rickrick
Level 7

How do I add System Center Endpoint Protection 2016 (also known as Forefront Endpoint) as a data source in the ESM?

Hello Team,

How do I add System Center Endpoint Protection 2016 (also known as Forefront Endpoint) as a data source in the ESM?

I tried the Forefront guide (the link is below). It pulls from the SQL DB and is configured as it is supposed to be, but it did not work, even after the firewall change and everything.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24940/en_US/...

If I am not wrong, can we use the ESM SIEM Collector agent with "Generic Log Tail" to collect the Forefront Endpoint logs?

If so, please show me the steps to configure it, or point me to any knowledge base article that could help. Please advise!

Thank you.

12 Replies
sssyyy
Level 12

We've configured ESM to pull via the SQL DB; you have to make sure the correct DB instance is selected.

rickrick
Level 7

Thanks sssyyy.

Which firewall rules should be open: TCP port 1433 and UDP port 1434, or anything else?

Do you have any sample image to show the configuration? Any help will be much appreciated.

Cheers!

sssyyy
Level 12

Our EP sits within SCCM, so we just connect to the DB table that has the EP data.

[Attachment: Microsoft EP.JPG]

rickrick
Level 7

Thanks sssyyy.

I have the same configuration but am still having the issue pulling data. I even enabled a firewall allow rule for UDP port 1434 outbound from the receiver to the MSSQL DB, and also TCP port 1433 (the default) outbound from the receiver to the MSSQL DB.

I called a McAfee support engineer, who told me that it might not support Forefront Endpoint 2016, which I doubt now because your Endpoint 2016 is working. Not sure what I am missing here.

sssyyy
Level 12

What kind of issue are you having? Unable to connect, or connection OK but can't pull back any data? I think TCP 1433 is sufficient, as the SQL server listens on 1433. Do a telnet from your ERC to the DB to make sure the FW is not blocking you.

rickrick
Level 7

The test connection is successful and the account has read permission to the DB. Not sure what I am missing here.

Getting this error below.

Sample IPs:

Receiver IP: 192.10.1.2
Endpoint IP: 10.10.10.1

McAfee-ERC-1260 ~ # tcpdump -nni eth0 host 10.10.10.1 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:25:29.863295 IP (tos 0x0, ttl 126, id 2838, offset 0, flags [DF], proto TCP (6), length 41)
    10.10.10.1.1433 > 192.10.1.2.43110: Flags [.], cksum 0xaea5 (correct), seq 948722877:948722878, ack 2577839236, win 256, length 1
16:25:29.863314 IP (tos 0x0, ttl 64, id 30973, offset 0, flags [DF], proto TCP (6), length 40)
    192.10.1.2.43110 > 10.10.10.1.1433: Flags [.], cksum 0x6ed4 (incorrect -> 0xaf8e), seq 1, ack 1, win 23, length 0
16:25:59.864328 IP (tos 0x0, ttl 126, id 2839, offset 0, flags [DF], proto TCP (6), length 41)
    10.10.10.1.1433 > 192.10.1.2.43110: Flags [.], cksum 0xaea5 (correct), seq 0:1, ack 1, win 256, length 1
16:25:59.864337 IP (tos 0x0, ttl 64, id 30974, offset 0, flags [DF], proto TCP (6), length 40)
    192.10.1.2.43110 > 10.10.10.1.1433: Flags [.], cksum 0x6ed4 (incorrect -> 0xaf8e), seq 1, ack 1, win 23, length 0
16:26:29.864155 IP (tos 0x0, ttl 126, id 2840, offset 0, flags [DF], proto TCP (6), length 41)

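Reading the capture in the post above: every 30 seconds the SQL Server side sends a 1-byte, ACK-only segment at relative sequence 0:1 (the byte just before the send window) and the receiver answers with a zero-length ACK. That is the shape of a TCP keepalive probe (SQL Server's TCP/IP protocol KeepAlive property defaults to 30000 ms), so within the captured window the session is established and the firewall is passing traffic in both directions, but the receiver is not sending any TDS query traffic on it. The "incorrect" checksum on the receiver's outgoing ACKs is the usual transmit checksum-offload artifact seen by tcpdump on the sending host, not a fault. The script below is an added example, not code from the post or from McAfee: it parses `tcpdump -nn -vv` text and classifies a flow as keepalive-only or data-carrying. The first sample is rebuilt from the sanitised lines in the post (receiver 192.10.1.2, SQL Server 10.10.10.1); the contrast sample and its byte counts are constructed. The TTL-based hop estimate and the "probe is a 1-byte ACK-only segment" rule are heuristics.

```python
"""Classify TCP flows in `tcpdump -nn -vv` text as keepalive-only or data-carrying.

Added example for the capture in the forum post; not McAfee or forum code.
"""
import re
import statistics
from datetime import datetime

# Constructed sample, rebuilt from the sanitised capture in the post
# (receiver 192.10.1.2, SQL Server 10.10.10.1). -vv prints two lines per packet.
KEEPALIVE_CAPTURE = """\
16:25:29.863295 IP (tos 0x0, ttl 126, id 2838, offset 0, flags [DF], proto TCP (6), length 41)
    10.10.10.1.1433 > 192.10.1.2.43110: Flags [.], cksum 0xaea5 (correct), seq 948722877:948722878, ack 2577839236, win 256, length 1
16:25:29.863314 IP (tos 0x0, ttl 64, id 30973, offset 0, flags [DF], proto TCP (6), length 40)
    192.10.1.2.43110 > 10.10.10.1.1433: Flags [.], cksum 0x6ed4 (incorrect -> 0xaf8e), seq 1, ack 1, win 23, length 0
16:25:59.864328 IP (tos 0x0, ttl 126, id 2839, offset 0, flags [DF], proto TCP (6), length 41)
    10.10.10.1.1433 > 192.10.1.2.43110: Flags [.], cksum 0xaea5 (correct), seq 0:1, ack 1, win 256, length 1
16:25:59.864337 IP (tos 0x0, ttl 64, id 30974, offset 0, flags [DF], proto TCP (6), length 40)
    192.10.1.2.43110 > 10.10.10.1.1433: Flags [.], cksum 0x6ed4 (incorrect -> 0xaf8e), seq 1, ack 1, win 23, length 0
16:26:29.864155 IP (tos 0x0, ttl 126, id 2840, offset 0, flags [DF], proto TCP (6), length 41)
    10.10.10.1.1433 > 192.10.1.2.43110: Flags [.], cksum 0xaea5 (correct), seq 0:1, ack 1, win 256, length 1
"""

# Constructed contrast case (hypothetical sizes): a TDS request from the receiver
# and a response from SQL Server, i.e. what a working data-source poll looks like.
DATA_CAPTURE = """\
16:30:00.000000 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 160)
    192.10.1.2.43110 > 10.10.10.1.1433: Flags [P.], cksum 0x0000 (incorrect -> 0x0000), seq 1:121, ack 1, win 23, length 120
16:30:00.004000 IP (tos 0x0, ttl 126, id 2900, offset 0, flags [DF], proto TCP (6), length 340)
    10.10.10.1.1433 > 192.10.1.2.43110: Flags [P.], cksum 0x0000 (correct), seq 1:301, ack 121, win 256, length 300
"""

HDR_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?proto TCP")
SEG_RE = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*?length (?P<length>\d+)"
)


def _seconds(ts):
    """Time of day in seconds; the capture is assumed not to cross midnight."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def parse_capture(text):
    """Pair each IP header line with the TCP segment line that follows it."""
    packets, pending = [], None
    for line in text.splitlines():
        hdr = HDR_RE.match(line)
        if hdr:
            pending = {"t": _seconds(hdr["ts"]), "ttl": int(hdr["ttl"])}
            continue
        seg = SEG_RE.match(line)
        if seg and pending is not None:
            pending.update(src=seg["src"], sport=int(seg["sport"]), dst=seg["dst"],
                           dport=int(seg["dport"]), flags=seg["flags"], length=int(seg["length"]))
            packets.append(pending)
            pending = None
    return packets


def estimate_hops(ttl):
    """Heuristic: assume the sender started at 64, 128 or 255 (Linux, Windows, network gear)."""
    initial = next(i for i in (64, 128, 255) if i >= ttl)
    return initial - ttl


def analyze(text, server_port=1433):
    pkts = parse_capture(text)
    from_server = [p for p in pkts if p["sport"] == server_port]
    to_server = [p for p in pkts if p["dport"] == server_port]
    client_data = [p for p in to_server if p["length"] > 0]
    server_data = [p for p in from_server if p["length"] > 0]
    # Heuristic: a keepalive probe is a 1-byte, ACK-only segment; real TDS traffic
    # carries at least an 8-byte TDS header and is normally sent with PSH set.
    probes = [p for p in server_data if p["length"] == 1 and "P" not in p["flags"]]
    probe_times = [p["t"] for p in probes]
    gaps = [b - a for a, b in zip(probe_times, probe_times[1:])]
    keepalive_only = bool(probes) and len(probes) == len(server_data) and not client_data
    result = {
        "packets": len(pkts),
        "client_data_packets": len(client_data),
        "server_payload_max": max((p["length"] for p in server_data), default=0),
        "probe_interval_s": statistics.median(gaps) if gaps else None,
        "server_hops": estimate_hops(from_server[0]["ttl"]) if from_server else None,
        "keepalive_only": keepalive_only,
    }
    result["verdict"] = (
        "session up, keepalives only: the firewall is not the blocker, check the query and DB permissions"
        if keepalive_only else "application data exchanged on this session"
    )
    return result


if __name__ == "__main__":
    for name, cap in (("post capture", KEEPALIVE_CAPTURE), ("constructed contrast", DATA_CAPTURE)):
        print(name, analyze(cap))
```

Run it against a real capture with `python3 this.py < capture.txt` adapted to read stdin, or paste more lines into the sample string; a flow that shows only the keepalive pattern for several minutes while the data source is supposed to be polling points at the query side (account rights, instance or database selection, polling schedule) rather than at the network path.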
rickrick
Level 7

Hi,

Quick question: what version of Forefront Endpoint are you using? 2016?

Kind regards,

sssyyy
Level 12

We are using 2012, but I don't see why 2016 wouldn't work unless the underlying SQL DB table structure has changed.

Does the user account that you specified in the data source configuration have both db_datareader and public rights? A successful connect only means that the credential is valid on SQL; the privilege may not be sufficient to pull back data. Also make sure you roll out policy at the default level.

McAfee Corporate KB: How to troubleshoot when no events are received from a new data source (KB82387)

rickrick
Level 7

Thanks sssyyy,

I will check db_datareader; I am not sure whether it has public rights.

Kind regards,
