McAfee ePO integration
Summary of McAfee ePO integration
The McAfee ePO integration with ServiceNow AI Platform® enhances Security Operations Center (SOC) analysts' ability to identify cyberthreats and remediate malicious activity. It provides two primary capability sets: actions (like isolating hosts and initiating malware scans) and queries (gathering system details and threat events). These capabilities can be executed automatically based on incident conditions or manually from ServiceNow AI Platform® Security Incident Response (SIR) incidents.
Key Features
- Supports automated triggering of McAfee ePO queries/actions tied to specific incident criteria.
- Allows manual invocation of McAfee ePO capabilities directly from SIR security incidents for on-demand response.
- Enables creation of multiple profiles to tailor McAfee ePO and ServiceNow Security Operations capabilities based on incident categories such as malware.
- Provides a preview feature to validate profile configurations by displaying McAfee ePO results on SIR incidents.
- Utilizes security tags to track workflow-triggered capabilities and confirm successful query/action completion.
- Maintains a full audit trail with work notes in SIR incidents and logs commands in the McAfee ePO console.
- Supports multiple McAfee ePO consoles for flexible deployment.
Capabilities Available
- Get system details: Retrieves operating system and system information.
- Initiate malware scan: Starts endpoint scans based on configured schedules.
- Isolate/Unisolate host: Removes or restores network access to systems for investigation.
- List threat events: Gathers compliance and recent threat event data.
Setup Requirements
- Install the com.snc.si_dep plugin and the required Security Operations applications in the specified order for a smooth installation.
- Install the ServiceNow Security Operations Extension for McAfee ePO plugin in the McAfee ePO console.
- Configure a MID Server in ServiceNow AI Platform® to enable communication with the McAfee ePO console.
- Create matching security tags in both McAfee ePO console and ServiceNow AI Platform to enable integration workflows.
- Establish an approval group to handle requests such as host isolation and restoration.
Supported Versions
- McAfee ePO versions 5.9.1 and 5.10.
- McAfee Agent version 5.5.1.388.
- McAfee Endpoint Security Threat Prevention version 10.5 (earlier versions require verification for scan support).
Practical Benefits for ServiceNow Customers
This integration empowers SOC teams to automate and streamline threat detection and response workflows within ServiceNow, leveraging McAfee ePO’s endpoint security capabilities. It ensures comprehensive visibility into endpoint status and threats, supports rapid containment actions like host isolation, and provides an auditable trail of all security responses. The flexible profile-based approach lets your team customize automated and manual actions to fit diverse incident scenarios, improving incident response efficiency and accuracy.
The McAfee ePO integration provides an endpoint detection and response (EDR) capability that helps Security Operations Center (SOC) analysts identify cyberthreats and repair the damage caused by malicious files.
Overview
This integration uses two sets of McAfee ePO capabilities: capabilities that invoke actions, such as isolating a host or initiating a malware scan, and capabilities that run queries to gather system details and threat events. Both types of capabilities, the actions and the queries, are invoked from your ServiceNow AI Platform® instance. You can group capabilities together so that they run automatically when a specific type of security event occurs, or you can invoke them manually from a ServiceNow AI Platform® security incident.
The following McAfee ePO capabilities are available for this integration.
- Get system details: Gather system details, including operating system details.
- Initiate malware scan: Based on the scan configuration and scheduling, initiate a scan of an impacted endpoint.
- Isolate/Unisolate host: Remove a system from network access for investigation, and restore its access to the network afterwards.
- List threat events: Gather compliance status and the most current threat events.
Key features
This integration includes the following key features.
- Supports automated triggering of McAfee ePO queries that are based on incident conditions.
- Supports launching McAfee ePO capabilities manually from ServiceNow AI Platform® Security Incident Response (SIR) security incidents that perform on-demand actions.
- The flexibility to create multiple profiles for triggering different types of McAfee ePO and ServiceNow AI Platform® Security Operations capabilities. These profiles gather threat event information or perform actions based on the conditions of specific incident categories such as malware.
- Validate your profile configuration with a preview of the McAfee ePO results on SIR security incidents.
- If tagging is enabled, security tags identify which McAfee ePO capabilities are initially launched by a workflow and when the queries or actions are successfully completed.
- A complete audit trail of the McAfee ePO queries and actions is posted in the work notes on SIR security incidents, and commands from the ServiceNow AI Platform® are logged in the McAfee ePO console.
- Supports multiple McAfee ePO consoles.
ServiceNow Plugins
The com.snc.si_dep plugin is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications.
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
- Security Incident Response
- Security Incident Response Workspace
For more information on setting up your ServiceNow AI Platform instance for the integration, see Set up your ServiceNow AI Platform instance for the McAfee ePO integration.
The ServiceNow extension plugin
The ServiceNow Security Operations Extension for McAfee ePO℠ extension plugin is required for this integration. You install this ServiceNow plugin in your McAfee ePO console. For more information, see Set up your ServiceNow AI Platform instance for the McAfee ePO integration.
MID Server
This integration requires an installed and configured MID Server in your ServiceNow AI Platform® instance to connect to the McAfee ePO server (console). See the ServiceNow Product Documentation website for more information about MID Servers.
Supported versions of McAfee
The integration supports versions 5.9.1 and 5.10 of McAfee ePO. It supports McAfee Agent (MA) 5.5.1.388. For more information about McAfee products and ePolicy Orchestrator, see the McAfee product website.
The integration supports the version 10.5 of the McAfee Endpoint Security Threat Prevention product. If you are not running version 10.5, consult with your McAfee ePO administrator to see if your version can support on-demand scans via tag actions.
McAfee ePO security tags are used in this integration. You are required to create these tags in your McAfee ePO console. For more information on these tags, see Set up your McAfee ePO console to integrate with Security Incident Response (SIR).
References
| Reference | Document Identifier | Document Title |
|---|---|---|
| 1 | McAfee product website | McAfee product website |
| 2 | McAfee Business Product Documentation for ePolicy Orchestrator Cloud | McAfee Product Documentation |
| 3 | ServiceNow Product documentation website | ServiceNow Product Documentation website |
For a checklist to track your progress with setting up, installing, and verifying results for the integration, see Checklist for the McAfee ePO integration.
For a smooth installation of the application and to help you verify expected results, follow the topics in the order they are presented.