McAfee ePO integration
Summary of McAfee ePO integration
The McAfee ePO integration enhances ServiceNow AI Platform® by enabling Security Operations Center (SOC) analysts to detect cyberthreats and respond effectively. It allows invoking McAfee ePO capabilities—both automated actions (like isolating hosts, initiating malware scans) and queries (such as gathering system details or threat event information)—directly from security incidents within ServiceNow. These capabilities can run automatically based on incident conditions or be triggered manually.
Key Features
- Automated triggering of McAfee ePO queries and actions based on incident conditions.
- Manual launching of McAfee ePO capabilities from Security Incident Response (SIR) incidents.
- Ability to create multiple capability profiles to handle different incident categories and tailor responses.
- Preview functionality to validate profile configurations with real McAfee ePO results within SIR incidents.
- Security tags identify which McAfee ePO capabilities are launched and track their completion status.
- Comprehensive audit trails are maintained in ServiceNow work notes and the McAfee ePO console.
- Supports multiple McAfee ePO consoles for flexible deployment environments.
Setup and Configuration
The integration requires installation and activation of specific ServiceNow plugins and Security Operations applications: the com.snc.si_dep dependency plugin, Security Integration Framework, Security Support Common, Security Support Orchestration, Security Incident Response, and Security Incident Response Workspace. It also requires the ServiceNow Security Operations Extension for McAfee ePO plugin to be installed in the McAfee ePO console.
A configured and running MID Server in the ServiceNow instance is necessary to facilitate communication with the McAfee ePO console.
McAfee ePO versions 5.9.1 and 5.10 and McAfee Agent version 5.5.1.388 are supported, along with McAfee Endpoint Security Threat Prevention version 10.5. McAfee ePO security tags must be created and synchronized between the McAfee console and ServiceNow for proper triggering and identification of actions.
Users must create approval groups within ServiceNow to manage approval workflows for actions such as isolating and restoring hosts.
Practical Use and Management
- Profiles allow grouping of McAfee ePO queries and actions to automate or manually execute responses when new security incidents occur.
- Capabilities like listing threat events and initiating malware scans can be triggered on-demand or as additional actions.
- The integration is accessible and manageable via the ServiceNow Analyst Workspace, providing streamlined workflows for incident response teams.
Benefits for ServiceNow Customers
This integration empowers ServiceNow customers to enhance their threat detection and response capabilities by seamlessly connecting their security incidents with McAfee ePO actions and data. It improves incident investigation efficiency, supports automated and manual remediation actions, provides detailed audit trails for compliance, and allows tailored responses to different security scenarios through configurable profiles.
By following the setup checklist and installation sequence, customers can ensure smooth deployment and effective operation of the McAfee ePO integration within their ServiceNow AI Platform environment.
The McAfee ePO integration is an endpoint detection and response (EDR) capability that helps Security Operations Center (SOC) analysts identify cyberthreats and repair the damage caused by malicious files.
Overview
This integration uses two sets of McAfee ePO capabilities: capabilities that invoke actions, such as isolating a host and initiating a malware scan, and capabilities that run queries to gather system details and threat events. Both types, the actions and the queries, are invoked from your ServiceNow AI Platform® instance. You can group these capabilities together so that they run automatically when a specific type of security event occurs, or you can invoke them manually from a ServiceNow AI Platform® security incident.
The following McAfee ePO capabilities are available for this integration.
- Get system details: Gather system details, including operating system details.
- Initiate malware scan: Based on the scan configuration and scheduling, initiate a scan of an impacted endpoint.
- Isolate/Unisolate host: Remove a system from network access for investigation, and restore its network access afterwards.
- List threat events: Gather compliance status and the most current threat events.
Key features
This integration includes the following key features.
- Supports automated triggering of McAfee ePO queries and actions based on incident conditions.
- Supports launching McAfee ePO capabilities manually, as on-demand actions, from ServiceNow AI Platform® Security Incident Response (SIR) security incidents.
- The flexibility to create multiple profiles for triggering different types of McAfee ePO and ServiceNow AI Platform® Security Operations capabilities. These profiles gather threat event information or perform actions based on the conditions of specific incident categories such as malware.
- Validate your profile configuration with a preview of the McAfee ePO results on SIR security incidents.
- If tagging is enabled, security tags identify which McAfee ePO capabilities are initially launched by a workflow and when the queries or actions are successfully completed.
- A complete audit trail of the McAfee ePO queries and actions is posted in the work notes on SIR security incidents, and commands from the ServiceNow AI Platform® are logged in the McAfee ePO console.
- Supports multiple McAfee ePO consoles.
ServiceNow Plugins
The com.snc.si_dep plugin is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications.
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
- Security Incident Response
- Security Incident Response Workspace
For more information on setting up your ServiceNow AI Platform instance for the integration, see Set up your ServiceNow AI Platform instance for the McAfee ePO integration.
The ServiceNow extension plugin
The ServiceNow Security Operations Extension for McAfee ePO℠ extension plugin is required for this integration. You install this ServiceNow plugin in your McAfee ePO console. For more information, see Set up your ServiceNow AI Platform instance for the McAfee ePO integration.
MID Server
This integration requires an installed and configured MID Server in your ServiceNow AI Platform® instance to connect to the McAfee ePO server (console). See the ServiceNow Product Documentation website for more information about MID Servers.
Supported versions of McAfee
The integration supports versions 5.9.1 and 5.10 of McAfee ePO and McAfee Agent version MA 5.5.1.388. For more information about McAfee products and ePolicy Orchestrator, see the McAfee product website.
The integration supports version 10.5 of the McAfee Endpoint Security Threat Prevention product. If you are not running version 10.5, consult your McAfee ePO administrator to confirm whether your version supports on-demand scans via tag actions.
McAfee ePO security tags are used in this integration. You are required to create these tags in your McAfee ePO console. For more information on these tags, see Set up your McAfee ePO console to integrate with Security Incident Response (SIR).
References
| Reference | Document Identifier | Document Title |
|---|---|---|
| 1 | McAfee product website | McAfee product website |
| 2 | McAfee Business Product Documentation for ePolicy Orchestrator Cloud | McAfee Product Documentation |
| 3 | ServiceNow Product documentation website | ServiceNow Product Documentation website |
For a checklist to track your progress with setting up, installing, and verifying results for the integration, see Checklist for the McAfee ePO integration.
For a smooth installation of the application and to help you verify expected results, follow the topics in the order they are presented.