Set up your ServiceNow AI Platform instance for the McAfee ePO integration

  • Release version: Xanadu
  • Updated August 1, 2024

    The following section lists the setup tasks that you’re required to complete in your ServiceNow AI Platform® instance prior to installing the application for the McAfee ePO integration.

    Set up requirements

    Role required: ServiceNow AI Platform administrator (admin). Review the following information before you set up your ServiceNow AI Platform® instance for the McAfee ePO integration.

    The following table is a list of setup requirements for the application. Verify that you’ve completed these tasks before you install the application for the integration from the ServiceNow Store.
    Set up task: Verify that you’ve assigned the required ServiceNow AI Platform® and Security Incident Response (SIR) roles.
    Description: The following roles are required:
    • A user with the system administrator (admin) role to install the application.
    • A user with the security incident administrator (sn_si.admin) role configures the application, and creates, activates, and removes profiles.
    • A user with the security incident analyst (sn_si.analyst) role works with security incidents. Tasks include manually launching profiles from security incidents. If the approval option is selected in a profile during the configuration step, users with this role also submit requests for isolating hosts and returning them to the network.

    Set up task: Verify that you are using version 5.9 of McAfee ePO.
    Description: The integration supports version 10.4.3 of the McAfee ePolicy Orchestrator.

    Set up task: Verify that you have installed the ServiceNow extension plugin in your McAfee ePO console.
    Description: Install the ServiceNow plugin in your McAfee ePO console.

    For more information and to obtain the plugin file, in your ServiceNow AI Platform instance, navigate to Knowledge > Articles > All and, in the Search field, enter ServiceNow Security Operations Extension for McAfee ePO.

    Set up task: Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you install the application for the integration.
    Description: Security Incident Response Dependency plugin (com.snc.si_dep) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the following order to ensure a smooth installation.

    1. Security Incident Response
    2. Security Incident Response Workspace
    3. Security Integration Framework
    4. Security Support Common
    5. Security Support Orchestration

    For more information about installing the Security Operations core applications, see Get entitlement for a Security Operations product or application and Activate a ServiceNow Store application.

    Set up task: Verify that you have installed and configured a MID Server.
    Description: An installed and configured MID Server is required in your ServiceNow AI Platform® instance. See the ServiceNow Product Documentation website for more information about MID Servers.

    Set up task: If you want to enable the approval process for profiles, verify that you have created an approval group to process requests.

    Description: There is an optional approval process available for isolating host machines and restoring them to the network.

    If this option is enabled, prior approval is required before host machines are isolated and restored to your network.

    If your organization wants an extra level of control over these actions, enable the Require approval option during the configuration step for a profile.

    By default, approval authority is assigned to the ServiceNow AI Platform® security incident administrator (sn_si.admin). This authority can be reassigned to an approval group. Within the group, any member has permission to approve or reject requests.

    You select an active approval group during the configuration step of your profile setup. For more information, see Create an approval group.
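
    The requirements above can be checked offline before installation. The following is an added example, not ServiceNow code: it runs over a snapshot you assemble yourself, and the snapshot layout and all of its field names are assumptions. Only the role names, the plugin ID, and the application order come from this page.

```python
# Added example: offline preflight check for the setup requirements on this page.
# Snapshot layout and field names are assumptions made for this example.
REQUIRED_ROLES = ("admin", "sn_si.admin", "sn_si.analyst")
DEPENDENCY_PLUGIN = "com.snc.si_dep"
APP_ORDER = (
    "Security Incident Response",
    "Security Incident Response Workspace",
    "Security Integration Framework",
    "Security Support Common",
    "Security Support Orchestration",
)

def preflight(snapshot):
    """Return a list of unmet setup requirements (empty list means ready)."""
    findings = []
    held = {row["role"] for row in snapshot["role_assignments"]}
    for role in REQUIRED_ROLES:
        if role not in held:
            findings.append(f"no user holds role {role}")
    active = set(snapshot["active_components"])
    if DEPENDENCY_PLUGIN not in active:
        findings.append(f"activate plugin {DEPENDENCY_PLUGIN} first")
    # Applications are installed one at a time, so report only the next one due.
    missing = [app for app in APP_ORDER if app not in active]
    if missing:
        findings.append(f"next application to install: {missing[0]}")
    if not snapshot["mid_server_configured"]:
        findings.append("no MID Server installed and configured")
    profile = snapshot["profile"]
    group = profile.get("approval_group")
    # With no group selected, approval stays with sn_si.admin (the default).
    if profile["require_approval"] and group is not None:
        # The empty-membership check is an added assumption: nobody could approve.
        if not group["active"] or not group["members"]:
            findings.append("approval group is inactive or has no members")
    return findings

# Constructed sample snapshot (not real instance data).
SAMPLE = {
    "role_assignments": [{"user": "alice", "role": "admin"},
                         {"user": "bob", "role": "sn_si.admin"}],
    "active_components": ["com.snc.si_dep", "Security Incident Response",
                          "Security Integration Framework"],
    "mid_server_configured": True,
    "profile": {"require_approval": True,
                "approval_group": {"active": False, "members": ["bob"]}},
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```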