Configuring profiles for the McAfee ePO integration

  • Release version: Yokohama
  • Updated January 30, 2025

    After you create a profile and select the McAfee ePO capabilities that you want the profile to run, configure the settings so that the profile is invoked only under the specific conditions that you define.

    Configuring a profile

    In this step, you configure a capability profile so that it runs only when the conditions you specify are fulfilled. You define which conditions on security incidents automatically trigger the McAfee ePO capabilities that you selected for the profile. You also have the option to select an alternate input field for the Configuration Item (CI) field and set filtering conditions so that only those security incidents that are related to your triggering event automatically launch the profile. The configuration step includes the following settings on the configuration form for the profile.

    Alternate configuration item (CI) trigger field

    In cases when the Configuration item (CI) field on the ServiceNow AI Platform® Security Incident Response (SIR) security incident is not populated with a value, or a match cannot be found in the database, you can select an alternate field on the security incident to display any matching CI enrichment data found during the scan of your assets. For more information about the Configuration item and the Alternate configuration item fields on a security incident, see Defining triggering conditions with a Configuration item (CI) field for a McAfee ePO profile.

    Security tags

    To help you track the status of isolated host machines and when malware scans are initiated, an optional tagging feature is available. By default, this option is disabled on the configuration form for profiles. If this option is enabled during the configuration step, security tag names are displayed on the configuration form. These are the names of the tags that are displayed on related security incidents. These tags inform you when a host isolation action is successfully initiated and when it is approved. After a host is successfully returned to the network, the security tag is automatically removed from the security incident. For malware scans, a tag is displayed on the related security incident when a scan is scheduled. After the scan is finished, the scheduled tag is automatically replaced by a tag that indicates that the scan is successfully completed.

    Auto-trigger based on incident

    When the Auto-trigger based on incident option is enabled, the filter condition builder is available, and you are required to set filtering conditions that specify when the profile runs automatically. A common filter is Category is Malicious code activity and Business impact is 1 - Critical. With these filters, only security incidents that are related to malicious code and that have a critical business impact launch the profile. Using the Auto-trigger option can reduce the number of security incidents that automatically invoke the profile.

    Approvals

    If your organization wants an extra level of control over actions such as isolating host machines and initiating malware scans, you can enable the Require approval option during the configuration step for a profile.

    For example, if both the approval and tagging features are enabled for a profile, after a request to isolate a host machine or to return it to the network is submitted for approval, the associated security incident is automatically tagged to indicate that the action has been initiated. Requests are sent for approval to a user with the sn_si.admin role by default, but this approval can be reassigned to another individual or an approval group to fit the needs of your organization. Approvers process requests in My Approvals in their ServiceNow AI Platform® instances. Security tags are displayed on related security incidents. All workflow activities are also logged in work notes to create an audit trail.
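The following is an added, stand-alone model of the decisions described in the Alternate CI trigger field, Security tags, Auto-trigger and Approvals sections above. It is illustrative code written for this page, not ServiceNow or McAfee ePO code, and it does not call any platform API. The field names (cmdb_ci, u_affected_host), choice values (malicious_code, business_impact 1), tag names, the CMDB lookup table and the sample incidents are all constructed assumptions; the encoded-query syntax ("^" joining AND conditions) follows ServiceNow's filter conventions but only "=" and "!=" are implemented here.

```javascript
// Added example (not ServiceNow or McAfee ePO code): a model of how a
// capability profile decides whether to fire for a security incident, how the
// CI is resolved, whether execution is gated by approval, and how security
// tags move through their lifecycle. All names and data below are assumptions.

// Parse a ServiceNow-style encoded query: "^" joins AND conditions.
// This model supports only "=" and "!=".
function parseEncodedQuery(query) {
  return query.split('^').filter(Boolean).map(function (term) {
    var m = /^([A-Za-z0-9_.]+)(!=|=)(.*)$/.exec(term);
    if (!m) throw new Error('unsupported condition: ' + term);
    return { field: m[1], op: m[2], value: m[3] };
  });
}

// True when every condition holds for the record (missing fields compare as '').
function matchesQuery(record, conditions) {
  return conditions.every(function (c) {
    var raw = record[c.field];
    var actual = raw === undefined || raw === null ? '' : String(raw);
    return c.op === '=' ? actual === c.value : actual !== c.value;
  });
}

// Resolve the endpoint to act on: the Configuration item field first, then the
// profile's alternate CI trigger field when cmdb_ci is empty or has no CMDB match.
function resolveCi(incident, profile, cmdb) {
  var primary = incident.cmdb_ci;
  if (primary && cmdb[primary]) return { ci: primary, source: 'cmdb_ci' };
  var alt = profile.alternateCiField && incident[profile.alternateCiField];
  if (alt && cmdb[alt]) return { ci: alt, source: profile.alternateCiField };
  return null;
}

// Decide whether the profile fires and whether the capability runs at once or
// must first be routed for approval. Work notes stand in for the audit trail.
function evaluateProfile(incident, profile, cmdb) {
  var result = { triggered: false, reason: '', ci: null, action: null, workNotes: [] };
  if (profile.autoTrigger &&
      !matchesQuery(incident, parseEncodedQuery(profile.filter))) {
    result.reason = 'filter conditions not met';
    return result;
  }
  var target = resolveCi(incident, profile, cmdb);
  if (!target) {
    result.reason = 'no CI match on cmdb_ci or alternate field';
    return result;
  }
  result.triggered = true;
  result.ci = target.ci;
  result.action = profile.requireApproval ? 'request_approval' : 'execute';
  result.workNotes.push('Profile "' + profile.name + '": ' + result.action +
    ' for ' + target.ci + ' (CI taken from ' + target.source + ')');
  return result;
}

// Security-tag lifecycle on the related incident: isolation tags are removed
// once the host is returned to the network; the "scheduled" scan tag is
// replaced by a "completed" tag when the scan finishes. Tag names are assumed.
var TAG_EVENTS = {
  isolation_initiated: function (t) { return t.concat(['Host isolation initiated']); },
  isolation_approved:  function (t) { return t.concat(['Host isolation approved']); },
  host_returned:       function (t) { return t.filter(function (x) { return x.indexOf('Host isolation') !== 0; }); },
  scan_scheduled:      function (t) { return t.concat(['Malware scan scheduled']); },
  scan_completed:      function (t) {
    return t.filter(function (x) { return x !== 'Malware scan scheduled'; }).concat(['Malware scan completed']);
  }
};

function applyTagEvent(tags, event) {
  if (!TAG_EVENTS[event]) throw new Error('unknown tag event: ' + event);
  return TAG_EVENTS[event](tags.slice());
}

// Constructed sample data (assumptions, not real records).
var CMDB = { 'PODCLIENT1': true, 'WS-0042': true };
var PROFILE = {
  name: 'Isolate critical malware hosts',
  autoTrigger: true,
  filter: 'category=malicious_code^business_impact=1',
  alternateCiField: 'u_affected_host',
  requireApproval: true,
  tagging: true
};
var INCIDENTS = [
  { number: 'SIR0001', category: 'malicious_code', business_impact: 1, cmdb_ci: 'PODCLIENT1' },
  { number: 'SIR0002', category: 'malicious_code', business_impact: 1, cmdb_ci: '', u_affected_host: 'WS-0042' },
  { number: 'SIR0003', category: 'phishing',       business_impact: 1, cmdb_ci: 'PODCLIENT1' },
  { number: 'SIR0004', category: 'malicious_code', business_impact: 1, cmdb_ci: 'unknown-host' }
];

function runSamples() {
  return INCIDENTS.map(function (inc) { return evaluateProfile(inc, PROFILE, CMDB); });
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Run with Node. Of the four constructed incidents only SIR0001 and SIR0002 trigger the profile (SIR0002 through the alternate CI field), SIR0003 fails the category filter, and SIR0004 has no CMDB match; because the profile requires approval, both triggering incidents produce a request rather than an immediate isolation, which is the ordering the tagging sequence above (initiated, then approved, then removed on return to network) reflects.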

    ServiceNow audit log in the McAfee ePO console

    In version 5.10.0 of McAfee ePO, a ServiceNow tab is displayed with a log of commands that are initiated from your ServiceNow AI Platform® instance. After an action or a query is invoked from a profile in your ServiceNow AI Platform® instance on a host machine (endpoint) in the McAfee ePO console, an audit log of ServiceNow commands is created in the McAfee ePO console. This log is displayed in the System tree in the McAfee ePO console and helps you audit the times of the commands that are sent to specific endpoints. To view logged ServiceNow events on specific machines in a McAfee ePO console, follow these steps.

    1. Navigate to the System tree in your McAfee ePO console and locate the ServiceNow tab.
    2. Click the tab to open a list of host machines.
    3. In the Name column, click a host name to open the audit log.

    In the following image, an example of a log for a host (PODCLIENT1) is displayed.

    Figure 1. PODClient: System tree in ePO console

    The events initiated from the profiles in your ServiceNow AI Platform® instance are recorded and displayed in the log. Verify that the events listed in the log completed successfully by checking the status of the host machine itself; a logged command records that the command was sent, not that the endpoint carried it out.

    Example profiles

    The following topics include examples for how to configure profiles and test security incidents. These examples include profiles for all of the McAfee ePO capabilities that are available for this integration.