App Vendor: McAfee
Connector Category: IT Services
Connector Version: 1.0.1
API Version: 1.0.0
The McAfee ESM (Enterprise Security Manager) app in the Orchestrate application allows security teams to integrate with the McAfee SIEM solution to detect, prioritize, and manage incidents and to respond to threats. McAfee ESM collects logs from numerous sources and correlates events for investigation and incident response. McAfee ESM uses watchlists as alarm conditions: an alarm triggers when the system encounters an event that matches a value in the watchlist.
The McAfee ESM app is configured with the Orchestrate application to perform the below-listed actions:
Action Name | Description |
---|---|
Add Watchlist Values | This action adds the watchlist values. |
Get Watchlist Values | This action obtains the watchlisted values. |
Get Watchlist Fields | This action obtains the watchlisted fields. |
Get Watchlist Details | This action fetches the details of a watchlisted value. |
Get All Watchlist | This action obtains the list of all the watchlisted values. |
Remove Watchlist Value | This action removes the watchlisted values. |
Get Access Group Details | This action obtains the list of user access groups defined in the McAfee ESM app. |
Get Alarm Details | This action obtains the alarm details. |
Get Triggered Alarms | This action obtains the list of alarms triggered within the specified time range. |
Acknowledge Triggered Alarm | This action acknowledges a triggered alarm. |
Clear Acknowledgement of Triggered Alarm | This action clears the acknowledgment provided for a triggered alarm. |
Get User List | This action obtains the list of users. |
Add Case | This action adds a case event. |
Update Case | This action updates the case details. |
Get Case | This action fetches the cases in an event. |
Fetch Case Event Details | This action fetches details of a case in an event. |
Fetch Case List | This action fetches the list of cases. |
Fetch IPS Alert Data | This action fetches the details of an IPS alert. |
Below is the list of configuration parameters that are required for the McAfee ESM app to communicate with the McAfee ESM application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Base URL | Enter the Base URL, FQDN, or IP address of the SMS Server. For example, enter the Base URL in the format `https://<host>.<tld>`. | Text | Required | |
Username | Enter the Security Management System (SMS) Username. | Text | Required | |
Password | Enter the Security Management System (SMS) password. | Password | Required | |
SSL Verification | Optional preference to either verify or skip SSL verification of the server certificate. | Boolean | Optional | Allowed values: "Yes" (verify the certificate) or "No" (skip verification). Default value: "No". |
This action adds the watchlist values.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. For example, "12". | Integer | Required | |
Value | Enter the watchlist value. For example, "1.1.1.9". | Any | Required | |

```json
[
  {
    "value": [
      "1.1.1.9"
    ],
    "watchlist_id": 8
  }
]
```
This action obtains the watchlisted values.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. For example, 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |

```json
[
  {
    "watchlist_id": 8
  }
]
```
This action obtains the watchlisted fields.
No input parameters are required for this action.
This action fetches the details of a watchlisted value.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. For example, 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |

```json
[
  {
    "watchlist_id": 8
  }
]
```
This action fetches all the watchlist details, such as keywords, IPs, and technology terms.
No input parameters are required for this action.
This action removes the watchlisted values.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. For example, "12". | Integer | Required | |
Value List | Enter the list of watchlist values to remove. See the example below. | Any | Required | |

```json
[
  {
    "value": [
      "1.1.1.9"
    ],
    "watchlist_id": 8
  }
]
```
This action obtains the list of user access groups defined in the McAfee ESM app.
No input parameters are required for this action.
This action obtains the alarm details.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID | Enter the Alarm ID. For example, "8". | Integer | Required | |

```json
[
  {
    "alarm_id": 8
  }
]
```
This action fetches the details of the triggered alarms that were used to run a playbook automatically.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Time Range | Enter the time range to search requests over a specified period of time and return events that match the search condition. | Text | Required | Allowed values are: LAST_MINUTE, LAST_10_MINUTES, LAST_30_MINUTES, LAST_HOUR, CURRENT_DAY, PREVIOUS_DAY, LAST_24_HOURS, LAST_2_DAYS, LAST_3_DAYS, CURRENT_WEEK, PREVIOUS_WEEK, CURRENT_MONTH, PREVIOUS_MONTH, CURRENT_QUARTER, PREVIOUS_QUARTER, CURRENT_YEAR, PREVIOUS_YEAR. |
Custom Start | Enter the custom Start time range. Example: "2021-04-07T00:08:40.900Z" | Text | Optional | |
Custom End | Enter the custom End time range. Example: "2021-04-07T00:08:40.900Z". | Text | Optional | |
Status | Enter the status, i.e. Acknowledged or Unacknowledged. | Text | Optional | The default value is null. |
Page Size | Enter the page size. | Integer | Optional | The default value is 1000. |
Page Number | Enter the Page Number. | Integer | Optional | The default value is 1. |

```json
[
  {
    "time_range": "LAST_MINUTE",
    "custom_start": "2021-04-07T00:08:40.900Z",
    "custom_end": "2021-07-07T00:08:40.900Z"
  }
]
```
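The following is an added example, not code from the original documentation or from the connector itself. It builds and validates the Get Triggered Alarms input from the parameter table above: the Time Range value is checked against the documented allowed list, Custom Start/End are checked against the documented timestamp shape and ordering, and the documented defaults for Page Size and Page Number are applied. The snake_case key names (custom_start, custom_end, status, page_size, page_number) and the rule that a custom window needs both ends are assumptions.

```python
"""Build and validate the Get Triggered Alarms input (added example)."""
from datetime import datetime, timezone

# Allowed Time Range values, copied from the parameter table.
ALLOWED_TIME_RANGES = frozenset({
    "LAST_MINUTE", "LAST_10_MINUTES", "LAST_30_MINUTES", "LAST_HOUR",
    "CURRENT_DAY", "PREVIOUS_DAY", "LAST_24_HOURS", "LAST_2_DAYS", "LAST_3_DAYS",
    "CURRENT_WEEK", "PREVIOUS_WEEK", "CURRENT_MONTH", "PREVIOUS_MONTH",
    "CURRENT_QUARTER", "PREVIOUS_QUARTER", "CURRENT_YEAR", "PREVIOUS_YEAR",
})
ALLOWED_STATUS = frozenset({"Acknowledged", "Unacknowledged"})
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # matches the page's "2021-04-07T00:08:40.900Z"


def parse_custom_time(label, value):
    """Parse a Custom Start/End value; reject anything not in the documented shape."""
    try:
        return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"{label} must look like 2021-04-07T00:08:40.900Z") from exc


def build_triggered_alarms_input(time_range, custom_start=None, custom_end=None,
                                 status=None, page_size=1000, page_number=1):
    """Return the one-element input list the action expects, or raise ValueError."""
    # The page's own sample carried a stray leading space in " LAST_MINUTE";
    # normalise before checking against the allowed set.
    tr = str(time_range).strip().upper()
    if tr not in ALLOWED_TIME_RANGES:
        raise ValueError(f"unsupported time_range {time_range!r}")
    # Assumption: a custom window needs both ends, and start must not follow end.
    if (custom_start is None) != (custom_end is None):
        raise ValueError("custom_start and custom_end must be supplied together")
    if custom_start is not None:
        start = parse_custom_time("custom_start", custom_start)
        end = parse_custom_time("custom_end", custom_end)
        if start > end:
            raise ValueError("custom_start is later than custom_end")
    if status is not None and status not in ALLOWED_STATUS:
        raise ValueError("status must be Acknowledged or Unacknowledged")
    if page_size < 1 or page_number < 1:
        raise ValueError("page_size and page_number must be positive")
    item = {"time_range": tr, "page_size": page_size, "page_number": page_number}
    if custom_start is not None:
        item["custom_start"], item["custom_end"] = custom_start, custom_end
    if status is not None:
        item["status"] = status
    return [item]
```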
This action acknowledges a triggered alarm.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID List | Enter the Alarm ID List. Example: "1". | Any | Required | |

```json
[
  {
    "alarm_id": 1
  }
]
```
This action clears the acknowledgment provided for a triggered alarm.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID List | Enter the Alarm ID List. Example: "1". | Any | Required | |

```json
[
  {
    "alarmid_list": 1
  }
]
```
This action obtains the list of users.
No input parameters are required for this action.
This action adds a case event.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case Title | Input the title of the case. Example: "Case 1". | Text | Required | |
Case ID | Input the case ID. | Integer | Required | |
Assigned To | Input the ID of the person the case is assigned to. Example: "1". | Integer | Required | |
Org ID | Input the Org ID. Example: "1". | Text | Required | |
Status ID | Input the Status ID. | Integer | Required | The default status IDs are 1 (Open) and 2 (Closed). |
Severity | Input the severity of the case. Example: "30". | Integer | Required | |
Event List | Input the Event List. Example: [{ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)" }] | Any | Required | |
Device List | Input the Device List. Example: ["123456789000"] | Any | Required | |
Data Source List | Input the Data Source List. Example: ["(value)"] | Any | Required | |
Notes | Input Notes. | Text | Required | |
Notes Added | Input the notes of a particular case. | Text | Required | |
History | Input History Notes. | Text | Required | |

```json
[
  {
    "org_id": 1,
    "summary": "test",
    "assigned_to": 1
  }
]
```
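The following is an added example, not code from the original documentation or from the connector. It validates an Add Case input against the parameter table above before it is handed to the action: the Status ID must be one of the documented values, every Event List entry must carry the id, message and lastTime keys shown in the example, and Device List and Data Source List must be lists of strings as in the examples. The key name "summary" comes from the page's sample; the other snake_case keys are assumptions.

```python
"""Validate an Add Case input before handing it to the connector (added example)."""

STATUS_IDS = {1: "Open", 2: "Closed"}        # status IDs documented on the page
EVENT_KEYS = ("id", "message", "lastTime")   # keys shown in the Event List example


def check_string_list(label, values):
    """Device List and Data Source List are lists of strings in the page's examples."""
    if not isinstance(values, list) or not all(isinstance(v, str) and v for v in values):
        raise ValueError(f"{label} must be a list of non-empty strings")
    return values


def check_event_list(event_list):
    """Every entry must be an object carrying id, message and lastTime."""
    if not isinstance(event_list, list) or not event_list:
        raise ValueError("event_list must be a non-empty list")
    for pos, event in enumerate(event_list):
        if not isinstance(event, dict):
            raise ValueError(f"event_list[{pos}] is not an object")
        missing = [k for k in EVENT_KEYS if k not in event]
        if missing:
            raise ValueError(f"event_list[{pos}] is missing {missing}")
    return event_list


def build_add_case_input(summary, assigned_to, org_id, status_id, severity,
                         event_list, device_list, data_source_list,
                         notes="", history=""):
    """Return the one-element input list for Add Case, or raise ValueError."""
    if not isinstance(summary, str) or not summary.strip():
        raise ValueError("case title must be a non-empty string")
    if status_id not in STATUS_IDS:
        raise ValueError(f"status_id must be one of {sorted(STATUS_IDS)}")
    # bool is a subclass of int, so exclude it explicitly; the page gives no upper bound.
    if not isinstance(severity, int) or isinstance(severity, bool) or severity < 0:
        raise ValueError("severity must be a non-negative integer")
    return [{
        "org_id": org_id,
        "summary": summary.strip(),
        "assigned_to": assigned_to,
        "status_id": status_id,
        "severity": severity,
        "event_list": check_event_list(event_list),
        "device_list": check_string_list("device_list", device_list),
        "data_source_list": check_string_list("data_source_list", data_source_list),
        "notes": notes,
        "history": history,
    }]
```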
This action updates the case details.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case Title | Input the title of the case. Example: "Case 1". | Text | Required | |
Case ID | Input the case ID. | Integer | Required | |
Assigned To | Input the ID of the person the case is assigned to. Example: "1". | Integer | Required | |
Org ID | Input the Org ID. Example: "1". | Text | Required | |
Status ID | Input the Status ID. | Integer | Required | The default status IDs are 1 (Open) and 2 (Closed). |
Severity | Input the severity of the case. Example: "30". | Integer | Required | |
Event List | Input the Event List. Example: [{ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)" }] | Any | Required | |
Device List | Input the Device List. Example: ["123456789000"] | Any | Required | |
Data Source List | Input the Data Source List. Example: ["(value)"] | Any | Required | |
Notes | Input Notes. | Text | Required | |
Notes Added | Input the notes of a particular case. | Text | Required | |
History | Input History Notes. | Text | Required | |

```json
[
  {
    "org_id": 1,
    "case_id": 8210,
    "summary": "fun",
    "assigned_to": 1
  }
]
```
This action fetches the cases in an event.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case ID | Input the case ID. | Integer | Required | |

```json
[
  {
    "id_no": 1
  }
]
```
This action fetches details of a case in an event.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Event ID List | Input the Event ID List. Example: "144115188075855872|1345". | Any | Required | |

```json
[
  {
    "event_id": [
      "144115188075855872|1340",
      "144115188075855872|1340"
    ]
  }
]
```
This action fetches the list of cases.
No input parameters are required for this action.
This action fetches the details of an IPS alert.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
IPS ID | Input the IPS ID. Example: "144115188075855872|1340". | Text | Required | |

```json
[
  {
    "ips_id": "144115188075855872|1340"
  }
]
```