Version 10.4.3 (Vancouver)
The McAfee ePO integration automates security operations center (SOC) tasks such as gathering system details and threat event information. Security analysts use this information to investigate security incidents, and the integration supports follow-up actions such as initiating malware scans and isolating systems from the network.
The following McAfee ePO capabilities are available for this integration:
- Get System Details
- List Threat Events
- Initiate Malware Scan
- Isolate Host
This integration includes the following key features:
- Supports automated triggering of McAfee ePO queries and actions based on incident conditions.
- Supports launching McAfee ePO capabilities manually from Now Platform® Security Incident Response (SIR) security incidents.
- Supports creating multiple profiles for triggering different types of McAfee ePO and Now Platform Security Operations capabilities. These profiles automatically gather threat event information based on the conditions of specific incident types, such as malware.
- Validate your profile configuration with a preview of the McAfee ePO results on SIR security incidents.
- Initiate malware scans from a SIR security incident to identify potential system compromise.
- Isolate compromised systems from the network and, after remediation, return the systems to the network.
- If tagging is enabled, security tags identify which McAfee ePO capabilities are initially launched by a workflow and when the queries or actions are completed.
- A complete audit trail of the McAfee ePO queries and actions is posted on SIR security incidents, and commands from the Now Platform are logged in the McAfee ePO console.
- Supports multiple McAfee ePO consoles so that you can apply different policies to user groups and regions.
Changed:
- Migrated this integration to the capability framework.
- Capability user interface built on the UI Framework for the new workspace.
Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If any are not installed, install and activate them one at a time, in the order listed below, to ensure a smooth installation.
- Security Incident Response
- Security Integration Framework
- Security Support Common
- Security Support Orchestration