IBM Security QRadar


Problems in integrating McAfee ePolicy Orchestrators to QRadar

  • 1.  Problems in integrating McAfee ePolicy Orchestrators to QRadar

    Posted Wed October 23, 2019 05:59 AM
    Edited by sanba06c Wed October 23, 2019 09:52 PM
    Hello everyone,

    I attempted to integrate "McAfee ePolicy Orchestrator" (antivirus appliance) to QRadar. However, there were some errors, which made it unsuccessful. Is there any "step-by-step demonstration process" for this integration (or is there any simpler way to forward logs from McAfee ePolicy Orchestrator to QRadar)? Although there is a guide from IBM, it still seems a little bit complicated for me. 

    When it comes to my case, here are some of my specific enquiries:

    Installation of RPMs:

    "If automatic updates are not enabled, RPMs are available for download from the IBM support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console.
    • JDBC Protocol RPM
    • SNMP Protocol RPM
    • DSMCommon RPM
    • McAfee ePolicy Orchestrator DSM RPM"
    On my QRadar system, automatic updates are enabled, but I could not find JDBC, SNMP, and McAfee ePolicy Orchestrator. So, should I install these three mentioned RPMs? If so, as with "McAfee ePolicy Orchestrator DSM RPM", I failed to find version 7.3 for my existing QRadar (only version 7.2 is available on IBM FixCentral), so is it correct or did I miss something here?

    Add a McAfee ePolicy Orchestrator log source on the QRadar Console:

    "Log source parameters: SNMPv1, v2, v3, and JDBC": Should I install all of these four protocols or just the one corresponding to "registered server" on McAfee ePolicy Orchestrators? I used SNMPv2 for the registered server. So I assume that it would be necessary to install the mentioned protocol only on QRadar.  

    Any response would be highly appreciated.

    ------------------------------
    TRAN NAM
    ------------------------------


  • 2.  RE: Problems in integrating McAfee ePolicy Orchestrators to QRadar

    Posted Tue October 29, 2019 09:43 AM
    Hi @TRAN NAM

    I have never integrated McAfee ePO into QRadar. May I ask which QRadar version you are on? Regarding your case where you are unable to see the protocols: I am running v7.3.2 and I can see JDBC, SNMP v1/2 and 3 for McAfee ePolicy Orchestrator. So I would suggest installing the protocols from scratch. Also, you absolutely require the McAfee ePolicy Orchestrator DSM RPM and the DSMCommon RPM. You need the former to parse the events automatically and efficiently. You need the latter also in other cases and for other log sources.

    Apart from these two, you can choose to install only SNMP v2 or all the protocols. It doesn't really matter and depends on your decision.

    Hope this helps.


    ------------------------------
    Chinmay Kulkarni
    ------------------------------



  • 3.  RE: Problems in integrating McAfee ePolicy Orchestrators to QRadar

    Posted Tue October 29, 2019 04:17 PM
    Hi Tran,

    I have onboarded many McAfee ePO servers into QRadar and I highly recommend using JDBC. SNMP can cause a load on the server and must be very granularly defined in order to provide any value.

    With JDBC, you're configuring a read-only account to remotely query the back-end SQL database and sending those query results into QRadar.

    The query is essentially 

    select * from ePOEvents;

    so you're getting the benefit of threat events as well as "Scan was stopped", "Scan was started" kind of things as well.

    ------------------------------
    Paul
    ------------------------------
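A least-privilege way to provision the read-only account Paul describes, as an added example that is not from this thread or from IBM/McAfee documentation. It assumes the ePO back end is Microsoft SQL Server (which ePO uses); the database name ePO_DB, the login name qradar_reader and the password are placeholders to replace with your own.

```sql
-- Added example (not from the thread or from IBM/McAfee documentation).
-- T-SQL for the Microsoft SQL Server instance that hosts the ePO database.
-- Assumptions: database named ePO_DB (placeholder), collector login named
-- qradar_reader (placeholder), <strong-password> to be replaced.

USE [master];
GO
-- A dedicated SQL login for the collector; no server roles (in particular,
-- not sysadmin), so a leaked credential cannot alter ePO or the server.
CREATE LOGIN [qradar_reader] WITH PASSWORD = N'<strong-password>', CHECK_POLICY = ON;
GO

USE [ePO_DB];
GO
CREATE USER [qradar_reader] FOR LOGIN [qradar_reader];
GO
-- Grant SELECT only on the table the collector query touches.
GRANT SELECT ON OBJECT::dbo.ePOEvents TO [qradar_reader];
GO

-- Verify, as the new principal, that the collector query works and nothing
-- beyond SELECT is permitted (run this as the DB administrator).
EXECUTE AS USER = 'qradar_reader';
SELECT TOP (5) * FROM dbo.ePOEvents;        -- succeeds: this is the query QRadar runs
-- DELETE FROM dbo.ePOEvents;               -- would fail: no DELETE permission
REVERT;
GO

-- Audit what the collector account can actually do in this database.
SELECT dp.state_desc, dp.permission_name,
       OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON dp.grantee_principal_id = pr.principal_id
WHERE pr.name = 'qradar_reader';
GO
```

If the log source later needs additional tables, grant SELECT on each of them explicitly rather than raising the account to db_datareader or sysadmin.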



  • 4.  RE: Problems in integrating McAfee ePolicy Orchestrators to QRadar

    Posted Thu November 21, 2019 02:33 PM
    Hi @Paul Goffar,

    I have integrated QRadar with McAfee ePO, but QRadar couldn't read the DB. We have investigated the issue with our DB admin. QRadar can reach the DB but couldn't read the DB. We have increased the user permission to sysadmin. What was your DB configuration? We used the DSM and McAfee manuals for configuration.

    Any help and document would be appreciated.


    ------------------------------
    Jasmine
    ------------------------------

    Attachment: McAfee_EPO.pdf (158 KB)


  • 5.  RE: Problems in integrating McAfee ePolicy Orchestrators to QRadar

    Posted Fri November 22, 2019 09:19 AM
    Have you visited the App Exchange and used the free app? If not, try it; I think it will end your frustration. If not, please let me know.

    Link to QRadar App Exchange (you can enter as guest)

    https://exchange.xforce.ibmcloud.com/hub

    and then look for this app:

    IBM QRadar Custom Properties for McAfee EPO

    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 6.  RE: Problems in integrating McAfee ePolicy Orchestrators to QRadar

    Posted Sat November 23, 2019 12:08 PM
    Hi Richard,

    QRadar could connect to the McAfee DB, but we have this error:

    com.q1labs.semsources.sources.jdbc.JdbcEventConnector: [ERROR] Chained SQL Exception [1/1]: Invalid parameter index 1.

    Best
    Jasmine

    ------------------------------
    Jasmine
    ------------------------------