McAfee EPolicy Orchestrator
The JSA DSM for McAfee ePolicy Orchestrator collects events from a McAfee ePolicy Orchestrator device.
The following table identifies the specifications for the McAfee ePolicy Orchestrator DSM:
Specification | Value
---|---
Manufacturer | McAfee
DSM name | McAfee ePolicy Orchestrator
RPM file name | DSM-McAfeeEpo-JSA_version-build_number.noarch.rpm
Supported versions | 3.5 to 5.10
Protocol | JDBC (versions 3.5 to 5.9); SNMPv1 (versions 3.5 to 5.9); SNMPv2 (versions 3.5 to 5.9); SNMPv3 (versions 3.5 to 5.9); TLS Syslog (version 5.10)
Recorded event types | AntiVirus events
Automatically discovered? | No
Includes identity? | No
Includes custom properties? | No
More information |
To integrate McAfee ePolicy Orchestrator with JSA, complete the following steps:
1. If automatic updates are not enabled, RPMs are available for download from https://support.juniper.net/support/downloads/. Download and install the most recent version of the following RPMs on your JSA console:
   - JDBC Protocol RPM
   - SNMP Protocol RPM
   - TLS Syslog Protocol RPM
   - DSMCommon RPM
   - McAfee ePolicy Orchestrator DSM RPM
2. Configure your McAfee ePolicy Orchestrator device to send events to JSA.
3. Add a registered server. If you are using the JDBC protocol, you don't need to add a registered server. For more information about registering servers, see the following procedures:
4. Configure SNMP notifications. If you are using the JDBC protocol or the TLS Syslog protocol, no further configuration is required.
5. Install the Java Cryptography Extension for high-level SNMP decryption algorithms. For more information, see the following procedures:
6. Add a McAfee ePolicy Orchestrator log source on the JSA console. The following tables describe the SNMPv1, SNMPv2, SNMPv3, JDBC, and TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.
The following table describes the SNMPv1 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

Table 2: McAfee EPolicy Orchestrator SNMPv1 Log Source Parameters

Parameter | Value
---|---
Log Source Name | Type a unique name for the log source.
Log Source Description (Optional) | Type a description for the log source.
Log Source type | McAfee ePolicy Orchestrator
Protocol Configuration | SNMPv1
Log Source Identifier | Type a unique identifier for the log source.
The following table describes the SNMPv2 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

Table 3: McAfee EPolicy Orchestrator SNMPv2 Log Source Parameters

Parameter | Value
---|---
Log Source Name | Type a unique name for the log source.
Log Source Description (Optional) | Type a description for the log source.
Log Source type | McAfee ePolicy Orchestrator
Protocol Configuration | SNMPv2
Log Source Identifier | Type a unique identifier for the log source.
The following table describes the SNMPv3 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

Table 4: McAfee EPolicy Orchestrator SNMPv3 Log Source Parameters

Parameter | Value
---|---
Log Source Name | Type a unique name for the log source.
Log Source Description (Optional) | Type a description for the log source.
Log Source type | McAfee ePolicy Orchestrator
Protocol Configuration | SNMPv3
Log Source Identifier | Type a unique identifier for the log source.
The following table describes the JDBC protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

Table 5: McAfee EPolicy Orchestrator JDBC Log Source Parameters

Parameter | Value
---|---
Log Source Name | Type a unique name for the log source.
Log Source Description (Optional) | Type a description for the log source.
Log Source type | McAfee ePolicy Orchestrator
Protocol Configuration | JDBC
Database Type | Select MSDE from the list.
Table Name | A table or view that includes the event records, as follows: for ePolicy Orchestrator 3.x, type Events; for ePolicy Orchestrator 4.x, type EPOEvents; for ePolicy Orchestrator 5.x, type EPOEvents.
The following table describes the TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

Table 6: McAfee ePolicy Orchestrator TLS syslog log source parameters

Parameter | Value
---|---
Log Source Name | Type a unique name for the log source.
Log Source Description (Optional) | Type a description for the log source.
Log Source type | McAfee ePolicy Orchestrator
Protocol Configuration | TLS Syslog
Configuring SNMP Notifications on McAfee EPolicy Orchestrator
To send SNMP events from McAfee ePolicy Orchestrator to JSA, you must configure SNMP notifications on your McAfee ePolicy Orchestrator device.
You must add a registered server to McAfee ePolicy Orchestrator before you complete the following steps.
1. Select Menu > Automation > Automatic Responses.
2. Click New Responses, and then configure the following values:
   - Type a name and description for the response.
   - From the Event group list, select ePO Notification Events.
   - From the Event type list, select Threats.
   - From the Status list, select Enabled.
3. Click Next.
4. From the Value column, type a value to use for system selection, or click the ellipsis icon.
5. Optional: From the Available Properties list, select more filters to narrow the response results.
6. Click Next.
7. Select Trigger this response for every event and then click Next.
   When you configure aggregation for your McAfee ePolicy Orchestrator responses, do not enable throttling.
8. From the Actions list, select Send SNMP Trap.
9. Configure the following values:
   - From the list of SNMP servers, select the SNMP server that you registered when you added a registered server.
   - From the Available Types list, select List of All Values.
   - Click >> to add the event type that is associated with your McAfee ePolicy Orchestrator version. Use the following table as a guide:
Available Types | Selected Types | ePolicy Orchestrator Version
---|---|---
Detected UTC | {listOfDetectedUTC} | 4.5, 5.9
Received UTC | {listOfReceivedUTC} | 4.5, 5.9
Detecting Product IPv4 Address | {listOfAnalyzerIPV4} | 4.5, 5.9
Detecting Product IPv6 Address | {listOfAnalyzerIPV6} | 4.5, 5.9
Detecting Product MAC Address | {listOfAnalyzerMAC} | 4.5, 5.9
Source IPv4 Address | {listOfSourceIPV4} | 4.5, 5.9
Source IPv6 Address | {listOfSourceIPV6} | 4.5, 5.9
Source MAC Address | {listOfSourceMAC} | 4.5, 5.9
Source User Name | {listOfSourceUserName} | 4.5, 5.9
Target IPv4 Address | {listOfTargetIPV4} | 4.5, 5.9
Target IPv6 Address | {listOfTargetIPV6} | 4.5, 5.9
Target MAC | {listOfTargetMAC} | 4.5, 5.9
Target Port | {listOfTargetPort} | 4.5, 5.9
Threat Event ID | {listOfThreatEventID} | 4.5, 5.9
Threat Severity | {listOfThreatSeverity} | 4.5, 5.9
SourceComputers | | 4.0
AffectedComputerIPs | | 4.0
EventIDs | | 4.0
TimeNotificationSent | | 4.0
Click Next, and then click Save.
Add a log source in JSA.
Install the Java Cryptography Extension for high-level SNMP decryption algorithms.
Installing the Java Cryptography Extension on McAfee EPolicy Orchestrator
The Java Cryptography Extension (JCE) is a Java framework that is required for JSA to decrypt advanced cryptography algorithms for AES192 or AES256. The following information describes how to install Oracle JCE on your McAfee ePolicy Orchestrator (McAfee ePO) device.
1. Download the latest version of the Java Cryptography Extension from the following website:
   https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
   The Java Cryptography Extension version must match the version of the Java installed on your McAfee ePO device.
2. Copy the JCE compressed file to the following directory on your McAfee ePO device:
   <installation path to McAfee ePO>/jre/lib/security
Installing the Java Cryptography Extension on JSA
The Java Cryptography Extension (JCE) is a Java framework that is required for JSA to decrypt advanced cryptography algorithms for AES192 or AES256. The following information describes how to install Oracle JCE on your JSA appliance.
1. Download the latest version of the Java Cryptography Extension from the following website:
   https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
   The Java Cryptography Extension version must match the version of the Java installed on JSA.
2. Extract the JCE file. The following Java archive (JAR) files are included in the JCE download:
   - local_policy.jar
   - US_export_policy.jar
3. Log in to your JSA console or JSA Event Collector as a root user.
4. Copy the JCE JAR files to the following directory on your JSA console or Event Collector:
   /usr/java/j2sdk/jre/lib/
   Note: The JCE JAR files are only copied to the system that receives the AES192 or AES256 encrypted files.
5. Restart the JSA services by typing one of the following commands:
   - If you are using JSA 2014.x, type service ecs-ec restart.
   - If you are using JSA 7.3.0, type systemctl restart ecs-ec.service.
   - If you are using JSA 7.3.1, type systemctl restart ecs-ec-ingress.service.
McAfee ePolicy Orchestrator Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
McAfee ePolicy Orchestrator sample event message when you use the JDBC protocol
The following sample event message shows that a host intrusion was detected, but not handled.
AutoID: "231426750" AutoGUID: "995F348A-4CA3-4CEF-B259-5E678106884E" ServerID: "QRADARSERVER1" ReceivedUTC: "2014-07-23 08:02:13.553" DetectedUTC: "2014-07-23 07:55:11.0" AgentGUID: "2AB7C0C3-23C5-4FBD-B0A6-9A3A9B802A9E" Analyzer: "HOSTIPS_8000" AnalyzerName: "McAfee Host Intrusion Prevention" AnalyzerVersion: "8.0.0" AnalyzerHostName: "QRADARANALYZER" AnalyzerIPV4: "739325208" AnalyzerIPV6: "[B@e00e408" AnalyzerMAC: "001cc4e0e79e" AnalyzerDATVersion: "null" AnalyzerEngineVersion: "null" AnalyzerDetectionMethod: "null" SourceHostName: "null" SourceIPV4: "739325208" SourceIPV6: "[B@7d03cef5" SourceMAC: "00005E005300" SourceUserName: "QRADAR\SYSTEM" SourceProcessName: "C:\WINNT\SYSTEM32\SERVICES.EXE" SourceURL: "file:///C:\WINNT\SYSTEM32\SERVICES.EXE" TargetHostName: "QRADAR" TargetIPV4: "739325208" TargetIPV6: "[B@cf5e07d2" TargetMAC: "00005E005300" TargetUserName: "null" TargetPort: "null" TargetProtocol: "null" TargetProcessName: "null" TargetFileName: "null" ThreatCategory: "hip.Registry" ThreatEventID: "18000" ThreatSeverity: "2" ThreatName: "915" ThreatType: "modify" ThreatActionTaken: "hip.reaction.permit" ThreatHandled: "false" TheTimestamp: "[B@6d04e225"
McAfee ePolicy Orchestrator sample message when you use the TLS Syslog protocol
The following sample event message shows that an infected file was deleted.
<29>1 2018-06-29T10:53:33.0Z mcafee.epo.test EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="UTF-8"?><EPOEvent><MachineInfo><MachineName>mcafee.epo.test</MachineName><AgentGUID>{890cc45c-7b89-11e8-1cd6-005056afc747}</AgentGUID><IPAddress>10.254.35.131</IPAddress><OSName>Windows Server 2012 R2</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-330</TimeZoneBias><RawMACAddress>00-00-5E-00-53-00 through 00-00-5E-00-53-FF</RawMACAddress></MachineInfo><SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0" ProductFamily="TVD"><CommonFields><Analyzer>ENDP_AM_1060</Analyzer><AnalyzerName>McAfee Endpoint Security</AnalyzerName><AnalyzerVersion>10.6.0</AnalyzerVersion><AnalyzerHostName>mcafee.epo.test</AnalyzerHostName><AnalyzerEngineVersion>5900.7806</AnalyzerEngineVersion><AnalyzerDetectionMethod>On-Access Scan</AnalyzerDetectionMethod><AnalyzerDATVersion>3389.0</AnalyzerDATVersion></CommonFields><Event><EventID>1027</EventID><Severity>3</Severity><GMTTime>2018-06-29T10:52:58</GMTTime><CommonFields><ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1027</ThreatEventID><ThreatSeverity>2</ThreatSeverity><ThreatName>Elspy.worm</ThreatName><ThreatType>virus</ThreatType><DetectedUTC>2018-06-29T10:52:58Z</DetectedUTC><ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken><ThreatHandled>True</ThreatHandled><SourceHostName>mcafee.epo.test</SourceHostName><SourceProcessName>c:\Program Files\QRadar\file1.ext</SourceProcessName><TargetHostName>mcafee.epo.test</TargetHostName><TargetUserName>domain\admin</TargetUserName><TargetFileName>c:\Program Files\QRadar_v1\91</TargetFileName></CommonFields><CustomFields target="EPExtendedEventMT"><BladeName>IDS_BLADE_NAME_SPB</BladeName><AnalyzerContentCreationDate>2018-06-28T02:04:00Z</AnalyzerContentCreationDate><AnalyzerGTIQuery>False</AnalyzerGTIQuery><ThreatDetectedOnCreation>True</ThreatDetectedOnCreation><TargetName>91</TargetName><TargetPath>c:\Program Files\QRadar_v2\Desktop</TargetPath><TargetHash>ed066136978a05009cf30c35de92e08e</TargetHash><TargetFileSize>70</TargetFileSize><TargetModifyTime>2018-06-29T10:52:57Z</TargetModifyTime><TargetAccessTime>2018-06-29T10:52:57Z</TargetAccessTime><TargetCreateTime>2018-06-29T10:52:57Z</TargetCreateTime><Cleanable>True</Cleanable><TaskName>IDS_OAS_TASK_NAME</TaskName><FirstAttemptedAction>IDS_ALERT_THACT_ATT_CLE</FirstAttemptedAction><FirstActionStatus>True</FirstActionStatus><SecondAttemptedAction>IDS_ALERT_THACT_ATT_DEL</SecondAttemptedAction><SecondActionStatus>False</SecondActionStatus><AttackVectorType>4</AttackVectorType><DurationBeforeDetection>1</DurationBeforeDetection><NaturalLangDescription>IDS_NATURAL_LANG_OAS_DETECTION_DEL|TargetName=91|TargetPath=c:\Program Files\QRadar_v2\Desktop|ThreatName=Elspy.worm|SourceProcessName=c:\Program Files\QRadar\file1.ext|ThreatType=virus|TargetUserName=domain\admin</NaturalLangDescription><AccessRequested></AccessRequested><DetectionMessage>IDS_OAS_DEFAULT_THREAT_MESSAGE</DetectionMessage><AMCoreContentVersion>3389.0</AMCoreContentVersion></CustomFields></Event></SoftwareInfo></EPOEvent>
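The two sample messages above arrive in very different shapes: the JDBC protocol returns one EPOEvents row as `Key: "value"` pairs, while the TLS syslog protocol delivers an RFC 5424 line whose message part is an EPOEvent XML document. The following Python example, added here and not part of the Juniper documentation or any McAfee or Juniper code, parses both layouts, decodes the integer-encoded IPv4 columns of the JDBC row, and normalizes both into one record that flags threats ePO reports as not handled (as the JDBC sample does, with ThreatHandled "false"). The embedded samples are constructed, shortened copies of the page's two messages. The IPv4 decoding assumes the ePO convention of storing addresses as signed 32-bit integers with the high bit flipped; that convention is widely documented for the EPOEvents table but is not stated on this page, and under it the sample's AnalyzerIPV4 value 739325208 decodes to 172.17.53.24.

```python
import re
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the JDBC sample message on this page.
JDBC_SAMPLE = (
    'AutoID: "231426750" ReceivedUTC: "2014-07-23 08:02:13.553" '
    'DetectedUTC: "2014-07-23 07:55:11.0" AnalyzerName: "McAfee Host Intrusion Prevention" '
    'AnalyzerIPV4: "739325208" SourceUserName: "QRADAR\\SYSTEM" '
    'SourceProcessName: "C:\\WINNT\\SYSTEM32\\SERVICES.EXE" TargetHostName: "QRADAR" '
    'TargetUserName: "null" ThreatCategory: "hip.Registry" ThreatEventID: "18000" '
    'ThreatSeverity: "2" ThreatName: "915" ThreatActionTaken: "hip.reaction.permit" '
    'ThreatHandled: "false"'
)

# Constructed, shortened copy of the TLS syslog sample message on this page.
TLS_SAMPLE = (
    '<29>1 2018-06-29T10:53:33.0Z mcafee.epo.test EPOEvents - EventFwd '
    '[agentInfo@3401 tenantId="1" bpsId="1" tenantNodePath="1\\2"] '
    '<?xml version="1.0" encoding="UTF-8"?><EPOEvent>'
    '<MachineInfo><MachineName>mcafee.epo.test</MachineName>'
    '<IPAddress>10.254.35.131</IPAddress></MachineInfo>'
    '<SoftwareInfo ProductName="McAfee Endpoint Security" ProductVersion="10.6.0">'
    '<Event><EventID>1027</EventID><Severity>3</Severity><CommonFields>'
    '<ThreatCategory>av.detect</ThreatCategory><ThreatEventID>1027</ThreatEventID>'
    '<ThreatSeverity>2</ThreatSeverity><ThreatName>Elspy.worm</ThreatName>'
    '<ThreatActionTaken>IDS_ALERT_ACT_TAK_DEL</ThreatActionTaken>'
    '<ThreatHandled>True</ThreatHandled><TargetHostName>mcafee.epo.test</TargetHostName>'
    '<TargetUserName>domain\\admin</TargetUserName>'
    '<TargetFileName>c:\\Program Files\\QRadar_v1\\91</TargetFileName>'
    '</CommonFields></Event></SoftwareInfo></EPOEvent>'
)

JDBC_PAIR = re.compile(r'(\w+): "([^"]*)"')
SYSLOG_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+'
    r'(?P<procid>\S+)\s+(?P<msgid>\S+)\s+\[(?P<sd>[^\]]*)\]\s*(?P<msg>.*)$', re.DOTALL)
SD_PARAM = re.compile(r'(\w+)="([^"]*)"')

def epo_int_to_ipv4(value):
    """Assumed ePO convention (not stated on the page): IPv4 columns hold a signed
    32-bit integer with the high bit flipped, so XOR 0x80000000 restores the address."""
    return str(ipaddress.IPv4Address((int(value) ^ 0x80000000) & 0xFFFFFFFF))

def parse_jdbc_event(record):
    """Turn the Key: "value" layout of a JDBC-collected row into a dict.
    The literal string "null" becomes None and IPv4 integer columns are decoded."""
    fields = {k: (None if v == "null" else v) for k, v in JDBC_PAIR.findall(record)}
    for key in ("AnalyzerIPV4", "SourceIPV4", "TargetIPV4"):
        if fields.get(key) is not None:
            fields[key] = epo_int_to_ipv4(fields[key])
    return fields

def parse_tls_syslog_event(line):
    """Split an RFC 5424 line into its header, its structured-data params and a flat
    map of the leaf elements of the EPOEvent XML payload (plus SoftwareInfo attributes)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m.group("pri"))
    header = {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
              "hostname": m.group("host"), "appname": m.group("app"), "msgid": m.group("msgid")}
    sd_id, _, sd_rest = m.group("sd").partition(" ")
    header["sd_id"] = sd_id
    header["sd_params"] = dict(SD_PARAM.findall(sd_rest))
    root = ET.fromstring(m.group("msg").lstrip())
    # Leaf tags in the EPOEvent payload are distinct (Severity vs ThreatSeverity,
    # EventID vs ThreatEventID), so a flat tag -> text map is enough here.
    fields = {el.tag: el.text for el in root.iter() if len(el) == 0 and el.text}
    software = root.find("SoftwareInfo")
    if software is not None:
        fields.update(software.attrib)
    return header, fields

def normalize(fields, source):
    """Map either layout onto one record so downstream rules do not depend on the
    protocol that delivered the event; a threat ePO did not handle is flagged."""
    handled = str(fields.get("ThreatHandled", "")).lower() == "true"
    return {
        "source": source,
        "threat_event_id": int(fields["ThreatEventID"]),
        "threat_severity": int(fields["ThreatSeverity"]),
        "threat_name": fields.get("ThreatName"),
        "threat_category": fields.get("ThreatCategory"),
        "action_taken": fields.get("ThreatActionTaken"),
        "handled": handled,
        "target_host": fields.get("TargetHostName"),
        "target_user": fields.get("TargetUserName"),
        "target_file": fields.get("TargetFileName"),
        "needs_followup": not handled,
    }

if __name__ == "__main__":
    jdbc = normalize(parse_jdbc_event(JDBC_SAMPLE), "jdbc")
    _, xml_fields = parse_tls_syslog_event(TLS_SAMPLE)
    for rec in (jdbc, normalize(xml_fields, "tls_syslog")):
        print(rec["source"], rec["threat_name"], "handled" if rec["handled"] else "NOT handled")
```

Run it as a script and it prints one line per sample: the HIPS event from the JDBC row is reported as not handled (ePO permitted the registry change), the Endpoint Security detection from the TLS syslog line as handled. Feeding the parsed header back into a check that the appname is EPOEvents and the structured-data id is agentInfo@3401 is a quick way to confirm the log source is receiving what the page's TLS Syslog sample promises.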