McAfee SIEM - How to Add an ePO Data Source to your SIEM

Version 1

    Overview

    In this document, you will see how to add a McAfee ePolicy Orchestrator (ePO) server as a device in your McAfee SIEM, so that the SIEM receives events from the ePO server and can apply ePO tags to systems automatically.

    Video


    You can watch the steps described in this document in the video that accompanies it.

    Procedure


    Creating the accounts

    We’ll first create the ePO account the SIEM uses to connect to ePO. The SIEM also needs credentials for the ePO SQL database; those are entered later, when the data source is added.

    Log into the ePO console. After you have logged in, click Menu > Permission Sets.

    01.png


    Now let’s create a new permission set. Click Actions > New.

    02.png

    We’ll call this permission set “McAfee SIEM”. After you’re done typing in the name, click Save.

    Now, let’s add the permissions the SIEM account needs.

    Scroll down to the Systems section and click Edit to the right of it.

    03.png

    Put a check next to “Wake up agents; view Agent Activity Log” and “Apply, exclude, and clear tags”, then click Save. Leave the other rights unchecked: the SIEM account needs nothing more, and a narrowly scoped account limits what can be done with its password.

    05.png


    Great, now we have the permission set created. Let’s create a user and assign it to this permission set.

    Click on Menu > Users

    06.png


    In the bottom left, click New User.

    Name this account SIEMSVC and leave Logon status set to Enabled.

    Under Authentication type, select ePO authentication and set a password for this user. You’ll need this password later, when the data source is configured in the SIEM.

    Now scroll to the very bottom, check the McAfee SIEM permission set we just created, and click Save. Everything else can be left blank.

    07.png


    Now that we have the user account created, we can go to the McAfee SIEM console and start setting up ePO as a data source.

    To add a data source, first log into your SIEM console. In the system tree on the left of the console, select the Physical Display.

    Now, just click on the Add Device icon in the top left corner of the console.

    08.png


    Choose the device type McAfee ePolicy Orchestrator and click Next.

    09.png

    The next field is the Device Name. This is how the data source appears in the SIEM console; any name will do, but something like McAfee ePO is sensible.

    10.png

    On the next screen, select the receiver; normally this is the receiver nearest the McAfee ePO server on the network.

    Enter the IP address of your ePO server in the Application IP Address field and add the port number. This is the port that follows the colon when you log into the ePO console in a web browser; it is 8443 unless you changed the default.

    Enter SIEMSVC as the Application Username and the password you set for that account.

    11.png

    Test the connection by clicking Connect. The SIEM logs into the ePO web interface over HTTPS on that port with the SIEMSVC account.

    After the test is successful, click Close and then Next.
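    The Connect button exercises the ePO web API with the SIEMSVC account. You can do the same from any machine that reaches the ePO port before going through the wizard, and see what the SIEM does when it tags a system. The script below is an added example; it is not part of the original page or of McAfee's products. It assumes the ePO remote-command API (commands under /remote/<command>, HTTP basic authentication, the :output=json parameter and replies that start with OK: or Error <n>:). The host epo.example.com, the password, the system and tag names and the sample replies are constructed so the demo runs offline; system.applyTag is the call that needs the “Apply, exclude, and clear tags” right granted above.

```python
"""Pre-flight check of the ePO web API account the SIEM will use.

Added example, not part of the original page or of McAfee's products. Assumes
the ePO remote-command API: commands under /remote/<command>, HTTP basic auth,
':output=json' for JSON, replies beginning 'OK:' (payload follows) or
'Error <n>:'. The host, password, system/tag names and SAMPLE_RESPONSES
below are constructed so the demo runs offline.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


class EpoApiError(Exception):
    """ePO accepted the login but rejected the command (e.g. no permission)."""


def _default_http(url, headers, cafile=None):
    """Real transport: GET url, return (status, body). Certificate checks stay
    on; pass cafile if ePO uses a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def epo_call(base_url, user, password, command, params=None, http=_default_http):
    """Run one remote command and return its decoded JSON result."""
    query = dict(params or {})
    query[":output"] = "json"
    url = "%s/remote/%s?%s" % (base_url.rstrip("/"), command,
                               urllib.parse.urlencode(query))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    status, body = http(url, {"Authorization": "Basic " + token})
    if status == 401:
        raise PermissionError("ePO rejected the credentials for user %s" % user)
    if status != 200 or not body.startswith("OK:"):
        first = body.strip().splitlines()[0] if body.strip() else "HTTP %d" % status
        raise EpoApiError(first)
    return json.loads(body.split("\n", 1)[1])


def check_siem_account(base_url, user, password, http=_default_http):
    """Log in as the SIEM account and see which commands ePO lists; the
    permission set decides whether system.applyTag then succeeds."""
    help_lines = epo_call(base_url, user, password, "core.help", http=http)
    names = {line.split()[0] for line in help_lines if line.strip()}
    return {"login_ok": True,
            "has_apply_tag": "system.applyTag" in names,
            "has_clear_tag": "system.clearTag" in names}


def apply_tag(base_url, user, password, system_names, tag_name, http=_default_http):
    """What the SIEM does when it tags a host: system.applyTag takes the system
    names (comma separated) and the tag and returns how many were tagged.
    This changes ePO state, so run it only against a system you mean to tag."""
    params = {"names": ",".join(system_names), "tagName": tag_name}
    return epo_call(base_url, user, password, "system.applyTag", params, http=http)


# Constructed replies in ePO's text format, used only by the offline demo.
SAMPLE_RESPONSES = {
    "core.help": (200, 'OK:\n["core.help [command] [prefix=<>]", '
                       '"system.applyTag names tagName", '
                       '"system.clearTag names tagName [all]"]'),
    "system.applyTag": (200, "OK:\n1"),
}
_DEMO_TOKEN = "Basic " + base64.b64encode(b"SIEMSVC:s3cret-demo").decode()


def fake_http(url, headers):
    """Offline stand-in for _default_http, answering from SAMPLE_RESPONSES."""
    if headers.get("Authorization") != _DEMO_TOKEN:
        return 401, ""
    command = url.split("/remote/", 1)[1].split("?", 1)[0]
    return SAMPLE_RESPONSES.get(command, (200, "Error 1: unknown command"))


def run_offline_demo():
    """Exercise the checks against the constructed replies."""
    base, user, password = "https://epo.example.com:8443", "SIEMSVC", "s3cret-demo"
    report = check_siem_account(base, user, password, http=fake_http)
    report["tagged"] = apply_tag(base, user, password, ["WKS-0042"],
                                 "SIEM-Suspect", http=fake_http)
    try:
        check_siem_account(base, user, "wrong-password", http=fake_http)
        report["bad_password_rejected"] = False
    except PermissionError:
        report["bad_password_rejected"] = True
    return report


if __name__ == "__main__":
    print(run_offline_demo())  # live: check_siem_account("https://<epo>:8443", "SIEMSVC", pw)
```

    Against a real server, call check_siem_account with the ePO URL and the SIEMSVC password and leave http at its default; a 401 means the password or Logon status is wrong, an Error reply on system.applyTag means the permission set lacks the tag right.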

    On this screen, we need to enter the connection details for the ePO database.

    This information is available on the ePO server itself, on the core/config page.

    Go back to your ePO server. In the browser’s address bar, add /core/config right after the port number, for example https://<epo-server>:8443/core/config.

    12.png

    This page shows the database settings ePO itself uses; enter them in the SIEM console.

    The IP address may already be filled in on the IP Address line; if it isn’t, enter it.

    Next, enter the port number in the Database Port field if it differs from what is already there.

    Now enter the username ePO uses to access the SQL database, as listed on the core/config page. If it is a domain user, use the domain\username format. Note that reusing this account gives the SIEM the same database rights ePO has; if your policy calls for least privilege, create a dedicated SQL login with read-only access to the ePO database and enter that instead.

    Enter the password for that username.

    Finally, enter the Database Name and the Database Instance.

    13.png

    When all that information has been entered in the SIEM console, click Connect to test the database connection.

    After the connection test is successful, click Close and then Next. The SIEM will begin adding the ePO server.

    You can enable Risk Advisor for this device so that its reputation scoring can be used as a component of a Risk Correlation policy.

    14.png

    After the ePO device is added successfully, you can click Finish.

    Now, let’s check that events are arriving. To see only the events coming from the ePO server, select the newly created McAfee ePO device in the system tree, then click the “Get Events and Flows” icon in the top left corner of the console.

    15.png

    That opens the Get Events and Flows window. Click Start and the ESM will start downloading events.

    16.png

    When it’s done, it reports how many events were downloaded. Click Close.

    Now click the refresh icon in the top middle of the SIEM console.

    This updates the dashboards, and the ePO events now appear in the console.

    Conclusion

    You’ve just seen how to add an ePolicy Orchestrator data source. The SIEM can now receive events from ePO, including those reported by the McAfee products ePO manages, and apply ePO tags to systems.


    Useful Links

    McAfee SIEM Solution page: http://www.mcafee.com/us/products/siem/index.aspx

    McAfee SIEM Solution resources: https://community.mcafee.com/community/business/expertcenter/products/siem

    McAfee SIEM Solution community: https://community.mcafee.com/community/business/siem

    Contact sales: http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-sales