This app is archived.
The System Tagger for McAfee ePO add-on lets Splunk users who also manage endpoint security with McAfee ePolicy Orchestrator (ePO) apply ePO tags to, or remove them from, systems in ePO as the result of a search. Once a system is tagged in ePO, new endpoint policies can be applied and/or new tasks can be assigned to it automatically in ePO.

For example, if a Splunk query detects an endpoint communicating with a malicious host (say, from proxy logs matched against threat intelligence), the add-on can tag that system as "compromised" in ePO. ePO can then automatically run tag-specific tasks such as AV scans and/or apply policies such as blocking outbound communications from the compromised host via the endpoint firewall. This enables automation between any data in Splunk and McAfee endpoint security.

The add-on works both as a custom alert action in Splunk Enterprise 6.3+ and as an Adaptive Response Framework action in Splunk Enterprise Security 4.5+. It also includes inputs and dashboard panels to list and search systems and tags in ePO.
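To make the alert-action path concrete, the following script is an added, illustrative custom alert action of the kind the add-on provides; it is not the add-on's own code. It assumes two things the page does not state: that Splunk hands a custom alert action a JSON payload on stdin whose `results_file` is a gzipped CSV of the search results, and that ePO exposes the remote commands `system.applyTag` and `system.clearTag` over HTTPS under `/remote/`. The ePO host `epo.example.invalid`, the result field `dest`, the tag `compromised` and the per-alert cap are placeholders chosen for the example, and the sample results are constructed inline.

```python
"""Illustrative Splunk custom alert action that tags systems in McAfee ePO.

Added example, not the System Tagger add-on's own code. Assumptions (not
stated on the page): ePO offers the remote commands system.applyTag and
system.clearTag at https://<epo-host>:8443/remote/, and Splunk passes a
custom alert action a JSON payload on stdin whose "results_file" is a
gzipped CSV of the search results. Host, field and tag names are placeholders.
"""
import base64
import csv
import gzip
import io
import json
import ssl
import sys
import urllib.parse
import urllib.request

EPO_BASE = "https://epo.example.invalid:8443/remote/"  # hypothetical ePO server
MAX_HOSTS_PER_ALERT = 25  # cap the blast radius of one noisy or poisoned search


def make_results_gz(rows: list) -> bytes:
    """Build a gzipped CSV shaped like Splunk's results file (constructed test data)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["dest", "src_ip"])
    writer.writerows(rows)
    return gzip.compress(buf.getvalue().encode())


# Constructed sample: host-a appears twice (once padded), host-b once, one row blank.
SAMPLE_RESULTS_GZ = make_results_gz([
    ("host-a", "10.0.0.1"), ("host-b", "10.0.0.2"),
    ("host-a ", "10.0.0.3"), ("", "10.0.0.4")])


def hosts_from_results(results_gz: bytes, field: str) -> list:
    """Return the unique, sorted system names found in the gzipped CSV results.

    Values are whitespace-stripped so a padded log value cannot yield a
    near-duplicate name, and rows with an empty field are skipped."""
    with gzip.open(io.BytesIO(results_gz), "rt", newline="") as fh:
        names = {row.get(field, "").strip() for row in csv.DictReader(fh)}
    names.discard("")
    return sorted(names)


def tag_request_url(action: str, names: list, tag: str) -> str:
    """Build the ePO remote-command URL for applyTag or clearTag.

    ePO takes comma-separated names; every value is URL-encoded so a hostname
    carrying '&' or '=' from a log line cannot smuggle in extra parameters."""
    if action not in ("applyTag", "clearTag"):
        raise ValueError("unsupported action: %s" % action)
    query = urllib.parse.urlencode(
        {"names": ",".join(names), "tagName": tag, ":output": "json"})
    return EPO_BASE + "system." + action + "?" + query


def run_alert_action(payload: dict, results_gz: bytes, http_get=None) -> list:
    """Tag every host named in the alert results; returns the URL(s) called.

    payload is the Splunk alert JSON ("configuration" carries the action's
    own parameters). http_get is injected so the logic runs offline."""
    conf = payload.get("configuration", {})
    field = conf.get("field", "dest")
    tag = conf.get("tag", "compromised")
    action = conf.get("action", "applyTag")
    hosts = hosts_from_results(results_gz, field)
    if len(hosts) > MAX_HOSTS_PER_ALERT:
        raise RuntimeError("refusing to tag %d hosts from one alert" % len(hosts))
    if not hosts:
        return []
    url = tag_request_url(action, hosts, tag)
    if http_get is not None:
        http_get(url)
    return [url]


def epo_get(url: str, user: str, password: str) -> bytes:
    """Real transport: HTTPS with certificate verification and basic auth."""
    ctx = ssl.create_default_context()  # verifies the ePO server certificate
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__" and "--execute" in sys.argv:
    payload = json.load(sys.stdin)
    with open(payload["results_file"], "rb") as fh:
        results = fh.read()
    conf = payload.get("configuration", {})
    run_alert_action(payload, results,
                     http_get=lambda u: epo_get(u, conf["username"], conf["password"]))
```

Two design points matter for any search-driven response of this kind. First, whoever can get a hostname into the events a search matches can get that host tagged and, through ePO's tag-driven policies, firewalled; deduplicating and capping the hosts per alert, as above, limits how much damage a single noisy or attacker-influenced search can do. Second, the credentials the action uses should belong to an ePO account limited to tag operations, and the ePO endpoint should be reached only over verified TLS, since that account's token or password is what an attacker who compromises the Splunk host would try to take.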