To send SNMP events from McAfee ePolicy Orchestrator to IBM QRadar, you must configure SNMP notifications on your McAfee ePolicy Orchestrator device.
Before you begin
You must add a registered server to McAfee ePolicy Orchestrator before you complete the following steps. For more information, see Register syslog servers (https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-5C5332B3-837A-4DDA-BE5C-1513A230D90A.html).
Procedure
- Select .
- Click New Responses, and then configure the following values.
  - Type a name and description for the response.
  - From the Event group list, select ePO Notification Events.
  - From the Event type list, select Threats.
  - From the Status list, select Enabled.
- Click Next.
- From the Value column, type a value to use for system selection, or click the ellipsis icon.
  - Optional: From the Available Properties list, select more filters to narrow the response results.
- Click Next.
- Select Trigger this response for every event, and then click Next.
  When you configure aggregation for your McAfee ePolicy Orchestrator responses, do not enable throttling.
- From the Actions list, select Send SNMP Trap.
- Configure the following values:
  - From the list of SNMP servers, select the SNMP server that you registered when you added a registered server.
  - From the Available Types list, select List of All Values.
  - Click >> to add the event type that is associated with your McAfee ePolicy Orchestrator version. Use the following table as a guide:
Available Types | Selected Types | ePolicy Orchestrator Version
Detected UTC | {listOfDetectedUTC} | 4.5, 5.9
Received UTC | {listOfReceivedUTC} | 4.5, 5.9
Detecting Product IPv4 Address | {listOfAnalyzerIPV4} | 4.5, 5.9
Detecting Product IPv6 Address | {listOfAnalyzerIPV6} | 4.5, 5.9
Detecting Product MAC Address | {listOfAnalyzerMAC} | 4.5, 5.9
Source IPv4 Address | {listOfSourceIPV4} | 4.5, 5.9
Source IPv6 Address | {listOfSourceIPV6} | 4.5, 5.9
Source MAC Address | {listOfSourceMAC} | 4.5, 5.9
Source User Name | {listOfSourceUserName} | 4.5, 5.9
Target IPv4 Address | {listOfTargetIPV4} | 4.5, 5.9
Target IPv6 Address | {listOfTargetIPV6} | 4.5, 5.9
Target MAC | {listOfTargetMAC} | 4.5, 5.9
Target Port | {listOfTargetPort} | 4.5, 5.9
Threat Event ID | {listOfThreatEventID} | 4.5, 5.9
Threat Severity | {listOfThreatSeverity} | 4.5, 5.9
SourceComputers | | 4.0
AffectedComputerIPs | | 4.0
EventIDs | | 4.0
TimeNotificationSent | | 4.0
- Click Next, and then click Save.
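As an added example that is not part of the original procedure or of McAfee's or IBM's software: a stdlib-only Python decoder for an SNMPv2c trap of the kind the Send SNMP Trap action emits, so the receiving side (for example a packet capture on UDP/162 in front of the QRadar log source) can confirm which selected types actually arrived in the varbinds. The enterprise OIDs under 1.3.6.1.4.1.99, the community string and the field values are constructed placeholders standing in for McAfee's published MIB; SNMPv1 and SNMPv3 messages are rejected rather than misread.

```python
# Added example (not McAfee's or IBM's code): decode the SNMPv2c trap that "Send SNMP
# Trap" puts on UDP/162 and list its varbinds. Stdlib only; OIDs and values are placeholders.
SEQ, INT, OCTSTR, OID, TIMETICKS, TRAP_PDU = 0x30, 0x02, 0x04, 0x06, 0x43, 0xA7

def tlv(tag, payload):  # BER TLV; two-byte long-form length once the payload exceeds 127
    return bytes([tag, n] if (n := len(payload)) < 0x80 else [tag, 0x81, n]) + payload
def enc_oid(dotted):  # arcs 1 and 2 merge into 40*a+b; sample arcs all stay below 128
    arcs = [int(a) for a in dotted.split(".")]
    return tlv(OID, bytes([40 * arcs[0] + arcs[1]] + arcs[2:]))

def build_trap(community, trap_oid, fields):  # constructed v2c trap for testing the decoder
    vbs = [tlv(SEQ, enc_oid("1.3.6.1.2.1.1.3.0") + tlv(TIMETICKS, b"\x30\x39")),  # sysUpTime.0
           tlv(SEQ, enc_oid("1.3.6.1.6.3.1.1.4.1.0") + enc_oid(trap_oid))]         # snmpTrapOID.0
    vbs += [tlv(SEQ, enc_oid(o) + tlv(OCTSTR, v.encode())) for o, v in fields]
    pdu = tlv(INT, b"\x01") + tlv(INT, b"\x00") * 2 + tlv(SEQ, b"".join(vbs))
    return tlv(SEQ, tlv(INT, b"\x01") + tlv(OCTSTR, community.encode()) + tlv(TRAP_PDU, pdu))

def tlvs(buf):  # yield (tag, value) for each BER TLV in buf; long-form lengths handled
    pos = 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # low 7 bits = number of length octets that follow
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        yield tag, buf[pos:pos + ln]
        pos += ln
def dec_oid(raw):  # inverse of the OID packing, multi-byte (base-128) arcs included
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def decode_trap(packet):  # -> (community, {oid: value}); rejects anything but a v2c Trap-PDU
    [(_, msg)] = tlvs(packet)
    (vtag, ver), (_, community), (ptag, pdu) = tlvs(msg)
    if (vtag, ver, ptag) != (INT, b"\x01", TRAP_PDU):
        raise ValueError("not an SNMPv2c Trap-PDU")
    *_head, (_, vblist) = tlvs(pdu)  # request-id, error-status, error-index, then the varbinds
    fields = {}
    for _, vb in tlvs(vblist):
        (_, oid), (tag, val) = tlvs(vb)
        fields[dec_oid(oid)] = (dec_oid(val) if tag == OID else val.decode()
                                if tag == OCTSTR else int.from_bytes(val, "big"))
    return community.decode(), fields

SAMPLE_TRAP = build_trap("public", "1.3.6.1.4.1.99.0.1", [  # constructed, placeholder OIDs
    ("1.3.6.1.4.1.99.1.1", "10.0.0.5"),   # stands in for {listOfSourceIPV4}
    ("1.3.6.1.4.1.99.1.2", "1278"),       # stands in for {listOfThreatEventID}
    ("1.3.6.1.4.1.99.1.3", "Critical")])  # stands in for {listOfThreatSeverity}
```

Feed `decode_trap` the UDP payload of a captured trap and compare the returned OIDs against the Selected Types you added in the response; a type missing from the dictionary was not added or is not supported by your ePO version.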
What to do next
- Add a log source in QRadar.
- Install the Java™ Cryptography Extension for high-level SNMP decryption algorithms.