Sending McAfee ePO Threat based SNMP traps to ELK SIEM

The ELK stack (Logstash, specifically) receives events from a device as SNMP traps sent by that device. This page configures McAfee ePO to send its threat-event traps to a Logstash snmptrap input.

Configuring a registered SNMP server in McAfee ePO to send threat-based SNMP traps.

1. Log in to the McAfee ePO web console.
2. Go to Main Menu > Configuration > Registered Servers, and click New Server. The Registered Server Builder opens.
3. For Server type, select SNMP Server.
4. For Name, enter the IP address of your SNMP server.
5. Enter any Notes, and click Next to go to the Details page.
6. For Address, select IP4 from the drop-down and enter the IP address or DNS name of the host that will receive the SNMP trap.
7. For SNMP Version, select SNMPv1 or SNMPv2.
8. For Community, enter any community string.

Note: the community string entered here is not used for anything else in ELK; Logstash accepts traps from McAfee ePO without further configuration. The Logstash snmptrap input does have a community setting of its own (default public), so keep the two values consistent.

9. Click Send Test Trap, and then click Save.

Within McAfee ePO you cannot change the default SNMP trap port (UDP 162). To deliver the traps to the port configured on the Logstash snmptrap input, redirect port 162 to that port on the receiving host, for example with an iptables NAT rule (enp0s3 is the interface the traps arrive on; adjust it for your host):

sudo iptables -t nat -A PREROUTING -i enp0s3 -p udp --dport 162 -j REDIRECT --to-port 5678

Verify the rule (nat rules are not persistent across reboots unless saved with your distribution's iptables persistence tooling):

[root@elkbox]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   udp  --  anywhere             anywhere             udp dpt:snmptrap redir ports 5678

Input : input.conf

input {
  snmptrap {
    port => 5678          # redirect target of the iptables rule above
    type => "MCAFEELOG"   # tag used by filter.conf to select these events
  }
}

Filter : filter.conf

filter {
  if [type] == "MCAFEELOG" {
    mutate {
      add_field => { "indexType" => "MCAFEE-LOG" }

      # Map the ePO enterprise varbinds (SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.*) to readable field names.
      # NOTE: .343 and .373 both map to "Action Taken" as written in the original; when both varbinds are
      # present in a trap, the second rename overwrites the value set by the first.
      rename => {
        "SNMPv2-MIB::sysUpTime.0"                       => "System Uptime"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.13"  => "Detection Time"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.143" => "Detecting IPv4 Address"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.173" => "Source User Name"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.183" => "Source Process Name"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.213" => "Source IPv4 Address"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.243" => "Target User Name"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.283" => "Target File Path"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.293" => "Event Category"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.303" => "Event ID"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.313" => "Threat Severity"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.323" => "Threat Name"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.33"  => "Target Hash"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.333" => "Threat Type"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.343" => "Action Taken"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.353" => "Threat Handled"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.373" => "Action Taken"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.383" => "Target OS"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.403" => "System-Tree Path"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.413" => "Detection Method"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.53"  => "Product"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.63"  => "Product Version"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.73"  => "Host Name"
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.83"  => "Target IPv4 Address"
      }

      # Drop the raw message text and the varbinds that are not mapped above.
      remove_field => [
        "message",
        "SNMPv2-MIB::snmpTrapOID.0",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.23",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.43",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.93",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.103",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.113",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.123",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.133",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.153",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.163",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.193",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.203",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.223",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.233",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.253",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.263",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.273",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.363",
        "SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.393"
      ]
    }
  }
}
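To exercise the port redirect, the snmptrap input and the rename map without waiting for a real detection, here is an added example (not from the original post) that hand-encodes an SNMPv2c trap carrying a few of the enterprise varbinds listed above and sends it to the Logstash port. It assumes Logstash listens on 127.0.0.1:5678 as in input.conf; the snmpTrapOID value and the sample field values are constructed placeholders, since the real ePO notification OID is not given on the page.

```python
import socket

# Enterprise prefix from the rename map: SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2
EPO_THREAT = "1.3.6.1.4.1.3401.12.2.1.1.5.2"

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def ber_uint(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (or TimeTicks, tag 0x43); keeps a leading 0x00 when the high bit is set."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def build_trap(community: str, fields: dict, uptime_ticks: int = 0, request_id: int = 1) -> bytes:
    """fields maps the trailing arc of the ePO OID (e.g. 323 = Threat Name) to a string value."""
    vbs = tlv(0x30, ber_oid("1.3.6.1.2.1.1.3.0") + ber_uint(uptime_ticks, 0x43))  # sysUpTime.0
    # snmpTrapOID.0: the real ePO notification OID is not on the page, so the prefix stands in for it
    vbs += tlv(0x30, ber_oid("1.3.6.1.6.3.1.1.4.1.0") + ber_oid(EPO_THREAT))
    for arc, text in fields.items():
        vbs += tlv(0x30, ber_oid(f"{EPO_THREAT}.{arc}") + tlv(0x04, text.encode()))
    pdu = ber_uint(request_id) + ber_uint(0) + ber_uint(0) + tlv(0x30, vbs)
    # Message = version (1 = SNMPv2c), community, SNMPv2-Trap-PDU (context tag [7] = 0xA7)
    return tlv(0x30, ber_uint(1) + tlv(0x04, community.encode()) + tlv(0xA7, pdu))

def send_trap(packet: bytes, host: str = "127.0.0.1", port: int = 5678) -> int:
    """Send to the Logstash snmptrap port from input.conf; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (host, port))

if __name__ == "__main__":
    # Constructed values keyed by arcs the filter renames: 73 Host Name, 323 Threat Name, 313 Severity, 343 Action
    sample = {73: "WKSTN-01", 323: "Constructed-Test-Threat", 313: "Critical", 343: "Deleted"}
    print(send_trap(build_trap("public", sample, uptime_ticks=12345)), "bytes sent")
```

After sending, the event should appear in Logstash with the renamed fields (Host Name, Threat Name, Threat Severity, Action Taken) populated from the constructed values; a trap sent to port 162 instead tests the iptables redirect as well.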

Output : output.conf

output {
  if [indexType] == "MCAFEE-LOG" {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      # NOTE: the dhcplog- prefix is as written in the original config; it does not match the indexType above
      index => "dhcplog-%{+YYYY.MM.dd}"
      user => "logstash_admin"
      password => "xxxxxx"
    }
  }
}
