Integrate LogRhythm and McAfee ePolicy Orchestrator
- Configure VirusScan Enterprise for ePO notifications. If your site requires deployment of VirusScan Enterprise 8.5 to the LogRhythm XM or EM server that hosts the LogRhythm Alarming and Response Manager (ARM), your ePO administrator must take steps to ensure that VirusScan does not block LogRhythm’s ePO alarm notifications. To prevent blocking, follow the ePolicy Orchestrator documentation to create a VirusScan policy exception for the LogRhythm ARM and apply that policy exception to the LogRhythm XM (or EM) system. The policy exception parameters are shown here:
Product. VirusScan Enterprise 8.5.0
Category. Access Protection Policies
Access protection rules:
Categories. Common Standard Protection
Block/Report/Rules. Prevent modification of McAfee Common Management Agent files and settings
- Rule Details. Processes to exclude. scarm.exe
- Follow the instructions in McAfee’s ePolicy Orchestrator (3.6, 4.0, 4.5, 5.0, 5.1, or 5.3) documentation to deploy the McAfee Agent to the LogRhythm XM or EM system that hosts the LogRhythm Alarming and Response Manager (ARM).
- Download the LogRhythm ePO Server Extension from the LogRhythm Community.
- Install the LogRhythm ePO Server Extension.
Start the McAfee ePO console.
Click Configuration.
Click Extensions.
Click Install Extension located at the bottom of the Extensions panel.
In the Install Extension dialog box, click the Browse button and go to the LogRhythmExtension.zip file.
Select the file.
Click OK.
The ePO Console displays information about the LogRhythmAlarmEvents extension.
To install the extension, click OK.
- Configure LogRhythm to send alarm notifications to ePolicy Orchestrator.
- Ensure the Notification Engine is enabled.
On the main toolbar, click Deployment Manager.
Click the Platform Manager tab.
In the Alarming, Reporting, and Response Manager Services section, click the Properties button.
Select the check box next to Enable Alarming Engine.
- Click OK.
- Do one of the following:
- Add ePO Notification to an existing user account or role.
Click the People tab.
To open the Person Properties dialog box, double-click a user account or role in the list.
Select ePolicy Orchestrator Event from the Contact Method Type list and click Save.
Contact information is not required for ePO notification because the McAfee Agent automatically communicates events to the ePolicy Orchestrator server.
Click OK.
- Create a separate role for ePO notification.
- Click the People tab.
Right-click the list of people, and then click New.
The Is Person an Individual? dialog box appears.
Click No because the new account is for a role and not for an individual.
Enter a Display Name for the new role, such as McAfee ePO Notification.
Select ePolicy Orchestrator Event from the Contact Method Type list and click Save. Contact Information is not required for ePO notification because the McAfee Agent automatically communicates events to the ePolicy Orchestrator server.
- Click OK.
- Add ePO notification to an alarm rule.
On the main toolbar, click Deployment Manager.
Click the Alarm Rules tab.
To open the Alarm Rule window, double-click an alarm rule in the list.
Click the Notify tab.
On the top of the window, click Add Person.
The Person Selector window appears.
Make a selection in the Person Record Type filter box to populate the Person list.
Select the person or role you created for ePO notification.
Click OK.
You return to the Alarm Rule window.
Click the Information tab to enable the OK button.
- Click OK.