This app is archived. Learn more

System Tagger for McAfee ePO

The System Tagger for McAfee ePO add-on allows Splunk users who are also using McAfee ePolicy Orchestrator (ePO) for endpoint security management to apply or remove ePO tags to systems in ePO as the result of a search. Once the system is tagged in ePO, new endpoint policies can be automatically applied and/or new tasks can be assigned in ePO. E.g., if a Splunk query detects an endpoint communicating with a malicious host (e.g. via proxy logs with threat intel), the add-on can tag that system as "compromised" in ePO. ePO can automatically run tag-specific tasks such as AV scans, and/or apply policies like blocking outbound communications via the endpoint firewall on the compromised host. This enables automation between any data in Splunk and McAfee endpoint security.

Built by Splunk Works

Latest Version 1.2

April 3, 2017

Compatibility

Not Available

CIM Version: 4.x

Rating

0

(0)

Log in to rate this app

Support

Not Supported

The System Tagger for McAfee ePO add-on allows Splunk users who are also using McAfee ePolicy Orchestrator (ePO) for endpoint security management to apply or remove ePO tags to systems in ePO as the result of a search. Once the system is tagged in ePO, new endpoint policies can be automatically applied and/or new tasks can be assigned in ePO. E.g., if a Splunk query detects an endpoint communicating with a malicious host (e.g. via proxy logs with threat intel), the add-on can tag that system as "compromised" in ePO. ePO can automatically run tag-specific tasks such as AV scans, and/or apply policies like blocking outbound communications via the endpoint firewall on the compromised host. This enables automation between any data in Splunk and McAfee endpoint security. This add-on works as both a custom alert action in Splunk Enterprise 6.3+, and as an Adaptive Response Framework action in Splunk Enterprise Security 4.5+. It also includes inputs and dashboard panels to list/search systems and tags in ePO.