PLEASE NOTE: Users of older versions of this add-on may need to remove and re-install the app due to a required rename of the app.
To install this app, simply deploy it to your search head(s) or deploy via normal search head cluster deployer mechanisms. The search head(s) will need network connectivity to the McAfee ePO server over the ePO port in use in your environment (default 8000 or 8443). Minimum ePO version is 4.6.
Once installed, you will need to configure it with ePO server information and access credentials. From the Splunk launcher or the app drop-down menu, select the "System Tagger for McAfee ePO" App. First, configure your ePO server details by clicking "Configuration" and then "Add-on Settings" from within the app.
Besides the logging level and any required proxies between the Splunk search heads and the ePO server (which you can configure on other tabs), you will need to specify 4 data points:
- ePO Server: This is a resolvable hostname or IP address of your McAfee ePolicy Orchestrator server
- ePO Port: This is the port of ePO server communications, usually 8000 (clear text, not recommended) or 8443 (encrypted, secure). This setting defaults to 8443, but change it if necessary.
- ePO User Name: This is the name of an existing account in McAfee ePO with permissions to apply system tags.
- ePO User Password: This is the above user's password. It is stored securely on the search head.
Save your changes, and you should be ready to use the add-on for applying and removing tags in ePO. You should also create, in McAfee ePO, any tags that you want to apply from within Splunk. Consult the ePO documentation for instructions on how to do this.
You may also want to add data inputs at this point to collect data about available tags and systems from ePO. You do this from within the System Tagger for McAfee ePO App by clicking "Inputs" (the default view in the app) and then clicking "Create New Input" on the upper right. There are 2 types of inputs - tags and systems. You should create 1 for each type of input, specifying the frequency in seconds (this shouldn't need to be more than a few times per day in most cases), the index, and a unique name for the input. The ePO server location and credentials used for these inputs are taken from the previous configuration step.
There are 2 ways to use this add-on: 1) as a custom alert action in Splunk Enterprise 6.3+ or, 2) as an Adaptive Response Framework action (automated or ad-hoc) in Splunk Enterprise Security 4.5+.
To configure a custom alert action, simply create a Splunk search that results in data indicating that there are systems that you want to tag or untag. Note which field in the search results contains the value of the system name you want to tag in ePO (e.g. host, dest, src, dvc, ComputerName, etc.). Save your search as an Alert, schedule it in the normal way, and then under the actions section, Add Action - McAfee ePO System Tagger. You should also set it to trigger "for each result" instead of just once, so that each system in the search results will be tagged properly.
The Alert Action will ask for 3 mandatory items:
- Action: You can either apply a tag to a system in ePO or remove a tag if the system already has that tag applied.
- Tag to Apply: This tag must already exist in ePO and the spelling must match the tag as it exists in ePO. This tag will be applied to the systems in ePO that come back in the search results.
- Field for System Name: This is the search results field from which the action will derive the system name as it matches the system name in ePO. You must specify it in token format, meaning $result.<yourField>$. Common examples might be $result.host$, $result.src$ or $result.dest$. Use whichever field in your search results provides the desired system name to be matched in ePO.
To use this add-on as an Adaptive Response Framework action in Splunk Enterprise Security 4.5 or higher, the instructions are essentially the same, except you will add the alert action when you configure the Correlation Search in Enterprise Security. It can be set to automatically tag or untag the system when the Correlation Search returns a result, or you can expose the ability to tag systems ad hoc to analysts as they review a Notable Event in the Incident Review Dashboard. In either case, the user will have to supply the tag name and field for system name as described above.
If you have configured the inputs as described above in the Installation and Setup section, you will be able to search for ePO tag or system data using "sourcetype=mcafee:epo:tag" or "sourcetype=mcafee:epo:systems", respectively (or combine the two with OR to see both).
The add-on also includes 4 pre-built dashboard panels, which you can add to any new or existing dashboard in Splunk. These can be added when editing a dashboard (in edit panels mode) by clicking the "Add Panel" button, expanding the "Pre-Built Panel" section on the right, and choosing one of the panels whose name begins with "System Tagger." The 4 included panels return a list of selected fields for all tags and for all systems, and allow free-form text search for any tag or system name.
The purpose of adding these inputs and pre-built panels into this add-on is to give admins a clear picture of the available tags and system names in ePO that can be used in the custom alert actions and/or Adaptive Response actions. Additionally, system admins and security analysts might find the available ePO system information valuable for other purposes.
If systems are not getting tagged/untagged in ePO as expected, there could be several causes: network connectivity, permissions, typos in or failure to configure the setup screen, referencing tags that don't exist in ePO, mismatch on system name between Splunk and ePO, etc.
As a general troubleshooting method you can use Splunk to look at the logs. As an admin, you can run:
index=_internal sourcetype=splunkd component=sendmodalert action="mfe_epo_system_tagger"
In addition, anyone with access to the main index can find the add-on script's logging by searching:
Another good method to troubleshoot is to attempt to tag a system manually using Curl or a similar command line tool from the Splunk search head itself. It will look something like this:
curl -k -u MYUSER:MYPASSWORD "https://MYEPOSERVER:MYEPOPORT/remote/system.applyTag?names=MYSYSTEMTOTAG&tagName=MYTAGTOAPPLY"
A positive result from the curl command says "OK: 1" to indicate that 1 tag was applied. "OK: 0" could be a problem or could simply indicate that the system is already tagged with that tag. Anything else indicates an issue.
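The same manual check written as a small Python script, added here as an example and not part of the add-on: it builds the system.applyTag request (URL-encoding the names, which the raw curl line does not), sends it with HTTP basic authentication, and classifies the reply exactly as described above. The server, port, credentials and system/tag names are placeholders read from environment variables, so nothing secret ends up on the command line or in shell history.

```python
"""Manual ePO system.applyTag check (added example, not the add-on's code)."""
import base64
import os
import ssl
import urllib.parse
import urllib.request


def build_apply_tag_url(server: str, port: int, system: str, tag: str) -> str:
    """Build the remote API URL. urlencode() protects against system or tag
    names containing spaces or '&' breaking the query string."""
    query = urllib.parse.urlencode({"names": system, "tagName": tag})
    return f"https://{server}:{port}/remote/system.applyTag?{query}"


def interpret_reply(body: str) -> str:
    """Map the ePO reply to an outcome, per the troubleshooting notes:
    'OK: 1' = tag applied; 'OK: 0' = nothing changed (most likely the
    system already carries that tag); anything else = an error."""
    text = body.strip()
    if text == "OK: 1":
        return "applied"
    if text == "OK: 0":
        return "no-change"
    return "error"


def apply_tag(server, port, user, password, system, tag, verify_tls=True):
    """Send the request and return the interpreted outcome."""
    url = build_apply_tag_url(server, port, system, tag)
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; only for a lab/self-signed ePO
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return interpret_reply(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Placeholder values: export EPO_SERVER, EPO_PORT, EPO_USER, EPO_PASSWORD,
    # EPO_SYSTEM and EPO_TAG before running (EPO_PORT defaults to 8443).
    env = os.environ
    print(apply_tag(env["EPO_SERVER"], int(env.get("EPO_PORT", "8443")),
                    env["EPO_USER"], env["EPO_PASSWORD"],
                    env["EPO_SYSTEM"], env["EPO_TAG"]))
```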
The previous update changes the underlying app ID, so you may have to REMOVE the old version and install (and reconfigure) this version, if you had the old version installed.
New Features in 1.2:
- Includes data inputs to pull information about systems and tags that exist on the ePO server
- Includes modular dashboard panels to review and search systems and tags from ePO
New Features in 1.1:
- Includes the ability to apply as well as remove tags from systems with a custom alert
This update changes the underlying app ID, so you will have to REMOVE the old version and install (and reconfigure) this version, if you had the old version installed.
In addition, this version adds the ability to remove tags from ePO systems that have a particular tag applied. It offers this through an Action dropdown item when you configure an alert action.
App name change to clarify authorship.