Protection Orchestration Case: Policy Management with McAfee ePO

Protection policy demanding situations

As organizations scale, coordinating security coverage throughout heterogeneous systems and environments turn into difficult. Managers face demanding situations in unifying security policy actions throughout disparate networks and tying in those actions with incident reaction and different security measures.

Using Demisto’s integration with McAfee Antivirus ePolicy Orchestrator (ePO), you can carry policy control under the umbrella of safety orchestration and automation. From running diagnostic playbooks for endpoint connectivity and compliance to automating protection policy adjustments which can get up within the ambit of incident reaction, this integration allows you to leverage the total strength of EPO while increasing efficiency and culling redundant guide responsibilities.

Case: Endpoint Diagnostics

The playbook instance we’ll observe nowadays automates endpoint connectivity tests. The simple glide is given underneath:

This playbook conducts exams: it first assessments for any endpoints that are indexed as unmanaged on EPO, after which assessments if any agents had been unresponsive with EPO for the past three days. For each check, the playbook automates enrichment and remediation moves and lays out a few guide actions that analysts can run remotely.

This playbook highlights the interweaving of automatic and manual responsibilities as appropriate stability for a playbook, permitting analysts to eschew repetitive responsibilities and codify manual operating methods.

allow’s examine the playbook in element:

Step 1: Take a look at for unmanaged endpoints

The playbook will begin by using strolling a conditional challenge to check for unmanaged endpoints indexed in ePO. If it reveals such an endpoint, the analyst must first take a look at if those endpoints are part of excluded lists (like legacy OS), that’s a guide challenge. even as going thru this list, the analyst can enter remarks for endpoints that need motion.

Analysts also can get the excluded listing via an API command in the Battle Room. by the usage of the [detectedsystem.find] command with modifiers inclusive of overlooked, Exception, Rogue action, Rogue nation, and Inactive, this in any other case hard undertaking distills right into a one-step quickie.

The project can include descriptive textual content to offer new analysts a concept approximately their characteristic. the outline of the aforementioned manual venture is given under:

The subsequent mission makes use of the comments context command to take all of the analyst-entered feedback from the previous task and shop them inside the incident context. The screenshot indicates how the project stores feedback within the epoUnmanagedEndpoint key.

The following mission makes use of the ServiceNow-incident-create command to create a new ticket in ServiceNow.

those duties standardize and quicken preliminary enrichment and remediation even as orchestrating amongst a couple of merchandise without leaving the Demisto console.

To research more about Demisto’s integration with the McAfee suite of protection products, watch our video demo. WATCH VIDEO

Step 2: Test for Unresponsive Retailers

After the first check is finished, the playbook will check if there are any agents that haven’t communicated with EPO within the past three days. For such marketers found, the primary enrichment project is equal: the playbook will take analyst-entered comments for the agents and save them in incident context.

• Now the playbook interweaves each automated and guide tasks to kickstart connectivity with these sellers.
• The playbook first uses the Ping command to test connectivity for each endpoint.

The subsequent mission instructs the analyst to remotely check to wither McAfee Agent is established and walking on these endpoints. The analyst is also counseled to remotely execute the Cmdagent command-line software to force communique with EPO and to retrieve McAfee Agent logs from non-speaking endpoints.

As with the primary take a look at, this segment of the playbook combines automatic and guide responsibilities to standardize and quicken reaction tactics in the event of defective endpoint connectivity with ePO. Mcafee EPO successfully Activate on mcafee.com/activate, then activated On your PC

To discover extra use cases and capabilities of Demisto’s integration with McAfee ePO and other McAfee products, download our joint answer short.