McAfee ePO integration capability profiles

  • Release version: Xanadu
  • Updated August 1, 2024

As a user with the security incident administrator (sn_si.admin) role, you create profiles for the McAfee ePO capabilities in your ServiceNow AI Platform® instance. You group queries or actions in profiles and determine which McAfee ePO capabilities you want to run when a new security incident is created.

    Capability profiles

    You create profiles so you can group McAfee ePO capabilities and configure the settings for these capabilities from your ServiceNow AI Platform® instance. You can create multiple profiles for these capabilities, which lets you determine which actions or queries are invoked when a Security Incident Response (SIR) incident is created. To fit the needs of your organization, you can create a single profile that runs queries for system details, initiates malware scans, and isolates host machines, for example, or you can create multiple profiles, each with its own single McAfee ePO capability.

    Table 1. Profile types and required McAfee ePO capabilities

    | Primary purpose of your profile | Set up requirements | McAfee ePO capabilities required for this profile type |
    | --- | --- | --- |
    | Gather system details | None | Get Host Details |
    | Isolate a host | Verify with your McAfee ePO administrator that you have created the security tags for the isolate host action in your McAfee ePO console. For more information, see Set up your McAfee ePO console to integrate with Security Incident Response (SIR). | Isolate Host |
    | Scan and search for threats on your host | Verify with your McAfee ePO administrator that you have created the security tags for the initiate malware scan action in your McAfee ePO console. For more information, see Set up your McAfee ePO console to integrate with Security Incident Response (SIR). | Initiate Malware Scan. Note: As part of the McAfee ePO malware scan, the List Threat Events capability is invoked automatically. However, you are not required to add the List Threat Events capability to the profile with the malware scan capability. Results of the malware scan are displayed on the Threat Event Details tab on the security incident. |
    | Remove isolation for a host | Verify with your McAfee ePO administrator that you have created the security tags for the isolate host action in your McAfee ePO console. For more information, see Set up your McAfee ePO console to integrate with Security Incident Response (SIR). | Remove Isolation |
    | Gather threat enrichment data | None | List Threat Events |