Configuring SNMP notifications on McAfee ePolicy Orchestrator

To send SNMP events from McAfee ePolicy Orchestrator to IBM QRadar, you must configure SNMP notifications on your McAfee ePolicy Orchestrator device.

Before you begin

You must add a registered server to McAfee ePolicy Orchestrator before you complete the following steps. For more information, see Register syslog servers (https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-5C5332B3-837A-4DDA-BE5C-1513A230D90A.html).

Procedure

  1. Select Menu > Automation > Automatic Responses.
  2. Click New Responses, and then configure the following values.
    1. Type a name and description for the response.
    2. From the Event group list, select ePO Notification Events.
    3. From the Event type list, select Threats.
    4. From the Status list, select Enabled.
  3. Click Next.
  4. From the Value column, type a value to use for system selection, or click the ellipsis icon.
  5. Optional: From the Available Properties list, select more filters to narrow the response results.
  6. Click Next.
  7. Select Trigger this response for every event and then click Next.

    When you configure aggregation for your McAfee ePolicy Orchestrator responses, do not enable throttling.

  8. From the Actions list, select Send SNMP Trap.
  9. Configure the following values:
    1. From the list of SNMP servers, select the SNMP server that you registered when you added a registered server.
    2. From the Available Types list, select List of All Values.
    3. Click >> to add the event type that is associated with your McAfee ePolicy Orchestrator version. Use the following table as a guide:
    Available Types Selected Types ePolicy Orchestrator Version
    Detected UTC {listOfDetectedUTC} 4.5, 5.9
    Received UTC {listOfReceivedUTC} 4.5, 5.9
    Detecting Product IPv4 Address {listOfAnalyzerIPV4} 4.5, 5.9
    Detecting Product IPv6 Address {listOfAnalyzerIPV6} 4.5, 5.9
    Detecting Product MAC Address {listOfAnalyzerMAC} 4.5, 5.9
    Source IPv4 Address {listOfSourceIPV4} 4.5, 5.9
    Source IPv6 Address {listOfSourceIPV6} 4.5, 5.9
    Source MAC Address {listOfSourceMAC} 4.5, 5.9
    Source User Name {listOfSourceUserName} 4.5, 5.9
    Target IPv4 Address {listOfTargetIPV4} 4.5, 5.9
    Target IPv6 Address {listOfTargetIPV6} 4.5, 5.9
    Target MAC {listOfTargetMAC} 4.5, 5.9
    Target Port {listOfTargetPort} 4.5, 5.9
    Threat Event ID {listOfThreatEventID} 4.5, 5.9
    Threat Event ID {listOfThreatEventID} 4.5, 5.9
    Threat Severity {listOfThreatSeverity} 4.5, 5.9
    SourceComputers   4.0
    AffectedComputerIPs   4.0
    EventIDs   4.0
    TimeNotificationSent   4.0
  10. Click Next, and then click Save.

What to do next

  1. Add a log source in QRadar.
  2. Install the Java™ Cryptography Extension for high-level SNMP decryption algorithms.