Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Device Configuration- McAfee (Now Trellix) EPO

Overview

In this document we will guide you with integration of McAfee EPO with Seceon SIEM to have better visibility of threats happening in your environment. We will guide with steps to configure syslog in McAfee GUI and the process to enable TCP over TLS on CCE server.

Steps Of Configuration

Steps to be taken to enable protocol TCP over TLS on CCE server so that CCE start collecting the data through TCP protocol : -

On CCE server:

  1. Login as Seceon user on CCE

  2. Go inside the cce-log processor by running the command : otmdoc -s cce-log processor

  3. Then run the command : cd /docker/config

  4. Go inside logstash-bas-var.yml file to enable tcp over tls : vi logstash-bas-var.yml

  5. Now press i in the keyboard to insert and in front of tcp over tls make it true tcp over tls: True

  6. Press Esc colun(:) wq esclamation mark(!) in keyboard to save the changes

  7. Restart the log processor container by running the command : otmdoc -r log-processor

 

Steps to be taken on McAfee EPO console : -

On McAfee EPO :

  1. Add the syslog server as a registered server and send information (responses or Solidcore events) to the syslog server

    1. On the McAfee EPO console, select MenuConfigurationRegistered Servers, then click New Server to open the Registered Server Builder wizard.

    2. Select Solidcore Syslog Server from the Server type list.

    3. Specify the server name, add any notes, then click Next.

    4. Modify the syslog server port as 514.

    5. Enter the server address. Put the CCE IP in the place of server address.

    6. Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.

    7. Click Test Syslog send to verify the connection to the server. It should be successful

    8. Click Save.

    You can choose to send specific responses to the syslog server (complete step 2) or use the seeded response to send all Solidcore events to the syslog server (complete step 3).

  2. Send responses to the syslog server

Verification

On CCE server

Login with Seceon as a user and run the command : sudo tcpdump -i any port 514 and host <McAfee IP> to see if syslog are coming on CCE server

On UI

  1. Log in to UI with Administrative Rights & Navigate to System>> Log/Flow Collection Status Option.

  2. Inside Source Device IP, the IP Address of the Device will reflect including the no. of logs sent to the Seceon Servers.

Reference : Trellix Doc Portal

 

Seceon Inc. All rights reserved. https://www.seceon.com