McAfee ESM 2.0.0
App Vendor: McAfee
Connector Category: Analytics & SIEM
Connector Version: 2.0.1
API Version: 1.0.0
About App
The McAfee ESM (Enterprise Security Manager) app in the Orchestrate application allows security teams to integrate with the McAfee SIEM solution to detect, prioritize, and manage incidents and to respond to threats. McAfee ESM collects logs from numerous sources and correlates events for investigation and incident response. McAfee ESM uses watchlists as alarm conditions, so an alarm triggers when the system encounters an event that matches a value in the watchlist.
The McAfee ESM app is configured with the Orchestrate application to perform the actions listed below:
Action Name | Description |
---|---|
Add Watchlist Values | This action adds the watchlist values. |
Get Watchlist Values | This action obtains the watchlisted values. |
Get Watchlist Fields | This action obtains the watchlisted fields. |
Get Watchlist Details | This action fetches the details of a watchlisted value. |
Get All Watchlist | This action obtains the list of all the watchlisted values. |
Remove Watchlist Value | This action removes the watchlisted values. |
Get Access Group Details | This action obtains the list of user access groups defined in the McAfee ESM app. |
Get Alarm Details | This action obtains the alarm details. |
Get Triggered Alarms | This action obtains the list of alarms triggered between the specified time range. |
Acknowledge Triggered Alarm | This action acknowledges a triggered alarm. |
Clear Acknowledgement of Triggered Alarm | This action clears the acknowledgment provided for a triggered alarm. |
Get User List | This action obtains the list of users. |
Add Case | This action adds a case event. |
Update Case | This action updates the case details. |
Get Case | This action fetches the cases in an event. |
Fetch Case Event Details | This action fetches details of a case in an event. |
Fetch Case List | This action fetches the list of cases. |
Fetch IPS Alert Data | This action fetches the details of an IPS alert. |
Configuration parameters
Below is the list of configuration parameters that are required for the McAfee ESM app to communicate with the McAfee ESM application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Base URL | Enter the Base URL, FQDN, or IP address of the SMS Server. Example: "https://esm.domain.tld" | Text | Required | |
Username | Enter the Security Management System (SMS) Username. | Text | Required | |
Password | Enter the Security Management System (SMS) password. | Password | Required | |
SSLVerification | Optional preference to either verify or skip the SSL verification. | Boolean | Optional | Allowed values: Yes, No. Default Value: No |
Action: Add Watchlist Values
This action adds the watchlist values.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. Example, "12". | Integer | Required | |
Value | Enter the watchlist value. Example, $LIST[1.1.1.9, 1.1.1.8] | List | Required | |
Example Request
[ { "value": ["1.1.1.9", "1.1.1.8"], "watchlist_id": 8 } ]
Action: Get Watchlist Values
This action obtains the watchlisted values.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. For example, 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |
Example Request
[ { "watchlist_id": 8 } ]
Action: Get Watchlist Fields
This action obtains the watchlisted fields.
Action Input Parameters
No input parameters are required for this action.
Action: Get Watchlist Details
This action fetches the details of a watchlisted value.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. For example, 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |
Example Request
[ { "watchlist_id": 8 } ]
Action: Get All Watchlist
This action fetches all the watchlist details such as keywords, IPs, and Technology terms.
Action Input Parameters
No input parameters are required for this action.
Action: Remove Watchlist Value
This action removes the watchlisted values.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. Example, "12". | Integer | Required | |
Value List | Enter the watchlist value. Example, $LIST[1.1.1.9, 1.1.1.8] | List | Required | |
Example Request
[ { "value": ["1.1.1.9", "1.1.1.8"], "watchlist_id": 8 } ]
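The Add Watchlist Values and Remove Watchlist Value actions above share one request shape: a one-element list carrying "value" and "watchlist_id". Because a watchlist is an alarm condition, a malformed entry sits in the list without ever matching an event, and a duplicate is wasted. The helper below, an added example that is not part of the connector's own code, validates each value as an IPv4 or IPv6 address, canonicalizes and de-duplicates it, and builds the request body in the shape the page shows; it assumes the watchlist holds IP values, as the page's examples do.

```python
import ipaddress
from typing import Any, Dict, Iterable, List


def normalize_watchlist_values(values: Iterable[str]) -> List[str]:
    """Validate and de-duplicate IP values before they are written to a watchlist.

    Every entry must parse as an IPv4 or IPv6 address. A value that does not
    would never match an event, so fail fast instead of silently weakening
    the alarm condition.
    """
    seen = set()
    cleaned: List[str] = []
    for raw in values:
        candidate = str(raw).strip()
        if not candidate:
            raise ValueError("empty watchlist value")
        try:
            # .compressed yields one canonical spelling (collapses IPv6 zero runs)
            canonical = ipaddress.ip_address(candidate).compressed
        except ValueError as exc:
            raise ValueError(f"not an IP address: {candidate!r}") from exc
        if canonical not in seen:
            seen.add(canonical)
            cleaned.append(canonical)
    return cleaned


def build_watchlist_request(watchlist_id: int, values: Iterable[str]) -> List[Dict[str, Any]]:
    """Build the request body shown on this page for Add Watchlist Values
    and Remove Watchlist Value: [{"value": [...], "watchlist_id": N}].
    """
    # bool is a subclass of int, so reject True/False explicitly
    if not isinstance(watchlist_id, int) or isinstance(watchlist_id, bool) or watchlist_id <= 0:
        raise ValueError(f"watchlist_id must be a positive integer, got {watchlist_id!r}")
    cleaned = normalize_watchlist_values(values)
    if not cleaned:
        raise ValueError("no watchlist values supplied")
    return [{"value": cleaned, "watchlist_id": watchlist_id}]


if __name__ == "__main__":
    # Constructed sample input: one duplicate and stray whitespace.
    print(build_watchlist_request(8, ["1.1.1.9", " 1.1.1.8 ", "1.1.1.9"]))
```

The same body works for both actions; only the action invoked differs. If a watchlist on your ESM holds non-IP values (hostnames, hashes), swap the `ipaddress` check for a validator matching that field type rather than removing validation.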
Action: Get Access Group Details
This action obtains the list of user access groups defined in the McAfee ESM app.
Action Input Parameters
No input parameters are required for this action.
Action: Get Alarm Details
This action obtains the alarm details.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID | Enter the Alarm ID. Example, 8 | Integer | Required | |
Example Request
[ { "alarm_id": 8 } ]
Action: Get Triggered Alarms
This action fetches the triggered alarm details that were used to run a playbook automatically.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Time Range | Enter the time range to search requests over a specified period of time and return events that match the search condition. | Text | Required | Allowed values are: LAST_MINUTE, LAST_10_MINUTES, LAST_30_MINUTES, LAST_HOUR, CURRENT_DAY, PREVIOUS_DAY, LAST_24_HOURS, LAST_2_DAYS, LAST_3_DAYS, CURRENT_WEEK, PREVIOUS_WEEK, CURRENT_MONTH, PREVIOUS_MONTH, CURRENT_QUARTER, PREVIOUS_QUARTER, CURRENT_YEAR, PREVIOUS_YEAR. |
Custom Start | Enter the custom Start time range. Example: "2021-04-07T00:08:40.900Z" | Text | Optional | |
Custom End | Enter the custom End time range. Example: "2021-04-07T00:08:40.900Z". | Text | Optional | |
Status | Enter the status. Example: "Acknowledged" | Text | Optional | The default value is null. Allowed values: |
Page Size | Enter the page size. Example: 10 | Integer | Optional | The default value is 1000. |
Page Number | Enter the Page Number. Example: 1 | Integer | Optional | The default value is 1. |
Example Request
[ { "time_range": "LAST_MINUTE" } ]
[ { "custom start": "2021-04-07T00:08:40.900Z", "custom end": "2021-07-07T00:08:40.900Z" } ]
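The Get Triggered Alarms action accepts either a named Time Range or a Custom Start / Custom End pair, and the page's own example requests show how easy it is to get this wrong (a stray leading space in the range name, unbalanced quotes in the custom window). The helper below is an added example, not the connector's code: it validates the range name against the allowed values from the table, checks custom timestamps against the layout of the page's examples, enforces start-before-end, and builds the request list. The key names `custom_start`, `custom_end`, `status`, `page_size` and `page_number` are assumed to follow the underscore pattern of the page's other keys; the page itself does not show them in well-formed JSON.

```python
from datetime import datetime
from typing import Any, Dict, List, Optional

# Allowed values for Time Range, copied from the parameter table.
TIME_RANGES = frozenset({
    "LAST_MINUTE", "LAST_10_MINUTES", "LAST_30_MINUTES", "LAST_HOUR",
    "CURRENT_DAY", "PREVIOUS_DAY", "LAST_24_HOURS", "LAST_2_DAYS", "LAST_3_DAYS",
    "CURRENT_WEEK", "PREVIOUS_WEEK", "CURRENT_MONTH", "PREVIOUS_MONTH",
    "CURRENT_QUARTER", "PREVIOUS_QUARTER", "CURRENT_YEAR", "PREVIOUS_YEAR",
})

# Layout of the Custom Start / Custom End examples: "2021-04-07T00:08:40.900Z"
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_timestamp(value: str) -> datetime:
    """Parse the UTC timestamp layout used by the page's examples; reject anything else."""
    try:
        return datetime.strptime(value, TIMESTAMP_FORMAT)
    except ValueError as exc:
        raise ValueError(f"timestamp {value!r} is not of the form YYYY-MM-DDTHH:MM:SS.mmmZ") from exc


def build_triggered_alarms_request(
    time_range: Optional[str] = None,
    custom_start: Optional[str] = None,
    custom_end: Optional[str] = None,
    status: Optional[str] = None,
    page_size: int = 1000,
    page_number: int = 1,
) -> List[Dict[str, Any]]:
    """Return the one-element request list for Get Triggered Alarms.

    Exactly one way of bounding the search is accepted: a named time_range,
    or a custom_start/custom_end pair. Mixing them, or supplying half a pair,
    is rejected so a playbook cannot silently query the wrong window.
    """
    if page_size <= 0 or page_number <= 0:
        raise ValueError("page_size and page_number must be positive")
    body: Dict[str, Any] = {}
    if time_range is not None:
        if custom_start is not None or custom_end is not None:
            raise ValueError("use either time_range or a custom window, not both")
        name = time_range.strip().upper()  # tolerate the stray space seen in the page's example
        if name not in TIME_RANGES:
            raise ValueError(f"unknown time range {time_range!r}")
        body["time_range"] = name
    else:
        if custom_start is None or custom_end is None:
            raise ValueError("a custom window needs both custom_start and custom_end")
        start, end = parse_timestamp(custom_start), parse_timestamp(custom_end)
        if start >= end:
            raise ValueError("custom_start must be earlier than custom_end")
        # ASSUMED key spelling (underscore form, following time_range / watchlist_id).
        body["custom_start"] = custom_start
        body["custom_end"] = custom_end
    if status is not None:
        body["status"] = status  # ASSUMED key name
    # Only send paging keys when they differ from the documented defaults. ASSUMED key names.
    if page_size != 1000:
        body["page_size"] = page_size
    if page_number != 1:
        body["page_number"] = page_number
    return [body]


if __name__ == "__main__":
    print(build_triggered_alarms_request(time_range=" LAST_MINUTE"))
    print(build_triggered_alarms_request(
        custom_start="2021-04-07T00:08:40.900Z", custom_end="2021-07-07T00:08:40.900Z"))
```

The default page size of 1000 means a wide range such as PREVIOUS_YEAR can return many pages; loop on `page_number` until a page comes back short rather than assuming one call is complete.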
Action: Acknowledge Triggered Alarm
This action acknowledges a triggered alarm.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID List | Enter the Alarm ID List. Example: 1 | Integer | Required | |
Example Request
[ { "alarmid_list": 1 } ]
Action: Clear Acknowledgement of Triggered Alarm
This action clears the acknowledgment provided for a triggered alarm.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID List | Enter the Alarm ID List. Example: "1". | Integer | Required | |
Example Request
[ { "alarmid_list": 1 } ]
Action: Get User List
This action obtains the list of users.
Action Input Parameters
No input parameters are required for this action.
Action: Add Case
This action adds a case event.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case Title | Input the title of the case. Example: "Case 1". | Text | Required | |
Case ID | Input the case ID. Example: 547 | Integer | Required | |
Assigned To | Input the user ID of the user to be assigned to the case. Example: 1 | Integer | Required | |
Org ID | Input the Organization ID. Example: "1" | Text | Required | |
Status ID | Input the Status ID. Example: 1 | Integer | Required | The default values are 1-Open and 2-Closed. |
Severity | Input the severity of the case. Example: "30". | Integer | Required | |
Event List | Input the Event List. Example: [{ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)" }] | List | Required | |
Device List | Input the Device List. Example: $LIST[123456789000, 123456789000] | List | Required | |
Data Source List | Input the Data Source List. Example: $LIST[source1, source2] | List | Required | |
Notes | Input Notes. Example: "Case created via automation from Cyware" | Text | Required | |
Notes Added | Input the notes of a particular case. | Text | Required | |
History | Input History Notes. | Text | Required | |
Example Request
[ { "summary": "case1", "case_id": 547, "assigned_to": 1, "org_id": 1, "status_id": 2, "severity": 30, "event_list": [{"id": "(value)", "message": "(message)", "lastTime": "(lastTime)"}], "device_list": ["123456789000", "123456789000"], "data_source_list": ["source1", "source2"], "notes": "Case created via automation from Cyware", "notes_added": "sample notes", "history": "sample history notes" } ]
Action: Update Case
This action updates the case details.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case Title | Input the title of the case. Example: "Case 1". | Text | Required | |
Case ID | Input the case ID. Example: 547 | Integer | Required | |
Assigned To | Input the user ID of the user to be assigned to the case. Example: 1 | Integer | Required | |
Org ID | Input the Organization ID. Example: "1" | Text | Required | |
Status ID | Input the Status ID. Example: 1 | Integer | Required | The default values are 1-Open and 2-Closed. |
Severity | Input the severity of the case. Example: "30". | Integer | Required | |
Event List | Input the Event List. Example: [{ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)" }] | List | Required | |
Device List | Input the Device List. Example: $LIST[123456789000, 123456789000] | List | Required | |
Data Source List | Input the Data Source List. Example: $LIST[source1, source2] | List | Required | |
Notes | Input Notes. Example: "Case created via automation from Cyware" | Text | Required | |
Notes Added | Input the notes of a particular case. | Text | Required | |
History | Input History Notes. | Text | Required | |
Example Request
[ { "summary": "case1", "case_id": 547, "assigned_to": 1, "org_id": 1, "status_id": 2, "severity": 30, "event_list": [{"id": "(value)", "message": "(message)", "lastTime": "(lastTime)"}], "device_list": ["123456789000", "123456789000"], "data_source_list": ["source1", "source2"], "notes": "Case created via automation from Cyware", "notes_added": "sample notes", "history": "sample history notes" } ]
Action: Get Case
This action fetches the cases in an event.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case ID | Input the case ID. | Integer | Required | |
Example Request
[ { "id_no": 1 } ]
Action: Fetch Case Event Details
This action fetches details of a case in an event.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Event ID List | Input the Event ID List. Example: $LIST[144115188075855872|1345, 144115188075855872|1341] | List | Required | |
Example Request
[ { "event_id": [ "1441151880758455872|1340", "144115188075855872|1341"] } ]
Action: Fetch Case List
This action fetches the list of cases.
Action Input Parameters
[ { "event_id": [ "1441151880758455872|1340", "144115188075855872|1341"] } ]
Action: Fetch IPS Alert Data
This action fetches the details of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
IPS ID | Input the IPS ID. Example: "144115188075855872|1340". | Text | Required | |
Example Request
[ { "ips_id": "144115188075855872|1340" } ]