
Mcaffee app splunk base





From the Splunk launcher or the app drop-down menu, select the "System Tagger for McAfee ePO" app. Once installed, you will need to configure it with the ePO server information and access credentials. The search head(s) will need network connectivity to the McAfee ePO server over the ePO port in use in your environment (default 8000 or 8443).

#INSTALL#

To install this app, deploy it to your search head(s) directly or via the normal search head cluster deployer mechanisms. PLEASE NOTE: users of older versions of this add-on may need to remove and re-install the app because the app had to be renamed. This add-on works both as a custom alert action in Splunk Enterprise 6.3+ and as an Adaptive Response Framework action in Splunk Enterprise Security 4.5+. It also includes inputs and dashboard panels to list and search systems and tags in ePO.


The System Tagger for McAfee ePO add-on allows Splunk users who also use McAfee ePolicy Orchestrator (ePO) for endpoint security management to apply or remove ePO tags on systems in ePO as the result of a search. This enables automation between any data in Splunk and McAfee endpoint security. For example, if a Splunk query detects an endpoint communicating with a malicious host (e.g., via proxy logs correlated with threat intel), the add-on can tag that system as "compromised" in ePO. Once the system is tagged in ePO, new endpoint policies can be applied automatically and/or new tasks can be assigned in ePO. ePO can automatically run tag-specific tasks such as AV scans, and/or apply policies such as blocking outbound communications via the endpoint firewall on the compromised host.
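The detection half of the workflow described above (proxy logs correlated against threat intel to decide which endpoints to tag) can be illustrated with a small script. This is an added example, not code from the original page or from the add-on itself; the proxy log format, the hostnames, and the indicator domains are all constructed for the example, and the result is the list of systems that an alert action would hand to ePO for tagging.

```python
"""
Correlate proxy log lines against a threat-intel indicator set and return
the endpoints that would be tagged (e.g. as "compromised") in ePO.

Added example: the log format, hosts and indicators below are constructed.
"""
import re

# Constructed sample proxy log lines (key=value format is an assumption).
SAMPLE_PROXY_LOGS = [
    "2024-05-01T10:00:01Z src_host=WS-0231 dest=updates.example.com action=allowed",
    "2024-05-01T10:00:05Z src_host=WS-0231 dest=bad-cdn.example.net action=allowed",
    "2024-05-01T10:00:07Z src_host=LT-0419 dest=intranet.example.com action=allowed",
    "2024-05-01T10:00:09Z src_host=LT-0419 dest=evil-c2.example.org action=blocked",
    "2024-05-01T10:00:11Z src_host=SRV-0007 dest=bad-cdn.example.net action=allowed",
    "malformed line without the expected fields",
]

# Constructed threat-intel indicators (hypothetical malicious domains).
THREAT_INTEL_DOMAINS = {"bad-cdn.example.net", "evil-c2.example.org"}

# Field extractor for the constructed log format.
LOG_RE = re.compile(
    r"src_host=(?P<src>\S+)\s+dest=(?P<dest>\S+)\s+action=(?P<action>\S+)"
)


def parse_proxy_line(line):
    """Return a dict with src, dest and action, or None if the line is malformed."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    # Normalise the destination so indicator matching is case-insensitive.
    fields["dest"] = fields["dest"].lower().rstrip(".")
    return fields


def find_compromised_hosts(log_lines, indicators, allowed_only=False):
    """
    Map each source host that contacted (or tried to contact) an indicator
    to the sorted list of indicators it matched.

    A blocked connection attempt is still evidence that the endpoint tried to
    reach the malicious host, so blocked lines count unless allowed_only=True.
    """
    normalised = {d.lower().rstrip(".") for d in indicators}
    hits = {}
    for line in log_lines:
        fields = parse_proxy_line(line)
        if fields is None:
            continue  # skip malformed lines rather than failing the whole run
        if allowed_only and fields["action"] != "allowed":
            continue
        if fields["dest"] in normalised:
            hits.setdefault(fields["src"], set()).add(fields["dest"])
    return {host: sorted(domains) for host, domains in hits.items()}


def hosts_to_tag(log_lines, indicators, allowed_only=False):
    """Sorted list of system names that the tag action would receive."""
    return sorted(find_compromised_hosts(log_lines, indicators, allowed_only))


if __name__ == "__main__":
    for host, domains in find_compromised_hosts(SAMPLE_PROXY_LOGS, THREAT_INTEL_DOMAINS).items():
        print(f"{host}: {', '.join(domains)}")
    print("systems to tag:", hosts_to_tag(SAMPLE_PROXY_LOGS, THREAT_INTEL_DOMAINS))
```

In a Splunk deployment this correlation is the search that fires the alert; the add-on's alert action then applies the tag to the resulting hostnames. Returning a host-to-indicator mapping rather than a bare host list keeps the evidence that justified the tag, which is useful when an analyst later reviews why a policy was applied to a system.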





