Endpoint details query from the McAfee ePO server

After you enable Network Security Platform-McAfee ePO integration at an admin domain level, you can view the details of the corresponding network endpoints using the Attack Log. If you have installed McAfee Host Intrusion Prevention software and if the Host Intrusion Prevention is running on the endpoint, then you can view the top 10 McAfee Host Intrusion Prevention events for an endpoint as well.

Consider the following example. My Company is the root admin domain and HR and Finance are its child domains. Sensor-HR and Sensor-Fin are the respective Sensors of the two child domains. Assume that the Manager-McAfee ePO integration is enabled only for Finance. For an attack detected by Sensor-Fin, you can view the details of the source and destination endpoints from Attack Log because McAfee ePO integration is enabled for the Finance admin domain.

Note that for you to view the details, the information should be available on the McAfee ePO server. For example, if an attack is from outside your network, then your McAfee ePO server may not have any information about this source endpoint.

Note: The Network Security Platform extension running on McAfee ePO must be compatible with your current version of Network Security Platform. If you integrated McAfee ePO with an earlier version of Network Security Platform and subsequently upgraded Network Security Platform, the integration might not work as expected because the Network Security Platform extension on McAfee ePO is from the old installation and might not be compatible with your current version. To verify this, use the Test Connection button in step 2 of the ePO Configuration Wizard in your current Manager. If the Network Security Platform extension is incompatible, an error message is displayed along with the minimum required version for the extension.

An endpoint can belong to one of the following three types:

  • Managed Endpoints — These are endpoints currently managed by a McAfee ePO agent.
  • Unmanaged Endpoints — These are endpoints recognized by McAfee ePO but not currently managed by any McAfee ePO agent.
  • Unrecognized Endpoints — These are endpoints about which McAfee ePO has no information. In the Attack Log, an unrecognized endpoint is represented by a series of ellipses (- - -).

You can view the details of the source and destination endpoints in an alert. Alternatively, you can enter an IP address and retrieve its details from the McAfee ePO server. These details may help you troubleshoot and fix security-related issues on those endpoints. In the Attack Log, you can view the details of managed and unmanaged endpoints, but not of unrecognized endpoints.
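The following is an added illustration, not code from the product or this guide, of the decision logic described above: endpoint details are only fetched when integration is enabled for the alert's admin domain, and each endpoint is then classified as managed, unmanaged or unrecognized. The inventory, IP addresses, host names and field names are constructed assumptions; the real data comes from the McAfee ePO server.

```python
from typing import Optional

UNRECOGNIZED_MARK = "- - -"  # how the Attack Log displays an unrecognized endpoint

# Constructed ePO inventory (hypothetical). agent=True means an ePO agent
# manages the host; agent=False means ePO knows the host but no agent
# manages it; an IP absent from the table is unknown to ePO.
EPO_INVENTORY = {
    "10.1.5.20": {"name": "fin-ws-01", "agent": True, "hips_running": True},
    "10.1.5.44": {"name": "fin-printer", "agent": False, "hips_running": False},
}

# Admin domains where Manager-ePO integration is enabled (Finance only,
# matching the example in the text; HR alerts get no ePO details).
INTEGRATION_ENABLED = {"Finance"}


def classify(ip: str, inventory=EPO_INVENTORY) -> str:
    """Map an IP to the three endpoint types used by the Attack Log."""
    record = inventory.get(ip)
    if record is None:
        return "unrecognized"
    return "managed" if record["agent"] else "unmanaged"


def endpoint_details(ip: str, admin_domain: str,
                     inventory=EPO_INVENTORY,
                     enabled=INTEGRATION_ENABLED) -> Optional[dict]:
    """Return what the Attack Log would show for one endpoint of an alert.

    None means integration is not enabled for the alert's admin domain,
    so no ePO lookup happens at all (e.g. an alert from Sensor-HR).
    """
    if admin_domain not in enabled:
        return None
    kind = classify(ip, inventory)
    if kind == "unrecognized":
        # ePO has no information, e.g. a source outside your network.
        return {"ip": ip, "type": kind, "display": UNRECOGNIZED_MARK}
    record = inventory[ip]
    details = {"ip": ip, "type": kind, "display": record["name"]}
    # Host IPS events are only meaningful when HIPS is running on the host.
    details["show_hips_events"] = kind == "managed" and record["hips_running"]
    return details
```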

Note: If you modify the McAfee ePO server settings, re-launch the Attack Log to view the endpoint details.

Tags

Network Security Platform lets you assign tags to source or destination endpoints managed by McAfee ePO. Tags help a security analyst identify endpoints on your network that do not meet security requirements. To learn more about tags and their assignment through the Manager, see Tags.