taiprodhifi1986's Ownd

McAfee ePO actions

2022.01.19 02:49
The following terms are used throughout the installation and configuration documentation for the integration. Plugins are software components that provide specific features and functionalities within your Now Platform instance.


For more information on the installation and configuration of the integration plugins, see Install the application and configure a server for the McAfee ePO integration.


The following figure is an example of a customer environment. After you are connected, you invoke capabilities from your Now Platform to initiate malware scans, isolate host machines and restore them to your network, retrieve last scan results, and gather system details on your assets. When these capabilities return results from your assets that match your search criteria, data is pulled via the MID server into your Now Platform instance.


The following figure illustrates the data flow for one group of endpoints managed by one McAfee ePO console. As the figure shows, this integration can support more than one McAfee ePO console. You may also choose to configure multiple MID servers if your organization requires it. This extension plugin is required for the integration.


The security tags in your McAfee ePO console must match the security tags in the capability records in your Now Platform instance. The following steps show you how to install the extension plugin, create a security tag in your McAfee ePO console, and assign an action to the tag. Role required: McAfee ePO administrator. For this example, a tag with a name and description for the Initiate Malware Scan capability is displayed.


This tag name is what is matched and referenced in your Now Platform instance.


I downloaded and installed the Splunk Add-On Builder 2. I was quickly dropped into a very handy wizard that walks you through the entire process needed to make custom alert actions. The wizard takes you through all the steps you need to create and describe the add-on, collect initial setup data from the user, and collect data needed for each individual alert.


Perhaps the biggest hurdle to creating custom alerts in the past was the effort required to generate the initial setup screens and securely store the passwords. The Add-On Builder takes care of all of that for you!


Adding optional functionality to support Enterprise Security 4. I had to ensure that I had the latest Common Information Model installed on my system, and then just had to fill out 3 drop-down lists and 3 text fields to categorize the action. Enabling Splunk users to automate security responses has never been easier! The next step was to actually code the alert action in the tool using a little Python. All I had to do was a little cut and paste, a bit of research on how to interface with the McAfee ePO web API, and the usual code troubleshooting that needs to be done when you have a guy with only a history degree writing Python scripts.


The helper functions in the sample code made most of it trivially easy.