This article describes the permissions required for TIE events that need to be sent from ePO to the McAfee SIEM.
If TIE events are displayed in ePO but not in the SIEM user interface where other ePO data sources display events, you might need to edit the permission settings for TIE Topics in ePO.
The following settings must be reconfigured if you have:
- Added TIE to ePO.
- Recently changed permission settings in TIE.
- Stopped receiving TIE events in the McAfee SIEM.
ePO has to allow TIE to communicate events to the McAfee SIEM on its own topic in the DXL Fabric. If you can see TIE events in the ePO console but none of those events are being reported to the SIEM, then you need to configure the Topic Permissions for TIE in ePO.
Steps to set TIE Topic Permissions in ePO
- Log on to the ePO console using the admin account.
- Select Server Settings.
- Select DXL Topic Authorizations from the side bar.
- Locate the TIE Server Reputation Notification topic group.
- Verify that the Receive column shows All Systems or a Tag that is specific to the SIEM Event Receiver (ERC).
- If these settings are not displayed in the TIE Server Reputation Notification topic group, click Edit.
- Select the checkbox next to the TIE Server Reputation Notification topic.
- Use the Actions menu and select Restrict Receive Tags.
- Deselect everything to allow all systems to get notifications or use a Tag specific to the SIEM Event Receiver (ERC).
- Select Server Tasks and run the Manage DXL Brokers task.
- Perform the Wake Up Agent task on the Receiver (ERC) from the ePO console.
- With an SSH session on the SIEM Event Receiver, restart the Receiver services by running NitroStop and then NitroStart. Alternatively, restart only the collector service: run killall collectorsctl repeatedly until the collectorsctl process has exited, then start it again by running collectorsctl -- +laux.
- Wait 10–15 minutes, then verify that TIE events are displayed in the SIEM GUI.
Steps to set MAR Topic Permissions in ePO
- Log on to the ePO console using the admin account.
- Select Server Settings.
- Select DXL Topic Authorizations from the side bar.
- Locate the Active Response Server API topic group.
- Verify that the Send Restrictions and Receive Restrictions columns have All Systems or a Tag that is specific to the SIEM Event Receiver (ERC) selected.
- If these settings are not displayed in the Active Response Server API topic group, click Edit.
- Select the checkbox next to the Active Response Server API topic.
- Use the Actions menu and select Restrict Receive Tags.
- Deselect everything to allow all systems to get notifications or use a Tag specific to the SIEM Event Receiver (ERC).
- Verify that both Send Restrictions and Receive Restrictions are configured correctly.
- Select Server Tasks and run the Manage DXL Brokers task.
- Perform the Wake Up Agent task on the Receiver (ERC) from the ePO console.
- With an SSH session on the SIEM Event Receiver, restart the Receiver services by running NitroStop and then NitroStart. Alternatively, restart only the collector service: run killall collectorsctl repeatedly until the collectorsctl process has exited, then start it again by running collectorsctl -- +laux.
- Wait 10–15 minutes, then verify that TIE events are displayed in the SIEM GUI.