McAfee ePO

Like other Virus Scan event sources, McAfee ePO data contributes to Alerts and Notable Behaviors.

Before You Begin

You must configure McAfee ePO to send syslog to the InsightIDR collector.

To configure syslog:

  1. From the top left corner of your main McAfee console, select Menu > Configuration > Registered Servers.
  2. Click the New Server button.
  3. From the Server type dropdown, select the Syslog Server option. Specify a unique name and any details, then click the Next button.
  4. On the Registered Server Builder page, use the "Server Name" field to provide the FQDN (a host name in your domain, such as mycompany.com) or the IP address of the InsightIDR collector.
  5. In "TCP port number," provide the unique TCP port you have opened for syslog.
  6. Check the Event Forwarding box to enable syslog event forwarding from the McAfee Agent Handler to the InsightIDR collector.
  7. Click the Test Connection button to verify the connection between McAfee ePO and your Collector.
  8. Click the Save button.

After you register the syslog server, you must set McAfee ePO to send specific events to your syslog server.

  1. Navigate to Menu > Policy > Server Settings.
  2. Select the Event Filtering option and click the Edit button in the bottom right of the page.
  3. To tell the McAfee Agent what to forward, select the Only selected events to the server option to choose from all available event IDs.
    • While InsightIDR only parses events related to malware or virus scanning, you can choose to send whichever events you want.
  4. In "Where to store events," keep the Store selected in both option to forward information to a SIEM and to keep the data in your ePO database.
  5. In "Event source," select the Events from any source option.
  6. Click the Save button.

For more information, you can read the McAfee ePO instruction manual here: https://kc.mcafee.com/corporate/index?page=content&id=PD27630&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

Syslog information is located on page 325. SIEM event forwarding information is on page 184.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for McAfee ePO in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the McAfee ePO event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select a collection method and specify a port.
  9. Since this event source must be encrypted, select TCP as your protocol and check the Encrypted box.
  10. Download the Rapid7 Certificate and install it as a trusted root certificate authority on the machine or VM that hosts the McAfee ePO software, for example using the Microsoft Management Console (MMC).
  11. Click the Save button.

You must complete Step 10!

If you do not download the Rapid7 Certificate onto the machine that hosts the ePO software, this configuration will fail.
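The following PowerShell script is an added check, not part of the Rapid7 or McAfee documentation, to run on the ePO host after step 10: it confirms the Rapid7 certificate is in the machine-wide Trusted Root store and performs a TLS handshake to the collector port, reporting an untrusted chain separately from a hostname mismatch. The collector host, port and certificate path are placeholders you replace with your own values.

```powershell
# Added verification script (not from the Rapid7 or McAfee documentation); run in an
# elevated PowerShell on the host that runs McAfee ePO. The three values are placeholders.
$CollectorHost = "collector.example.com"          # FQDN or IP used in the Registered Server
$CollectorPort = 6514                             # TCP port chosen for the InsightIDR event source
$CertPath      = "C:\temp\rapid7-collector.cer"   # the downloaded Rapid7 certificate

# 1. Confirm the certificate is in the machine-wide Trusted Root store (step 10).
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if ($inRoot) { Write-Host "Trusted root present: $($ca.Subject)" }
else         { Write-Warning "Certificate $($ca.Thumbprint) is NOT in Cert:\LocalMachine\Root" }

# 2. Complete a TLS handshake with the collector and record the policy result, so an
#    untrusted chain (the usual cause of a failed configuration) is told apart from a name mismatch.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$report = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    return $true    # only record the verdict; do not abort the handshake
}
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($CollectorHost, $CollectorPort)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $report)
    $ssl.AuthenticateAsClient($CollectorHost)
    $errs = $script:policyErrors
    if ($errs -eq [System.Net.Security.SslPolicyErrors]::None) {
        Write-Host "TLS OK ($($ssl.SslProtocol)); the collector certificate chain is trusted"
    } else {
        if ($errs -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
            Write-Warning "Chain not trusted: the Rapid7 certificate is missing from the Root store"
        }
        if ($errs -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
            Write-Warning "Name mismatch: the certificate was not issued for '$CollectorHost'"
        }
    }
    $ssl.Dispose()
}
catch { Write-Warning "Could not connect or negotiate TLS with ${CollectorHost}:${CollectorPort}: $($_.Exception.Message)" }
finally { $tcp.Close() }
```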

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.