Integrate McAfee ePolicy Orchestrator
EventTracker v8.x and above

Publication Date: March 15, 2019

Abstract

This guide provides instructions to configure McAfee ePolicy Orchestrator to generate logs for critical events. Once EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor McAfee ePolicy Orchestrator.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version v8.x or above and McAfee ePolicy Orchestrator.

Audience

Administrators who are assigned the task to monitor McAfee ePolicy Orchestrator events using EventTracker.

The information contained in this document represents the current view of Netsurion on the issues discussed as of the date of publication. Because Netsurion must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Netsurion, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2019 Netsurion. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Abstract
Scope
Audience
Overview
Prerequisites
Configure McAfee ePolicy Orchestrator to forward logs to EventTracker
EventTracker Knowledge Pack
    Flex Reports
    Alerts
    Dashboards
Import McAfee ePolicy Orchestrator knowledge pack into EventTracker
    Category
    Alerts
    Token Value
    Knowledge Objects
    Flex Reports
    Dashboard
Verify McAfee ePolicy Orchestrator knowledge pack in EventTracker
    Categories
    Alerts
    Token Value
    Knowledge Objects
    Flex Reports


Overview

The McAfee ePolicy Orchestrator (McAfee ePO) platform enables centralized policy management and enforcement for your endpoints and enterprise security products.

EventTracker helps to monitor events from McAfee ePolicy Orchestrator. Its knowledge objects and flex reports help you analyze critical activities (e.g. Threat Management) and monitor logon/logoff events.

Prerequisites

• The EventTracker agent should be installed on the McAfee ePO server.

• PowerShell 5.0 or above should be installed on the McAfee ePO server.

• The user should have administrative privileges on the McAfee ePO server.

Configure McAfee ePolicy Orchestrator to forward logs to EventTracker

1. Contact EventTracker support for the McAfee ePO Integrator.

2. Download and run the executable file “McAfeeePOIntegrator.exe”.

Figure 1

3. Select the installation path for the Integrator, and then click the Install button to proceed.

4. Enter the McAfee ePO console URL, username, and password.


Figure 2

5. After entering the necessary details, click Validate Credential to confirm that the entered credentials are correct.

6. Click the Finish button to complete the process.

Figure 3
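Before running the integrator (steps 1 to 6 above), the three items in the Prerequisites section and the reachability of the console URL entered in step 4 can be checked from a PowerShell prompt on the ePO server. The script below is an added example and is not part of the Netsurion guide or the integrator; the EventTracker agent service name and the console URL are placeholders that you must replace, and Test-NetConnection assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the guide): pre-flight check for the integrator prerequisites.
# Run on the McAfee ePO server. Both values below are assumptions, not values from the guide.
$AgentServiceName = 'EventTracker Agent'               # placeholder: use the name shown by Get-Service
$ConsoleUrl       = 'https://epo.example.local:8443'    # placeholder: the URL you enter in step 4

$ok = $true

# 1. PowerShell 5.0 or later is required.
if ($PSVersionTable.PSVersion -lt [version]'5.0') {
    Write-Warning "PowerShell $($PSVersionTable.PSVersion) found; 5.0 or later is required."
    $ok = $false
}

# 2. The session running the integrator must be elevated (administrative privilege).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Current session is not elevated; run PowerShell as an administrator.'
    $ok = $false
}

# 3. The EventTracker agent must be installed and running so forwarded logs reach the manager.
$svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$AgentServiceName' not found; install the EventTracker agent first."
    $ok = $false
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Service '$AgentServiceName' is $($svc.Status), not Running."
    $ok = $false
}

# 4. The console URL must be reachable, otherwise Validate Credential (step 5) cannot succeed.
$uri = [uri]$ConsoleUrl
if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
    Write-Warning "Cannot reach $($uri.Host):$($uri.Port); check the console URL and any firewall rules."
    $ok = $false
}

if ($ok) { 'All prerequisites satisfied; you can run McAfeeePOIntegrator.exe.' }
else     { 'Fix the warnings above before running McAfeeePOIntegrator.exe.' }
```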

EventTracker Knowledge Pack

Once logs are received by the EventTracker manager, Knowledge Packs can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker Enterprise to support McAfee ePolicy Orchestrator 5.10.


Flex Reports

• McAfee ePO - Server Activity - This report gives information about server activities.

Figure 4

Sample Log:

Figure 5

• McAfee ePO - Policy Details - This report gives information about policy configuration changes.


Figure 6

Sample Logs:

Figure 7

• McAfee ePO - Extension Installation Details - This report gives information about extension installation and uninstallation.

Figure 8


Sample Log:

Figure 9

• McAfee ePO - System Management - This report gives information about systems that were added or removed.

Figure 10

Sample Log:

Figure 11


• McAfee ePO - User Management - This report gives information about users that were added or removed, and about permission changes.

Figure 12

Sample Log:

Figure 13

• McAfee ePO - Agent Activity - This report gives information about agent activities.

Figure 14


Sample Log:

Figure 15

• McAfee ePO - Log On and Log Off Details - This report gives information about user logon and logoff events.

Figure 16

Sample Log:

Figure 17


• McAfee ePO - Logon Failure - This report gives information about user logon failures.

Figure 18

Sample Log:

Figure 19

• Malware Log Alerts - This report gives information about all malware events captured by McAfee ePO.

Figure 20


Figure 21

Alerts

• McAfee ePO – Log-On Failure - This alert is generated when a user logon attempt fails.

• McAfee ePO - Policy Changes - This alert is generated when the policy configuration changes.

• McAfee ePO – Threat Detected – This alert is generated when a threat is detected on a McAfee Agent system.

Dashboards

• McAfee ePO – Logon Failure:

Figure 22


• McAfee ePO – System Management

Figure 23

• McAfee ePO – Server Activity

Figure 24


• McAfee ePO – Log On and Log Off Details:

Figure 25

• McAfee ePO – Policy Details:

Figure 26

• McAfee ePO – Agent Activity:

Figure 27


• McAfee ePO – User Management:

Figure 28

• McAfee ePO - Threat Activities:

Figure 29

Import McAfee ePolicy Orchestrator knowledge pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

• Categories

• Alerts

• Token Values

• Knowledge Objects

• Flex Reports

• Dashboard

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.

Figure 30

3. Click the Import tab.

Category

1. Click Category option, and then click the browse button.


Figure 31

2. Locate the “.iscat” file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays a success message:

Figure 32

4. Click OK, and then click the Close button.

Alerts

1. Click Alert option, and then click the browse button.


Figure 33

2. Locate the “.isalt” file, and then click the Open button.

3. To import alerts, click the Import button.

Token Value

1. Click Token Value option, and then click the browse button.

Figure 34

2. Locate the “.istoken” file, and then click the Open button.

3. To import token values, click the Import button.


Knowledge Objects

1. Click Knowledge Objects under the Admin option in the EventTracker manager page.

2. Locate the “.etko” file.

Figure 35

3. Click the Upload option.

4. Select all the check boxes, and then click the Import option.

Figure 36


5. Knowledge objects are now imported successfully.

Flex Reports

On the EventTracker Control Panel:

1. Click the Reports option, and then select New (*.etcrx).

Figure 38

2. Locate the “.etcrx” file, and select all the check boxes.

Figure 37


Figure 39

3. Click the Import button to import the reports. EventTracker displays a success message.

Figure 40

Dashboard

1. Logon to EventTracker Enterprise.

2. Navigate to Dashboard → My Dashboard.


Figure 41

3. In My Dashboard, click the Import button:

Figure 42

4. Click the browse button and navigate to the file path where the dashboard file is saved.

Figure 43

5. Once completed, click the Upload button.

6. Next, click the Customize dashlet button as shown below:


Figure 44

7. Type “McAfee” in the search bar, select the McAfee dashlets, and then click the Add button.

Figure 45

8. Once the dashlets are populated, the dashboard looks like the figure below:

Figure 46


Verify McAfee ePolicy Orchestrator knowledge pack in EventTracker

Categories

1. Logon to EventTracker Enterprise.

2. Click the Admin dropdown, and then click Categories.

3. In the Category Tree, scroll down and expand the McAfee ePolicy Orchestrator group folder to view the imported categories.

Figure 47

Alerts

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Alerts.

2. In the search box, enter McAfee ePolicy Orchestrator, and then click the Search button.

EventTracker displays the McAfee ePolicy Orchestrator alerts.


Figure 48

Token Value

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Parsing rules.

2. On the Parsing Rule tab, click the McAfee ePolicy Orchestrator group folder to view the imported Token Values.

Figure 49

Knowledge Objects

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Knowledge Objects.

2. In the Knowledge Object tree, expand the McAfee ePolicy Orchestrator group folder to view the imported Knowledge Objects.


Figure 50

Flex Reports

1. In the EventTracker Enterprise web interface, click the Reports menu, and then select Report Configuration.

Figure 51

2. In the Reports Configuration pane, select the Defined option.

3. Click the McAfee ePolicy Orchestrator group folder to view the imported McAfee ePolicy Orchestrator reports.


Figure 52