
Cyware Orchestrate

McAfee ESM 2.0.0

App Vendor: McAfee

Connector Category: Analytics & SIEM

Connector Version: 2.0.1

API Version: 1.0.0

About App

The McAfee ESM (Enterprise Security Manager) app in the Orchestrate application allows security teams to integrate with the McAfee SIEM solution to detect, prioritize, and manage incidents and respond to threats. McAfee ESM collects logs from numerous sources and correlates events for investigation and incident response. McAfee ESM uses watchlists as alarm conditions, so that an alarm triggers when the system encounters an event that matches a value in the watchlist.

The McAfee ESM app is configured in the Orchestrate application to perform the actions listed below:

| Action Name | Description |
| --- | --- |
| Add Watchlist Values | This action adds the watchlist values. |
| Get Watchlist Values | This action obtains the watchlisted values. |
| Get Watchlist Fields | This action obtains the watchlisted fields. |
| Get Watchlist Details | This action fetches the details of a watchlisted value. |
| Get All Watchlist | This action obtains the list of all the watchlisted values. |
| Remove Watchlist Value | This action removes the watchlisted values. |
| Get Access Group Details | This action obtains the list of user access groups defined in the McAfee ESM app. |
| Get Alarm Details | This action obtains the alarm details. |
| Get Triggered Alarms | This action obtains the list of alarms triggered within the specified time range. |
| Acknowledge Triggered Alarm | This action acknowledges a triggered alarm. |
| Clear Acknowledgement of Triggered Alarm | This action clears the acknowledgment provided for a triggered alarm. |
| Get User List | This action obtains the list of users. |
| Add Case | This action adds a case event. |
| Update Case | This action updates the case details. |
| Get Case | This action fetches the cases in an event. |
| Fetch Case Event Details | This action fetches details of a case in an event. |
| Fetch Case List | This action fetches the list of cases. |
| Fetch IPS Alert Data | This action fetches the details of an IPS alert. |

Configuration parameters

Below is the list of configuration parameters required for the McAfee ESM app to communicate with the McAfee ESM application. The parameters are configured when creating an instance of the app.

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Base URL | Enter the Base URL, FQDN, or IP address of the SMS Server. Example: "https://esm.domain.tld" | Text | Required | |
| Username | Enter the Security Management System (SMS) Username. | Text | Required | |
| Password | Enter the Security Management System (SMS) password. | Password | Required | |
| SSLVerification | Choose whether to verify the server's SSL certificate or skip the SSL verification. | Boolean | Optional | Allowed values: Yes, No. Default value: No |
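The SSLVerification default deserves a second look: left at No, the app accepts whatever certificate the ESM endpoint presents. The Python helper below is an added example, not part of the Cyware Orchestrate or McAfee ESM app code. It normalises the four instance parameters above into the values an HTTP client needs and returns the warnings a reviewer should see before the instance is saved. The parameter names are those of the table; the returned keys (base_url, username, verify_tls, warnings) are this example's own.

```python
# Added example, not part of the Cyware Orchestrate or McAfee ESM app code.
# Normalises the documented instance parameters (Base URL, Username, Password,
# SSLVerification) and reports the settings a reviewer should look at.
from urllib.parse import urlparse

# "Yes"/"No" are the documented allowed values; "No" is the documented default.
SSL_VERIFICATION_VALUES = {"yes": True, "no": False}


def build_connection_settings(params: dict) -> dict:
    """Return the normalised settings plus a list of review warnings.

    `params` is keyed by the parameter names in the configuration table.
    Missing required parameters raise ValueError; weak but allowed settings
    only produce a warning, because the connector itself accepts them.
    The password is deliberately not echoed back in the result.
    """
    warnings = []

    base_url = params.get("Base URL", "").strip().rstrip("/")
    parsed = urlparse(base_url)
    if not parsed.scheme or not parsed.netloc:
        raise ValueError('Base URL must include scheme and host, e.g. "https://esm.domain.tld"')
    if parsed.scheme != "https":
        warnings.append("Base URL is not https: the SMS credentials would be sent in clear text")

    username = params.get("Username", "").strip()
    password = params.get("Password", "")
    if not username or not password:
        raise ValueError("Username and Password are required")

    raw = str(params.get("SSLVerification", "No")).strip().lower()
    if raw not in SSL_VERIFICATION_VALUES:
        raise ValueError("SSLVerification must be Yes or No")
    verify_tls = SSL_VERIFICATION_VALUES[raw]
    if not verify_tls:
        warnings.append(
            "SSLVerification is No (the default): the ESM certificate is not validated, "
            "so the session between Orchestrate and the ESM is open to interception"
        )

    return {
        "base_url": base_url,
        "username": username,
        "verify_tls": verify_tls,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample instance using the page's example URL; credentials are placeholders.
    sample = {"Base URL": "https://esm.domain.tld/", "Username": "soc-automation", "Password": "<redacted>"}
    settings = build_connection_settings(sample)
    print("verify_tls =", settings["verify_tls"])
    for line in settings["warnings"]:
        print("WARNING:", line)
```

Pass `verify_tls` straight to the HTTP client (for example the `verify=` argument of a `requests` session); setting SSLVerification to Yes in the instance is what makes the warning disappear.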

Action: Add Watchlist Values

This action adds the watchlist values.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Watchlist ID | Enter the Watchlist ID. Example: 12 | Integer | Required | |
| Value | Enter the watchlist values. Example: $LIST[1.1.1.9, 1.1.1.8] | List | Required | |

Example Request

```json
[
    {
        "value": ["1.1.1.9", "1.1.1.8"],
        "watchlist_id": 8
    }
]
```

Action: Get Watchlist Values

This action obtains the watchlisted values.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Watchlist ID | Enter the Watchlist ID. Example: 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |

Example Request

```json
[
    {
        "watchlist_id": 8
    }
]
```

Action: Get Watchlist Fields

This action obtains the watchlisted fields.

Action Input Parameters

No input parameters are required for this action.

Action: Get Watchlist Details

This action fetches the details of a watchlisted value.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Watchlist ID | Enter the Watchlist ID. Example: 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |

Example Request

```json
[
    {
        "watchlist_id": 8
    }
]
```

Action: Get All Watchlist

This action fetches all the watchlist details, such as keywords, IPs, and technology terms.

Action Input Parameters

No input parameters are required for this action.

Action: Remove Watchlist Value

This action removes the watchlisted values.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Watchlist ID | Enter the Watchlist ID. Example: 12 | Integer | Required | |
| Value List | Enter the watchlist values to remove. Example: $LIST[1.1.1.9, 1.1.1.8] | List | Required | |

Example Request

```json
[
    {
        "value": ["1.1.1.9", "1.1.1.8"],
        "watchlist_id": 8
    }
]
```

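Values pushed to a SIEM watchlist become alarm conditions, so malformed or duplicated entries are worth catching before the Add Watchlist Values or Remove Watchlist Value request is sent. The Python below is an added example, not the connector's own code: it accepts either a plain list or the $LIST[...] notation shown in the parameter tables, validates each entry as an IP address (this assumes the target watchlist holds IPs, as in the page's 1.1.1.9 example), drops duplicates, and produces the request body in the shape of the Example Request above.

```python
# Added example, not Cyware's or McAfee's own code: validate watchlist values
# and build the documented request body for Add Watchlist Values /
# Remove Watchlist Value. Assumes an IP watchlist, as in the page's example.
import ipaddress
import json
import re

# Orchestrate's "$LIST[a, b]" notation as it appears in the parameter tables.
_LIST_SYNTAX = re.compile(r"^\$LIST\[(.*)\]$", re.DOTALL)


def parse_list_value(raw) -> list:
    """Accept a Python list or the '$LIST[a, b]' string form and return a list of strings."""
    if isinstance(raw, (list, tuple)):
        return [str(v).strip() for v in raw]
    match = _LIST_SYNTAX.match(str(raw).strip())
    if not match:
        raise ValueError("expected a list or $LIST[...] notation")
    inner = match.group(1).strip()
    return [v.strip() for v in inner.split(",") if v.strip()] if inner else []


def build_ip_watchlist_request(watchlist_id, values):
    """Return (payload, rejected).

    payload has the documented shape [{"value": [...], "watchlist_id": N}].
    Entries that are not valid IPv4/IPv6 addresses are collected in `rejected`
    rather than sent to the SIEM; duplicates (after canonicalisation, so
    2001:DB8::1 and 2001:db8::1 count once) are dropped while order is kept.
    """
    if not isinstance(watchlist_id, int) or isinstance(watchlist_id, bool) or watchlist_id <= 0:
        raise ValueError("watchlist_id must be a positive integer")
    accepted, rejected, seen = [], [], set()
    for entry in parse_list_value(values):
        try:
            canonical = str(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append(entry)
            continue
        if canonical not in seen:
            seen.add(canonical)
            accepted.append(canonical)
    return [{"value": accepted, "watchlist_id": watchlist_id}], rejected


if __name__ == "__main__":
    # Constructed input mixing the page's example IPs with a duplicate and a bad entry.
    payload, rejected = build_ip_watchlist_request(8, "$LIST[1.1.1.9, 1.1.1.8, 1.1.1.9, not-an-ip]")
    print(json.dumps(payload, indent=4))
    print("rejected:", rejected)
```

The same body serves both the add and the remove action; only the action chosen in the playbook differs.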
Action: Get Access Group Details

This action obtains the list of user access groups defined in the McAfee ESM app.

Action Input Parameters

No input parameters are required for this action.

Action: Get Alarm Details

This action obtains the alarm details.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Alarm ID | Enter the Alarm ID. Example: 8 | Integer | Required | |

Example Request

```json
[
    {
        "alarm_id": 8
    }
]
```

Action: Get Triggered Alarms

This action fetches the details of the triggered alarms that were used to run a playbook automatically.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Time Range | Enter the time range to search over a specified period of time and return the events that match the search condition. | Text | Required | Allowed values: LAST_MINUTE, LAST_10_MINUTES, LAST_30_MINUTES, LAST_HOUR, CURRENT_DAY, PREVIOUS_DAY, LAST_24_HOURS, LAST_2_DAYS, LAST_3_DAYS, CURRENT_WEEK, PREVIOUS_WEEK, CURRENT_MONTH, PREVIOUS_MONTH, CURRENT_QUARTER, PREVIOUS_QUARTER, CURRENT_YEAR, PREVIOUS_YEAR |
| Custom Start | Enter the custom start time. Example: "2021-04-07T00:08:40.900Z" | Text | Optional | |
| Custom End | Enter the custom end time. Example: "2021-04-07T00:08:40.900Z" | Text | Optional | |
| Status | Enter the status. Example: "Acknowledged" | Text | Optional | Allowed values: Acknowledged, Unacknowledged. The default value is null. |
| Page Size | Enter the page size. Example: 10 | Integer | Optional | The default value is 1000. |
| Page Number | Enter the page number. Example: 1 | Integer | Optional | The default value is 1. |

Example Request

```json
[
    {
        "time_range": "LAST_MINUTE"
    }
]
```

```json
[
    {
        "custom_start": "2021-04-07T00:08:40.900Z",
        "custom_end": "2021-07-07T00:08:40.900Z"
    }
]
```

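Get Triggered Alarms takes either a named time range or a custom start/end pair, and the page's own example shows how easily a stray space slips into the time_range value. The Python below is an added example, not the connector's own code: it normalises and validates the inputs from the table above and builds the request body. It assumes the body keys for the optional parameters follow the snake_case form of time_range (custom_start, custom_end, status, page_size, page_number); only time_range appears verbatim in the page's example.

```python
# Added example, not the connector's own code: build and validate the request
# body for Get Triggered Alarms. Assumption: optional parameters use snake_case
# keys (custom_start, custom_end, status, page_size, page_number) like the
# documented "time_range"; only time_range is shown verbatim on the page.
import json
from datetime import datetime, timezone

# Allowed values exactly as listed in the Time Range row of the table.
TIME_RANGES = {
    "LAST_MINUTE", "LAST_10_MINUTES", "LAST_30_MINUTES", "LAST_HOUR",
    "CURRENT_DAY", "PREVIOUS_DAY", "LAST_24_HOURS", "LAST_2_DAYS", "LAST_3_DAYS",
    "CURRENT_WEEK", "PREVIOUS_WEEK", "CURRENT_MONTH", "PREVIOUS_MONTH",
    "CURRENT_QUARTER", "PREVIOUS_QUARTER", "CURRENT_YEAR", "PREVIOUS_YEAR",
}
STATUSES = {"Acknowledged", "Unacknowledged"}


def parse_utc_timestamp(value: str) -> datetime:
    """Parse the documented form "2021-04-07T00:08:40.900Z" into an aware datetime.

    datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11 on,
    so the suffix is required and stripped by hand here.
    """
    if not value.endswith("Z"):
        raise ValueError("custom start/end must be UTC timestamps ending in Z")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def build_triggered_alarms_request(time_range=None, custom_start=None, custom_end=None,
                                   status=None, page_size=1000, page_number=1) -> list:
    """Return the one-element list body the Example Request uses, or raise ValueError."""
    body = {}

    if time_range is not None:
        # Trim stray whitespace (the page's example read " LAST_MINUTE") before checking.
        normalised = time_range.strip().upper()
        if normalised not in TIME_RANGES:
            raise ValueError(f"unknown time range {time_range!r}")
        body["time_range"] = normalised

    if (custom_start is None) != (custom_end is None):
        raise ValueError("custom start and custom end must be given together")
    if custom_start is not None:
        if parse_utc_timestamp(custom_end) <= parse_utc_timestamp(custom_start):
            raise ValueError("custom end must be later than custom start")
        body["custom_start"] = custom_start
        body["custom_end"] = custom_end

    if not body:
        raise ValueError("provide a time range or a custom start/end pair")

    if status is not None:
        if status not in STATUSES:
            raise ValueError("status must be Acknowledged or Unacknowledged")
        body["status"] = status

    # Page defaults from the table: page_size 1000, page_number 1; both must be positive.
    for name, value in (("page_size", page_size), ("page_number", page_number)):
        if not isinstance(value, int) or isinstance(value, bool) or value < 1:
            raise ValueError(f"{name} must be a positive integer")
        body[name] = value

    return [body]


if __name__ == "__main__":
    # Constructed call: unacknowledged alarms from the last hour, first page of 50.
    print(json.dumps(build_triggered_alarms_request("LAST_HOUR", status="Unacknowledged", page_size=50), indent=4))
```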
Action: Acknowledge Triggered Alarm

This action acknowledges a triggered alarm.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Alarm ID List | Enter the Alarm ID List. Example: 1 | Integer | Required | |

Example Request

```json
[
    {
        "alarmid_list": 1
    }
]
```

Action: Clear Acknowledgement of Triggered Alarm

This action clears the acknowledgment provided for a triggered alarm.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Alarm ID List | Enter the Alarm ID List. Example: 1 | Integer | Required | |

Example Request

```json
[
    {
        "alarmid_list": 1
    }
]
```

Action: Get User List

This action obtains the list of users.

Action Input Parameters

No input parameters are required for this action.

Action: Add Case

This action adds a case event.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Case Title | Input the title of the case. Example: "Case 1" | Text | Required | |
| Case ID | Input the case ID. Example: 547 | Integer | Required | |
| Assigned To | Input the user ID of the user to be assigned to the case. Example: 1 | Integer | Required | |
| Org ID | Input the Organization ID. Example: "1" | Text | Required | |
| Status ID | Input the Status ID. Example: 1 | Integer | Required | The default values are 1-Open and 2-Closed. |
| Severity | Input the severity of the case. Example: 30 | Integer | Required | |
| Event List | Input the Event List. Example: [{ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)" }] | List | Required | |
| Device List | Input the Device List. Example: $LIST[123456789000, 123456789000] | List | Required | |
| Data Source List | Input the Data Source List. Example: $LIST[source1, source2] | List | Required | |
| Notes | Input notes. Example: "Case created via automation from Cyware" | Text | Required | |
| Notes Added | Input the notes of a particular case. | Text | Required | |
| History | Input history notes. | Text | Required | |

Example Request

```json
[
    {
        "summary": "case1",
        "case_id": 547,
        "assigned_to": 1,
        "org_id": 1,
        "status_id": 2,
        "severity": 30,
        "event_list": [{"id": "(value)", "message": "(message)", "lastTime": "(lastTime)"}],
        "device_list": ["123456789000", "123456789000"],
        "data_source_list": ["source1", "source2"],
        "notes": "Case created via automation from Cyware",
        "notes_added": "sample notes",
        "history": "sample history notes"
    }
]
```

Action: Update Case

This action updates the case details.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Case Title | Input the title of the case. Example: "Case 1" | Text | Required | |
| Case ID | Input the case ID. Example: 547 | Integer | Required | |
| Assigned To | Input the user ID of the user to be assigned to the case. Example: 1 | Integer | Required | |
| Org ID | Input the Organization ID. Example: "1" | Text | Required | |
| Status ID | Input the Status ID. Example: 1 | Integer | Required | The default values are 1-Open and 2-Closed. |
| Severity | Input the severity of the case. Example: 30 | Integer | Required | |
| Event List | Input the Event List. Example: [{ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)" }] | List | Required | |
| Device List | Input the Device List. Example: $LIST[123456789000, 123456789000] | List | Required | |
| Data Source List | Input the Data Source List. Example: $LIST[source1, source2] | List | Required | |
| Notes | Input notes. Example: "Case created via automation from Cyware" | Text | Required | |
| Notes Added | Input the notes of a particular case. | Text | Required | |
| History | Input history notes. | Text | Required | |

Example Request

```json
[
    {
        "summary": "case1",
        "case_id": 547,
        "assigned_to": 1,
        "org_id": 1,
        "status_id": 2,
        "severity": 30,
        "event_list": [{"id": "(value)", "message": "(message)", "lastTime": "(lastTime)"}],
        "device_list": ["123456789000", "123456789000"],
        "data_source_list": ["source1", "source2"],
        "notes": "Case created via automation from Cyware",
        "notes_added": "sample notes",
        "history": "sample history notes"
    }
]
```

Action: Get Case

This action fetches the cases in an event.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Case ID | Input the case ID. | Integer | Required | |

Example Request

```json
[
    {
        "id_no": 1
    }
]
```

Action: Fetch Case Event Details

This action fetches details of a case in an event.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Event ID List | Input the Event ID List. Example: $LIST[144115188075855872\|1345, 144115188075855872\|1341] | List | Required | |

Example Request

```json
[
    {
        "event_id": ["1441151880758455872|1340", "144115188075855872|1341"]
    }
]
```

Action: Fetch Case List

This action fetches the list of cases.

Action Input Parameters

```json
[
    {
        "event_id": ["1441151880758455872|1340", "144115188075855872|1341"]
    }
]
```

Action: Fetch IPS Alert Data

This action fetches the details of an IPS alert.

Action Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| IPS ID | Input the IPS ID. Example: "144115188075855872\|1340" | Text | Required | |

Example Request

```json
[
    {
        "ips_id": "144115188075855872|1340"
    }
]
```
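Fetch Case Event Details and Fetch IPS Alert Data both take identifiers of the form 144115188075855872|1340. The Python below is an added example, not the connector's own code: it checks that shape, deduplicates the list, and builds both request bodies in the form of the Example Requests above. Reading the left part as the device identifier and the right part as the alert number is this example's assumption; the page itself only shows the format.

```python
# Added example, not the connector's own code. Validates the "<digits>|<digits>"
# event identifiers used by Fetch Case Event Details and Fetch IPS Alert Data
# and builds both request bodies. Assumption: the left part identifies the ESM
# device and the right part the alert; the page only shows the format.
import json
import re

EVENT_ID = re.compile(r"^(\d+)\|(\d+)$")


def parse_event_id(raw: str) -> tuple:
    """Return (device_part, alert_part) as ints, or raise ValueError on a malformed id."""
    match = EVENT_ID.match(raw.strip())
    if not match:
        raise ValueError(f"malformed event id {raw!r}; expected <digits>|<digits>")
    return int(match.group(1)), int(match.group(2))


def build_case_event_details_request(event_ids) -> list:
    """Body for Fetch Case Event Details: [{"event_id": [...]}], validated and deduplicated."""
    cleaned, seen = [], set()
    for raw in event_ids:
        parse_event_id(raw)          # reject anything that is not <digits>|<digits>
        event_id = raw.strip()
        if event_id not in seen:
            seen.add(event_id)
            cleaned.append(event_id)
    if not cleaned:
        raise ValueError("at least one event id is required")
    return [{"event_id": cleaned}]


def build_ips_alert_request(event_id: str) -> list:
    """Body for Fetch IPS Alert Data: the documented "ips_id" is the full composite id."""
    parse_event_id(event_id)
    return [{"ips_id": event_id.strip()}]


def alerts_per_device(event_ids) -> dict:
    """Group alert numbers by device part, e.g. to see how many sensors a case spans."""
    grouped = {}
    for raw in event_ids:
        device, alert = parse_event_id(raw)
        grouped.setdefault(device, set()).add(alert)
    return {device: sorted(alerts) for device, alerts in grouped.items()}


if __name__ == "__main__":
    # Constructed list built from the page's example ids plus a duplicate.
    ids = ["144115188075855872|1340", "144115188075855872|1341", " 144115188075855872|1340 "]
    print(json.dumps(build_case_event_details_request(ids), indent=4))
    print(json.dumps(build_ips_alert_request(ids[0]), indent=4))
    print(alerts_per_device(ids))
```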