McAfee EPolicy Orchestrator
The JSA DSM for McAfee ePolicy Orchestrator collects events from a McAfee ePolicy Orchestrator device.

The following table identifies the specifications for the McAfee ePolicy Orchestrator DSM:

Table 1: McAfee EPolicy Orchestrator

Specification | Value
--- | ---
Manufacturer | McAfee
DSM name | McAfee ePolicy Orchestrator
RPM file name | DSM-McAfeeEpo-JSA_version-build_number.noarch.rpm
Supported versions | 3.5 to 5.10
Protocol | JDBC (supports versions 3.5 to 5.9); SNMPv1 (supports versions 3.5 to 5.9); SNMPv2 (supports versions 3.5 to 5.9); SNMPv3 (supports versions 3.5 to 5.9); TLS Syslog (supports version 5.10)
Recorded event types | AntiVirus events
Automatically discovered? | No
Includes identity? | No
Includes custom properties? | No
More information | McAfee website

To integrate McAfee ePolicy Orchestrator with JSA, complete the following steps:

  1. If automatic updates are not enabled, RPMs are available for download from https://support.juniper.net/support/downloads/. Download and install the most recent version of the following RPMs on your JSA console.

    • JDBC Protocol RPM

    • SNMP Protocol RPM

    • TLS Syslog Protocol RPM

    • DSMCommon RPM

    • McAfee ePolicy Orchestrator DSM RPM

  2. Configure your McAfee ePolicy Orchestrator device to send events to JSA.

    1. Add a registered server. If you are using the JDBC protocol, you don't need to add a registered server. For more information about registering servers, see the following procedures:

    2. Configure SNMP notifications. If you are using the JDBC protocol or the TLS Syslog protocol, no further configuration is required.

    3. Install the Java Cryptography Extension for high-level SNMP decryption algorithms. For more information, see Installing the Java Cryptography Extension on McAfee EPolicy Orchestrator and Installing the Java Cryptography Extension on JSA.

  3. Add a McAfee ePolicy Orchestrator log source on the JSA console. The following tables describe the SNMPv1, SNMPv2, SNMPv3, JDBC, and TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    The following table describes the SNMPv1 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 2: McAfee EPolicy Orchestrator SNMPv1 Log Source Parameters

    Parameter | Value
    --- | ---
    Log Source Name | Type a unique name for the log source.
    Log Source Description (Optional) | Type a description for the log source.
    Log Source type | McAfee ePolicy Orchestrator
    Protocol Configuration | SNMPv1
    Log Source Identifier | Type a unique identifier for the log source.

    The following table describes the SNMPv2 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 3: McAfee EPolicy Orchestrator SNMPv2 Log Source Parameters

    Parameter | Value
    --- | ---
    Log Source Name | Type a unique name for the log source.
    Log Source Description (Optional) | Type a description for the log source.
    Log Source type | McAfee ePolicy Orchestrator
    Protocol Configuration | SNMPv2
    Log Source Identifier | Type a unique identifier for the log source.

    The following table describes the SNMPv3 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 4: McAfee EPolicy Orchestrator SNMPv3 Log Source Parameters

    Parameter | Value
    --- | ---
    Log Source Name | Type a unique name for the log source.
    Log Source Description (Optional) | Type a description for the log source.
    Log Source type | McAfee ePolicy Orchestrator
    Protocol Configuration | SNMPv3
    Log Source Identifier | Type a unique identifier for the log source.

    The following table describes the JDBC protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 5: McAfee EPolicy Orchestrator JDBC Log Source Parameters

    Parameter | Value
    --- | ---
    Log Source Name | Type a unique name for the log source.
    Log Source Description (Optional) | Type a description for the log source.
    Log Source type | McAfee ePolicy Orchestrator
    Protocol Configuration | JDBC
    Database Type | Select MSDE from the list.
    Table Name | A table or view that includes the event records: for ePolicy Orchestrator 3.x, type Events; for ePolicy Orchestrator 4.x, type EPOEvents; for ePolicy Orchestrator 5.x, type EPOEvents.

    The following table describes the TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 6: McAfee ePolicy Orchestrator TLS syslog log source parameters

    Parameter | Value
    --- | ---
    Log Source Name | Type a unique name for the log source.
    Log Source Description (Optional) | Type a description for the log source.
    Log Source type | McAfee ePolicy Orchestrator
    Protocol Configuration | TLS Syslog

Configuring SNMP Notifications on McAfee EPolicy Orchestrator

To send SNMP events from McAfee ePolicy Orchestrator to JSA, you must configure SNMP notifications on your McAfee ePolicy Orchestrator device.

You must add a registered server to McAfee ePolicy Orchestrator before you complete the following steps.

  1. Select Menu > Automation > Automatic Responses.
  2. Click New Responses, and then configure the following values.
    1. Type a name and description for the response.

    2. From the Event group list, select ePO Notification Events.

    3. From the Event type list, select Threats.

    4. From the Status list, select Enabled.

  3. Click Next.
  4. From the Value column, type a value to use for system selection, or click the ellipsis icon.
  5. Optional: From the Available Properties list, select more filters to narrow the response results.
  6. Click Next.
  7. Select Trigger this response for every event and then click Next.

    When you configure aggregation for your McAfee ePolicy Orchestrator responses, do not enable throttling.

  8. From the Actions list, select Send SNMP Trap.
  9. Configure the following values:
    1. From the list of SNMP servers, select the SNMP server that you registered when you added a registered server.

    2. From the Available Types list, select List of All Values.

    3. Click >> to add the event type that is associated with your McAfee ePolicy Orchestrator version. Use the following table as a guide:

    Available Types | Selected Types | ePolicy Orchestrator Version
    --- | --- | ---
    Detected UTC | {listOfDetectedUTC} | 4.5, 5.9
    Received UTC | {listOfReceivedUTC} | 4.5, 5.9
    Detecting Product IPv4 Address | {listOfAnalyzerIPV4} | 4.5, 5.9
    Detecting Product IPv6 Address | {listOfAnalyzerIPV6} | 4.5, 5.9
    Detecting Product MAC Address | {listOfAnalyzerMAC} | 4.5, 5.9
    Source IPv4 Address | {listOfSourceIPV4} | 4.5, 5.9
    Source IPv6 Address | {listOfSourceIPV6} | 4.5, 5.9
    Source MAC Address | {listOfSourceMAC} | 4.5, 5.9
    Source User Name | {listOfSourceUserName} | 4.5, 5.9
    Target IPv4 Address | {listOfTargetIPV4} | 4.5, 5.9
    Target IPv6 Address | {listOfTargetIPV6} | 4.5, 5.9
    Target MAC | {listOfTargetMAC} | 4.5, 5.9
    Target Port | {listOfTargetPort} | 4.5, 5.9
    Threat Event ID | {listOfThreatEventID} | 4.5, 5.9
    Threat Severity | {listOfThreatSeverity} | 4.5, 5.9
    SourceComputers | (none) | 4.0
    AffectedComputerIPs | (none) | 4.0
    EventIDs | (none) | 4.0
    TimeNotificationSent | (none) | 4.0

  10. Click Next, and then click Save.

  After you save the response, add a log source in JSA, and then install the Java Cryptography Extension for high-level SNMP decryption algorithms.

Installing the Java Cryptography Extension on McAfee EPolicy Orchestrator

The Java Cryptography Extension (JCE) is a Java framework that JSA requires to decrypt SNMP traffic that is protected with the AES192 or AES256 algorithms. The following information describes how to install the Oracle JCE on your McAfee ePolicy Orchestrator (McAfee ePO) device.

  1. Download the latest version of the Java™ Cryptography Extension from the following website:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

    The Java™ Cryptography Extension version must match the Java version that is installed on your McAfee ePO device.

  2. Copy the JCE compressed file to the following directory on your McAfee ePO device:

    <installation path to McAfee ePO>/jre/lib/security

Installing the Java Cryptography Extension on JSA

The Java Cryptography Extension (JCE) is a Java framework that JSA requires to decrypt SNMP traffic that is protected with the AES192 or AES256 algorithms. The following information describes how to install the Oracle JCE on your JSA appliance.

  1. Download the latest version of the Java™ Cryptography Extension from the following website:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

    The Java™ Cryptography Extension version must match the Java version that is installed on JSA.

  2. Extract the JCE file.

    The following Java archive (JAR) files are included in the JCE download:

    • local_policy.jar

    • US_export_policy.jar

  3. Log in to your JSA console or JSA Event Collector as a root user.
  4. Copy the JCE JAR files to the following directory on your JSA console or Event Collector:

    /usr/java/j2sdk/jre/lib/

    Note: Copy the JCE JAR files only to the system that receives the AES192 or AES256 encrypted traffic.

  5. Restart the JSA services by typing one of the following commands:
    • If you are using JSA 2014.x, type service ecs-ec restart.

    • If you are using JSA 7.3.0, type systemctl restart ecs-ec.service.

    • If you are using JSA 7.3.1, type systemctl restart ecs-ec-ingress.service.

McAfee ePolicy Orchestrator Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

McAfee ePolicy Orchestrator sample event message when you use the JDBC protocol

The following sample event message shows that a host intrusion was detected, but not handled.

AutoID: "231426750" AutoGUID: "995F348A-4CA3-4CEF-B259-5E678106884E" ServerID: "QRADARSERVER1" ReceivedUTC: "2014-07-23 08:02:13.553" DetectedUTC: "2014-07-23 07:55:11.0" AgentGUID: "2AB7C0C3-23C5-4FBD-B0A6-9A3A9B802A9E" Analyzer: "HOSTIPS_8000" AnalyzerName: "McAfee Host Intrusion Prevention" AnalyzerVersion: "8.0.0" AnalyzerHostName: "QRADARANALYZER" AnalyzerIPV4: "739325208" AnalyzerIPV6: "[B@e00e408" AnalyzerMAC: "001cc4e0e79e" AnalyzerDATVersion: "null" AnalyzerEngineVersion: "null" AnalyzerDetectionMethod: "null" SourceHostName: "null" SourceIPV4: "739325208" SourceIPV6: "[B@7d03cef5" SourceMAC: "00005E005300" SourceUserName: "QRADAR\SYSTEM" SourceProcessName: "C:\WINNT\SYSTEM32\SERVICES.EXE" SourceURL: "file:///C:\WINNT\SYSTEM32\SERVICES.EXE" TargetHostName: "QRADAR" TargetIPV4: "739325208" TargetIPV6: "[B@cf5e07d2" TargetMAC: "00005E005300" TargetUserName: "null" TargetPort: "null" TargetProtocol: "null" TargetProcessName: "null" TargetFileName: "null" ThreatCategory: "hip.Registry" ThreatEventID: "18000" ThreatSeverity: "2" ThreatName: "915" ThreatType: "modify" ThreatActionTaken: "hip.reaction.permit" ThreatHandled: "false" TheTimestamp: "[B@6d04e225"

McAfee ePolicy Orchestrator sample message when you use the TLS Syslog protocol

The following sample event message shows that an infected file was deleted.

<29>1 2018-06-29T10:53:33.0Z mcafee.epo.test EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>mcafee.epo.test</MachineName><AgentGUID>{890cc45c-7b89-11e8-1cd6-005056afc747}</AgentGUID><IPAddress>10.254.35.131</IPAddress><OSName>Windows Server 2012 R2</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-330</TimeZoneBias><RawMACAddress>00-00-5E-00-53-00 through 00-00-5E-00-53-FF</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>mcafee.epo.test</AnalyzerHostName><AnalyzerEngineVersion>5900.7806</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3389.03389.0</AnalyzerDATVersion></CommonFields><Event><EventID>1027</EventID><Severity>3</Severity><GMTTime>2018-06-29T10:52:58</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1027</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>Elspy.worm</ThreatName><ThreatType>virus</ThreatType><DetectedUTC>2018-06-29T10:52:58Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>mcafee.epo.test</SourceHostName><SourceProcessName>c:\Program Files\QRadar\file1.ext</SourceProcessName><TargetHostName>mcafee.epo.test</TargetHostName><TargetUserName>domain\admin</TargetUserName><TargetFileName>c:\Program Files\QRadar_v1\91</TargetFileName></CommonFields><CustomFields target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-06-28T02:04:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>True</ThreatDetectedOnCreation><TargetName>91</TargetName><TargetPath>c:\Program Files\QRadar_v2\Desktop</TargetPath><TargetHash>ed066136978a05009cf30c35de92e08e</TargetHash><TargetFileSize>70</TargetFileSize><TargetModifyTime>2018-06-29T10:52:57Z</TargetModifyTime><TargetAccessTime>2018-06-29T10:52:57Z</TargetAccessTime><TargetCreateTime>2018-06-29T10:52:57Z</TargetCreateTime><Cleanable>True</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>True</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>False</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>1</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=91|TargetPath=c:\Program Files\QRadar_v2\Desktop|ThreatName=Elspy.worm|SourceProcessName=c:\Program Files\QRadar\file1.ext|ThreatType=virus|TargetUserName=domain\admin</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3389.03389.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOEvent>
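The two sample messages above arrive in different shapes (a flat key/value record over JDBC, an RFC 5424 syslog header wrapping EPOEvent XML over TLS syslog), so a useful check on a new integration is to parse both and confirm they land on one event schema. The following is an added example, not JSA or McAfee code. It embeds shortened copies of the page's two samples as constructed input, with the line breaks removed from the TLS sample as the note above instructs. Two points are assumptions of this example rather than statements on the page: that ePO stores IPv4 addresses in EPOEvents as a signed 32-bit integer with the high bit flipped (which is what decodes the sample's 739325208 to a private address), and that the TLS payload always follows the RFC 5424 header layout shown.

```python
"""Normalise McAfee ePO events from the JDBC and TLS syslog paths shown above.
Added example, not JSA or McAfee code. Assumed (marked inline): ePO stores
IPv4 addresses as a signed 32-bit integer with the high bit flipped (not stated
on this page); the TLS syslog line is an RFC 5424 header followed by EPOEvent XML.
"""
import re
import xml.etree.ElementTree as ET
from ipaddress import IPv4Address

# Constructed inputs: shortened copies of the page's two samples, with the
# line breaks removed from the TLS sample as the page's note instructs.
JDBC_SAMPLE = (
    'AutoID: "231426750" DetectedUTC: "2014-07-23 07:55:11.0" SourceIPV4: "739325208" '
    'SourceUserName: "QRADAR\\SYSTEM" TargetIPV4: "739325208" TargetPort: "null" '
    'ThreatCategory: "hip.Registry" ThreatEventID: "18000" ThreatSeverity: "2" '
    'ThreatName: "915" ThreatActionTaken: "hip.reaction.permit" ThreatHandled: "false"'
)
TLS_SAMPLE = (
    '<29>1 2018-06-29T10:53:33.0Z mcafee.epo.test EPOEvents - EventFwd '
    '[agentInfo@3401 tenantId="1" bpsId="1" tenantNodePath="1\\2"] '
    '<?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo>'
    '<IPAddress>10.254.35.131</IPAddress></MachineInfo><SoftwareInfo ProductFamily="TVD">'
    '<Event><CommonFields><ThreatCategory>av.detect</ThreatCategory>'
    '<ThreatEventID>1027</ThreatEventID><ThreatSeverity>2</ThreatSeverity>'
    '<ThreatName>Elspy.worm</ThreatName><DetectedUTC>2018-06-29T10:52:58Z</DetectedUTC>'
    '<ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken>'
    '<ThreatHandled>True</ThreatHandled><TargetUserName>domain\\admin</TargetUserName>'
    '</CommonFields><CustomFields target="EPExtendedEventMT">'
    '<TargetHash>ed066136978a05009cf30c35de92e08e</TargetHash></CustomFields>'
    '</Event></SoftwareInfo></EPOEvent>'
)
JDBC_PAIR = re.compile(r'(\w+): "((?:[^"\\]|\\.)*)"')
RFC5424 = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) '
    r'(?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) (?P<msg>.*)$', re.DOTALL)
COMMON = ("ThreatCategory", "ThreatEventID", "ThreatSeverity", "ThreatName",
          "ThreatActionTaken", "ThreatHandled", "DetectedUTC")

def parse_jdbc_record(record):
    """Split a 'Key: "value"' record into a dict; the literal "null" becomes None."""
    return {k: (None if v == "null" else v) for k, v in JDBC_PAIR.findall(record)}

def epo_int_to_ipv4(value):
    """Decode ePO's integer IPv4 form (assumed: int32 with the high bit flipped).
    The mask also covers negative values, which is how addresses below
    128.0.0.0 come out of a signed column."""
    if value is None:
        return None
    return str(IPv4Address((int(value) ^ 0x80000000) & 0xFFFFFFFF))

def parse_tls_syslog(line):
    """Split the RFC 5424 header from the EPOEvent payload and parse both."""
    m = RFC5424.match(line)
    if m is None or "<EPOEvent>" not in m.group("msg"):
        raise ValueError("not an RFC 5424 message carrying an EPOEvent")
    # Parse as bytes so the XML prolog's encoding declaration is honoured.
    return m.groupdict(), ET.fromstring(m.group("msg").encode("utf-8"))

def xml_text(root, tag):
    el = root.find(f".//{tag}")
    return el.text.strip() if el is not None and el.text else None

def to_event(fields, transport, reporter, src_ip, user, file_hash):
    """Map the fields both transports share onto one schema."""
    return {
        "transport": transport, "reporter": reporter,
        "event_id": int(fields["ThreatEventID"]), "category": fields["ThreatCategory"],
        "severity": int(fields["ThreatSeverity"]), "threat_name": fields["ThreatName"],
        "action": fields["ThreatActionTaken"],
        "handled": (fields["ThreatHandled"] or "").lower() == "true",
        "detected_utc": fields["DetectedUTC"], "src_ip": src_ip,
        "user": user, "file_hash": file_hash,
    }

def normalise_jdbc(record):
    f = parse_jdbc_record(record)
    return to_event(f, "jdbc", None, epo_int_to_ipv4(f.get("SourceIPV4")),
                    f.get("SourceUserName"), None)

def normalise_tls(line):
    hdr, root = parse_tls_syslog(line)
    f = {tag: xml_text(root, tag) for tag in COMMON}
    return to_event(f, "tls-syslog", hdr["host"], xml_text(root, "IPAddress"),
                    xml_text(root, "TargetUserName"), xml_text(root, "TargetHash"))

def needs_triage(event):
    """A threat the product saw but did not remediate is the one to escalate."""
    return not event["handled"]

if __name__ == "__main__":
    for ev in (normalise_jdbc(JDBC_SAMPLE), normalise_tls(TLS_SAMPLE)):
        print(ev["transport"], ev["threat_name"], "triage" if needs_triage(ev) else "handled")
```

Run against the two samples, the JDBC host-intrusion event normalises with handled=False (the HIPS action was permit), while the TLS syslog event normalises with handled=True and carries the file hash; that ThreatHandled flag, present on both transports, is the field a triage rule should key on regardless of which protocol the log source uses.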