AlienVault® USM Anywhere™

Configuring the AlienApp for McAfee ePO

Role Availability Read-Only Analyst Manager

The AlienApp for McAfee ePO connects to the ePO server SQL database and retrieves and ingests data for analysis in USM Anywhere. After USM Anywhere analyzes the first of these events, the McAfee ePO dashboard is available.


To configure the AlienApp for McAfee ePO, you must add a scheduled job in USM Anywhere that collects the data directly from your McAfee ePO server SQL database. Before you do this, gather the following information about your database, which is required to make the connection:

  • Hostname or IP address of the ePO server SQL database
  • Port number (usually 1433) that is open for the connection
  • The ePO Server SQL database name
  • Username and password used to log in to the ePO server SQL database

    Important: This is the SQL Server account and not the Windows user account. The AlienApp for McAfee ePO uses SQL Server authentication rather than Windows Authentication.
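One way to provision the SQL Server account described above, as an added example that is not part of the AlienVault or McAfee documentation. It assumes the collection job only needs read access to the ePO database; the login name usm_epo_reader, the password, and the database name are placeholders.

```sql
-- Added example. usm_epo_reader and the values in <angle brackets> are
-- placeholders; run as a SQL Server administrator on the ePO database instance.

-- 1. Confirm the instance accepts SQL Server authentication.
--    1 = Windows Authentication only (SQL logins are rejected), 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Create a dedicated SQL Server login for the collection job instead of
--    reusing sa or the account the ePO server itself uses.
CREATE LOGIN [usm_epo_reader]
    WITH PASSWORD = N'<long-random-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = [<ePO_database_name>];

-- 3. Map the login into the ePO database with read-only access.
--    Assumption: read access is sufficient for the job. db_datareader covers
--    every table in the database; narrow it to specific objects if you can.
USE [<ePO_database_name>];
CREATE USER [usm_epo_reader] FOR LOGIN [usm_epo_reader];
ALTER ROLE [db_datareader] ADD MEMBER [usm_epo_reader];

-- 4. Verify that the user holds no database role other than db_datareader.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'usm_epo_reader';
```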

Creating the Scheduled McAfee ePO Job

The AlienApp for McAfee ePO page provides easy access to define a new log collection job to retrieve your McAfee ePO event data. After you create the new job, you can make changes to the parameters for the scheduled job or review its history in the Scheduler page. See Managing Jobs in the Scheduler for more information about working with scheduled jobs.

To schedule a McAfee ePO job

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the AlienApps tab.

  3. On the AlienApps page, click the McAfee ePO tile.

    The page displays the Status tab by default, but the status information indicates that there are no tasks until the AlienApp for McAfee ePO is configured.

  4. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  5. Click the Actions tab.
  6. On the right side of the page, click Schedule Job.

    This opens the Schedule New Job dialog box with many of the options already defined for an AlienApp for McAfee ePO job.

  7. Enter the name and description for the job.

    The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

  8. Enter a name and description for the new job

  9. Enter the McAfee ePO database connection information:

    • In the IP address field, enter the IP address of the ePO server SQL database.
    • In the Port number field, enter the port number on which the ePO server SQL database listens.
    • In the Database name field, enter the name of the ePO server SQL database.
    • In the Username and Password fields, enter the credentials you use to access the ePO server SQL database.

  10. Set the schedule to specify when USM Anywhere runs the job.

    First, choose the increment as Hour, Day, Week, Month, or Year. Next, set the interval options for the increment. The selected increment determines the available options.

    For example, on a weekly increment you can select the days of the week to run the job.

    Or, on a monthly increment you can specify a date or a day of the week that occurs within the month.

    To finish, set the Start time. This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (default is UTC).

  11. Click Save.

After the scheduled job runs, you should start seeing new events in USM Anywhere originating from the ePO server SQL database.