EventTracker: Integrating McAfee ePolicy Orchestrator
Publication Date: Jan 18, 2012
EventTracker
8815 Centre Park Drive
Columbia MD 21045
www.eventtracker.com
About This Guide

Purpose
This guide explains how to configure McAfee ePolicy Orchestrator (ePO), Trap Tracker and EventTracker so that EventTracker receives McAfee ePolicy Orchestrator events. It contains the detailed procedures required for monitoring ePolicy Orchestrator with EventTracker.

Intended Audience
Administrators who are assigned the task of monitoring and managing events using EventTracker.

Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x and earlier, and McAfee ePolicy Orchestrator 4.5 and later.
Table of Contents
Overview
Pre-requisite
Configure McAfee ePolicy Orchestrator to log all client events
Configure McAfee ePolicy Orchestrator to send all events as SNMP traps to Trap Tracker
  Add SNMP server
  Create automatic response rule
Trap Tracker configuration
Import McAfee ePO knowledge pack into EventTracker
  To import Categories
  To import Alerts
  To import Scheduled Reports
Verify McAfee ePO knowledge pack in EventTracker
  Verify McAfee categories
  Verify McAfee alerts
  Verify McAfee scheduled reports
Sample Analysis report
Overview
To monitor McAfee ePolicy Orchestrator 4.6 in EventTracker, perform the following configurations:
Configure McAfee ePolicy Orchestrator to log all client events.
Configure McAfee ePolicy Orchestrator to send all events as SNMP traps to Trap Tracker.
Configure Trap Tracker to forward the events to the EventTracker system.

Pre-requisite
EventTracker should be installed with Trap Tracker.
McAfee ePolicy Orchestrator 4.6 (or later) should be installed.
Each McAfee ePO console requires one Trap Tracker license.

Configure McAfee ePolicy Orchestrator to log all client events
1 Launch McAfee ePolicy Orchestrator.
2 Enter appropriate user credentials, and log in.
3 Click Menu on the navigation bar, click Configuration, and then click Server Settings.
4 In Setting Categories, click Event Filtering.
NOTE: On the right side, the message should read "The agent forwards: All events to the server". If ePO is left at a filtered subset of events, the agents never send the remaining client events to the ePO server, so those events can never be forwarded to EventTracker as traps.
5 To change the setting (if required), click the Edit button.
6 Select the appropriate option (All events to the server), and then click the Save button.
7 In Setting Categories, click Event Notifications. Here you set the interval at which ePO evaluates new events against Automatic Responses; this interval is an upper bound on the delay between an event reaching ePO and the corresponding trap being sent.
8 To change the Evaluation Interval, click the Edit button.
9 Enter the required time in the Minutes text box, and then click the Save button.
Configure McAfee ePolicy Orchestrator to send all events as SNMP traps to Trap Tracker

Add SNMP server
Before creating the automatic response, register the SNMP server (the Trap Tracker host) that ePO will send traps to. To add the SNMP server,
1 Click Menu on the navigation bar, click Configuration, and then click Registered Servers.
2 Click the New Server button.
Figure 1
3 Select Server type as SNMP Server.
4 Enter the name and description of the server.
NOTE: The server name should be the name of the Trap Tracker or EventTracker server.
5 Click the Next button.
6 Enter the appropriate address.
NOTE: The address is the DNS name or IP address of the host on which Trap Tracker is listening. Make sure that SNMP traps (UDP port 162 by default) are allowed from the ePO server to that host through any firewall in between.
7 Enter the SNMP version and Security details, and then click the Save button.
NOTE: With SNMPv1 and SNMPv2c, the community string and the whole trap payload (system names, user names, threat details) cross the network in cleartext. Prefer SNMPv3 with authentication and privacy where both ePO and Trap Tracker support it. If a community string must be used, do not reuse the default "public", and restrict which hosts can reach the Trap Tracker listener.
Create automatic response rule
1 Click Menu on the navigation bar, click Automation, and then click Automatic Responses.
Figure 2
2 Click the Actions button, and then click New Response, or click Edit on an existing rule. McAfee ePO opens the Response Builder page.
3 In the Description tab, enter the response's name in the Name box. From the Event Group dropdown, select ePO Notification Events. Select Threat as the Event Type. Select Enabled in Status to enable the response.
4 After making the appropriate changes, click the Next button.
5 In the Filter tab, verify the criterion: Defined at should be "System is in group or subgroup", with the value My Organization.
6 Click the Next button.
7 In the Aggregation tab, make the required changes to define when the event triggers the rule, and then click the Next button.
8 In the Actions tab, select the Send SNMP Trap option from the dropdown.
Figure 3
9 Select the target SNMP server from SNMP Servers, then select each value in Available Type in turn and click the arrow button, so that every value is moved to the selected list.
Figure 4
10 Click the Next button.
11 In the Summary tab, verify the updated details.
Figure 5
12 Click the Save button.
NOTE: The steps above configure only the Threat event type to be sent as SNMP traps. To configure ePO to send all events as SNMP traps, repeat the steps above for the Client and Server event types.

Trap Tracker configuration
1 Launch the EventTracker Control Panel.
2 Double click Trap Tracker.
3 Click the Options menu, and then click Configuration.
Figure 6
4 Select the Forward all traps to EventTracker Manager checkbox.
5 Verify the Destination and Port number, and then click the OK button.
6 Click the Tools menu, and then click MIB Compiler. EventTracker opens the MIB Compiler.
Figure 7
7 Click the File menu, and then click Compile one MIB. EventTracker displays the Open MIB file pop-up window.
8 Select the NAI-MIB.mib file, and then click the Open button. EventTracker displays a confirmation message box.
Figure 8
9 Click the Yes button. EventTracker displays a window prompting you to provide the missing module.
Figure 9
10 Click the Browse button. EventTracker displays the Open window so that you can search for the module.
Figure 10
NOTE: The path for the standard modules is <install dir>\traptracker\smi\mibs\ietf.
11 In the Open window, locate the missing module, and then click the Open button.
NOTE: EventTracker prompts you for each missing module in turn. Repeat steps 10 and 11 for every missing module. Once all the required modules have been added, EventTracker returns to the MIB Compiler and displays a success message in the bottom pane.
Figure 11
12 Click the File menu, and then click the Compile one MIB option. EventTracker displays the Open MIB file pop-up window.
13 Select the TVD-MIB.mib file, and then click the Open button. EventTracker displays a confirmation window.
14 Click the Yes button.
15 Click the File menu, and then click the Compile one MIB option. EventTracker displays the Open MIB file pop-up window.
16 Select the EPO-MIB.mib file, and then click the Open button. EventTracker displays a confirmation window.
17 Click the Yes button.
NOTE: The MIB files must be compiled in the following order, because the later files depend on definitions from the earlier ones:
NAI-MIB.mib
TVD-MIB.mib
EPO-MIB.mib
Compiling them out of order produces a missing-module prompt for a vendor module that has not been compiled yet.
You need to compile the MIB files manually only for EventTracker Enterprise version 7.2 and earlier. Later releases compile them automatically.
To save the compiled MIB files to disk, click the File menu, and then click Save, or click the Save icon on the toolbar.
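The compile-order requirement in the note above follows from the IMPORTS clauses of the MIB modules: a module can only be compiled after every module it imports from, and a module that is not yet compiled is exactly what the compiler prompts for as "missing". The following is an added example written for this guide; it is not EventTracker's MIB compiler and does not read the real McAfee files. It parses the IMPORTS clauses of a set of MIB texts, derives the compile order by topological sort (so it generalizes the three-file sequence to any set of vendor MIBs), and separates the standard modules you will be asked to browse for under smi\mibs\ietf from imports that nothing provides. The three MIB texts embedded in it are constructed, minimal stand-ins for NAI-MIB, TVD-MIB and EPO-MIB; their object definitions and OID arcs are placeholders, not McAfee's.

```python
import re
from graphlib import CycleError, TopologicalSorter  # Python 3.9+

# Constructed, heavily simplified stand-ins for the three vendor MIBs named in
# the guide. Only the module headers and IMPORTS clauses matter here; the
# object definitions and OID arcs are placeholders, not McAfee's real ones.
SAMPLE_MIBS = {
    # Listed out of compile order on purpose: the sorter has to fix that.
    "EPO-MIB.mib": """
EPO-MIB DEFINITIONS ::= BEGIN
IMPORTS
    OBJECT-TYPE, NOTIFICATION-TYPE FROM SNMPv2-SMI
    DisplayString FROM SNMPv2-TC
    tvdProducts FROM TVD-MIB;   -- needs TVD-MIB compiled first
epo OBJECT IDENTIFIER ::= { tvdProducts 1 }
END
""",
    "TVD-MIB.mib": """
TVD-MIB DEFINITIONS ::= BEGIN
IMPORTS
    OBJECT-TYPE FROM SNMPv2-SMI
    nai FROM NAI-MIB;           -- needs NAI-MIB compiled first
tvdProducts OBJECT IDENTIFIER ::= { nai 1 }
END
""",
    "NAI-MIB.mib": """
NAI-MIB DEFINITIONS ::= BEGIN
IMPORTS
    enterprises FROM SNMPv2-SMI;
nai OBJECT IDENTIFIER ::= { enterprises 99999 }  -- placeholder arc
END
""",
}

# Standard modules that ship with the compiler (the guide's smi\mibs\ietf folder).
STANDARD_MODULES = {"SNMPv2-SMI", "SNMPv2-TC", "SNMPv2-CONF"}

HEADER_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+DEFINITIONS\s*::=\s*BEGIN", re.M)
IMPORTS_RE = re.compile(r"\bIMPORTS\b(.*?);", re.S)
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z][\w-]*)")


def strip_comments(text):
    # ASN.1 comments run from "--" to end of line; the inline "-- ... --"
    # form is not handled, which is enough for IMPORTS clauses.
    return re.sub(r"--.*", "", text)


def parse_mib(text):
    """Return (module name, set of module names it IMPORTS from)."""
    text = strip_comments(text)
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'DEFINITIONS ::= BEGIN' header found")
    imports = IMPORTS_RE.search(text)
    needed = set(FROM_RE.findall(imports.group(1))) if imports else set()
    return header.group(1), needed


def compile_order(mib_files):
    """Return (file names in compile order, modules imported but not defined here).

    mib_files maps file name -> MIB text. Raises ValueError on circular IMPORTS.
    """
    by_name = {}
    for fname, text in mib_files.items():
        name, needed = parse_mib(text)
        by_name[name] = (fname, needed)
    external = set()
    sorter = TopologicalSorter()
    for name, (_, needed) in by_name.items():
        local_deps = [dep for dep in needed if dep in by_name]
        external |= needed - set(by_name)
        sorter.add(name, *local_deps)  # a module sorts after everything it imports from
    try:
        ordered = list(sorter.static_order())
    except CycleError as exc:
        raise ValueError(f"circular IMPORTS between MIBs: {exc.args[1]}") from None
    return [by_name[n][0] for n in ordered], external


def missing_modules(mib_files, available=STANDARD_MODULES):
    """Imports the compiler would prompt for that nothing on disk provides."""
    _, external = compile_order(mib_files)
    return external - available


if __name__ == "__main__":
    order, external = compile_order(SAMPLE_MIBS)
    print("compile in this order:", " -> ".join(order))
    print("standard modules to browse for:", sorted(external & STANDARD_MODULES))
    print("unresolvable imports:", sorted(external - STANDARD_MODULES) or "none")
```

Point the script at real .mib files by reading them into the dictionary instead of SAMPLE_MIBS; the same function then tells you, before you open the MIB Compiler, in which order to feed it the files and which IETF modules to have ready.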
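Before relying on the first real threat event to prove the path, it is worth sending a known test trap from the ePO host and checking that Trap Tracker shows it and forwards it to the EventTracker Manager. The following is an added example, not code from EventTracker or McAfee: it hand-encodes an SNMPv2c trap in BER (the two mandatory sysUpTime.0 and snmpTrapOID.0 varbinds, using the standard coldStart trap as the test notification) and sends it over UDP with nothing beyond the Python standard library. The community string, the extra varbind and its OID under 1.3.6.1.4.1.99999 are constructed placeholders; the real ePO trap OIDs are defined in the compiled EPO-MIB and are not reproduced here. Net-SNMP's snmptrap utility does the same job where it is installed. Because this uses SNMPv2c, the community string crosses the network in cleartext, so use a throwaway value, and note that it exercises only the v1/v2c listener, not an SNMPv3 configuration.

```python
import socket

# Well-known OIDs that every SNMPv2c trap carries as its first two varbinds.
SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"        # sysUpTime.0 (TimeTicks)
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0 (OBJECT IDENTIFIER)
COLD_START = "1.3.6.1.6.3.1.1.5.1"         # coldStart: a standard trap, fine as a test


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value, tag=0x02):
    """Two's-complement INTEGER in the minimal number of octets (value >= 0)."""
    if value < 0:
        raise ValueError("a trap only needs non-negative integers")
    n = (value.bit_length() + 8) // 8  # one spare bit keeps the sign bit clear
    return tlv(tag, value.to_bytes(n, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def ber_string(text):
    return tlv(0x04, text.encode("utf-8"))


def build_v2c_trap(community, trap_oid, varbinds=(), uptime_ticks=0, request_id=1):
    """Encode an SNMPv2c message carrying an SNMPv2-Trap-PDU (context tag 7, 0xA7).

    varbinds is a sequence of (dotted OID, already BER-encoded value).
    """
    vbl = [
        tlv(0x30, ber_oid(SYS_UPTIME_0) + ber_int(uptime_ticks, 0x43)),  # 0x43 = TimeTicks
        tlv(0x30, ber_oid(SNMP_TRAP_OID_0) + ber_oid(trap_oid)),
    ]
    vbl += [tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds]
    pdu = tlv(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0)  # error-status, error-index
              + tlv(0x30, b"".join(vbl)))
    return tlv(0x30, ber_int(1) + ber_string(community) + pdu)  # version 1 means SNMPv2c


def send_trap(message, host, port=162):
    """Fire the encoded trap at the Trap Tracker host over UDP (traps get no reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message, (host, port))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # Community string, extra varbind and its OID are constructed test values.
    msg = build_v2c_trap("test-community", COLD_START,
                         [("1.3.6.1.4.1.99999.1", ber_string("ePO to Trap Tracker path test"))],
                         uptime_ticks=12345)
    send_trap(msg, host)
    print(f"sent {len(msg)}-byte SNMPv2c coldStart trap to {host}:162")
```

Run it on the ePO server with the Trap Tracker host name as the argument, using the community string you registered for the SNMP server; the trap should appear in Trap Tracker, and, with "Forward all traps to EventTracker Manager" enabled, in EventTracker. If it does not, the problem is in the network path or the Trap Tracker listener, not in the ePO response configuration.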
Import McAfee ePO knowledge pack into EventTracker
1 Launch the EventTracker Control Panel.
2 Double click Import Export Utility.
3 Click the Import tab.
4 Import the Categories, Alerts and Scheduled Reports as described below.

To import Categories
1 Click the Category option, and then click the browse button.
2 Locate the McAfee EPO categories.iscat file, and then click the Open button.
3 Click the Import button to import the categories.

To import Alerts
1 Click the Alert option, and then click the browse button.
2 Locate the McAfee EPO Alerts.isalt file, and then click the Open button.
3 Click the Import button to import the alerts.

To import Scheduled Reports
1 Click the Scheduled Report option, and then click the browse button.
2 Locate the McAfee EPO Threat analysis report.issch file, and then click the Open button.
3 Click the Import button to import the scheduled reports.
Verify McAfee ePO knowledge pack in EventTracker

Verify McAfee categories
1 Log on to EventTracker Enterprise.
2 Click the Admin dropdown, and then click Categories.
3 In the Category Tree, expand Antivirus. The imported categories are listed under McAfee EPO.
Figure 12

Verify McAfee alerts
1 Log on to EventTracker Enterprise.
2 Click the Admin dropdown, and then click Alerts.
3 In the Search field, type McAfee, and then click the Go button. The Alert Management page displays all the imported alerts.
Figure 13
4 To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays a message box.
Figure 14
5 Click the OK button, and then click the Activate Now button.
NOTE: You can select alert notifications such as Beep, Email and Message. To do so, select the respective checkbox on the Alert Management page, and then click the Activate Now button.
Verify McAfee scheduled reports
1 Log on to EventTracker Enterprise.
2 Click the Analysis tab.
3 In the Actions pane, click Defined. EventTracker displays the Defined Analysis page.
Figure 15
Here you can find the imported scheduled report, McAfee HIPS threat detail report.
4 Select the imported analysis, and then click the Schedule button.
5 Select the Groups/Systems/All Systems for the analysis, and then click the Next >> button.
6 Select the Schedule and More options, and then click the Next >> button.
7 Select or add the column(s) to display, and then click the Next >> button.
8 Enter the Refine and Filter criteria, and then click the Next >> button.
9 Enter the Title and Description for the analysis, and then click the Next >> button.
10 Cross-check the Disk cost analysis details.
11 Configure the Publishing options as required, and then click the Next >> button.
12 Click the Schedule button. EventTracker displays a message box.
Figure 16
13 Click the OK button.
Sample Analysis report
EPO Threat Event Details Analysis