The McAfee ePO integration automates security operations center (SOC) tasks such as gathering system details and threat event information. Security analysts use this information to investigate security incidents and assist them with follow-up actions that include initiating malware scans and isolating systems from the network.
The following McAfee ePO capabilities are available for this integration:
- Get System Details
- List Threat Events
- Initiate Malware Scan
- Isolate Host
This integration includes the following key features:
- Supports automated triggering of McAfee ePO queries and actions based on incident conditions.
- Supports launching McAfee ePO capabilities manually from Now Platform® Security Incident Response (SIR) security incidents.
- The flexibility to create multiple profiles for triggering different types of McAfee ePO and Now Platform Security Operations capabilities. These profiles automatically gather threat event information that is based on the conditions of specific incident types such as malware.
- Validate your profile configuration with a preview of the McAfee ePO results on SIR security incidents.
- Initiate malware scans from a SIR security incident to identify potential system compromise.
- Isolate compromised systems from the network and, after remediation, return the systems to the network.
- If tagging is enabled, security tags identify which McAfee ePO capabilities are initially launched by a workflow and when the queries or actions are completed.
- A complete audit trail of the McAfee ePO queries and actions is posted on SIR security incidents, and commands from the Now Platform are logged in the McAfee ePO console.
- Supports multiple McAfee ePO consoles so that you can apply different policies to user groups and regions.
New:
Upgraded all dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes. This update ensures the server consistently enforces read-only behaviour across all UIs, scripts, and integrations.
Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the order listed below to ensure a smooth installation.
- Security Incident Response
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
The ServiceNow Security Operations Extension plugin for McAfee ePO is required for this integration. This extension plugin references the security tags that you create in your McAfee ePO console for the isolate host and initiate malware scan actions.
The zip file with this extension plugin is available in KB0744611 in the HI Knowledge Base: https://hi.service-now.com/kb_view.do?sysparm_article=KB0744611
For more information, see the installation and configuration guide for the McAfee ePO integration on the ServiceNow Store website.