
McAfee ePolicy Orchestrator

The JSA DSM for McAfee ePolicy Orchestrator collects events from a McAfee ePolicy Orchestrator device.

The following table identifies the specifications for the McAfee ePolicy Orchestrator DSM:

Table 1: McAfee ePolicy Orchestrator

    Manufacturer: McAfee
    DSM name: McAfee ePolicy Orchestrator
    RPM file name: DSM-McAfeeEpo-JSA_version-build_number.noarch.rpm
    Supported versions: 3.5 to 5.9.x
        Note: Due to changes implemented by McAfee, version 5.10 is not supported by JSA.
    Protocol: JDBC, SNMPv1, SNMPv2, SNMPv3
    Recorded event types: AntiVirus events
    Automatically discovered? No
    Includes identity? No
    Includes custom properties? No
    More information: McAfee website

To integrate McAfee ePolicy Orchestrator with JSA, complete the following steps:

  1. If automatic updates are not enabled, RPMs are available for download from https://support.juniper.net/support/downloads/. Download and install the most recent version of the following RPMs on your JSA console.

    • JDBC Protocol RPM

    • SNMP Protocol RPM

    • DSMCommon RPM

    • McAfee ePolicy Orchestrator DSM RPM

  2. Configure your McAfee ePolicy Orchestrator device to send events to JSA.

    1. Add a registered server.

    2. Configure SNMP notifications, or the JDBC protocol.

    3. Install the Java Cryptography Extension for high-level SNMP decryption algorithms.

  3. Add a McAfee ePolicy Orchestrator log source on the JSA console. The following tables describe the SNMPv1, SNMPv2, SNMPv3, and JDBC protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 2: McAfee ePolicy Orchestrator SNMPv1 Log Source Parameters

    Log Source Name
        Type a unique name for the log source.
    Log Source Description (Optional)
        Type a description for the log source.
    Log Source Type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        SNMPv1
    Log Source Identifier
        Type a unique identifier for the log source.

    Table 3: McAfee ePolicy Orchestrator SNMPv2 Log Source Parameters

    Log Source Name
        Type a unique name for the log source.
    Log Source Description (Optional)
        Type a description for the log source.
    Log Source Type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        SNMPv2
    Log Source Identifier
        Type a unique identifier for the log source.
    Community
        The SNMP community string for the SNMPv2 protocol, such as Public.
    Include OIDs in Event Payload
        To allow the McAfee ePolicy Orchestrator event payloads to be constructed as name-value pairs instead of the standard event payload format, select the Include OIDs in Event Payload check box.
        Note: You must include OIDs in the event payload for processing SNMPv2 events for McAfee ePolicy Orchestrator.

    Table 4: McAfee ePolicy Orchestrator SNMPv3 Log Source Parameters

    Log Source Name
        Type a unique name for the log source.
    Log Source Description (Optional)
        Type a description for the log source.
    Log Source Type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        SNMPv3
    Log Source Identifier
        Type a unique identifier for the log source.
    Authentication Protocol
        The algorithm that you want to use to authenticate SNMPv3 traps:
        • SHA uses Secure Hash Algorithm (SHA) as your authentication protocol.
        • MD5 uses Message Digest 5 (MD5) as your authentication protocol.
    Authentication Password
        The password to authenticate SNMPv3. Your authentication password must include a minimum of 8 characters.
    Decryption Protocol
        Select the algorithm that you want to use to decrypt the SNMPv3 traps:
        • DES
        • AES128
        • AES192
        • AES256
        Note: If you select AES192 or AES256 as your decryption algorithm, you must install the Java Cryptography Extension on JSA. For more information, see "Installing the Java Cryptography Extension on JSA".
    Decryption Password
        The password to decrypt SNMPv3 traps. Your decryption password must include a minimum of 8 characters.
    User
        The user name that was used to configure SNMPv3 on your McAfee ePO appliance.
    Include OIDs in Event Payload
        To allow the McAfee ePolicy Orchestrator event payloads to be constructed as name-value pairs instead of the standard event payload format, select the Include OIDs in Event Payload check box.
        Note: You must include OIDs in the event payload for processing SNMPv3 events for McAfee ePolicy Orchestrator.

    Table 5: McAfee ePolicy Orchestrator JDBC Log Source Parameters

    Log Source Name
        Type a unique name for the log source.
    Log Source Description (Optional)
        Type a description for the log source.
    Log Source Type
        McAfee ePolicy Orchestrator
    Protocol Configuration
        JDBC
    Log Source Identifier
        Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.
        If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.
    Database Type
        Select MSDE from the list.
    Database Name
        The name of the McAfee ePolicy Orchestrator database.
    IP or Hostname
        The IP address or host name of the McAfee ePolicy Orchestrator SQL Server.
    Port
        Type the port number that is used by the database server. The default port for MSDE is 1433. Verify that the port that you specify in the Port field is open and that JSA can communicate with the database server through it.
        The JDBC configuration port must match the listener port of the McAfee ePolicy Orchestrator database. To be able to communicate with JSA, the McAfee ePolicy Orchestrator database must have incoming TCP connections enabled.
        If you define a database instance that uses MSDE as the database type, you must leave the Port parameter blank in your configuration.
    Username
        A user account for JSA in the database. The user name can be up to 255 alphanumeric characters in length and can include underscore (_) characters.
    Password
        The password that is required to connect to the database.
    Authentication Domain
        Displayed only if you did not select Use Microsoft JDBC. The Windows domain for MSDE. If your network does not use a domain, leave this field blank.
    Database Instance
        The database instance, if required. MSDE databases can include multiple SQL Server instances on one server. When a non-standard port is used for the database, or access to port 1433 for SQL database resolution is blocked, the Database Instance parameter must be blank in the log source configuration.
    Predefined Query (Optional)
        Select a predefined database query for the log source. If a predefined query is not available for the log source type, select the none option.
    Table Name
        The table or view that includes the event records:
        • For ePolicy Orchestrator 3.x, type Events.
        • For ePolicy Orchestrator 4.x, type EPOEvents.
        • For ePolicy Orchestrator 5.x, type EPOEvents.
    Select List
        The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field.
    Compare Field
        A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. This field enables the protocol to recognize events that it already polled, so that duplicate events are not created.
    Use Prepared Statements
        Prepared statements enable the JDBC protocol source to set up the SQL statement once, and then run it numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.
    Start Date and Time (Optional)
        Type the start date and time for database polling in the format yyyy-MM-dd HH:mm, with HH specified by using a 24-hour clock. If the start date and time are left clear, polling begins immediately and repeats at the specified polling interval.
    Polling Interval
        Type the amount of time between queries to the event table. To define a longer polling interval, append H for hours or M for minutes to the numeric value.
    EPS Throttle
        The number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20,000.
    Use Named Pipe Communication
        Displayed only if you did not select Use Microsoft JDBC. Clear the Use Named Pipe Communication check box. When a Named Pipe connection is used, the user name and password must be the appropriate Windows authentication user name and password, not the MSDE database user name and password.
    Database Cluster Name
        Displayed only if you selected Use Named Pipe Communication. If you are running your SQL Server in a cluster environment, define the cluster name to ensure that named pipe communication functions properly.
    Use NTLMv2
        Displayed only if you did not select Use Microsoft JDBC. Select this option if you want MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.
    Use Microsoft JDBC
        If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC.
    Use SSL
        Select this option if your connection supports SSL. This option appears only for MSDE.
    Microsoft SQL Server Hostname
        Displayed only if you selected Use Microsoft JDBC and Use SSL. Type the host name for the Microsoft SQL Server.

  4. Verify that JSA is configured correctly.

    The following table shows a sample normalized event message from McAfee ePolicy Orchestrator:

    Table 6: McAfee ePolicy Orchestrator Sample Message

    Event name: Device Unplug
    Low level category: Information
    Sample log message:
        AutoID: "41210078" AutoGUID: "B3B25537-38F2-4F88-9D62-FD1620159C75" ServerID: "CALASUR01" ReceivedUTC: "2016-04-11 20:34:09.913" DetectedUTC: "2016-04-11 17:18:02.0" AgentGUID: "8EFDD3B5-FFC6-49A3-B3FC-9676CA7E0B66" Analyzer: "DATALOSS2000" AnalyzerName: "Data Loss Prevention" AnalyzerVersion: "9.3.500.15" AnalyzerHostName: "CALASUR01" AnalyzerIPV4: "0000000000" AnalyzerIPV6: "[AAAAAAAAAA" AnalyzerMAC: "null" AnalyzerDATVersion: "null" AnalyzerEngineVersion: "null" AnalyzerDetectionMethod: "null" SourceHostName: "4506-00-C-101" SourceIPV4: "-0000000000" SourceIPV6: "[AAAAAAAAAA" SourceMAC: "000000000000" SourceUserName: "CAJAMAR\telefonica" SourceProcessName: "" SourceURL: "null" TargetHostName: "4506-00-C-101" TargetIPV4: "-0000000000" TargetIPV6: "[AAAAAAAAAA" TargetMAC: "000000000000" TargetUserName: "username" TargetPort: "null" TargetProtocol: "null" TargetProcessName: "" TargetFileName: "null" ThreatCategory: "policy" ThreatEventID: "19116" ThreatSeverity: "5" ThreatName: "Politica 1: Auditar USB de Almacenamiento" ThreatType: "DEVICE_UNPLUG" ThreatActionTaken: "MON|ON" ThreatHandled: "null" TheTimestamp: "[B@cd76718a" TenantId: "1"
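The sample message in Table 6 is a flat run of Key: "value" pairs, sometimes with no whitespace between them, and it carries filler values ("null", all-zero addresses, "[AAAAAAAAAA", a Java byte-array reference) wherever ePO had no data. The following Python is an added example, not code from JSA or McAfee, of parsing and normalizing such a payload. The field names come from the sample above; the SAMPLE_PAYLOAD excerpt, the placeholder patterns in PLACEHOLDER_RE and the record layout returned by normalize() are this example's own assumptions.

```python
"""Parser for the name-value event payload format shown in Table 6.

Added example, not JSA or McAfee code. The Key: "value" layout (sometimes with
no whitespace between pairs) is taken from the sample message; the placeholder
patterns treated as "no value" are a heuristic drawn from that sample, not
documented ePO behaviour.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# One pair: an identifier, a colon, optional whitespace, then a quoted value.
# Values may contain colons and backslashes but no embedded double quotes.
PAIR_RE = re.compile(r'(\w+):\s*"([^"]*)"')

# Filler values seen in the sample: "null", all-zero addresses, "[AAAA..."
# IPv6 fields and a Java byte-array reference. Assumption: they carry no data.
PLACEHOLDER_RE = re.compile(r'^(null|-?0+|\[A+|\[B@[0-9a-f]+)$')

# Constructed excerpt of the Table 6 sample (same field layout, fewer fields).
SAMPLE_PAYLOAD = (
    'AutoID: "41210078" ServerID:"CALASUR01" ReceivedUTC: "2016-04-11 20:34:09.913"'
    'DetectedUTC: "2016-04-11 17:18:02.0" AnalyzerName: "Data Loss Prevention" '
    'SourceIPV4: "-0000000000" SourceMAC: "000000000000" '
    'SourceUserName: "CAJAMAR\\telefonica" TargetUserName: "username" '
    'TargetPort: "null" ThreatCategory: "policy" ThreatEventID: "19116" '
    'ThreatSeverity: "5" ThreatName: "Politica 1: Auditar USB de Almacenamiento" '
    'ThreatType: "DEVICE_UNPLUG" ThreatActionTaken: "MON|ON" TenantId: "1"'
)


def parse_pairs(payload: str) -> dict:
    """Split the payload into its raw key/value pairs, preserving order."""
    return dict(PAIR_RE.findall(payload))


def clean(value: str) -> Optional[str]:
    """Map empty strings and ePO placeholder values to None."""
    if value == "" or PLACEHOLDER_RE.match(value):
        return None
    return value


def parse_utc(value: str) -> Optional[datetime]:
    """ePO timestamps are naive UTC with a variable-width fraction (".0", ".913")."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def normalize(payload: str) -> dict:
    """Build a small normalized record: event name derived from ThreatType
    (as in Table 6, DEVICE_UNPLUG becomes "Device Unplug"), integer severity,
    timezone-aware timestamps, and None where the payload held a placeholder."""
    raw = parse_pairs(payload)
    fields = {k: clean(v) for k, v in raw.items()}
    threat_type = fields.get("ThreatType")
    severity = fields.get("ThreatSeverity")
    return {
        "event_name": threat_type.replace("_", " ").title() if threat_type else None,
        "severity": int(severity) if severity and severity.isdigit() else None,
        "detected_utc": parse_utc(fields["DetectedUTC"]) if fields.get("DetectedUTC") else None,
        "received_utc": parse_utc(fields["ReceivedUTC"]) if fields.get("ReceivedUTC") else None,
        "source_user": fields.get("SourceUserName"),
        "source_ip": fields.get("SourceIPV4"),    # None: the sample only carried a placeholder
        "source_mac": fields.get("SourceMAC"),
        "threat_name": fields.get("ThreatName"),
        "action": fields.get("ThreatActionTaken"),
        "raw": raw,
    }


if __name__ == "__main__":
    for key, value in normalize(SAMPLE_PAYLOAD).items():
        if key != "raw":
            print(f"{key}: {value}")
```

Because the regex anchors each pair on the identifier and colon before the opening quote, a value such as "Politica 1: Auditar USB de Almacenamiento" is kept whole even though it contains a colon; treating placeholder addresses as missing rather than as the literal string "-0000000000" keeps them from being indexed as if they were real source IPs.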
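The Compare Field, Select List, Use Prepared Statements and Start Date and Time parameters in Table 5 together describe one polling algorithm: remember the highest Compare Field value seen so far, and on each interval run the same prepared query bound to that value so that only newer rows come back and nothing is collected twice. The following Python is an added example of that algorithm, not JSA's JDBC protocol implementation. It uses an in-memory SQLite table named EPOEvents, filled with constructed rows, as a stand-in for the ePO SQL Server database so that it runs offline; the JdbcStylePoller class, the max_rows_per_poll cap and the sample rows are assumptions of this example.

```python
"""Incremental polling with a Compare Field and prepared statements.

Added example for the JDBC parameters in Table 5; it is not JSA code. An
in-memory SQLite table named EPOEvents with constructed rows stands in for
the ePO SQL Server (MSDE) database so the example runs offline.
"""
import re
import sqlite3

# Constructed rows: AutoID, DetectedUTC, ThreatType, ThreatSeverity, SourceUserName.
SAMPLE_ROWS = [
    (41210076, "2016-04-11 17:10:00.0", "DEVICE_PLUG", 3, "CAJAMAR\\telefonica"),
    (41210077, "2016-04-11 17:15:00.0", "DEVICE_UNPLUG", 5, "CAJAMAR\\telefonica"),
    (41210078, "2016-04-11 17:18:02.0", "DEVICE_UNPLUG", 5, "CAJAMAR\\telefonica"),
]
SELECT_LIST = ["AutoID", "DetectedUTC", "ThreatType", "ThreatSeverity", "SourceUserName"]

# Table and column names cannot be bound as query parameters, so they are
# whitelisted instead; only the Compare Field value and the row cap are bound.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_database() -> sqlite3.Connection:
    """Create the stand-in EPOEvents table (the ePO 4.x/5.x table name from Table 5)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, DetectedUTC TEXT, "
        "ThreatType TEXT, ThreatSeverity INTEGER, SourceUserName TEXT)"
    )
    conn.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def validate_select_list(select_list, compare_field) -> bool:
    """Mirror the Select List rule: every name is a plain identifier and the
    Compare Field is among the selected columns (a bare '*' is not handled here)."""
    return all(IDENT_RE.match(c) for c in select_list) and compare_field in select_list


class JdbcStylePoller:
    """Return only rows whose Compare Field is greater than the last value seen."""

    def __init__(self, conn, table, select_list, compare_field, start_after,
                 max_rows_per_poll=1000):
        if not IDENT_RE.match(table) or not validate_select_list(select_list, compare_field):
            raise ValueError("table, Select List and Compare Field must be plain identifiers, "
                             "and the Select List must contain the Compare Field")
        self.conn = conn
        self.select_list = list(select_list)
        self.compare_idx = self.select_list.index(compare_field)
        self.last_seen = start_after        # Start Date and Time, or 0 for a numeric key
        self.max_rows = max_rows_per_poll   # simple page cap; not JSA's EPS throttle
        columns = ", ".join(self.select_list)
        # Prepared once; executed on every poll with different bound parameters.
        self.query = (f"SELECT {columns} FROM {table} WHERE {compare_field} > ? "
                      f"ORDER BY {compare_field} LIMIT ?")

    def poll(self):
        """One polling interval: fetch rows newer than the high-water mark, then advance it."""
        rows = self.conn.execute(self.query, (self.last_seen, self.max_rows)).fetchall()
        if rows:
            self.last_seen = rows[-1][self.compare_idx]
        return [dict(zip(self.select_list, row)) for row in rows]


def insert_event(conn, row) -> None:
    """Simulate ePO writing a new event between two polls (constructed data)."""
    conn.execute("INSERT INTO EPOEvents VALUES (?, ?, ?, ?, ?)", row)
    conn.commit()


if __name__ == "__main__":
    db = build_database()
    poller = JdbcStylePoller(db, "EPOEvents", SELECT_LIST, "AutoID",
                             start_after=0, max_rows_per_poll=2)
    print(poller.poll())   # first two rows
    print(poller.poll())   # the third row
    print(poller.poll())   # [] until ePO writes more events
```

Identifiers (table and column names) cannot be bound as parameters in a prepared statement, which is why the example checks them against IDENT_RE before building the query text; the Compare Field value and the row cap are the only things bound at execution time. Using a timestamp column such as DetectedUTC as the Compare Field works the same way, with the Start Date and Time value as the initial high-water mark.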

Adding a Registered Server to McAfee ePolicy Orchestrator

To configure McAfee ePolicy Orchestrator to forward SNMP events, you must add a registered server to your McAfee ePolicy Orchestrator device.

  1. Log in to your McAfee ePolicy Orchestrator device.
  2. Select Menu > Configuration > Registered Servers.
  3. Click New Server.
  4. From the Server Type menu, select SNMP Server.
  5. Type the name and any additional notes about the SNMP server, and then click Next.
  6. From the Address list, select the type of server address that you are using, and then type the name or IP address.
  7. From the SNMP Version list, select the SNMP version that you want to use:
    • If you use SNMPv2c, provide the Community name.
    • If you use SNMPv3, provide the SNMPv3 Security details.
  8. To verify the SNMP configuration, click Send Test Trap.
  9. Click Save.

Next, configure SNMP notifications on your McAfee ePolicy Orchestrator device.

Configuring SNMP Notifications on McAfee ePolicy Orchestrator

To send SNMP events from McAfee ePolicy Orchestrator to JSA, you must configure SNMP notifications on your McAfee ePolicy Orchestrator device.

You must add a registered server to McAfee ePolicy Orchestrator before you complete the following steps.

  1. Select Menu > Automation > Automatic Responses.
  2. Click New Responses, and then configure the following values:
    1. Type a name and description for the response.
    2. From the Event group list, select ePO Notification Events.
    3. From the Event type list, select Threats.
    4. From the Status list, select Enabled.
  3. Click Next.
  4. From the Value column, type a value to use for system selection, or click the ellipsis icon.
  5. Optional: From the Available Properties list, select more filters to narrow the response results.
  6. Click Next.
  7. Select Trigger this response for every event, and then click Next.

    When you configure aggregation for your McAfee ePolicy Orchestrator responses, do not enable throttling.

  8. From the Actions list, select Send SNMP Trap.
  9. Configure the following values:
    1. From the list of SNMP servers, select the SNMP server that you registered when you added a registered server.
    2. From the Available Types list, select List of All Values.
    3. Click >> to add the event type that is associated with your McAfee ePolicy Orchestrator version. Use the following table as a guide:

    Available Types                   Selected Types            ePolicy Orchestrator Version
    Detected UTC                      {listOfDetectedUTC}       4.5, 5.9.x
    Received UTC                      {listOfReceivedUTC}       4.5, 5.9.x
    Detecting Product IPv4 Address    {listOfAnalyzerIPV4}      4.5, 5.9.x
    Detecting Product IPv6 Address    {listOfAnalyzerIPV6}      4.5, 5.9.x
    Detecting Product MAC Address     {listOfAnalyzerMAC}       4.5, 5.9.x
    Source IPv4 Address               {listOfSourceIPV4}        4.5, 5.9.x
    Source IPv6 Address               {listOfSourceIPV6}        4.5, 5.9.x
    Source MAC Address                {listOfSourceMAC}         4.5, 5.9.x
    Source User Name                  {listOfSourceUserName}    4.5, 5.9.x
    Target IPv4 Address               {listOfTargetIPV4}        4.5, 5.9.x
    Target IPv6 Address               {listOfTargetIPV6}        4.5, 5.9.x
    Target MAC                        {listOfTargetMAC}         4.5, 5.9.x
    Target Port                       {listOfTargetPort}        4.5, 5.9.x
    Threat Event ID                   {listOfThreatEventID}     4.5, 5.9.x
    Threat Severity                   {listOfThreatSeverity}    4.5, 5.9.x
    SourceComputers                                             4.0
    AffectedComputerIPs                                         4.0
    EventIDs                                                    4.0
    TimeNotificationSent                                        4.0

  10. Click Next, and then click Save.

Next, add a log source in JSA, and then install the Java Cryptography Extension for high-level SNMP decryption algorithms.

Installing the Java Cryptography Extension on McAfee ePolicy Orchestrator

The Java Cryptography Extension (JCE) is a Java framework that is required for JSA to decrypt SNMPv3 traps that use the AES192 or AES256 algorithms. The following information describes how to install Oracle JCE on your McAfee ePolicy Orchestrator (McAfee ePO) device.

  1. Download the latest version of the Java Cryptography Extension from the following website:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

    The Java Cryptography Extension version must match the version of Java that is installed on your McAfee ePO device.

  2. Copy the JCE compressed file to the following directory on your McAfee ePO device:

    <installation path to McAfee ePO>/jre/lib/security

Installing the Java Cryptography Extension on JSA

The Java Cryptography Extension (JCE) is a Java framework that is required for JSA to decrypt SNMPv3 traps that use the AES192 or AES256 algorithms. The following information describes how to install Oracle JCE on your JSA appliance.

  1. Download the latest version of the Java Cryptography Extension from the following website:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

    The Java Cryptography Extension version must match the version of Java that is installed on JSA.

  2. Extract the JCE file.

    The following Java archive (JAR) files are included in the JCE download:

    • local_policy.jar
    • US_export_policy.jar

  3. Log in to your JSA console or JSA Event Collector as the root user.
  4. Copy the JCE JAR files to the following directory on your JSA console or Event Collector:

    /usr/java/j2sdk/jre/lib/

    Note: The JCE JAR files are copied only to the system that receives the AES192 or AES256 encrypted traps.

  5. Restart the JSA services by typing one of the following commands:
    • If you are using JSA 2014.x, type service ecs-ec restart.
    • If you are using JSA 7.3.0, type systemctl restart ecs-ec.service.
    • If you are using JSA 7.3.1, type systemctl restart ecs-ec-ingress.service.