McAfee ePolicy Orchestrator (henceforth, “ePO”) is a tool used by many organizations to manage McAfee (now Intel Security) endpoint security products on their servers and endpoints. If you use ePO, you know how useful ePO system tags can be. For example, you can automatically or manually tag a system in ePO with a “pci” tag and have different anti-virus policies and actions applied to it versus systems lacking that tag.
There are many cases in which a security team using Splunk to discover issues with a server or endpoint would get a lot of value from having a Splunk search automatically apply a tag to a particular system in ePO. For example, imagine a Splunk search through IPS logs or proxy logs looking for command and control or data exfiltration traffic to a known malicious host on the Internet. Wouldn’t it be great if that search could automatically tell ePO that an internal system is infected with malware and needs to have its network activity limited and/or kick off an intensive virus scan? Well, I’ve written an alert script that does just that!
As a prerequisite you will, of course, need both McAfee ePO (I’ve tested with version 5.0.1, but the API was introduced in version 4.6) and any supported version of Splunk Enterprise.
First, create or determine which tag(s) you will want to apply to systems when the Splunk search returns results. If the tags exist already in ePO, you don’t have to do anything. For my example I created a very simple tag in ePO called “infected” that can only be applied to systems manually. I did this under Menu – System – Tag Catalog – Tag Actions (lower left) – New Tag. I simply named it and accepted all other defaults with the result below:
Once tested, you will want to configure ePO policies and actions and assign them to system with this tag. E.g., you can create an intensive virus scan action that only applies to systems with tag “infected.” For testing you don’t need this, but in production these actions and policies are the whole point – automate a response in ePO to a threat detected in Splunk.
Now I need to install the McAfee Python library on my Splunk Search Head. There are many ways to skin this cat, but I went into my $splunk_home$/bin/scripts directory and pulled it down like this:
wget https://community.mcafee.com/servlet/JiveServlet/downloadBody/3095-102-1-4007/python-remote-client.zip --no-check-certificate
I then unzipped it and copied the libraries directly into my scripts directory (there are probably better ways to get these libraries into Splunk Python, but this is quick and dirty). From that same directory:
unzip python-remote-client.zip cp –R ./pyclient/Python26/* ./
Next I created the Python script that I will call from the alert. In that same scripts folder, “vi applyTag.py” (or whatever you want to call it) and create a script like the one below. Note that you can create different copies of this file for different circumstances or sets of tags you wish to apply in response to search results.
import sys,gzip,csv,mcafee
mc = mcafee.client('<YourEPOServer>','<8443>','<user>','<pw>')
results_file = sys.argv[8]
results = gzip.open(results_file)
for row in csv.DictReader(results, delimiter=',', quotechar='"'):
mc.system.applyTag(row['host'],'infected')
results.close()
After importing the needed libraries, the script creates a connection to the ePO server (use your own values for the ePO server, port, user and password). The script then unzips and opens up the search results (sys.argv[8]). It expects results in a simple table format with a single field (“host”), which should match the hostname as it appears in ePO. It then iterates through your search results file and for each hostname tells ePO to apply the “infected” tag to the host via the API’s “applyTag” method. This would kick off any policy changes and/or actions associated with that tag in ePO.
Now on the Splunk side you want to configure your search to find the system(s) that need to receive this tag. You can have this search be anything you want, but the end result should be a simple table with a single column that contains the hostnames you want to tag as they would appear in ePO. For testing, I did a very simple search:
host=adeposvr | head 1 | table host
This simply finds a specific host (in this case my ePO server), limits the results to a single event (you can also use “dedup host”, e.g.), and spits out a table with just a hostname.
Once you have a search that works, save it as an alert in Splunk (Save As – Alert). For testing I set it to look back to the beginning of the day and run every minute.
The alert actions I’ve enabled are to list the alert in the Splunk interface and run the script I just created. When the alert fires and the script runs it picks up the search results and feeds the hostname(s) to the ePO API, at which point ePO applies the “infected” tag to the system(s).
Once I see results for my alert in Splunk, I should also see the ePO tag applied to the affected systems when I look at my System Tree in ePO.
Now, go back and make the search useful for actual security threats, or apply a similar alert to your existing security searches across any kind of data in Splunk. Again, the magic of tag-based policies and actions in ePO will provide the automation to take the appropriate action on the client side. This action can be just about anything you can do with your McAfee endpoint security products.
In my next blog post, I intend to show how you can you use Splunk to manually apply a tag to a system in ePO without having to automate it through alerts. This would be useful, e.g., if you are interactively exploring your data and discover a security threat that could be remediated or mitigated through the application of an ePO tag.
In the meantime, happy Splunking!