McAfee ePO

Like other Virus Scan event sources, McAfee ePO data contributes to Alerts and Notable Behaviors.

Before You Begin

You must configure McAfee ePO to send syslog to the InsightIDR collector.

To configure syslog:

  1. From the top left corner of your main McAfee console, select Menu > Configuration > Registered Servers.
  2. Click the New Server button.
  3. From the Server type dropdown, select the Syslog Server option. Specify a unique name and any details and click the Next button.
  4. On the Registered Server Builder page, use the "Server Name" field to provide the FQDN (for example, collector.mycompany.com) or the IP address of the InsightIDR collector. If you use an FQDN, it must match the name on the certificate the collector presents, since ePO validates the TLS connection against it.
  5. In "TCP port number," provide the unique TCP port you have opened on the collector for syslog.
  6. Check the Event Forwarding box to enable syslog event forwarding from the McAfee Agent Handler to the InsightIDR collector.
  7. Click the Test Connection button to verify that McAfee ePO can reach your Collector.
  8. Click the Save button.

After you register the syslog server, you must set McAfee ePO to send specific events to your syslog server.

  1. Navigate to Menu > Configuration > Server Settings.
  2. Select the Event Filtering option and click the Edit button in the bottom right of the page.
  3. To tell the McAfee Agent what to forward, select the Only selected events to the server option and choose from the available event IDs. InsightIDR only parses events related to malware or virus scanning, but you can choose to send whichever events you want.
  4. In "Where to store events," keep the Store in both option selected so that events are forwarded to the SIEM and also kept in your ePO database.
  5. In "Event source," select the Events from any source option.
  6. Click the Save button.

For more information, you can read the McAfee ePO instruction manual here: https://kc.mcafee.com/corporate/index?page=content&id=PD27630&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

Syslog information is located on page 325. SIEM event forwarding information is on page 184.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Virus Scan icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select a collection method and specify a port.
  9. Since this event source must be encrypted, select TCP as your protocol and check the Encrypted box.
  10. Download the Rapid7 Certificate and install it into the Trusted Root Certification Authorities store of the machine or VM that hosts the McAfee ePO software, for example with the Certificates snap-in of the Microsoft Management Console (MMC). Install it into the Local Computer store, not the Current User store, because ePO runs as a service.
  11. Click the Save button.

You must complete Step 10!

If you do not install the Rapid7 Certificate on the machine that hosts the ePO software, ePO cannot validate the Collector's TLS certificate, the encrypted syslog connection will be rejected, and no events will reach InsightIDR.
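The following PowerShell script is an added example for checking Step 10 from the ePO host; it is not part of the Rapid7 or McAfee documentation. It assumes the downloaded Rapid7 certificate has been saved as C:\Temp\Rapid7.cer and that the InsightIDR Collector is reachable at collector.example.com on TCP port 6514 (all three values are hypothetical). It imports the certificate into the machine-wide Trusted Root store, confirms the port is reachable, and then performs a TLS handshake that validates the Collector's certificate chain against that store, reporting exactly which validation error occurs if the handshake fails. Run it in an elevated PowerShell session on the ePO server.

```powershell
# Added example (not from the original page). Hypothetical values:
# the downloaded Rapid7 certificate at C:\Temp\Rapid7.cer and an InsightIDR
# collector listening for encrypted syslog at collector.example.com:6514.
$CertPath  = 'C:\Temp\Rapid7.cer'
$Collector = 'collector.example.com'
$Port      = 6514

# 1. Import the Rapid7 certificate into the Local Computer Trusted Root store.
#    ePO runs as a Windows service, so the LocalMachine store is the one that
#    matters; a certificate in the CurrentUser store of the logged-on admin
#    will not be seen by the service.
$imported = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported '$($imported.Subject)' (thumbprint $($imported.Thumbprint))"

# 2. Confirm the store now contains it and that it is still within validity.
$inStore = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $inStore) { throw 'Certificate not found in LocalMachine\Root after import' }
if ($inStore.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($inStore.NotAfter)" }

# 3. Confirm the collector port is reachable from this host (routing/firewall).
$tcp = Test-NetConnection -ComputerName $Collector -Port $Port
if (-not $tcp.TcpTestSucceeded) { throw "TCP $Port to $Collector is blocked or not listening" }

# 4. Perform a TLS handshake and validate the collector's chain against the
#    store, as ePO will. The callback reports the SslPolicyErrors so that a
#    chain-trust failure (the problem Step 10 fixes) is distinguishable from a
#    hostname mismatch or an expired server certificate. It never suppresses
#    errors: any validation failure still aborts the handshake.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    Write-Host "Certificate validation result: $sslPolicyErrors"
    return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$client = [System.Net.Sockets.TcpClient]::new($Collector, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    # Throws AuthenticationException if the callback returns $false.
    $ssl.AuthenticateAsClient($Collector)
    Write-Host ("TLS OK: {0}, cipher {1}, server cert issued by '{2}'" -f `
        $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.RemoteCertificate.Issuer)
} finally {
    $client.Close()
}
```

A result of RemoteCertificateChainErrors means the collector's certificate does not chain to anything the host trusts, which is the failure you get when Step 10 was skipped or the certificate went into the wrong store. RemoteCertificateNameMismatch means the name you registered in ePO differs from the name on the collector's certificate; fix the "Server Name" field in the registered server rather than the trust store.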

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.