Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.
Device Configuration- McAfee (Now Trellix) EPO
- 1 Overview
- 2 Steps Of Configuration
- 2.1 On CCE server:
- 2.2 On McAfee EPO :
- 3 Verification
- 3.1 On CCE server
- 3.2 On UI
Overview
In this document we will guide you with integration of McAfee EPO with Seceon SIEM to have better visibility of threats happening in your environment. We will guide with steps to configure syslog in McAfee GUI and the process to enable TCP over TLS on CCE server.
Steps Of Configuration
Steps to be taken to enable protocol TCP over TLS on CCE server so that CCE start collecting the data through TCP protocol : -
On CCE server:
Login as Seceon user on CCE
Go inside the cce-log processor by running the command : otmdoc -s cce-log processor
Then run the command : cd /docker/config
Go inside logstash-bas-var.yml file to enable tcp over tls : vi logstash-bas-var.yml
Now press i in the keyboard to insert and in front of tcp over tls make it true tcp over tls: True
Press Esc colun(:) wq esclamation mark(!) in keyboard to save the changes
Restart the log processor container by running the command : otmdoc -r log-processor
Steps to be taken on McAfee EPO console : -
On McAfee EPO :
Add the syslog server as a registered server and send information (responses or Solidcore events) to the syslog server
On the McAfee EPO console, select Menu → Configuration → Registered Servers, then click New Server to open the Registered Server Builder wizard.
Select Solidcore Syslog Server from the Server type list.
Specify the server name, add any notes, then click Next.
Modify the syslog server port as 514.
Enter the server address. Put the CCE IP in the place of server address.
Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.
Click Test Syslog send to verify the connection to the server. It should be successful
Click Save.
You can choose to send specific responses to the syslog server (complete step 2) or use the seeded response to send all Solidcore events to the syslog server (complete step 3).
Send responses to the syslog server
Verification
On CCE server
Login with Seceon as a user and run the command : sudo tcpdump -i any port 514 and host <McAfee IP> to see if syslog are coming on CCE server
On UI
Log in to UI with Administrative Rights & Navigate to System>> Log/Flow Collection Status Option.
Inside Source Device IP, the IP Address of the Device will reflect including the no. of logs sent to the Seceon Servers.
Reference : Trellix Doc Portal
Seceon Inc. All rights reserved. https://www.seceon.com