McAfee EPolicy Orchestrator


The JSA DSM for McAfee ePolicy Orchestrator collects events from a McAfee ePolicy Orchestrator device.

The following table identifies the specifications for the McAfee ePolicy Orchestrator DSM:

Table 1: McAfee EPolicy Orchestrator

    Specification                 Value
    Manufacturer                  McAfee
    DSM name                      McAfee ePolicy Orchestrator
    RPM file name                 DSM-McAfeeEpo-JSA_version-build_number.noarch.rpm
    Supported versions            V3.5 to V5.x
    Protocol                      JDBC, SNMPv1, SNMPv2, SNMPv3
    Recorded event types          AntiVirus events
    Automatically discovered?     No
    Includes identity?            No
    Includes custom properties?   No
    More information              McAfee website (http://www.mcafee.com/usproducts/epolicy-orchestrator.aspx)

To integrate McAfee ePolicy Orchestrator with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the following RPMs from Juniper Customer Support and install them on your JSA console.

    • JDBC Protocol RPM

    • SNMP Protocol RPM

    • DSMCommon RPM

    • McAfee ePolicy Orchestrator DSM RPM

  2. Configure your McAfee ePolicy Orchestrator device to send events to JSA.

    1. Add a registered server.

    2. Configure SNMP notifications.

    3. Install the Java Cryptography Extension for high-level SNMP decryption algorithms.

  3. Add a McAfee ePolicy Orchestrator log source on the JSA console. The following tables describe the SNMPv1, SNMPv2, SNMPv3, and JDBC protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 2: McAfee EPolicy Orchestrator SNMPv1 Log Source Parameters

    Log Source type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        SNMPv1
    Log Source Identifier
        Type a unique identifier for the log source.

    Table 3: McAfee EPolicy Orchestrator SNMPv2 Log Source Parameters

    Log Source type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        SNMPv2
    Log Source Identifier
        Type a unique identifier for the log source.
    Community
        The SNMP community string for the SNMPv2 protocol, such as Public.
    Include OIDs in Event Payload
        Select this check box so that McAfee ePolicy Orchestrator event payloads are constructed as name-value pairs instead of the standard event payload format.
        Note: You must include OIDs in the event payload for processing SNMPv2 events for McAfee ePolicy Orchestrator.

    Table 4: McAfee EPolicy Orchestrator SNMPv3 Log Source Parameters

    Log Source type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        SNMPv3
    Log Source Identifier
        Type a unique identifier for the log source.
    Authentication Protocol
        The algorithm that you want to use to authenticate SNMPv3 traps:
        • SHA uses Secure Hash Algorithm (SHA) as your authentication protocol.
        • MD5 uses Message Digest 5 (MD5) as your authentication protocol.
    Authentication Password
        The password to authenticate SNMPv3. Your authentication password must include a minimum of 8 characters.
    Decryption Protocol
        Select the algorithm that you want to use to decrypt the SNMPv3 traps:
        • DES
        • AES128
        • AES192
        • AES256
        Note: If you select AES192 or AES256 as your decryption algorithm, you must install the Java Cryptography Extension. For more information about installing the Java Cryptography Extension on McAfee ePolicy Orchestrator, see Installing the Java Cryptography Extension on McAfee EPolicy Orchestrator.
    Decryption Password
        The password to decrypt SNMPv3 traps. Your decryption password must include a minimum of 8 characters.
    User
        The user name that was used to configure SNMPv3 on your McAfee ePO appliance.
    Include OIDs in Event Payload
        Select this check box so that McAfee ePolicy Orchestrator event payloads are constructed as name-value pairs instead of the standard event payload format.
        Note: You must include OIDs in the event payload for processing SNMPv3 events for McAfee ePolicy Orchestrator.

    Table 5: McAfee EPolicy Orchestrator JDBC Log Source Parameters

    Log Source type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        JDBC
    Log Source Identifier
        Use the following format:
        <McAfee_ePO_Database>@<McAfee_ePO_Database_Server_IP_or_Host_Name>
        Use the name of the McAfee ePolicy Orchestrator database and the IP address or host name of the database server of the McAfee ePolicy Orchestrator Management Console.
    Database Type
        Select MSDE from the list.
    Database Name
        The name of the McAfee ePolicy Orchestrator database.
    IP or Hostname
        The IP address or host name of the McAfee ePolicy Orchestrator SQL Server.
    Port
        The port number that the database server uses. The port must match the listener port of the McAfee ePolicy Orchestrator database, and incoming TCP connections on that database must be enabled so that it can communicate with JSA. The default port for MSDE databases is 1433.
    Username
        The user name can be up to 255 alphanumeric characters in length and can include underscore (_) characters. To track database access for audit purposes, create a specific user on the database for JSA.
    Password
        The password can be up to 255 characters in length.
    Authentication Domain
        If you select MSDE from the Database Type list and the database is configured for Windows authentication, you must define this parameter. Otherwise, leave this parameter blank.
    Database Instance
        MSDE databases can include multiple SQL Server instances on one server. When a non-standard port is used for the database, or access to port 1433 for SQL database resolution is blocked, the Database Instance parameter must be blank in the log source configuration.
    Predefined Query
        Select a predefined query for the log source. If a predefined query is not available for the log source type, administrators can select none.
    Table Name
        The table or view that includes the event records:
        • For ePolicy Orchestrator 3.x, type Events.
        • For ePolicy Orchestrator 4.x, type EPOEvents.
        • For ePolicy Orchestrator 5.x, type EPOEvents.
    Select List
        Use a comma-separated list, or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field.
    Compare Field
        To identify new events added to the table between queries, type AutoID.
    Use Prepared Statements
        Allows the JDBC protocol source to set up the SQL statement once, and then run it many times with different parameters. For security and performance reasons, use prepared statements. Clearing this check box uses an alternative query method that does not use pre-compiled statements.
    Start Date and Time
        Type the start date and time for database polling in the format yyyy-MM-dd HH:mm, using a 24-hour clock for HH. If the start date or time is left blank, polling begins immediately and repeats at the specified polling interval.
    Polling Interval
        The amount of time between queries to the event table. The default polling interval is 10 seconds. To define a longer polling interval, append H for hours or M for minutes to the numeric value; numeric values entered without an H or M are interpreted as seconds. The maximum polling interval is one week in any time format.
    EPS Throttle
        The number of events per second (EPS) that you do not want this protocol to exceed.
    Use Named Pipe Communication
        Clear the Use Named Pipe Communication check box. When a Named Pipe connection is used, the user name and password must be the appropriate Windows authentication user name and password, not the MSDE database user name and password.
    Database Cluster Name
        This parameter is displayed when Use Named Pipe Communication is enabled. If you are running your SQL Server in a cluster environment, define the cluster name to ensure that named pipe communication functions properly.
    Use NTLMv2
        Select this option if you want MSDE connections to use the NTLMv2 protocol when they communicate with SQL Servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.
    Use SSL
        You must enable this parameter if your connection supports SSL, even if your connection does not require it. This option requires extra configuration on your database and requires you to configure certificates on both appliances.

  4. Verify that JSA is configured correctly.

    The following table shows a sample normalized event message from McAfee ePolicy Orchestrator:

    Table 6: McAfee EPolicy Orchestrator Sample Message

    Event name
        Device Unplug
    Low level category
        Information
    Sample log message
        AutoID: "41210078" AutoGUID: "B3B25537-38F2-4F88-9D62-FD1620159C75" ServerID:"CALASUR01" ReceivedUTC: "2016-04-11 20:34:09.913" DetectedUTC: "2016-04-11 17:18:02.0" AgentGUID: "8EFDD3B5-FFC6-49A3-B3FC-9676CA7E0B66" Analyzer: "DATALOSS2000" AnalyzerName: "Data Loss Prevention" AnalyzerVersion: "9.3.500.15" AnalyzerHostName: "CALASUR01" AnalyzerIPV4: "0000000000" AnalyzerIPV6: "[AAAAAAAAAA" AnalyzerMAC: "null" AnalyzerDATVersion: "null" AnalyzerEngineVersion: "null" AnalyzerDetectionMethod: "null" SourceHostName: "4506-00-C-101" SourceIPV4: "-0000000000" SourceIPV6: "[AAAAAAAAAA" SourceMAC: "000000000000" SourceUserName: "CAJAMAR\telefonica" SourceProcessName: "" SourceURL: "null" TargetHostName: "4506-00-C-101" TargetIPV4: "-0000000000" TargetIPV6: "[AAAAAAAAAA" TargetMAC: "000000000000" TargetUserName: "username" TargetPort: "null" TargetProtocol: "null" TargetProcessName: "" TargetFileName: "null" ThreatCategory: "policy" ThreatEventID: "19116" ThreatSeverity: "5" ThreatName: "Politica 1: Auditar USB de Almacenamiento" ThreatType: "DEVICE_UNPLUG" ThreatActionTaken: "MON|ON" ThreatHandled: "null" TheTimestamp: "[B@cd76718a" TenantId: "1"
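The JDBC parameters in Table 5 (Compare Field AutoID, Select List, Use Prepared Statements, Polling Interval) describe an incremental poller. The following is an added illustration of that behaviour, not JSA's JDBC protocol code; it uses an in-memory sqlite table as a constructed stand-in for the MSDE EPOEvents table, and the names EpoEventPoller, parse_polling_interval and make_sample_db are mine.

```python
import re
import sqlite3

ONE_WEEK_SECONDS = 7 * 24 * 3600

def parse_polling_interval(text):
    """Polling Interval syntax from Table 5: bare number = seconds, M = minutes, H = hours."""
    m = re.fullmatch(r"\s*(\d+)\s*([HhMm]?)\s*", text)
    if not m:
        raise ValueError(f"bad polling interval: {text!r}")
    seconds = int(m.group(1)) * {"": 1, "m": 60, "h": 3600}[m.group(2).lower()]
    if not 1 <= seconds <= ONE_WEEK_SECONDS:
        raise ValueError("polling interval must be between 1 second and one week")
    return seconds

class EpoEventPoller:
    """Incremental reader: each poll fetches only rows whose Compare Field (AutoID)
    is greater than the highest value already seen, so no event is read twice."""

    def __init__(self, conn, table="EPOEvents", select_list="*", compare_field="AutoID"):
        fields = [f.strip() for f in select_list.split(",")]
        if select_list.strip() != "*" and compare_field not in fields:
            raise ValueError("Select List must contain the Compare Field")
        names = [table, compare_field] + ([] if select_list.strip() == "*" else fields)
        if not all(re.fullmatch(r"\w+", n) for n in names):
            raise ValueError("table and field names must be plain identifiers")
        cols = "*" if select_list.strip() == "*" else ", ".join(fields)
        # Identifiers are validated above and interpolated; the cursor value is bound as a
        # parameter, which is what the Use Prepared Statements option provides.
        self.sql = f"SELECT {cols} FROM {table} WHERE {compare_field} > ? ORDER BY {compare_field}"
        self.conn, self.compare_field, self.last_id = conn, compare_field, 0

    def poll(self):
        cur = self.conn.execute(self.sql, (self.last_id,))
        names = [d[0] for d in cur.description]
        events = [dict(zip(names, row)) for row in cur.fetchall()]
        if events:
            self.last_id = events[-1][self.compare_field]   # remember the high-water mark
        return events

def make_sample_db():
    """Constructed in-memory stand-in for the ePO EPOEvents table (sqlite, not MSDE)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, ThreatType TEXT, ThreatSeverity INTEGER)")
    conn.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?)", [
        (41210076, "DEVICE_PLUG", 4), (41210077, "DEVICE_UNPLUG", 5), (41210078, "DEVICE_UNPLUG", 5)])
    return conn

if __name__ == "__main__":
    poller = EpoEventPoller(make_sample_db(), select_list="AutoID, ThreatType, ThreatSeverity")
    print(poller.poll())   # three rows on the first poll
    print(poller.poll())   # [] until rows with a higher AutoID arrive
```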
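With Include OIDs in Event Payload selected (Tables 3 and 4), the SNMP payload arrives as the Name: "value" pairs shown in Table 6. The following is an added parser for that layout, written here as an illustration and not taken from JSA; the sample is a constructed abbreviation of the Table 6 message, and parse_epo_payload, missing_fields and normalise_event are names I chose.

```python
import re

# Constructed sample, abbreviated from the Table 6 message on this page. The missing
# space before DetectedUTC is deliberate: the parser must not rely on whitespace between pairs.
SAMPLE_PAYLOAD = (
    'AutoID: "41210078" ServerID:"CALASUR01" ReceivedUTC: "2016-04-11 20:34:09.913"'
    'DetectedUTC: "2016-04-11 17:18:02.0" AnalyzerName: "Data Loss Prevention" '
    'SourceUserName: "CAJAMAR\\telefonica" SourceProcessName: "" TargetHostName: "4506-00-C-101" '
    'TargetPort: "null" ThreatCategory: "policy" ThreatEventID: "19116" ThreatSeverity: "5" '
    'ThreatType: "DEVICE_UNPLUG" ThreatActionTaken: "MON|ON" TenantId: "1"'
)

PAIR_RE = re.compile(r'(\w+):\s*"([^"]*)"')

# Fields the normalisation below needs. A trap sent without Include OIDs in Event
# Payload does not carry these names, which is why the Note in Tables 3 and 4 exists.
REQUIRED = ("ThreatEventID", "ThreatType", "ThreatSeverity", "DetectedUTC")

def parse_epo_payload(payload):
    """Turn Name: "value" pairs into a dict; ePO writes the literal string null for unset fields."""
    fields = {}
    for name, value in PAIR_RE.findall(payload):
        fields[name] = None if value == "" or value.lower() == "null" else value
    return fields

def missing_fields(fields):
    return [f for f in REQUIRED if fields.get(f) is None]

def normalise_event(fields):
    """Map the raw pairs onto a compact record that a rule or analyst would work with."""
    missing = missing_fields(fields)
    if missing:
        raise ValueError(f"payload lacks {missing}; check Include OIDs in Event Payload")
    return {
        "event_id": int(fields["ThreatEventID"]),
        "type": fields["ThreatType"],
        "severity": int(fields["ThreatSeverity"]),
        "detected_utc": fields["DetectedUTC"],
        "source_user": fields.get("SourceUserName"),
        "target_host": fields.get("TargetHostName"),
        "action": fields.get("ThreatActionTaken"),
        "server": fields.get("ServerID"),
    }

if __name__ == "__main__":
    print(normalise_event(parse_epo_payload(SAMPLE_PAYLOAD)))
```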

Adding a Registered Server to McAfee EPolicy Orchestrator

To configure McAfee ePolicy Orchestrator to forward SNMP events, you must add a registered server to your McAfee ePolicy Orchestrator device.

  1. Log in to your McAfee ePolicy Orchestrator device.
  2. Select Menu > Configuration > Registered Servers.
  3. Click New Server.
  4. From the Server Type menu, select SNMP Server.
  5. Type the name and any additional notes about the SNMP server, and then click Next.
  6. From the Address list, select the type of server address that you are using and type the name or IP address.
  7. From the SNMP Version list, select the SNMP version that you want to use:
    • If you use SNMPv2c, provide the Community name.
    • If you use SNMPv3, provide the SNMPv3 Security details.
  8. To verify the SNMP configuration, click Send Test Trap.
  9. Click Save.

Next, configure SNMP notifications on your McAfee ePolicy Orchestrator device.

Configuring SNMP Notifications on McAfee EPolicy Orchestrator

To send SNMP events from McAfee ePolicy Orchestrator to JSA, you must configure SNMP notifications on your McAfee ePolicy Orchestrator device.

You must add a registered server to McAfee ePolicy Orchestrator before you complete the following steps.

  1. Select Menu > Automation > Automatic Responses.
  2. Click New Responses, and then configure the following values.
    1. Type a name and description for the response.

    2. From the Event group list, select ePO Notification Events.

    3. From the Event type list, select Threats.

    4. From the Status list, select Enabled.

  3. Click Next.
  4. From the Value column, type a value to use for system selection, or click the ellipsis icon.
  5. From the Available Properties list, select more filters to narrow the response results.
  6. Click Next.
  7. Select Trigger this response for every event and then click Next.

    When you configure aggregation for your McAfee ePolicy Orchestrator responses, do not enable throttling.

  8. From the Actions list, select Send SNMP Trap.
  9. Configure the following values:
    1. From the list of SNMP servers, select the SNMP server that you registered when you added a registered server.

    2. From the Available Types list, select List of All Values.

    3. Click >> to add the event type that is associated with your McAfee ePolicy Orchestrator version. Use the following table as a guide:

    Available Types                 Selected Types              ePolicy Orchestrator Version
    Detected UTC                    {listOfDetectedUTC}         4.5, 5.1
    Received UTC                    {listOfReceivedUTC}         4.5, 5.1
    Detecting Product IPv4 Address  {listOfAnalyzerIPV4}        4.5, 5.1
    Detecting Product IPv6 Address  {listOfAnalyzerIPV6}        4.5, 5.1
    Detecting Product MAC Address   {listOfAnalyzerMAC}         4.5, 5.1
    Source IPv4 Address             {listOfSourceIPV4}          4.5, 5.1
    Source IPv6 Address             {listOfSourceIPV6}          4.5, 5.1
    Source MAC Address              {listOfSourceMAC}           4.5, 5.1
    Source User Name                {listOfSourceUserName}      4.5, 5.1
    Target IPv4 Address             {listOfTargetIPV4}          4.5, 5.1
    Target IPv6 Address             {listOfTargetIPV6}          4.5, 5.1
    Target MAC                      {listOfTargetMAC}           4.5, 5.1
    Target Port                     {listOfTargetPort}          4.5, 5.1
    Threat Event ID                 {listOfThreatEventID}       4.5, 5.1
    Threat Severity                 {listOfThreatSeverity}      4.5, 5.1
    SourceComputers                                             4.0
    AffectedComputerIPs                                         4.0
    EventIDs                                                    4.0
    TimeNotificationSent                                        4.0

  10. Click Next, and then click Save.

After you configure SNMP notifications:

  1. Add a log source in JSA.
  2. Install the Java Cryptography Extension for high-level SNMP decryption algorithms.

Installing the Java Cryptography Extension on McAfee EPolicy Orchestrator

The Java Cryptography Extension (JCE) is a Java framework that JSA requires to decrypt SNMPv3 traps that use the AES192 or AES256 algorithms. The following information describes how to install Oracle JCE on your McAfee ePolicy Orchestrator (McAfee ePO) device.

  1. Download the latest version of the Java™ Cryptography Extension from the following website:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

    The Java™ Cryptography Extension version must match the version of Java that is installed on your McAfee ePO device.

  2. Copy the JCE compressed file to the following directory on your McAfee ePO device:

    <installation path to McAfee ePO>/jre/lib/security

Installing the Java Cryptography Extension on JSA

The Java Cryptography Extension (JCE) is a Java framework that JSA requires to decrypt SNMPv3 traps that use the AES192 or AES256 algorithms. The following information describes how to install Oracle JCE on your JSA appliance.

  1. Download the latest version of the Java™ Cryptography Extension from the following website:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

    The Java™ Cryptography Extension version must match the version of Java that is installed on JSA.

  2. Extract the JCE file.

    The following Java archive (JAR) files are included in the JCE download:

    • local_policy.jar

    • US_export_policy.jar

  3. Log in to your JSA console or JSA Event Collector as a root user.
  4. Copy the JCE JAR files to the following directory on your JSA console or Event Collector:

    /usr/java/j2sdk/jre/lib/

    Note: Copy the JCE JAR files only to the system that receives the AES192- or AES256-encrypted SNMPv3 traps.

  5. Restart the JSA services by typing one of the following commands:
    • If you are using JSA 2014.x, type service ecs-ec restart.
    • If you are using JSA 7.3.0, type systemctl restart ecs-ec.service.
    • If you are using JSA 7.3.1, type systemctl restart ecs-ec-ingress.service.