McAfee ePolicy Orchestrator

The IBM® QRadar® DSM for McAfee ePolicy Orchestrator collects events from a McAfee ePolicy Orchestrator device.

The following table identifies the specifications for the McAfee ePolicy Orchestrator DSM:
Table 1. McAfee ePolicy Orchestrator
Specification Value
Manufacturer McAfee
DSM name McAfee ePolicy Orchestrator
RPM file name DSM-McAfeeEpo-QRadar_version-build_number.noarch.rpm
Supported versions 3.5 to 5.10
Protocol
  JDBC - supports versions 3.5 to 5.9
  SNMPv1 - supports versions 3.5 to 5.9
  SNMPv2 - supports versions 3.5 to 5.9
  SNMPv3 - supports versions 3.5 to 5.9
  TLS Syslog - supports version 5.10

Recorded event types AntiVirus events
Automatically discovered? No
Includes identity? No
Includes custom properties? No
More information McAfee website (http://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html)
To integrate McAfee ePolicy Orchestrator with QRadar, complete the following steps:
  1. If automatic updates are not enabled, RPMs are available for download from the IBM support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console.
    • JDBC Protocol RPM
    • SNMP Protocol RPM
    • TLS Syslog Protocol RPM
    • DSMCommon RPM
    • McAfee ePolicy Orchestrator DSM RPM
  2. Configure your McAfee ePolicy Orchestrator device to send events to QRadar.
    1. Add a registered server. If you are using the JDBC protocol, you don't need to add a registered server. For more information about registering servers, see the following procedures:
      • Register syslog servers (https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-5C5332B3-837A-4DDA-BE5C-1513A230D90A.html)
      • Register SNMP servers (https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-F37CFF4C-B227-4545-8BC5-2DDC46504F90.html)
    2. Configure SNMP notifications. If you are using the JDBC protocol or the TLS Syslog protocol, no further configuration is required. For more information about configuring SNMP notifications, see Configuring SNMP notifications on McAfee ePolicy Orchestrator.
    3. Install the Java™ Cryptography Extension for high-level SNMP decryption algorithms. For more information, see the following procedures:
  3. Add a McAfee ePolicy Orchestrator log source on the QRadar Console. The following tables describe the SNMPv1, SNMPv2, SNMPv3, JDBC, and TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    The following table describes the SNMPv1 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 2. McAfee ePolicy Orchestrator SNMPv1 log source parameters
    Parameter Value
    Log Source Name Type a unique name for the log source.
    Log Source Description (Optional) Type a description for the log source.
    Log Source type McAfee ePolicy Orchestrator
    Protocol Configuration SNMPv1
    Log Source Identifier Type a unique identifier for the log source.

    The following table describes the SNMPv2 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 3. McAfee ePolicy Orchestrator SNMPv2 log source parameters
    Parameter Value
    Log Source Name Type a unique name for the log source.
    Log Source Description (Optional) Type a description for the log source.
    Log Source type McAfee ePolicy Orchestrator
    Protocol Configuration SNMPv2
    Log Source Identifier Type a unique identifier for the log source.

    For a complete list of SNMPv2 protocol log source parameters and their values, see SNMPv2 protocol configuration options.

    The following table describes the SNMPv3 protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 4. McAfee ePolicy Orchestrator SNMPv3 log source parameters
    Parameter Value
    Log Source Name Type a unique name for the log source.
    Log Source Description (Optional) Type a description for the log source.
    Log Source type McAfee ePolicy Orchestrator
    Protocol Configuration SNMPv3
    Log Source Identifier Type a unique identifier for the log source.

    For a complete list of SNMPv3 protocol log source parameters and their values, see SNMPv3 protocol configuration options.

    The following table describes the JDBC protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 5. McAfee ePolicy Orchestrator JDBC log source parameters
    Parameter Value
    Log Source Name Type a unique name for the log source.
    Log Source Description (Optional) Type a description for the log source.
    Log Source type McAfee ePolicy Orchestrator
    Protocol Configuration JDBC
    Database Type Select MSDE from the list.
    Table Name A table or view that includes the event records as follows:
    • For ePolicy Orchestrator 3.x, type Events.
    • For ePolicy Orchestrator 4.x, type EPOEvents.
    • For ePolicy Orchestrator 5.x, type EPOEvents.

    For a complete list of JDBC protocol log source parameters and their values, see JDBC protocol configuration options.

    The following table describes the TLS syslog protocol log source parameters that require specific values to collect events from McAfee ePolicy Orchestrator.

    Table 6. McAfee ePolicy Orchestrator TLS syslog log source parameters
    Parameter Value
    Log Source Name Type a unique name for the log source.
    Log Source Description (Optional) Type a description for the log source.
    Log Source type McAfee ePolicy Orchestrator
    Protocol Configuration TLS Syslog

    For a complete list of TLS syslog log source parameters and their values, see TLS syslog protocol configuration options.
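The example below is added here and is not IBM's or McAfee's code. It turns the protocol and version support matrix from Table 1 and the JDBC table-name rule from Table 5 (Events for 3.x, EPOEvents for 4.x and 5.x, Database Type MSDE) into a small planning check, then shows the watermark-style incremental polling that a JDBC collector relies on so that rows already collected are not ingested again. The database is a constructed SQLite stand-in; a real ePO deployment uses Microsoft SQL Server, and the column names AutoID, ReceivedUTC, ThreatName and TargetHostName, as well as the polling-on-AutoID behaviour, are assumptions for illustration rather than values taken from this page.

```python
# Added example (not IBM's or McAfee's code). Encodes the version/protocol
# support matrix and the JDBC table-name rule stated on the page, and shows
# watermark-based incremental polling against a constructed SQLite stand-in
# for the ePO database (real ePO uses SQL Server; column names are assumed).
import sqlite3

# (min_version, max_version) per protocol, inclusive, as listed in Table 1.
PROTOCOL_SUPPORT = {
    "JDBC": ((3, 5), (5, 9)),
    "SNMPv1": ((3, 5), (5, 9)),
    "SNMPv2": ((3, 5), (5, 9)),
    "SNMPv3": ((3, 5), (5, 9)),
    "TLS Syslog": ((5, 10), (5, 10)),
}


def parse_version(version):
    """'5.10' -> (5, 10); a third component such as '5.9.1' is ignored."""
    parts = version.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return major, minor


def jdbc_table_name(version):
    """Table or view holding the event records, by ePO major version (Table 5)."""
    major = parse_version(version)[0]
    if major == 3:
        return "Events"
    if major in (4, 5):
        return "EPOEvents"
    raise ValueError(f"no JDBC table name known for ePO {version}")


def plan_log_source(version, protocol):
    """Return the log source values the page fixes for the chosen protocol,
    or raise if that protocol does not support the given ePO version."""
    if protocol not in PROTOCOL_SUPPORT:
        raise ValueError(f"unknown protocol {protocol!r}")
    low, high = PROTOCOL_SUPPORT[protocol]
    if not low <= parse_version(version) <= high:
        raise ValueError(f"{protocol} does not support ePO {version}")
    plan = {
        "Log Source type": "McAfee ePolicy Orchestrator",
        "Protocol Configuration": protocol,
    }
    if protocol == "JDBC":
        plan["Database Type"] = "MSDE"
        plan["Table Name"] = jdbc_table_name(version)
    return plan


# Constructed sample rows; the column layout is a stand-in, not the real schema.
SAMPLE_EVENTS = [
    (1, "2024-01-01T10:00:00Z", "EICAR test file", "HOST-A"),
    (2, "2024-01-01T10:05:00Z", "Generic.Trojan", "HOST-B"),
    (3, "2024-01-01T10:07:00Z", "PUP.Adware", "HOST-A"),
]


def make_sample_db(table="EPOEvents"):
    """In-memory SQLite database with a constructed EPOEvents-like table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        f"CREATE TABLE {table} (AutoID INTEGER PRIMARY KEY, "
        "ReceivedUTC TEXT, ThreatName TEXT, TargetHostName TEXT)"
    )
    con.executemany(f"INSERT INTO {table} VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    con.commit()
    return con


def poll_new_events(con, table, last_seen):
    """One polling cycle: fetch only rows whose AutoID is above the watermark
    (assumed compare-field behaviour) and return them with the new watermark.
    Identifiers cannot be bound as SQL parameters, so the table name is checked
    against the two names the page allows before it is interpolated."""
    if table not in ("Events", "EPOEvents"):
        raise ValueError(f"unexpected table name {table!r}")
    rows = con.execute(
        f"SELECT AutoID, ReceivedUTC, ThreatName, TargetHostName FROM {table} "
        "WHERE AutoID > ? ORDER BY AutoID",
        (last_seen,),
    ).fetchall()
    new_watermark = rows[-1][0] if rows else last_seen
    return rows, new_watermark


if __name__ == "__main__":
    print(plan_log_source("5.9", "JDBC"))
    con = make_sample_db()
    batch, mark = poll_new_events(con, "EPOEvents", 0)
    print(len(batch), "new events, watermark now", mark)
    batch, mark = poll_new_events(con, "EPOEvents", mark)
    print(len(batch), "new events on the next cycle")
```

The second poll returns nothing because the watermark already points at the last AutoID collected; persisting that watermark between cycles is what lets a collector survive restarts without duplicating events, and checking the table name against an allowlist before interpolating it is the safe way to handle an identifier that cannot be parameterised.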