Accenture MDR Quick Start Guide for McAfee® ePolicy Orchestrator

This quick start guide will help Accenture MDR customers configure McAfee® ePolicy Orchestrator (ePO) to allow log collection from the Log Collection Platform (LCP).

The guide also applies to a McAfee MOVE AntiVirus Multi-Platform deployment, which is managed from the ePO server and writes its events to the same ePO database.

 

This document includes the following topics:

  • Supported Versions
  • Port Requirements
  • Configuring McAfee ePO Database
  • LCP Configuration Parameters
  • Legal Notice

Supported Versions

A list of supported versions is available in the Accenture Security Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture Portal at https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source    Destination            Port          Description
  LCP       McAfee ePO Database    1433 (TCP)    Default database port

Configuring McAfee ePO Database

Note: McAfee MOVE events are stored in the same EPOEvents table, so the configuration steps are the same.

Create a read-only database account for Microsoft SQL Server.

Note: The same CREATE USER and GRANT statements apply when the read-only user is mapped to a Windows domain account; only the login creation differs (a Windows login is created with CREATE LOGIN ... FROM WINDOWS rather than sp_addlogin).

  1. From the Windows Start menu, choose Run and then type the command: cmd

  2. Navigate to the directory that contains sqlcmd.exe (osql.exe on older versions).

  • For Microsoft SQL Server 2012, the default directory location for this file is C:\Program Files\Microsoft SQL Server\110\Tools\Binn.

  • For Microsoft SQL Server 2008, the default directory location for this file is C:\Program Files\Microsoft SQL Server\100\Tools\Binn.

  • For Microsoft SQL Server 2005, the default directory location for this file is C:\Program Files\Microsoft SQL Server\90\Tools\Binn.

  3. Log in with a sysadmin login and type the following command: sqlcmd -S <ip_address_or_host_name> -U sa

  sqlcmd then prompts for the sa password. Do not pass the password with -P on the command line: the value is visible in the process list and in the command history. If your own Windows account is a sysadmin, use -E instead of -U to authenticate with it.

  4. Based on the McAfee ePO and SQL Server versions used, follow the instructions below.

 

For McAfee ePO 5.0, 5.3, 5.9 and 5.10

  • Microsoft SQL Server 2005 and 2008 or

  • Microsoft SQL Server 2000 or Desktop Engine 2000 (MSDE)

 Note:

  • For McAfee ePO 5.x, if you have the IPS module, you must also grant permissions on the HIP7_* or HIP8_* tables, depending on the Host IPS version (the scripts below use HIP8_*; substitute HIP7_* for Host IPS 7).

  • For McAfee ePO v5.3, EPOEvents and OrionAuditLog are views rather than tables, and EPOEventCategory does not exist; skip the GRANT on EPOEventCategory, which would otherwise fail with an object-not-found error.

 

For McAfee ePO 4.x

  • Microsoft SQL Server 2005, 2008, and 2012 or

  • Microsoft SQL Server 2000 or Desktop Engine 2000 (MSDE)

Note: For McAfee ePO v4.x, if you have the IPS module, then you must also grant permissions to the HIP7_* tables.

 

For McAfee ePO 5.0, 5.3, 5.9 and 5.10

Microsoft SQL Server 2005 and 2008

-- sp_addlogin is deprecated from SQL Server 2005 onward; the supported equivalent is
-- CREATE LOGIN account_name WITH PASSWORD = 'password', DEFAULT_DATABASE = database_name
EXEC sp_addlogin 'account_name', 'password', 'database_name'
GO
USE database_name
GO
CREATE USER account_name FOR LOGIN account_name
GO
-- Grant SELECT only on the objects the LCP reads; do not add the user to db_datareader or db_owner.
-- The grantee is an identifier, not a string: GRANT ... TO 'account_name' (quoted) is a T-SQL syntax error.
GRANT SELECT ON EPOEvents TO account_name;
GRANT SELECT ON EPOEventFilterDesc TO account_name;
GRANT SELECT ON EPOEventFilter TO account_name;
GRANT SELECT ON EPOEventCategory TO account_name;   -- skip on ePO 5.3, where this object does not exist
GRANT SELECT ON OrionAuditLog TO account_name;
-- Host IPS 8 objects: required only if the IPS module is installed
GRANT SELECT ON HIP8_EventInfo TO account_name;
GRANT SELECT ON HIP8_SigNameXlate TO account_name;
GRANT SELECT ON HIP8_Signature TO account_name;
GRANT SELECT ON HIP8_IPSEventParameter TO account_name;
GRANT SELECT ON WP_EventInfo TO account_name;
GRANT SELECT ON WP_ContentClassification TO account_name;
GRANT SELECT ON EPExtendedEvent TO account_name;
GRANT SELECT ON EPOProdPropsView_VIRUSCAN TO account_name;
GRANT SELECT ON WP_EventInfoMT TO account_name;
GRANT SELECT ON OrionAuditLogMT TO account_name;
-- The two tenant-context functions are executed by the views above
GRANT EXECUTE ON FN_Core_IsSystemUserInContext TO account_name;
GRANT EXECUTE ON FN_Core_GetContextTenantId TO account_name;
GRANT SELECT ON EPOLeafNode TO account_name;
GRANT SELECT ON VSECustomEvent TO account_name;
GO
QUIT

Microsoft SQL Server 2000 or MSDE 2000

EXEC sp_addlogin 'account_name', 'password', 'database_name'
GO
USE database_name
GO
-- SQL Server 2000 has no CREATE USER; sp_grantdbaccess maps the login into the database
EXEC sp_grantdbaccess 'account_name'
GO
-- Grant SELECT only on the objects the LCP reads (grantee is an identifier, not a quoted string)
GRANT SELECT ON EPOEvents TO account_name;
GRANT SELECT ON EPOEventFilterDesc TO account_name;
GRANT SELECT ON EPOEventFilter TO account_name;
GRANT SELECT ON EPOEventCategory TO account_name;   -- skip on ePO 5.3, where this object does not exist
GRANT SELECT ON OrionAuditLog TO account_name;
-- Host IPS 8 objects: required only if the IPS module is installed
GRANT SELECT ON HIP8_EventInfo TO account_name;
GRANT SELECT ON HIP8_SigNameXlate TO account_name;
GRANT SELECT ON HIP8_Signature TO account_name;
GRANT SELECT ON HIP8_IPSEventParameter TO account_name;
GRANT SELECT ON WP_EventInfo TO account_name;
GRANT SELECT ON WP_ContentClassification TO account_name;
GRANT SELECT ON EPExtendedEvent TO account_name;
GRANT SELECT ON EPOProdPropsView_VIRUSCAN TO account_name;
GRANT SELECT ON WP_EventInfoMT TO account_name;
GRANT SELECT ON OrionAuditLogMT TO account_name;
GRANT EXECUTE ON FN_Core_IsSystemUserInContext TO account_name;
GRANT EXECUTE ON FN_Core_GetContextTenantId TO account_name;
GRANT SELECT ON EPOLeafNode TO account_name;
GO
QUIT

 

For McAfee ePO 4.x

Microsoft SQL Server 2005, 2008, and 2012

-- sp_addlogin is deprecated from SQL Server 2005 onward; the supported equivalent is
-- CREATE LOGIN account_name WITH PASSWORD = 'password', DEFAULT_DATABASE = database_name
EXEC sp_addlogin 'account_name', 'password', 'database_name'
GO
USE database_name
GO
CREATE USER account_name FOR LOGIN account_name
GO
-- Grant SELECT only on the objects the LCP reads; do not add the user to db_datareader or db_owner.
-- The grantee is an identifier, not a string: GRANT ... TO 'account_name' (quoted) is a T-SQL syntax error.
GRANT SELECT ON EPOEvents TO account_name;
GRANT SELECT ON EPOEventFilterDesc TO account_name;
GRANT SELECT ON EPOEventFilter TO account_name;
GRANT SELECT ON EPOEventCategory TO account_name;
GRANT SELECT ON OrionAuditLog TO account_name;
-- Host IPS 7 objects: required only if the IPS module is installed
GRANT SELECT ON HIP7_EventInfo TO account_name;
GRANT SELECT ON HIP7_SigNameXlate TO account_name;
GRANT SELECT ON HIP7_Signature TO account_name;
GRANT SELECT ON HIP7_IPSEventParameter TO account_name;
GRANT SELECT ON WP_EventInfo TO account_name;
GRANT SELECT ON WP_ContentClassification TO account_name;
GRANT SELECT ON EPExtendedEvent TO account_name;
GRANT SELECT ON EPOProdPropsView_VIRUSCAN TO account_name;
GRANT SELECT ON WP_EventInfoMT TO account_name;
GRANT SELECT ON OrionAuditLogMT TO account_name;
GRANT EXECUTE ON FN_Core_IsSystemUserInContext TO account_name;
GRANT EXECUTE ON FN_Core_GetContextTenantId TO account_name;
GRANT SELECT ON EPOLeafNode TO account_name;
GO
QUIT

Microsoft SQL Server 2000 or 2000 Desktop Engine (MSDE)

EXEC sp_addlogin 'account_name', 'password', 'database_name'
GO
USE database_name
GO
-- SQL Server 2000 has no CREATE USER; sp_grantdbaccess maps the login into the database
EXEC sp_grantdbaccess 'account_name'
GO
-- Grant SELECT only on the objects the LCP reads (grantee is an identifier, not a quoted string)
GRANT SELECT ON EPOEvents TO account_name;
GRANT SELECT ON EPOEventFilterDesc TO account_name;
GRANT SELECT ON EPOEventFilter TO account_name;
GRANT SELECT ON EPOEventCategory TO account_name;
GRANT SELECT ON OrionAuditLog TO account_name;
-- Host IPS 7 objects: required only if the IPS module is installed
GRANT SELECT ON HIP7_EventInfo TO account_name;
GRANT SELECT ON HIP7_SigNameXlate TO account_name;
GRANT SELECT ON HIP7_Signature TO account_name;
GRANT SELECT ON HIP7_IPSEventParameter TO account_name;
GRANT SELECT ON WP_EventInfo TO account_name;
GRANT SELECT ON WP_ContentClassification TO account_name;
GRANT SELECT ON EPExtendedEvent TO account_name;
GO
QUIT
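Whichever of the four scripts above applies, check that the resulting account really is read-only before its credentials go into the PIQ. The following T-SQL is an added verification example and is not part of the original guide. It assumes the login and the database user are both named lcp_reader, that the ePO database is called ePO_DB and that the ePO objects live in the dbo schema (all placeholders, substitute your own names). It relies on the sys.* catalog views and HAS_PERMS_BY_NAME, so it needs SQL Server 2005 or later, and must be run by a sysadmin in sqlcmd or SQL Server Management Studio.

```sql
-- Added example (not from the original guide): confirm the LCP account is read-only.
-- Placeholders: login/user 'lcp_reader', database 'ePO_DB', schema dbo. Run as sysadmin; SQL Server 2005+.
USE ePO_DB;
GO

-- 1. Server level: the login must exist, default to the ePO database and hold no
--    fixed server role. A 1 in any of the role columns is a finding.
SELECT sp.name                                     AS login_name,
       sp.type_desc                                AS login_type,   -- SQL_LOGIN or WINDOWS_LOGIN
       sp.default_database_name,
       IS_SRVROLEMEMBER('sysadmin',      sp.name)  AS is_sysadmin,
       IS_SRVROLEMEMBER('securityadmin', sp.name)  AS is_securityadmin,
       IS_SRVROLEMEMBER('serveradmin',   sp.name)  AS is_serveradmin
FROM sys.server_principals AS sp
WHERE sp.name = 'lcp_reader';

-- 2. Database level: no role membership is expected. db_owner, db_datawriter or
--    db_ddladmin would make the account far more than read-only; even db_datareader
--    exposes every table instead of just the objects the guide lists.
SELECT r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = rm.member_principal_id
WHERE u.name = 'lcp_reader';

-- 3. Every explicit permission held by the user. Expect only SELECT on the listed
--    tables/views and EXECUTE on the two FN_Core_* functions; anything else
--    (INSERT, UPDATE, DELETE, ALTER, CONTROL, or a database-scoped grant) is a finding.
SELECT dp.state_desc,
       dp.permission_name,
       dp.class_desc,
       CASE WHEN dp.class_desc = 'OBJECT_OR_COLUMN'
            THEN OBJECT_SCHEMA_NAME(dp.major_id) + '.' + OBJECT_NAME(dp.major_id)
            ELSE '(' + dp.class_desc + ')' END AS securable
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS u ON u.principal_id = dp.grantee_principal_id
WHERE u.name = 'lcp_reader'
ORDER BY securable, dp.permission_name;

-- 4. Effective permissions as the account itself sees them: impersonate the user and
--    ask the engine directly. can_select_* must be 1; can_insert/update/delete must be 0.
EXECUTE AS USER = 'lcp_reader';
SELECT USER_NAME() AS running_as,
       HAS_PERMS_BY_NAME('dbo.EPOEvents',   'OBJECT', 'SELECT') AS can_select_events,
       HAS_PERMS_BY_NAME('dbo.EPOLeafNode', 'OBJECT', 'SELECT') AS can_select_leafnode,
       HAS_PERMS_BY_NAME('dbo.EPOEvents',   'OBJECT', 'INSERT') AS can_insert_events,
       HAS_PERMS_BY_NAME('dbo.EPOEvents',   'OBJECT', 'UPDATE') AS can_update_events,
       HAS_PERMS_BY_NAME('dbo.EPOEvents',   'OBJECT', 'DELETE') AS can_delete_events;
REVERT;
GO
```

If query 2 returns a row, or query 4 shows 1 for any of the write permissions, revoke the grant or remove the role membership and run the script again: the LCP only ever needs SELECT on the listed objects and EXECUTE on the two functions. On ePO 5.3, where EPOEvents is a view, query 4 still applies because HAS_PERMS_BY_NAME evaluates permissions on views as well as tables.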

 

Set the SQL Server security mode to mixed authentication.

Mixed mode is required only if the LCP connects with a SQL Server login, as created above. If the LCP will use a Windows domain account instead (see LCP Configuration Parameters), the server can remain in Windows Authentication mode, which is the tighter setting.

To set the Microsoft SQL Server security mode to mixed authentication:

  1. Based on the Microsoft SQL Server version, open the management tool:

  • For Microsoft SQL Server 2016, from the Start menu, go to Programs > Microsoft SQL Server 2016 > SQL Server Management Studio.

  • For Microsoft SQL Server 2012, from the Start menu, go to Programs > Microsoft SQL Server 2012 > SQL Server Management Studio.

  • For Microsoft SQL Server 2008, from the Start menu, go to Programs > Microsoft SQL Server 2008 > SQL Server Management Studio.

  • For Microsoft SQL Server 2005, from the Start menu, go to Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.

  • For Microsoft SQL Server 2000, from the Start menu, go to Programs > Microsoft SQL Server 2000 > SQL Enterprise Manager.

  2. Log in as Administrator.

  3. In the left pane, right-click the appropriate server and then click Properties.

  4. In the Server Properties window, select Security.

  5. Under Server authentication, click SQL Server and Windows Authentication mode.

  6. Click OK and then click Close.

  7. Restart the SQL Server service. The authentication mode change takes effect only after a restart.

 

Configure the SQL Server instance to listen on a non-dynamic port

To configure the Microsoft SQL Server instance to listen on a non-dynamic port:

  1. On the Start menu, go to Programs > Microsoft SQL Server > Configuration Tools > SQL Server Configuration Manager.

  2. Expand SQL Server Network Configuration and select Protocols for <instance_name>.

  3. In the right pane, double-click TCP/IP.

  • On the Protocol tab, ensure that Enabled is set to Yes.

  • On the IP Addresses tab, for the IP address to which the LCP connects, ensure that Active and Enabled are set to Yes.

  • Ensure that the TCP Dynamic Ports text box for that IP address is blank. A named instance listens on a dynamic port by default, and a client can then only find it through the SQL Server Browser service, which is not part of the port requirements in Table 1-1.

  • In the TCP Port text box, type 1433.

  4. Click OK and restart the SQL Server service. Network configuration changes take effect only after a restart.

  5. Configure the SSL connection for the Microsoft SQL Server.

 

To configure SSL for the SQL Server:

  1. Based on the Microsoft SQL Server version, do one of the following:

  • For Microsoft SQL Server 2016, from the Start menu, go to Programs > Microsoft SQL Server 2016 > Configuration Tools > SQL Server Configuration Manager.

  • For Microsoft SQL Server 2012, from the Start menu, go to Programs > Microsoft SQL Server 2012 > Configuration Tools > SQL Server Configuration Manager.

  • For Microsoft SQL Server 2008, from the Start menu, go to Programs > Microsoft SQL Server 2008 > Configuration Tools > SQL Server Configuration Manager.

  • For Microsoft SQL Server 2005, from the Start menu, go to Programs > Microsoft SQL Server 2005 > Configuration Tools > SQL Server Configuration Manager.

  • For Microsoft SQL Server 2000, from the Start menu, go to Programs > Microsoft SQL Server 2000 > Configuration Tools > SQL Server Configuration Manager.

  2. Expand SQL Server Network Configuration, right-click Protocols for <instance_name> and then click Properties.

  3. On the Certificate tab, select the required certificate.

Note: Self-signed certificates are supported but not recommended. A client cannot validate a self-signed certificate against a trusted issuer, so it cannot confirm that it is talking to the real ePO database server and the encrypted connection remains exposed to man-in-the-middle attacks. Use a certificate issued by a CA the LCP trusts, with a subject or subject alternative name that matches the hostname used in the Database URL.

  4. On the Flags tab, set ForceEncryption to Yes to encrypt all client and server communication. Clients that cannot support encryption are then denied access; this includes every other client of the database, not just the LCP, so check them before enabling the flag.

  5. Click Apply and then click OK.

  6. Click SQL Server Services, right-click the SQL Server (<instance_name>) service, and then click Restart. The certificate and ForceEncryption settings take effect only after the restart.
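Once the authentication mode, the fixed port and ForceEncryption are in place and the service has been restarted, confirm them from a real session rather than from the dialogs. The T-SQL below is an added example and is not part of the original guide. Connect as a sysadmin over TCP the way the LCP will, for instance sqlcmd -S tcp:<hostname>,1433 -U sa, and run it in that session. It uses SERVERPROPERTY and the sys.dm_exec_connections / sys.dm_exec_sessions DMVs, so it needs SQL Server 2005 or later and the VIEW SERVER STATE permission (which sysadmin has). The login name lcp_reader in the last query is an assumed placeholder for the read-only account.

```sql
-- Added example (not from the original guide): verify auth mode, fixed port and encryption.
-- Run over a TCP connection as sysadmin (e.g. sqlcmd -S tcp:<hostname>,1433 -U sa); SQL Server 2005+.

-- 1. Authentication mode. IsIntegratedSecurityOnly = 0 means "SQL Server and Windows
--    Authentication mode" (mixed); 1 means Windows only, and a SQL login will be refused.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only,
       SERVERPROPERTY('InstanceName')              AS instance_name,   -- NULL = default instance
       SERVERPROPERTY('ProductVersion')            AS product_version;

-- 2. This session's transport. Expect net_transport = TCP, local_tcp_port = 1433 (the fixed
--    port; a dynamic port shows up here as some other number), encrypt_option = TRUE when
--    ForceEncryption is Yes, and auth_scheme = SQL for a SQL login or NTLM/KERBEROS for a
--    Windows domain account.
SELECT c.session_id,
       c.net_transport,
       c.local_net_address,
       c.local_tcp_port,
       c.client_net_address,
       c.auth_scheme,
       c.encrypt_option,
       s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- 3. All current TCP sessions that are NOT encrypted. With ForceEncryption = Yes this should
--    return no rows. Run it before enabling the flag to see which clients (the ePO
--    application server itself included) would be cut off once encryption is mandatory.
SELECT s.login_name, s.program_name, c.client_net_address, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport = 'TCP'
  AND c.encrypt_option = 'FALSE';

-- 4. Once the LCP is connected, its own session should pass the same checks.
SELECT s.login_name, c.net_transport, c.local_tcp_port, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.login_name = 'lcp_reader';   -- assumed placeholder for the read-only account
```

The tcp: prefix in the sqlcmd server name forces the TCP/IP protocol, so query 2 inspects the same kind of connection the LCP makes rather than a shared-memory session from the local console, which would report a different transport and no port.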

LCP Configuration Parameters

Table 1-2: McAfee ePO event collector (DB-3318) properties configured by MDR.

Property: Database URL

Default Value:

  For SQL based authentication, default instance:

    jdbc:jtds:sqlserver://<hostname>:1433;DatabaseName=<databasename>

  For SQL based authentication, named instance:

    jdbc:jtds:sqlserver://<hostname>:1433;instance=<instancename>;DatabaseName=<databasename>

  For Windows AD based authentication:

    jdbc:jtds:sqlserver://<hostname>:1433;DatabaseName=<databasename>;integratedSecurity=true;domain=<Windowsdomainname>;

Description: The database URL strings that MDR configures on the collector.

  Hostname - Hostname or IP address of the database server.

  DatabaseName - The name of the database in which the McAfee ePO events are stored.

  1433 (TCP port) - The default port number for DB connectivity. Note: If the database is configured to use a different port number, advise the MDR onboarding team.

  Instance_name - The named SQL Server instance that hosts the database (the jTDS instance property); omit it for the default instance.

Property: User Name

Default Value: Custom Value

Description: The username for the database account mentioned in the Pre-Installation Questionnaire (PIQ). Note: It can be a SQL Server login or a Windows domain username with read-only permission on the database.

Property: Password

Default Value: Custom Value

Description: The password for the database account mentioned in the PIQ.

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.