McAfee ePolicy Orchestrator
The IBM® QRadar® DSM for McAfee ePolicy Orchestrator collects events from a McAfee ePolicy Orchestrator device.
Specification | Value |
---|---|
Manufacturer | McAfee |
DSM name | McAfee ePolicy Orchestrator |
RPM file name | DSM-McAfeeEpo-QRadar_version-build_number.noarch.rpm |
Supported versions | 3.5 to 5.10 |
Protocol | JDBC - supports versions 3.5 to 5.9; SNMPv1 - supports versions 3.5 to 5.9; SNMPv2 - supports versions 3.5 to 5.9; SNMPv3 - supports versions 3.5 to 5.9; TLS Syslog - supports version 5.10 |
Recorded event types | AntiVirus events |
Automatically discovered? | No |
Includes identity? | No |
Includes custom properties? | No |
More information | McAfee website (http://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html) |
- If automatic updates are not enabled, RPMs are available for download from the IBM support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console.
  - JDBC Protocol RPM
  - SNMP Protocol RPM
  - TLS Syslog Protocol RPM
  - DSMCommon RPM
  - McAfee ePolicy Orchestrator DSM RPM
- Configure your McAfee ePolicy Orchestrator device to send events to QRadar.
  - Add a registered server. If you are using the JDBC protocol, you don't need to add a registered server. For more information about registering servers, see the following procedures:
    - Register syslog servers (https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-5C5332B3-837A-4DDA-BE5C-1513A230D90A.html)
    - Register SNMP servers (https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-F37CFF4C-B227-4545-8BC5-2DDC46504F90.html)
  - Configure SNMP notifications. If you are using the JDBC protocol or the TLS Syslog protocol, no further configuration is required. For more information about configuring SNMP notifications, see Configuring SNMP notifications on McAfee ePolicy Orchestrator.
  - Install the Java™ Cryptography Extension for high-level SNMP decryption algorithms. For more information, see the following procedures:
- Add a McAfee ePolicy Orchestrator log source on the QRadar Console. The following tables describe the SNMPv1, SNMPv2, SNMPv3, JDBC, and TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.
The following table describes the SNMPv1 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.
Table 2. McAfee ePolicy Orchestrator SNMPv1 log source parameters

Parameter | Value |
---|---|
Log Source Name | Type a unique name for the log source. |
Log Source Description (Optional) | Type a description for the log source. |
Log Source type | McAfee ePolicy Orchestrator |
Protocol Configuration | SNMPv1 |
Log Source Identifier | Type a unique identifier for the log source. |

The following table describes the SNMPv2 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.
Table 3. McAfee ePolicy Orchestrator SNMPv2 log source parameters

Parameter | Value |
---|---|
Log Source Name | Type a unique name for the log source. |
Log Source Description (Optional) | Type a description for the log source. |
Log Source type | McAfee ePolicy Orchestrator |
Protocol Configuration | SNMPv2 |
Log Source Identifier | Type a unique identifier for the log source. |

For a complete list of SNMPv2 protocol log source parameters and their values, see SNMPv2 protocol configuration options.
The following table describes the SNMPv3 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.
Table 4. McAfee ePolicy Orchestrator SNMPv3 log source parameters

Parameter | Value |
---|---|
Log Source Name | Type a unique name for the log source. |
Log Source Description (Optional) | Type a description for the log source. |
Log Source type | McAfee ePolicy Orchestrator |
Protocol Configuration | SNMPv3 |
Log Source Identifier | Type a unique identifier for the log source. |

For a complete list of SNMPv3 protocol log source parameters and their values, see SNMPv3 protocol configuration options.
The following table describes the JDBC protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.
Table 5. McAfee ePolicy Orchestrator JDBC log source parameters

Parameter | Value |
---|---|
Log Source Name | Type a unique name for the log source. |
Log Source Description (Optional) | Type a description for the log source. |
Log Source type | McAfee ePolicy Orchestrator |
Protocol Configuration | JDBC |
Database Type | Select MSDE from the list. |
Table Name | A table or view that includes the event records as follows: for ePolicy Orchestrator 3.x, type Events; for ePolicy Orchestrator 4.x, type EPOEvents; for ePolicy Orchestrator 5.x, type EPOEvents. |

For a complete list of JDBC protocol log source parameters and their values, see JDBC protocol configuration options.
The following table describes the TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.
Table 6. McAfee ePolicy Orchestrator TLS syslog log source parameters

Parameter | Value |
---|---|
Log Source Name | Type a unique name for the log source. |
Log Source Description (Optional) | Type a description for the log source. |
Log Source type | McAfee ePolicy Orchestrator |
Protocol Configuration | TLS Syslog |

For a complete list of TLS syslog log source parameters and their values, see TLS syslog protocol configuration options.