McAfee ePO

Overview

Like other Virus Scan event sources, McAfee ePO data contributes to Alerts and Notable Behaviors.

Before You Begin

In order for InsightOps to ingest ePO logs as an event source, they must be forwarded from a log aggregator or SIEM.

  1. Configure McAfee ePO to forward received threat events directly to a syslog server. Follow the directions on how to do so here.
  2. Configure the log aggregator or SIEM to forward the logs in standard syslog format to InsightOps.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu
  2. At the top right of the page, select Add Data
  3. Select the Virus Scan icon from the Security Data section
  4. Select your collector, and from the list of options, choose McAfee ePO
  5. Choose a timezone, or optionally choose a US timezone
  6. Optionally choose to send unfiltered logs
  7. Configure any advanced event source settings
  8. Select Listen for Syslog, and enter the port. Choose TCP as your protocol, and then check the box titled "Encrypted" to send Secure Syslog.
  9. Select the button "Download Certificate" which will download Rapid7's certificate. This file will be called Rapid7CA.pem and will allow InsightOps and McAfee ePO to "trust" each other during log forwarding.
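Before switching ePO or the SIEM over to the encrypted listener, it is worth confirming from the forwarding host that the collector port really does present a certificate chaining to Rapid7CA.pem and accepts a TCP syslog event. The script below is an added example, not code from Rapid7 or McAfee; it assumes the collector host, port and path to the downloaded CA file are passed on the command line, and the event text it sends is constructed for the check.

```python
"""Send one constructed syslog test event to an InsightOps collector over TLS,
verifying the collector's certificate against the downloaded Rapid7CA.pem."""
import socket
import ssl
import sys
from datetime import datetime, timezone


def build_syslog_message(hostname, app_name, text, facility=1, severity=6, timestamp=None):
    """Build an RFC 5424 syslog line. PRI = facility * 8 + severity (user.info = 14)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = facility * 8 + severity
    # MSGID, STRUCTURED-DATA and PROCID are left as '-' (nil) for this test event.
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {text}"


def frame_for_tcp(line):
    """RFC 6587 octet-counting framing ('<length> <message>') for syslog over TCP,
    so the collector can find the event boundary even if the text contains newlines."""
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def tls_context(ca_file):
    """Trust only the CA in ca_file (Rapid7CA.pem from the Download Certificate step),
    keep hostname checking on, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_test_event(host, port, ca_file, line, timeout=10):
    """Connect, let the TLS handshake verify the chain, send one framed event,
    and return the subject of the certificate the collector presented."""
    ctx = tls_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_for_tcp(line))
            cert = tls.getpeercert()
    return dict(rdn[0] for rdn in cert["subject"])


if __name__ == "__main__":
    # Assumed invocation: python check_syslog_tls.py <collector-host> <port> Rapid7CA.pem
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    event = build_syslog_message("epo-test", "epo-syslog-check",
                                 "InsightOps TLS syslog test event (constructed)")
    print("collector certificate subject:", send_test_event(host, port, ca, event))
```

A handshake failure here (certificate verify failed, hostname mismatch, or protocol version) is the finding: fix the listener or certificate before production events are pointed at it, rather than disabling verification in the forwarder.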

Advanced Event Source Settings

Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends having a fallback domain in order to resolve any issues with user accounts.

For instance, if your company is in the US and in Canada, but both locations have a user named "John Smith" and your main domain is company.com, your fallback domain could be company.ca, which would allow InsightOps to more accurately attribute data to the correct user.

McAfee ePO and Certificates

For additional information on certificates and further configuration options, please read their documentation here.

Specifically, read sections that discuss syslog and certificates, listed below:

  • Adding SSL (page 46)
  • Authenticating with Certificates (page 146)
  • Register Syslog Servers (page 382)
  • SSL Certificates (page 389)