+
+
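Review bot: Only the `65500` parent reference and the `$(ThreatName)` description are visible for the child rule, so it seems to fire for every decoded ePO event at one level, which the test file gives as `alert = 3`. The decoder extracts `ThreatHandled`, `ThreatActionTaken` and `ThreatSeverity`, but nothing here uses them, so a blocked event and an unhandled detection are indistinguishable to an analyst. Consider an additional child rule at a higher level keyed on `<field name="ThreatHandled">False</field>`. A description made up solely of an endpoint-supplied field is empty or unexpanded when `ThreatName` is absent, so a fixed prefix would help, for example `<description>McAfee ePO threat event: $(ThreatName) (action: $(ThreatActionTaken))</description>`. The rule attributes are not visible on this page, so check whether a level or field condition already covers this.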
diff --git a/tools/rules-testing/tests/mcafee_epo.ini b/tools/rules-testing/tests/mcafee_epo.ini
new file mode 100644
index 000000000..28be0c60b
--- /dev/null
+++ b/tools/rules-testing/tests/mcafee_epo.ini
@@ -0,0 +1,5 @@
+[mcafee_epo]
+log 1 pass = 2019-07-03T13:49:44.0Z RH1WVEPO1 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] WAW-URSZULAL1{11f929ca-65ce-11e9-2e63-34e6d73c4809}10.150.10.237Windows 10 WorkstationSYSTEM-12034e6d73c4809ENDP_AM_1060McAfee Endpoint Security10.6.1.1128WAW-URSZULAL1Self Protection109202019-07-03T13:42:03hip.registry1092Threat Prevention - Protect McAfee core registry keys and valuesIDS_THREAT_TYPE_VALUE_SP2019-07-03T13:42:03blockedTrueVERIFONE\UrszulaL1IEXPLORE.EXEWAW-URSZULAL1SYSTEMHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\6IDS_BLADE_NAME_SPB10.6.00002016-02-17T10:02:00ZIDS_SP_TP_RULE_PROTECT_MCAFEE_REG_KEY_VALc6e2e43dc922be346dbe3636d8711d5bTrueC=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, OU=MOPR, CN=MICROSOFT CORPORATIONTrueC:\PROGRAM FILES\INTERNET EXPLORER8245842018-03-30 06:50:192019-04-24 09:09:522019-04-24 09:09:52 HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\FalseFalse46071531IDS_NATURAL_LANG_DESC_DETECTION_APSP_1|TargetPath=HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\|AnalyzerRuleName=IDS_SP_TP_RULE_PROTECT_MCAFEE_REG_KEY_VAL|SourceProcessName=IEXPLORE.EXE|SourceUserName=VERIFONE\UrszulaL1IDS_AAC_REQ_CREATE
+rule = 65501
+alert = 3
+decoder = mcafee-epo2
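Review bot: The `log 1 pass` sample looks like an unsanitised production event: it carries a workstation name, a domain-qualified user name, an internal IP address, a MAC address, an agent GUID and a process hash. Once merged, that fixture ships with the ruleset, so these values should be replaced with neutral ones that still satisfy the decoder patterns (constructed examples: `HOST-EXAMPLE1`, `EXAMPLE\user1`, `192.0.2.10`). The file also has a single positive case. A second sample with `ThreatHandled` false, and a line that merely contains the word EPOEvent without being an ePO event, would pin down both the rule level and the prematch behaviour.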