SIEM Foundations: Creating a McAfee ePolicy Orchestrator Data Source

Version 3


    Creating a McAfee ePolicy Orchestrator Data Source

    The McAfee SIEM collects ePolicy Orchestrator events by connecting directly to the ePO SQL Server database rather than to the ePO application. To define an ePO Data Source connection you need a SQL login on the ePO database server that can read the ePOEvents table. Create a dedicated, read-only login for the SIEM (the db_datareader role shown below is sufficient); do not reuse the ePO application's own SQL service account or a sysadmin login, since these credentials will be stored on the SIEM Receiver.

     

    The following outlines the configuration steps required on the ePO Database server.

    1. Ensure that a SQL Login account is available with appropriate privilege to the McAfee ePO database. For this example, an account named ‘epo’ has been created using SQL authentication and a Default Database set to that of the ePO database.
      SQL-Mgmt-Studio-User circle.png
    2. On the User Mapping page, map the login to the ePO database and add it to the db_datareader database role. Every database user is already a member of the public role; db_datareader grants SELECT on all user tables, which is all the SIEM needs. Do not add db_datawriter or db_owner.
      SQL-Login-Properties---epocircle.png
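    The T-SQL equivalent of steps 1 and 2, with a check that the new account can read ePOEvents and nothing more. This is an added example, not part of the McAfee article; it assumes the ePO database is named ePO4_EXAMPLE (a placeholder) and that you run it in SQL Server Management Studio as a sysadmin on the ePO database server.

```sql
-- Added example (not from the McAfee article): scripted version of steps 1-2.
-- Assumptions: ePO database named ePO4_EXAMPLE (placeholder), SIEM login named epo,
-- placeholder password. Run as a sysadmin on the ePO database server.
USE [master];
GO

-- Step 1: a dedicated SQL-authenticated login with the ePO database as its default.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'epo')
    CREATE LOGIN [epo]
        WITH PASSWORD = N'<replace-with-a-strong-password>',
             DEFAULT_DATABASE = [ePO4_EXAMPLE],
             CHECK_POLICY = ON;   -- enforce the host's password policy on this login
GO

USE [ePO4_EXAMPLE];
GO

-- Step 2: map the login to a database user and grant read-only access.
-- Membership in public is automatic; db_datareader grants SELECT on all
-- user tables, which covers ePOEvents and nothing more.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'epo')
    CREATE USER [epo] FOR LOGIN [epo];
EXEC sp_addrolemember N'db_datareader', N'epo';   -- SQL 2012+: ALTER ROLE db_datareader ADD MEMBER [epo];
GO

-- Check: impersonate the SIEM account and confirm it can read ePOEvents
-- but not write to it, without needing its password.
EXECUTE AS USER = N'epo';
SELECT
    HAS_PERMS_BY_NAME(N'dbo.ePOEvents', N'OBJECT', N'SELECT') AS can_select,  -- expect 1
    HAS_PERMS_BY_NAME(N'dbo.ePOEvents', N'OBJECT', N'INSERT') AS can_insert;  -- expect 0
SELECT TOP (5) * FROM dbo.ePOEvents;   -- should return rows, not a permission error
REVERT;
GO
```

    If the SELECT under EXECUTE AS fails, the SIEM's database connection test in step 18 will fail the same way; fix the mapping here rather than on the SIEM.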

     

    Adding the ePO Data Source to the McAfee SIEM

    The following outlines the configuration steps required to add the ePO Data Source to the McAfee SIEM running version 9.2.0 or higher.

    1. With the Physical Display selected on the System Tree, click the Add Device button from the Action Toolbar located in the upper left of the interface.
      Add-ePO-Data-Sourcecircle.png
      The Add Device Wizard window will open.
    2. From the Add Device Wizard window, select McAfee ePolicy Orchestrator (v4.6 or newer) and click Next >.
      Add-Device-Wizard.png
      NOTE: Depending upon the appliance deployed in the proof of concept (POC), some of the device options may not be available, indicated by the device type being greyed out. This is expected in POC installations deployed using an All-in-One combo appliance.
    3. Enter a Name for this ePO Data Source.
      NOTE: Each application installed in ePO (VSE, HIPS, etc.) will be added to the ePO data source as children using this name as a prefix. Example: McAfee ePO_VirusScan, McAfee ePO_Application and Change Control, etc. To prevent these child data source names from becoming truncated, use a short descriptive name for the parent ePO data source.
      Add-Device-ePO---Name.png
    4. Click Next >.

      The ePO data source requires information about both the ePO Application Server and the ePO Database Server. In some ePO deployments these are the same host, but separate credentials must still be supplied for each: the application credentials are used to connect to the ePO server to apply policy tags, while the database credentials are used by the SIEM to retrieve events for analysis, correlation and reporting.

      The Wizard will prompt you for both the Application details as well as the Database details on separate windows starting with the ePO Application information.
    5. Select the Receiver on which this ePO data source will reside.
    6. Enter the IP Address of the ePO Application Server.
    7. Enter the appropriate Application Port (default is 8443).
    8. Enter the Application Username.
      NOTE: The ePO user provided must have Group Admin privileges assigned within ePO.
    9. Enter the Password assigned to this ePO user.
      Add-Device-ePO---Applicatio.png
    10. Click the Connect button to test the connection to the ePO application.

      If the connection is completed successfully, a confirmation dialog box will open. Click Close.
      ePO-Test-Connection-Success.png
      If the connection test is unsuccessful, verify the ePO user credentials and privileges.
    11. Click Next >.

      The Wizard now prompts you for the ePO Database details.
    12. Enter the IP Address of the ePO Database Server.
    13. Enter the User ID of the SQL Login Account created earlier.
    14. Enter the Password assigned to the SQL Login Account.
    15. Enter the appropriate SQL Communication Port (default is 1433).
    16. Enter the ePO Database Name.
      NOTE: If the ePO Database Name contains a hyphen, the value entered MUST be surrounded by square brackets. Example: [ePO4_MCAFEE-123]
    17. If multiple SQL instances are present on this database server, enter the unique Database Instance associated with ePO.
      Add-Device-ePO---Database.png
    18. Click the Connect button to test the connection to the ePO database.

      If the connection is completed successfully, a confirmation dialog box will open. Click Close.
      ePO-Test-Connection-Success.png
      If the connection test is unsuccessful, verify the SQL credentials and privileges.
    19. Click Next >.
    20. A dialog box will open regarding the use of McAfee Risk Advisor data within the SIEM. The McAfee SIEM can utilize Risk Advisor asset reputation scoring as a component of a Risk Correlation policy. If Risk Advisor is present in the ePO installation AND if the Advanced Correlation Engine is being deployed with the SIEM, click Yes.
      ePO-Risk-Advisor.png
    21. Once complete, the Add Device Wizard will present a status window indicating that the ePO data source was successfully added and configured.
      Add-Device-ePO---Success.png
    22. Click Finish.
    23. Expand the new ePO Data Source in the Device Tree to confirm the connection to the ePolicy Orchestrator host and to identify the McAfee products that were found to be installed.
      Device-Tree---ePO.png
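    A pre-flight check for the values the wizard asks for in steps 5 through 18, so that a failed Connect can be explained before involving support. This is an added example and is not part of the McAfee article or the SIEM product. It assumes (not stated on this page) that the ePO Web API is exposed on the same HTTPS port as the console (8443) at /remote/core.help and accepts the console username and password over HTTP basic authentication; the hostnames, account names, password and database name are placeholders.

```python
"""Added example (not from the McAfee SIEM article): pre-flight check for the
Add Device Wizard inputs. Assumes the ePO Web API answers at
https://<epo>:<port>/remote/core.help with the console credentials; all host
names, credentials and database names below are placeholders."""
import base64
import socket
import ssl
import urllib.error
import urllib.request


def wizard_db_name(name: str) -> str:
    """Wizard rule from step 16: a database name containing a hyphen must be
    entered in square brackets. Plain names and already-bracketed names pass
    through unchanged."""
    name = name.strip()
    if name.startswith("[") and name.endswith("]"):
        return name
    return f"[{name}]" if "-" in name else name


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_epo_reply(body: str) -> tuple:
    """ePO Web API replies are plain text: 'OK:' followed by the result on
    success, 'Error <code>: <message>' otherwise. Returns (ok, detail)."""
    body = body.strip()
    if body.startswith("OK:"):
        return True, body[3:].strip()
    return False, body


def check_epo_credentials(host, port, username, password, verify_tls=True, timeout=10.0):
    """Authenticate to the ePO application server with HTTP basic auth by
    calling core.help, the least-privileged remote command. Returns (ok, detail)."""
    url = f"https://{host}:{port}/remote/core.help"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    # ePO installs with a self-signed certificate. verify_tls=False is only
    # acceptable for a one-off check from a trusted host; fix trust properly
    # (import the ePO CA) rather than leaving it off.
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return parse_epo_reply(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            return False, "HTTP 401: ePO rejected the username/password"
        return False, f"HTTP {exc.code}: {exc.reason}"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connection failed: {exc}"


def preflight(app_host, app_port, app_user, app_pass,
              db_host, db_port, db_name, verify_tls=True) -> dict:
    """Exercise what the wizard's two Connect buttons exercise and report."""
    app_open = tcp_reachable(app_host, app_port)
    auth_ok, detail = (False, f"TCP {app_port} not reachable on {app_host}")
    if app_open:
        auth_ok, detail = check_epo_credentials(app_host, app_port, app_user,
                                                app_pass, verify_tls)
    return {
        "app_port_open": app_open,
        "app_auth_ok": auth_ok,
        "app_detail": detail,
        "db_port_open": tcp_reachable(db_host, db_port),
        "db_name_for_wizard": wizard_db_name(db_name),
    }


if __name__ == "__main__":
    # Placeholder values (constructed for this example); replace before use.
    report = preflight("epo.example.internal", 8443, "siem-ro", "changeme",
                       "epo-sql.example.internal", 1433, "ePO4_MCAFEE-123",
                       verify_tls=False)
    for key, value in report.items():
        print(f"{key:20} {value}")
```

    A closed port points at a firewall between the Receiver and the ePO hosts; an HTTP 401 with the port open points at the ePO account (step 8 and its Group Admin requirement); the SQL side is checked by the T-SQL impersonation query in the database section above the wizard steps.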

     

    Configuring Advanced ePO Integration

    The McAfee SIEM can launch ePO directly from the SIEM interface to view endpoint details as defined within ePolicy Orchestrator. This advanced integration requires that the Local Network settings in the Asset Manager have been configured, since the SIEM uses them to decide which addresses are managed assets; complete the Local Network configuration before continuing.

     

    NOTE: This configuration example assumes a single ePO server with a local SQL database. In configurations where the ePO server is connected to a secondary SQL DB server, please contact McAfee support for assistance.

     

     

    Testing Advanced ePO Integration

    Once the McAfee SIEM has been configured with at least one ePO data source and the Local Network value has been defined within the Network Discovery section of the Asset Manager, the SIEM will allow the operator to launch the ePO interface from within the Security Management platform to view asset details specific to a given endpoint.

     

    1. From the SIEM user interface, select an IP address representing a managed asset within ePO.
      Default-Summary.png
    2. Click the Menu button in the upper left of the Source IP Address component.
      Menu-Buttoncircle.png
    3. From the menu that appears, select Actions, then View in ePO.
      Action---View-in-ePO.png
    4. If multiple ePO servers are defined in the McAfee SIEM, an additional dialog box will open requiring the ePO server to launch. Make the appropriate selection and press OK.
      Select-ePO-Server.png
    5. The ePO interface will open in a new browser window requiring authentication. Enter the appropriate ePO credentials to log into the ePolicy Orchestrator interface.
      ePO-Login.png
    6. Once authenticated, the ePO asset information window will open displaying the information related to the endpoint selected in the McAfee SIEM.
      ePO-Asset-Details.png

     

    Assigning ePO Policy Tags

    In addition to viewing the managed endpoint within ePO, McAfee SIEM also supports the assignment of ePO policy tags directly to assets from within the SIEM console.

    1. From the SIEM user interface, select an IP address representing a managed asset within ePO.
    2. Click the Menu button in the upper left of the Source IP Address component.
      Menu-Buttoncircle.png
    3. From the menu that appears, select Actions, then ePO Tagging.
      Action---ePO-Tagging.png
    4. Select an appropriate policy tag from the list and click the Assign button.
      ePO-Tag-List.png
      Optionally, the SIEM can issue an agent wake-up call once the ePO policy tag has been assigned, so the endpoint picks up the tag-based policy immediately instead of at its next scheduled agent-to-server communication.

     

     
