
External Systems Configuration Guide

McAfee ePolicy Orchestrator (ePO)

What is Discovered and Monitored

Protocol      Information Discovered    Metrics Collected    Used For
SNMP Traps

Event Types

In ADMIN > Device Support > Event Types, search for "mcafee epolicy" to see the event types associated with this application or device.

Configuration

FortiSIEM processes events via SNMP traps sent by the device.

Follow the procedures below to configure McAfee ePO to send threat-based SNMP traps to FortiSIEM.

Step 1: Configuring an SNMP Server to Send Traps from McAfee ePO

FortiSIEM processes events from a device via SNMP traps sent by the device.

  1. Log in to the McAfee ePO web console.
  2. Go to Main Menu > Configuration > Registered Servers, and click New Server.

    The Registered Server Builder opens.

  3. For Server type, select SNMP Server.
  4. For Name, enter the IP address of your SNMP server.
  5. Enter any Notes, and click Next to go to the Details page.
  6. For Address, select IP4 from the drop-down and enter the IP address or DNS name of the FortiSIEM virtual appliance that will receive the SNMP trap.
  7. For SNMP Version, select SNMPv1.
  8. For Community, enter public.

    Note: FortiSIEM does not check the community string entered here; it accepts traps from McAfee ePO without any additional configuration.

  9. Click Send Test Trap, and then click Save.
  10. Log in to your Supervisor node and use Real Time Search to verify that FortiSIEM received the trap. No configuration is needed on FortiSIEM; the traps appear under Real Time/Historical Analytics. (Search with Reporting IP set to McAfee ePO’s IP address.)

Step 2: Configuring “Automatic Response”

By default, McAfee ePO does not send SNMP trap alerts for the events that occur; an Automatic Response must be configured to do so.

  1. Go to Main Menu > Automation > Automatic Response.
  2. By default, a few Automatic Responses are already configured, but they are disabled.
  3. Click the New Response button.
  4. Enter a Name for the response.
  5. Set Status to Enabled and click Next.
  6. Click the Ellipsis icon, select the top level under Select System Tree Group, and click OK.
  7. On the left side of the same screen, select Threat Handled.

Sample SNMP Trap: Access Protection Violation Detected

2017-05-30 16:24:27 192.168.100.205 TRAP, SNMP v1, community fortisiem SNMPv2-SMI::enterprises.3401.12.2.1.1 Enterprise Specific Trap (101) Uptime: 3:56:08.15
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.7 = STRING: "Threat_Trigger_Rule"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.30 = STRING: "58F5DD64-43C5-11E7-0584-000C29219964"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.360 = STRING: "My Organization"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.20 = STRING: "05/30/17 13:20:24 UTC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "ENDP_AM_1050"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = STRING: "Access Protection"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.520 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.70 = STRING: "WIN2012-SKULLC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.90 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.80 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "000c29219964"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "McAfee Endpoint Security"
SNMPv2-SMI::enterprises.3401.12.2.1.1.6.0.00 = STRING: "10.5.0"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.370 = STRING: "Access Protection rule violation detected and NOT blocked"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.6 = STRING: "Threat"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.1 = INTEGER: 1
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.390 = STRING: "Server"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.380 = STRING: "Windows Server 2012 R2"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "05/30/17 13:24:05 UTC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.530 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.550 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.540 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.560 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.580 = STRING: "FIREFOX.EXE"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.590 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.570 = STRING: "WIN2012-SKULLC\Administrator"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "GlobalRoot\Directory\My Group"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.280 = STRING: "C:\USERS\ADMINISTRATOR\DOWNLOADS\V3_2994DAT.EXE"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.200 = STRING: "WIN2012-SkullC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.220 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.210 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.230 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.250 = STRING: "0"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.270 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.260 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.240 = STRING: "SYSTEM"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.340 = STRING: "IDS_ACTION_WOULD_BLOCK"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.290 = STRING: "'File' class or access"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.300 = STRING: "1095"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.350 = STRING: "True"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.320 = STRING: "Browsers launching files from the Downloaded Program Files folder"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.310 = STRING: "Critical"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.330 = STRING: "Access Protection"
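The trap above arrives as one SNMPv1 trap carrying a list of varbinds under the McAfee enterprise OID, and some OIDs repeat within a single trap. The following Python script is an added example, not FortiSIEM's parser and not taken from the McAfee MIB: it parses a trap in the snmptrapd text form shown above into a normalized event and flags detections that were reported but not enforced. The sample input is an excerpt of the page's trap, and the OID-to-field mapping (FIELD_MAP) is an assumption inferred from the sample values, so treat the field names as illustrative.

```python
"""Parse a McAfee ePO threat trap (snmptrapd text form) into a normalized event.

Added example, not FortiSIEM's own parser. The OID-to-field mapping is an
assumption inferred from the values in the sample trap, not McAfee's MIB.
"""
import re
from typing import Dict, List

# Trap OID seen in the sample; varbind OIDs below are suffixes of it.
TRAP_OID = "SNMPv2-SMI::enterprises.3401.12.2.1.1"

# ASSUMPTION: meanings inferred from the sample values, not from the MIB.
FIELD_MAP = {
    ".5.2.70": "host_name",
    ".5.2.90": "host_ip",
    ".5.2.370": "event_description",
    ".5.2.340": "action_taken",
    ".5.2.310": "severity",
    ".5.2.580": "process_name",
    ".5.2.570": "user_name",
    ".5.2.280": "target_file",
    ".5.2.320": "rule_name",
}

# Constructed input: an excerpt of the page's sample trap, joined on one line
# the way snmptrapd prints it.
SAMPLE_TRAP = (
    '2017-05-30 16:24:27 192.168.100.205 TRAP, SNMP v1, community fortisiem '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1 Enterprise Specific Trap (101) Uptime: 3:56:08.15 '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.7 = STRING: "Threat_Trigger_Rule" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.70 = STRING: "WIN2012-SKULLC" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.90 = STRING: "192.168.100.205" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.1 = INTEGER: 1 '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.370 = STRING: '
    '"Access Protection rule violation detected and NOT blocked" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.580 = STRING: "FIREFOX.EXE" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.590 = "" '
    r'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.570 = STRING: "WIN2012-SKULLC\Administrator" '
    r'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.280 = STRING: "C:\USERS\ADMINISTRATOR\DOWNLOADS\V3_2994DAT.EXE" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.340 = STRING: "IDS_ACTION_WOULD_BLOCK" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.320 = STRING: '
    '"Browsers launching files from the Downloaded Program Files folder" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.310 = STRING: "Critical"'
)

HEADER_RE = re.compile(
    r"^(?P<received>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<reporting_ip>\d+\.\d+\.\d+\.\d+)\s*TRAP,\s*SNMP v1,\s*community\s+(?P<community>\S+)\s+"
    r"(?P<trap_oid>\S+)\s+Enterprise Specific Trap \((?P<specific>\d+)\)"
)

# One varbind: OID = [TYPE:] "quoted value" | bare value (e.g. INTEGER: 1)
VARBIND_RE = re.compile(
    r'(?P<oid>SNMPv2-SMI::enterprises\.[\d.]+)\s*=\s*'
    r'(?:(?P<type>[A-Za-z0-9]+):\s*)?'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


def parse_trap(text: str) -> Dict[str, object]:
    """Split the raw trap line into header fields and a varbind table.
    Values are kept as lists because ePO repeats some OIDs within one trap."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a recognised SNMP v1 trap line")
    varbinds: Dict[str, List[str]] = {}
    for vb in VARBIND_RE.finditer(text):
        value = vb.group("quoted") if vb.group("quoted") is not None else vb.group("bare")
        varbinds.setdefault(vb.group("oid"), []).append(value)
    return {"header": m.groupdict(), "varbinds": varbinds}


def normalize(parsed: Dict[str, object]) -> Dict[str, object]:
    """Map known OID suffixes to field names; unmapped OIDs go under 'other'."""
    header = parsed["header"]
    event: Dict[str, object] = {
        "reporting_ip": header["reporting_ip"],
        "trap_oid": header["trap_oid"],
        "other": {},
    }
    for oid, values in parsed["varbinds"].items():
        suffix = oid[len(TRAP_OID):] if oid.startswith(TRAP_OID) else oid
        name = FIELD_MAP.get(suffix)
        if name:
            event[name] = values[-1]  # mapped fields are single-valued; keep last
        else:
            event["other"][suffix] = values
    return event


def needs_attention(event: Dict[str, object]) -> bool:
    """True when the rule fired but only reported: in the sample, Access Protection
    logged 'NOT blocked' / IDS_ACTION_WOULD_BLOCK, so the activity was not contained."""
    action = str(event.get("action_taken", ""))
    desc = str(event.get("event_description", ""))
    return action == "IDS_ACTION_WOULD_BLOCK" or "NOT blocked" in desc


if __name__ == "__main__":
    ev = normalize(parse_trap(SAMPLE_TRAP))
    for key in ("reporting_ip", "host_name", "severity", "rule_name", "process_name",
                "target_file", "user_name", "action_taken"):
        print(f"{key:18} {ev.get(key)}")
    print("needs attention:", needs_attention(ev))
```

The script keeps every varbind (including repeats) so nothing from the trap is lost when a field name is unknown, and the `needs_attention` check is the triage point a SOC would want surfaced: a Critical Access Protection rule that fired in report-only mode means the download launched by the browser was observed, not stopped.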
