Integration architecture for McAfee ePO

  • Release version: Yokohama
  • Updated July 31, 2025

    This topic gives an overview of the system architecture, lists the key features of the integration, and describes the setup steps that you must complete in your ServiceNow AI Platform instance and in the McAfee ePolicy Orchestrator (McAfee ePO) console before you install the application from the ServiceNow Store.

    Key terms for the McAfee ePO integration

    The following terms are used throughout the installation and configuration documentation for the integration.

    ServiceNow AI Platform
    An enterprise ServiceNow product. The ServiceNow AI Platform is the base upon which individual components, such as Security Incident Response (SIR), IT Service Management (ITSM), and other products are built.
    Security Incident Response (SIR)
    A ServiceNow AI Platform application that tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review and closure.
    Plugin
    Plugins are software components that provide specific features and functionalities within your ServiceNow AI Platform instance. For more information on the installation and configuration of the integration plugins, see Install the application and configure a server for the McAfee ePO integration.

    ePolicy Orchestrator (McAfee ePO)
    The user console where you manage the McAfee services, products and settings.
    McAfee extension plugin
    This ServiceNow extension plugin is required for this integration. This plugin resides on your McAfee ePO console and connects your McAfee ePO console to your ServiceNow AI Platform instance.
    Capability
    An automatic activity initiated from your ServiceNow AI Platform instance that is run in the McAfee ePO console to conduct enrichment queries and perform actions on your assets.
    Profile
    Settings for McAfee ePO capabilities that you configure to specify when and under what conditions capabilities conduct enrichment queries and perform actions on your assets.
    MID server
    An application that facilitates communication and the movement of data between the ServiceNow AI Platform and external applications, data sources, and services.
    ServiceNow administrator (admin)
    A user with this role downloads and installs the SIR and McAfee ePO plugins to your ServiceNow AI Platform instance. A user with this role also assigns the security incident administrator role as required.
    ServiceNow Security incident administrator (sn_si.admin)
    A user with this role performs the configuration of the McAfee ePO integration with the Security Incident Response (SIR) product in your ServiceNow AI Platform instance as required. A user with this role also assigns the security incident analyst role as required.
    ServiceNow security incident analyst (sn_si.analyst)
    A user with this role interacts with and analyzes security incidents in the SIR product.

    System connection and data flow

    The following figure is an example of a customer environment. A ServiceNow AI Platform MID server is required so that your ServiceNow AI Platform instance can connect to a McAfee ePO server (console) via a ServiceNow extension plugin. After you are connected, you invoke capabilities from your ServiceNow AI Platform to initiate malware scans, isolate host machines and restore them to your network, retrieve last scan results, and gather system details on your assets. When these capabilities return results from your assets that match your search criteria, data is pulled via the MID server into your ServiceNow AI Platform instance. Data is displayed on the related lists of a ServiceNow AI Platform Security Incident Response (SIR) security incident. The following figure illustrates the data flow for one group of endpoints managed by one McAfee ePO console.

    Figure 1. Single endpoint configuration (one group of endpoints, one McAfee ePO console, one MID server)

    As shown in the following figure, this integration can support more than one McAfee ePO console. You can have one group of endpoints managed by one McAfee ePO console, and another group of endpoints managed by another McAfee ePO console. Data from multiple McAfee ePO consoles is pulled via a single MID server. However, you also may prefer to configure multiple MID servers if required by your organization.

    Figure 2. MID servers configuration (multiple McAfee ePO consoles, one or more MID servers)

    Workflows for the McAfee ePO integration

    This integration includes the following workflows. These workflows are pre-configured and are designed specifically for this integration. You can edit these workflows to meet the needs of your organization as required. For more general information about workflows and using the workflow editor, see Getting started with workflows.

    • Security Operations McAfee EPO integration - Get Host Details
    • Security Operations McAfee EPO integration - Initiate Malware Scan
    • Security Operations McAfee EPO integration - Isolate Host
    • Security Operations McAfee EPO integration - List Threat Events
    • Security Operations McAfee EPO integration - Remove Isolation

    External systems connection

    The integration requires that the MID server communicates with the McAfee ePO console over an HTTPS connection.