The McAfee SIEM supports event collection from ePolicy Orchestrator via a connection to the ePO SQL database. To define an ePO Data Source connection, you will require a SQL account on the ePO database server with sufficient privilege to read from the ePOEvents table.
The following outlines the configuration steps required on the ePO Database server.
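One way to provision the read-only account described above, shown as an added example rather than McAfee's documented procedure. It assumes Microsoft SQL Server with SQL authentication enabled and the events table in the `dbo` schema. The database name `ePO_DBNAME`, the login name `siem_epo_reader` and the password are placeholders.

```sql
-- Added example: least-privilege SQL Server login for the SIEM's ePO data source.
-- Assumptions: SQL authentication is enabled; [ePO_DBNAME] stands in for the real
-- ePO database name; siem_epo_reader is a hypothetical account name.
-- GO is the batch separator used by sqlcmd and SSMS.

USE [master];
CREATE LOGIN [siem_epo_reader]
    WITH PASSWORD = N'<replace-with-generated-secret>',  -- placeholder, never reuse
         CHECK_POLICY = ON,                              -- enforce Windows password policy
         DEFAULT_DATABASE = [ePO_DBNAME];
GO

USE [ePO_DBNAME];
-- Map the login into the ePO database only; it gets no server roles.
CREATE USER [siem_epo_reader] FOR LOGIN [siem_epo_reader];

-- Grant read access to the events table the page names, and nothing else.
GRANT SELECT ON OBJECT::dbo.ePOEvents TO [siem_epo_reader];
GO

-- Check the effective permissions while impersonating the new account:
-- SELECT should be held on the table, INSERT/UPDATE/DELETE should not.
EXECUTE AS USER = N'siem_epo_reader';
SELECT HAS_PERMS_BY_NAME(N'dbo.ePOEvents', N'OBJECT', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo.ePOEvents', N'OBJECT', N'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME(N'dbo.ePOEvents', N'OBJECT', N'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME(N'dbo.ePOEvents', N'OBJECT', N'DELETE') AS can_delete;

-- List every database-level permission the account holds, to confirm it has
-- not inherited anything broader through role membership.
SELECT permission_name
FROM fn_my_permissions(NULL, N'DATABASE');
REVERT;
GO
```

If the data source later reports permission errors, add grants object by object instead of placing the account in a broad database role.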
The following outlines the configuration steps required to add the ePO Data Source to the McAfee SIEM running version 9.2.0 or higher.
The McAfee SIEM supports the ability to launch ePO directly from the SIEM interface to view endpoint details as defined within ePolicy Orchestrator. This advanced integration assumes that you have properly configured the Local Network settings in the Asset Manager. Please ensure you have followed the steps to configure Local Network before continuing.
NOTE: This configuration example assumes a single ePO server with a local SQL database. In configurations where the ePO server is connected to a secondary SQL DB server, please contact McAfee support for assistance.
Once the McAfee SIEM has been configured with at least one ePO data source and the Local Network value has been defined within the Network Discovery section of the Asset Manager, the SIEM will allow the operator to launch the ePO interface from within the Security Management platform to view asset details specific to a given endpoint.
In addition to viewing the managed endpoint within ePO, McAfee SIEM also supports the assignment of ePO policy tags directly to assets from within the SIEM console.