In this document, you will see how to add a McAfee ePolicy Orchestrator server as a device in your McAfee SIEM so that you can start receiving events from your ePO server as well as apply tags automatically from the SIEM.
You can watch the steps described in this document by viewing the video below
Creating the accounts
We’ll first create the required accounts used by the SIEM to connect with ePO and the ePO SQL database.
Log into the ePO console. After you have logged in, click on Menu > Permission Sets.
Now let’s create a new permission set. Click on Actions > New
We’ll call this permission set “McAfee SIEM” and after you’re done typing in the title, go ahead and click Save
Now, let’s add the required permissions for the SIEM account to work properly.
Scroll down to the Systems section and click edit to the right of it
Now, put a check next to “Wake up agents; view Agent Activity Log” and “Apply, exclude, and clear tags” and click Save.
Great, now we have the permission set created. Let’s create a user and assign it to this permission set.
Click on Menu > Users
In the bottom left, click on New User
Let’s give this account the name SIEMSVC and we can leave the Logon status enabled.
For the ePO authentication radio button, go ahead and select a password for this user. You’ll need to remember this password for later.
Now, let’s scroll to the very bottom. Check the McAfee SIEM permission set that we had just created and click save. We can leave everything else blank.
Now that we have the user account created, we can go to the McAfee SIEM console and start setting up ePO as a data source.
To add a data source, first log into your SIEM console. In the system tree on the left of the console, select the Physical Display.
Now, just click on the Add Device icon in the top left corner of the console.
Choose the device McAfee ePolicy Orchestrator and click next
The next field lets us provide a Device name. This is how the device will appear in the SIEM console; you can pick any name you want, but you’d probably want something like McAfee ePO.
On the next screen, you can select the receiver, which would probably be one of the receivers near the McAfee ePO server.
Enter the IP Address of your ePO server in the Application IP Address section and add the port number. This is the port number that is after the colon when you log into the ePO server via a web browser. It’ll probably be 8443 unless you've changed it from the default.
Enter SIEMSVC as the Application Username and the password for the account.
Test the connection by clicking on the Connect button.
After the test is successful, click close and then click next
On this screen, we’ll need to put in the information for the ePO database.
Luckily for us, this information can be easily found on your ePO server if you go to the core/config page.
Let’s go back to your ePO server. In the address bar, just add /core/config right after the port number.
This will bring you to a page with all your database information and you can just enter that into the SIEM console
The IP address might already be entered on the IP address line, but if it isn’t, go ahead and enter it.
Next, enter the port number in the Database Port section if it is different from what’s already there.
Now, enter the username that you are using for ePO to access the SQL database. As I said, this is listed on the core/config page. If it is a domain user, you’ll want to use a [domain] backslash [username] format.
Enter the password for the username.
And finally, enter the database Name and the database Instance.
When all that information is entered into the SIEM console, click on the Connect button and test your connection.
After the connection test is successful, click close and then next. It will begin to add the ePO server.
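The wizard tests two separate connections, the ePO console on its web port and the ePO SQL database, and a failed Connect does not say whether the problem is the network path or the credentials. The following pre-flight check is an added example, not code from the original page or from McAfee: it probes both ports from the host you run it on (ideally one on the same network path as the receiver) and formats the SQL login in the [domain]\[username] form the wizard expects. The host names, the 8443 console port and the 1433 database port are placeholders; substitute the values shown on your ePO core/config page.

```python
# Added example (not from the original page or McAfee): a pre-flight check for the
# two connections the SIEM data-source wizard tests. Host names are placeholders.
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Target:
    label: str   # what the wizard screen calls this connection
    host: str    # IP or host name entered in the wizard
    port: int    # port entered in the wizard


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sql_login_name(username: str, domain: Optional[str] = None) -> str:
    """Format the SQL login the way the wizard expects: [domain]\\[username]
    for a domain user, the bare name for a SQL Server login."""
    return f"{domain}\\{username}" if domain else username


def preflight(targets: List[Target],
              probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe each target once; `probe` is injectable so the logic can be tested offline."""
    return {t.label: probe(t.host, t.port) for t in targets}


def diagnose(results: Dict[str, bool]) -> List[str]:
    """Turn probe results into the checks to make before pressing Connect again."""
    notes = []
    for label, ok in results.items():
        if not ok:
            notes.append(f"{label}: TCP connect failed; confirm host/port and that the "
                         f"receiver can reach it through any firewall before retrying Connect")
    if not notes:
        notes.append("all targets reachable; a failing Connect is now a credentials or permissions problem")
    return notes


if __name__ == "__main__":
    # Placeholder values: substitute the ePO console address/port (8443 by default)
    # and the database host/port shown on the ePO core/config page.
    targets = [
        Target("ePO console", "epo.example.internal", 8443),
        Target("ePO SQL database", "sql.example.internal", 1433),
    ]
    print("SQL login to enter:", sql_login_name("svc_epo_db", domain="CORP"))
    for line in diagnose(preflight(targets)):
        print(line)
```

If both probes succeed and Connect still fails, the remaining causes are the SIEMSVC password or permission set on the ePO side, or the database login and password on the SQL side. Keep in mind that the credentials on the core/config page are the ones ePO itself uses for its database, so the SIEM connects with the same database rights ePO has.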
You can enable Risk Advisor for this device to assess the reputation scoring as a component of a Risk Correlation policy.
After the ePO device is added successfully, you can click Finish.
Now, let’s see if we are receiving events. To see events specifically coming from our ePO server, we just select our newly created McAfee ePO device in the system tree. After it is selected, click on the “Get Events and Flows” icon in the top left corner of the console.
That will open up the Get Events and Flows window. Just click on the Start button and the ESM will start downloading events.
When it’s done, it will tell you how many events were downloaded. Go ahead and click close.
Now, click on the refresh icon in the top middle of the SIEM console.
This will update the dashboards and now you can see the ePO events in the console.
You’ve just seen how to add an ePolicy Orchestrator data source. This will allow you to apply tags and receive events from ePO and have all of the individual products available.
McAfee SIEM Solution page: http://www.mcafee.com/us/products/siem/index.aspx
McAfee SIEM Solution resources: https://community.mcafee.com/community/business/expertcenter/products/siem
McAfee SIEM Solution community: https://community.mcafee.com/community/business/siem
Contact sales: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales