McAfee ESM 3.0.0
App Vendor: McAfee
App Category: IT Services
Connector Version: 3.0.0
API Version: 1.0.0
About App
The McAfee ESM (Enterprise Security Manager) app in the Orchestrate application allows security teams to integrate with the McAfee SIEM solution to detect, prioritize, manage cases, and respond to threats.
The McAfee ESM app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add Watchlist Values | This action adds the watchlist values. |
Get Watchlist Values | This action retrieves the watchlisted values. |
Get Watchlist fields | This action retrieves the watchlisted fields. |
Get Watchlist Details | This action retrieves the details of a watchlisted value. |
Get All Watchlist | This action retrieves the list of all the watchlisted values. |
Remove Watchlist Value | This action removes the watchlisted values. |
Get Access Group Details | This action retrieves the list of user access groups defined in the McAfee ESM app. |
Get Alarm Details | This action retrieves the alarm details. |
Get Triggered Alarms | This action retrieves the list of alarms triggered within the specified time range. |
Acknowledge Triggered Alarm | This action acknowledges a triggered alarm. |
Clear Acknowledgement of Triggered Alarm | This action clears the acknowledgment provided for a triggered alarm. |
Get User List | This action retrieves the list of users. |
Add Case | This action adds a case event. |
Update Case | This action updates the case details. |
Get Case | This action retrieves the cases in an event. |
Fetch Case Event Details | This action retrieves details of a case in an event. |
Fetch List Cases | This action retrieves the list of cases. |
Fetch IPS Alert Data | This action retrieves the details of an IPS alert. |
Configuration parameters
The following configuration parameters are required for the McAfee ESM app to communicate with the McAfee ESM enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL, FQDN, or IP address of the Security Management System (SMS) server. Example: "https://esm.domain.tld" | Text | Required | |
Username | Enter the username of the SMS server. | Text | Required | |
Password | Enter the password of the SMS server. | Password | Required | |
SSL Verification | Optional preference to either verify or skip SSL verification. Skipping verification makes the app accept any certificate, so the SMS credentials can be read by any host that intercepts the connection; keep it enabled outside isolated test setups. | Boolean | Optional | Allowed values: not specified. Default value: No |
Action: Add Watchlist Values
This action adds the watchlist values.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the watchlist ID. Example: 12 | Integer | Required | You can retrieve the watchlist ID using the Get All Watchlist action. |
Value | Enter the watchlist value. Example: $LIST[1.1.1.9, 1.1.1.8] | List | Required | |
Example Request
[ { "value": ["1.1.1.9", "1.1.1.8"], "watchlist_id": 12 } ]
Action: Get Watchlist Values
This action retrieves the watchlisted values.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the watchlist ID. Example: 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |
Example Request
[ { "watchlist_id": 12 } ]
Action: Get Watchlist Fields
This action retrieves the watchlisted fields.
Action Input Parameters
This action does not require any input parameter.
Action: Get Watchlist Details
This action retrieves the details of a watchlisted value.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the watchlist ID. Example: 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |
Example Request
[ { "watchlist_id": 12 } ]
Action: Get All Watchlist
This action retrieves all the watchlist details such as keywords, IPs, and technology terms.
Action Input Parameters
This action does not require any input parameter.
Action: Remove Watchlist Value
This action removes the watchlisted values.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the watchlist ID. Example: 12 | Integer | Required | You can retrieve the Watchlist ID using the Get All Watchlist action. |
Value List | Enter the watchlist value. Example: $LIST[1.1.1.9, 1.1.1.8] | List | Required | |
Example Request
[ { "value": ["1.1.1.9", "1.1.1.8"], "watchlist_id": 12 } ]
Action: Get Access Group Details
This action retrieves the list of user access groups defined in the McAfee ESM app.
Action Input Parameters
This action does not require any input parameter.
Action: Get Alarm Details
This action retrieves the alarm details.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID | Enter the alarm ID. Example: 8 | Integer | Required | |
Example Request
[ { "alarm_id": 8 } ]
Action: Get Triggered Alarms
This action fetches the triggered alarm details that were used to run a playbook automatically.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Time Range | Enter the time range to retrieve the alarms. Example: "LAST_MINUTE" | Text | Required | Allowed values: not specified |
Custom Start | Enter the custom start time. Example: "2021-04-07T00:08:40.900Z" | Text | Optional | |
Custom End | Enter the custom end time. Example: "2021-04-07T00:09:40.900Z" | Text | Optional | |
Status | Enter the status of the alarms. Example: "Acknowledged" | Text | Optional | Allowed values: not specified. Default value: Null |
Page Size | Enter the page size. Example: 10 | Integer | Optional | Default value: 1000 |
Page Number | Enter the page number. Example: 1 | Integer | Optional | Default value: 1 |
Example Request
[ { "time_range": "LAST_MINUTE", "custom_start": "2021-04-07T00:08:40.900Z", "custom_end": "2021-07-07T00:09:40.900Z", "status": "Acknowledged", "page_size": 10, "page_number": 1 } ]
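Added example, not code from the app or this page: two helpers that build the request bodies for the Add Watchlist Values and Get Triggered Alarms actions described above, applying the checks a playbook author would want before the action runs (duplicate and malformed watchlist entries, a custom window whose end precedes its start, non-positive paging values). Key names are taken from the page's example requests; the `custom_start`/`custom_end` spelling follows the page's snake_case convention, and the validation rules are assumptions.

```python
from datetime import datetime, timezone
import ipaddress


def build_add_watchlist_request(watchlist_id: int, values):
    """Body for Add Watchlist Values: [{"value": [...], "watchlist_id": N}].

    Values are stripped and deduplicated (order kept). Entries that parse as
    IP addresses are written in canonical form, so two spellings of the same
    IPv6 address do not both land on the watchlist; keywords stay as typed.
    """
    if not isinstance(watchlist_id, int) or watchlist_id < 1:
        raise ValueError("watchlist_id must be a positive integer")
    seen, clean = set(), []
    for raw in values:
        v = str(raw).strip()
        try:
            v = str(ipaddress.ip_address(v))   # canonical text form for IPs
        except ValueError:
            pass                               # not an IP: keep the keyword
        if v and v not in seen:
            seen.add(v)
            clean.append(v)
    if not clean:
        raise ValueError("at least one watchlist value is required")
    return [{"value": clean, "watchlist_id": watchlist_id}]


def _utc(ts: str) -> datetime:
    """Parse the page's timestamp format, e.g. 2021-04-07T00:08:40.900Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_triggered_alarms_request(time_range, custom_start=None, custom_end=None,
                                   status=None, page_size=1000, page_number=1):
    """Body for Get Triggered Alarms. Optional fields are omitted rather than
    sent empty, so the documented defaults (page_size 1000, page_number 1,
    status Null) apply on the ESM side."""
    time_range = time_range.strip()          # guards against " LAST_MINUTE"
    if not time_range:
        raise ValueError("time_range is required")
    if page_size < 1 or page_number < 1:
        raise ValueError("page_size and page_number must be >= 1")
    if (custom_start is None) != (custom_end is None):
        raise ValueError("custom_start and custom_end must be given together")
    body = {"time_range": time_range, "page_size": page_size, "page_number": page_number}
    if custom_start is not None:
        if _utc(custom_end) <= _utc(custom_start):   # assumed rule: end after start
            raise ValueError("custom_end must be later than custom_start")
        body["custom_start"], body["custom_end"] = custom_start, custom_end
    if status is not None:
        body["status"] = status
    return [body]
```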
Action: Acknowledge Triggered Alarm
This action acknowledges a triggered alarm.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID List | Enter the alarm ID list. Example: $LIST[1,2] | List | Required | |
Example Request
[ { "alarmid_list": ["1","2"] } ]
Action: Clear Acknowledgement of Triggered Alarm
This action clears the acknowledgment provided for a triggered alarm.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Alarm ID List | Enter the alarm ID list. Example: $LIST[1,2] | List | Required | |
Example Request
[ { "alarmid_list": ["1","2"] } ]
Action: Get User List
This action retrieves the list of users.
Action Input Parameters
This action does not require any input parameter.
Action: Add Case
This action adds a case event.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Title of Case | Enter the title of the case. Example: "Case 1". | Text | Required | |
Assigned To | Enter the user ID of the user to assign the case. Example: 1 | Integer | Required | |
Org ID | Enter the organization ID. Example: 1 | Integer | Required | |
Status ID | Enter the status ID. Example: 1 | Integer | Required | Allowed values: not specified |
Severity | Enter the severity of the case. Example: 30 | Integer | Required | |
Event List | Enter the event list. Example: $LIST[ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)"] | List | Required | |
Device List | Enter the device list. Example: $LIST[123456789000, 123456789000] | List | Required | |
Data Source List | Enter the data source list. Example: $LIST[source1, source2] | List | Required | |
Notes | Enter the notes. Example: "Case created via automation from Cyware" | Text | Required | |
Notes Added | Enter the notes of a particular case. Example: "Case created via automation" | Text | Required | |
History | Enter history notes. Example: "Historical notes" | Text | Required | |
Example Request
[ { "summary": "case1", "assigned_to": 1, "org_id": 1, "status_id": 2, "severity": 30, "event_list": [{"id": "(value)","message": "(message)","lastTime": "(lastTime)"}], "device_list": ["123456789000", "123456789000"], "data_source_list": ["source1", "source2"], "notes": "Case created via automation from Cyware", "notes_added": "Case created via automation", "history":"Historical notes" } ]
Action: Update Case
This action updates the case details.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case Title | Enter the title of the case. Example: "Case 1". | Text | Required | |
Case ID | Enter the case ID. Example: 547 | Integer | Required | |
Assigned To | Enter the user ID of the user to be assigned to the case. Example: 1 | Integer | Required | |
Org ID | Enter the organization ID. Example: 1 | Integer | Required | |
Status ID | Enter the status ID. Example: 1 | Integer | Required | Allowed values: not specified |
Severity | Enter the severity of the case. Example: 30 | Integer | Required | |
Event List | Enter the event list. Example: $LIST[ "id": "(value)", "message": "(message)", "lastTime": "(lastTime)" ] | List | Required | |
Device List | Enter the device list. Example: $LIST[123456789000, 123456789000] | List | Required | |
Data Source List | Enter the data source list. Example: $LIST[source1, source2] | List | Required | |
Notes | Enter the notes. Example: "Case created via automation from Cyware" | Text | Required | |
Notes Added | Enter the notes of a particular case. Example: "Case created via automation" | Text | Required | |
History | Enter history notes. Example: "Historical notes" | Text | Required | |
Example Request
[ { "summary": "case1", "case_id": 547, "assigned_to": 1, "org_id": 1, "status_id": 2, "severity": 30, "event_list": [{"id": "(value)","message": "(message)","lastTime": "(lastTime)"}], "device_list": ["123456789000", "123456789000"], "data_source_list": ["source1", "source2"], "notes": "Case created via automation from Cyware", "notes_added": "Case created via automation", "history":"Historical notes" } ]
Action: Get Case
This action retrieves the cases in an event.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Case ID | Enter the case ID. Example: 1 | Integer | Required | |
Example Request
[ { "id_no": 1 } ]
Action: Fetch Case Event Details
This action retrieves the details of events.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Event ID List | Enter the event ID list. Example: $LIST[144115188075855872|1345, 144115188075855872|1341] | List | Required | |
Example Request
[ { "event_id": [ "1441151880758455872|1340", "144115188075855872|1341"] } ]
Action: Fetch List Cases
This action retrieves a list of cases.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of cases to be retrieved. Example: 1 | Integer | Optional | Default value: 1 |
Offset | Enter the offset value to skip the result from start. Example: 1 | Integer | Optional | Default value: 0 |
Example Request
[ { "limit": 1, "offset": 1 } ]
Action: Fetch IPS Alert Data
This action retrieves the details of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
IPS ID | Enter the IPS ID. Example: "144115188075855872|1340" | Text | Required | |
Example Request
[ { "ips_id": "144115188075855872|1340" } ]