McAfee ePO integration

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 8 minutes
  • The McAfee ePO integration is an endpoint detection and response (EDR) capability that helps Security Operations Center (SOC) analysts identify cyberthreats and repair the damage caused by malicious files.

    Overview of McAfee ePO integration

    This integration uses two sets of McAfee ePO capabilities: capabilities that invoke actions, such as isolating a host and initiating a malware scan, and capabilities that run queries to gather system details and threat events. Both types of capabilities, the actions and the queries, are invoked from your ServiceNow AI Platform® instance. You can group these capabilities together so that they automatically run when a specific type of security event occurs, or you can invoke them manually from a ServiceNow AI Platform® security incident.

    The following McAfee ePO capabilities are available for this integration.

    Get system details
    Gather system details that include operating system details.
    Initiate malware scan
    Based on scan configuration and scheduling, initiate a scan of an impacted endpoint.
    Isolate/Unisolate host
    Remove a system from network access for investigation and restore access to the network.
    List threat events
    Gather compliance status and the most current threat events.

    Key features

    This integration includes the following key features.

    • Supports automated triggering of McAfee ePO queries that are based on incident conditions.
    • Supports manually launching McAfee ePO capabilities that perform on-demand actions from ServiceNow AI Platform® Security Incident Response (SIR) security incidents.
    • The flexibility to create multiple profiles for triggering different types of McAfee ePO and ServiceNow AI Platform® Security Operations capabilities. These profiles gather threat event information or perform actions based on the conditions of specific incident categories such as malware.
    • Validate your profile configuration with a preview of the McAfee ePO results on SIR security incidents.
    • If tagging is enabled, security tags identify which McAfee ePO capabilities are initially launched by a workflow and when the queries or actions are successfully completed.
    • A complete audit trail of the McAfee ePO queries and actions is posted in the work notes on SIR security incidents, and commands from the ServiceNow AI Platform® are logged in the McAfee ePO console.
    • Supports multiple McAfee ePO consoles.

    ServiceNow Plugins

    The com.snc.si_dep plugin is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications.

    The following Security Operations applications must be installed and activated from the ServiceNow Store. Install and then activate one application at a time in the order listed below to ensure a smooth installation:
    1. Security Integration Framework
    2. Security Support Common
    3. Security Support Orchestration
    4. Security Incident Response
    5. Security Incident Response Workspace

    For more information on setting up your ServiceNow AI Platform instance for the integration, see Set up your ServiceNow AI Platform instance for the McAfee ePO integration.

    The ServiceNow extension plugin

    The ServiceNow Security Operations Extension for McAfee ePO℠ extension plugin is required for this integration. You install this ServiceNow plugin in your McAfee ePO console. For more information, see Set up your ServiceNow AI Platform instance for the McAfee ePO integration.

    MID Server

    This integration requires an installed and configured MID Server in your ServiceNow AI Platform® instance to connect to the McAfee ePO server (console). See the ServiceNow Product Documentation website for more information about MID Servers.

    Supported versions of McAfee

    The integration supports versions 5.9.1 and 5.10 of McAfee ePO. It supports McAfee Agent MA 5.5.1.388. For more information about McAfee products and the ePolicy Orchestrator, see the McAfee product website.

    The integration supports version 10.5 of the McAfee Endpoint Security Threat Prevention product. If you are not running version 10.5, consult with your McAfee ePO administrator to see if your version can support on-demand scans via tag actions.

    McAfee ePO security tags are used in this integration. You are required to create these tags in your McAfee ePO console. For more information on these tags, see Set up your McAfee ePO console to integrate with Security Incident Response (SIR).

    References

    Reference | Document Identifier                                                   | Document Title
    1         | McAfee product website                                                | McAfee product website
    2         | McAfee Business Product Documentation for ePolicy Orchestrator Cloud | McAfee Product Documentation
    3         | ServiceNow Product documentation website                              | ServiceNow Product Documentation website

    For a checklist to track your progress with setting up, installing, and verifying results for the integration, see Checklist for the McAfee ePO integration.

    For a smooth installation of the application and to help you verify expected results, follow the topics in the order they are presented.