Integration architecture for McAfee ePO

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Integration architecture for McAfee ePO

    This integration connects the ServiceNow AI Platform with the McAfee ePolicy Orchestrator (McAfee ePO) console, enabling seamless management and response to security incidents. It requires setup both in your ServiceNow AI Platform instance and the McAfee ePO console before installing the application from the ServiceNow Store. The integration facilitates automated enrichment queries and actions on your assets managed by McAfee ePO directly from ServiceNow.

    Show full answer Show less

    Key Features

    • ServiceNow AI Platform integration: Forms the foundation for Security Incident Response (SIR) and other ServiceNow applications.
    • Plugins: Both the ServiceNow McAfee extension plugin and McAfee ePO plugin are required to enable communication and functionality between systems.
    • MID Server: Acts as the communication bridge, securely connecting ServiceNow to the McAfee ePO console over HTTPS.
    • Capabilities: Automated activities initiated from ServiceNow to perform asset enrichment, malware scans, host isolation, threat event listing, and removal of isolation actions within McAfee ePO.
    • Profiles: Configurable settings within McAfee ePO to specify when and how capabilities execute on assets.
    • Multi-console support: Integration supports multiple McAfee ePO consoles managing different endpoint groups, with data aggregation through one or multiple MID servers as needed.
    • Pre-configured workflows: Includes workflows for common security operations such as getting host details, initiating malware scans, isolating hosts, listing threat events, and removing isolation. These workflows are customizable to fit organizational needs.

    Key Outcomes

    Once configured, ServiceNow customers can:

    • Automate and streamline security incident response by invoking McAfee ePO actions directly from ServiceNow SIR incidents.
    • Obtain enriched data about endpoints and threat events managed by McAfee ePO within ServiceNow.
    • Execute containment and remediation actions such as malware scans and host isolation efficiently without switching consoles.
    • Manage endpoints across multiple McAfee ePO consoles through centralized ServiceNow workflows and MID server communication.
    • Enhance collaboration between security teams by integrating McAfee ePO data and actions into the ServiceNow AI Platform environment.

    The following topic is an overview of the system architecture and lists key features of the integration. This section also provides information about the setup steps that you are required to complete in your ServiceNow AI Platform instance and in the McAfee ePolicy Orchestrator (McAfee ePO) console prior to installing the application from the ServiceNow Store.

    Key terms for the McAfee ePO integration

    The following terms are used throughout the installation and configuration documentation for the integration.

    ServiceNow AI Platform
    An enterprise ServiceNow product. The ServiceNow AI Platform is the base upon which individual components, such as Security Incident Response (SIR), IT Service Management, (ITSM), and other products are built.
    Security Incident Response (SIR)
    A ServiceNow AI Platform application that tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post incident review and closure.
    Plugin

    Plugins are software components that provide specific features and functionalities within your ServiceNow AI Platform instance. For more information on the installation and configuration of the integration plugins, see Install the application and configure a server for the McAfee ePO integration.

    ePolicy Orchestrator (McAfee ePO)
    The user console where you manage the McAfee services, products and settings.
    McAfee extension plugin
    This ServiceNow extension plugin is required for this integration. This plugin resides on your McAfee ePO console and connects your McAfee ePO console to your ServiceNow AI Platform instance.
    Capability
    An automatic activity initiated from your ServiceNow AI Platform instance that is run in the McAfee ePO console to conduct enrichment queries and perform actions on your assets.
    Profile
    Settings for McAfee ePO capabilities that you configure to specify when and under what conditions capabilities conduct enrichment queries and perform actions on your assets.
    MID server
    An application that facilitates communication and the movement of data between the ServiceNow AI Platform and external applications, data sources, and services.
    ServiceNow administrator (admin)
    A user with this role downloads and installs the SIR and McAfee ePO plugins to your ServiceNow AI Platform instance. A user with this role also assigns the security incident administrator role as required.
    ServiceNow Security incident administrator (sn_si.admin)
    A user with this role performs the configuration of the McAfee ePO integration with the Security Incident Response (SIR) product in your ServiceNow AI Platform instance as required. A user with this role also assigns the security incident analyst role as required.
    ServiceNow security incident analyst (sn_si.analyst)
    A user with this role interacts with and analyzes security incidents in the SIR product.

    System connection and data flow

    The following figure is an example of a customer environment. A ServiceNow AI Platform MID server is required so that your ServiceNow AI Platform instance can connect to a McAfee ePO server (console) via a ServiceNow extension plugin. After you are connected, you invoke capabilities from your ServiceNow AI Platform to initiate malware scans, isolate host machines and restore them to your network, retrieve last scan results, and gather system details on your assets. When these capabilities return results from your assets that match your search criteria, data is pulled via the MID server into your ServiceNow AI Platform instance. Data is displayed on the related lists of a ServiceNow AI Platform Security Incident Response (SIR) security incident. The following figure illustrates the data flow for one group of endpoints managed by one McAfee ePO console.

    Figure 1. Single endpoint configuration
    Configuration one.

    As shown in the following figure, this integration can support more than one McAfee ePO console. You can have one group of endpoints managed by one McAfee ePO console, and another group of endpoints managed by another McAfee ePO console. Data from multiple McAfee ePO consoles is pulled via a single MID server. However, you also may prefer to configure multiple MID servers if required by your organization.

    Figure 2. MID servers configuration
    Multiple configurations.

    Workflows for the McAfee ePO integration

    This integration includes the following workflows. These workflows are pre-configured and are designed specifically for this integration. You can edit these workflows to meet the needs of your organization as required. For more general information about workflows and using the workflow editor, see Getting started with workflows.

    • Security Operations McAfee EPO integration - Get Host Details
    • Security Operations McAfee EPO integration - Initiate Malware Scan
    • Security Operations McAfee EPO integration - Isolate Host
    • Security Operations McAfee EPO integration - List Threat Events
    • Security Operations McAfee EPO integration - Remove Isolation

    External systems connection

    The integration requires that the MID server communicates via HTTPS protocol connection to the McAfee ePO console.