john.petropoulo1 Absent Member.

P-McAfee_ePO_1.0.0.2.arb

The McAfee ePO package is to be used in conjunction with the Malware Solution Pack.

Installation instructions are provided within the wiki under the Security Technology Monitoring section.

Note: If you have access to McAfee ePO and are well versed in the product, please reach out to us. I'm looking for help in understanding how to best configure the agents and ePO.

Also, a big thanks to and his team for helping pull this together!

21 Replies
deathbywedgie1 Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Quick shout to and since any credit deserved here is theirs. All I did was try not to get in the way any more than I had to.

0 Likes
htalbot10 Absent Member.

Re: P-McAfee_ePO_1.0.0.2.arb

All, thanks for the arb, this is very timely and really great that Activate is getting traction.

0 Likes
MaryCordova Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Is there a wiki page or other doc for end device configuration?

0 Likes
MaryCordova Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

DOH:

"Installation instructions are provided within the wiki under the Security Technology Monitoring section."

0 Likes
john.petropoulo1 Absent Member.

Re: P-McAfee_ePO_1.0.0.2.arb

But I am missing end device configuration. Need some help from a few experts!

Sent from my iPhone

0 Likes
MaryCordova Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Here's a doc to help if you don't have it already:

0 Likes
MaryCordova Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Error while installing Malware dependency package :

Could Not Find C:\arcsight\Console\current\L1-Malware Monitoring - Indicators adn Warnings 1.0.0.5\L1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warnings_-_Customizations_*.arb

Any help?

0 Likes
prentice@hpe.co Honored Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Hey,

So, my guess, and this seems to be a common problem, is that you didn't put all the contents of the zip file into your console's current directory. If you used 7zip or native Windows extraction, it may have put them in a sub-directory. If so, move the contents up a level, and that should fix it when you run the .bat file again.

Hope this helps,

--

Prentice

0 Likes
prentice@hpe.co Honored Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Hey Mary,

Yes, you are correct, this is done from your console directory, not from ESM.

The screenshot you added has everything you need. The L1-Malware_Monitoring... bundle contains all the other bundles. The .bat file (script) imports this bundle onto the manager, which includes the other .arb files.

The screenshot also has this path:

C:\arcsight\Console\current\L-1Malware Monitoring - Indicators and Warnings 1.0.0.5

This means you have:

C:\arcsight\Console\current\L-1Malware Monitoring - Indicators and Warnings 1.0.0.5\DO NOT IMPORT VIA CONSOLE.txt, etc.

Move the .bat and .arb files up one directory, then run the .bat file again. It will work.

0 Likes
MaryCordova Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

ok...now this (apologies for the noobie questions):

'bin\arcsight' is not recognized as an internal or external command,
operable program or batch file.

Could Not Find C:\arcsight\Console\current\L1-Perimeter_and_Network_Monitoring_-_Indicators_and_Warnings_-_Customizations_*.arb

0 Likes
MaryCordova Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

For anyone else that might be having issues, below is the resolution:

  1. I am using several console versions to connect to several versions of ESM
  2. Extracted file contents need to be copied into the *\current directory of the console version/installation for the corresponding ESM destination of the package (oh yeah, of course, totally makes sense!)

Thanks for the call, WebEx, and 2nd pair of eyes Prentice! 

0 Likes
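Added example, not part of the original thread or of the ArcSight package: a pre-flight check for the two failures reported above, to run against a console's `current` directory before running the package .bat file. The function name `preflight` and the problem codes are made up for this sketch, and the launcher is matched as `bin/arcsight*` because the thread only shows the name `bin\arcsight`.

```python
import sys
from pathlib import Path


def preflight(current_dir):
    """Return (code, detail) problems that would break the package install script."""
    current = Path(current_dir)
    problems = []

    # Second error in the thread: "'bin\arcsight' is not recognized".
    # The script calls bin\arcsight relative to where it runs, so the launcher
    # has to exist under this directory. The wildcard avoids assuming an extension.
    if not any(p.is_file() for p in current.glob("bin/arcsight*")):
        problems.append(("no-launcher",
                         f"{current} has no bin/arcsight*; is this the "
                         "'current' directory of a console installation?"))

    # First error in the thread: "Could Not Find ...*.arb".
    # The .arb bundles must sit directly in this directory, not one level down
    # in the folder the zip tool created.
    if not any(current.glob("*.arb")):
        nested = sorted({p.parent.name for p in current.glob("*/*.arb")})
        hint = (f".arb files found under {nested}; move that folder's contents up one level"
                if nested else "no .arb files found; extract the zip here")
        problems.append(("arb-not-in-current", hint))
    elif not any(current.glob("*.bat")):
        problems.append(("bat-not-in-current",
                         "bundles are here but the install .bat file is not"))
    return problems


if __name__ == "__main__":
    # Usage: python preflight.py C:\arcsight\Console\current
    found = preflight(sys.argv[1] if len(sys.argv) > 1 else ".")
    for code, detail in found:
        print(f"[{code}] {detail}")
    sys.exit(1 if found else 0)
```

With several console versions installed, run it once per installation and use the one that matches the ESM the package is destined for.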
MaryCordova Frequent Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Hi Prentice,

Another issue: in the installation guide for the McAfee ePO package there are instructions from the wiki for the package configuration that outline "hooking" four filters into the L1 Malware package. In the screenshots it shows just the McAfee filter. However, in my package there is a broken filter resource present called "/All Filters/ArcSight Activate/Core/Common/Events/No Events".

Do I need to address this or should I delete that dependency?

-Mary

filter_dep.JPG

wiki_guide.JPG

0 Likes
prentice@hpe.co Honored Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Oy!

Yeah, just delete it. I'll fix it in the next update! It should be "false", not a reference to a filter...

Thanks for pointing that out!

--

Prentice

0 Likes
prentice@hpe.co Honored Contributor.

Re: P-McAfee_ePO_1.0.0.2.arb

Just a clarification point, if I may.

The filters that we hook product package filters into should have a default value of false. This should be deleted and replaced with the appropriate product filter.

This allows us to install the packages and keep them from randomly firing off of the wrong events before we can configure the product packages. It makes all of our lives easier!

Thanks & fyi,

--

Prentice

0 Likes