Showing results for 
Search instead for 
Did you mean: 

McAfee SIEM - How to Add an ePO Data Source to your SIEM


In this document, you will see how to add a McAfee ePolicy Orchastrator server as a device in you McAfee SIEM so that you can start receiving events from your ePO server as well as apply tags automatically from the SIEM


You can watch the steps described in this document by viewing the video below


Creating the accounts

We’ll first create the required accounts used by the SIEM to connect with ePO and the ePO SQL database.

Log into the ePO database. After you have logged in, click on Menu > Permission Sets


Now let’s create a new permission set. Click on Actions > New


We’ll call this permission set “McAfee SIEM” and after you’re done typing in the title, go ahead and click Save

Now, let’s add the required permissions for the SIEM account to work properly.

Scroll down to the Systems section and click edit to the right of it


Now, put a check next to “Wake up agents; view Agent Activity Log: view Agent Activity Log” and “Apply, exclude, and clear tags” and click save.


Great, now we have the permission set created. Let’s create a user and assign it to this permission set.

Click on Menu > Users


In the bottom left, click on New User

Let’s give this account the name SIEMSVC and we can leave the Logon status enabled.

For the ePO authentication radio button, go ahead and select a password for this user. You’ll need to remember this password for later.

Now, let’s scroll to the very bottom. Check the McAfee SIEM permission set that we had just created and click save. We can leave everything else blank.


Now that we have the user account created, we can go to the McAfee SIEM console and start setting up ePO as a data source.

To add a data source, first log into your SIEM console. In the system tree on the left of the console, select the Physical Display.

Now, just click on the Add Device icon in the top left corner of the console.


Choose the device McAfee ePolicy Orchestrator and click next


The next field will allow us to provide a name for the Device name. This displays how it will appear in the SIEM console and you can pick any name you want, but you’d probably want something like McAfee ePO.


On the next screen, you can select the receiver, which would probably be one of the receivers near the McAfee ePO server.

Enter the IP Address of your ePO server in the Application IP Address section and add the port number. This is the port number that is after the colon when you log into the ePO server via a web browser. It’ll probably be 8443 unless you've changed it from the default.

Enter the SIEMSVC as the Application Username and the password for the account.


Test the connection by clicking on the Connect button.

After the test is successful, click close and then click next

On this screen, we’ll need to put in the information for the ePO database.

Luckily for us, this information can be easily found on your ePO server if you go to the core/config page.

Let’s go back to your ePO server. In the address bar, just add /core/config right after the port number.


This will bring you to a page with all your database information and you can just enter that into the SIEM console

The IP address might already be Enterd the IP address line, but if it isn’t, go ahead and enter it.

Next, enter the port number in the Database Port section if it is different than what’s already there

Now, enter the username that you are using for ePO to access the SQL database. As I said, this is listed on the core/config page. If it is a domain user, you’ll want to use a [domain] backslash [username] format.

Enter the password for the username.

And finally, enter the database Name and the database Instance.


When all that information is entered into ePO, click on the Connect button and test your connection.

After the connection test is successful, click close and then next. It will begin to add the ePO server.

You can enable Risk Advisor for this device to assess the reputation scoring as a component of a Risk Correlation policy.


After the ePO device is added successfully, you can click Finish.

Now, let’s see if we are receiving events. To see events specifically coming from our ePO server, we just select our newly created McAfee ePO device in the system tree. After it is selected, click on the “Get Events and Flows” icon in the top left corner of the console.


That will open up the Get Events and Flows window. Just click on the Start button and the ESM will start downloading events.


When it’s done, it will tell you how many events were downloaded. Go ahead and click close.

Now, click on the refresh icon in the top middle of the SIEM console.

This will update the dashboards and now you can see the ePO events in the console.


You’ve just seen how to add an ePolicy Orchestrator data source. This will allow you to apply tags and receive events from ePO and have all of the individual products available.

Useful Links

McAfee SIEM Solution page:

McAfee SIEM Solution resources:

McAfee SIEM Solution community:

Contact sales:

Tags (1)
Version history
Revision #:
1 of 1
Last update:
‎10-21-2014 03:04 PM
Updated by:

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community