McAfee ePO (Deprecated)
McAfee ePO Pack.#
This Integration is part of theDeprecated
Use McAfee ePO v2 instead.
This integration was integrated and tested with McAfee ePO v5.3.2.
#
Configure McAfee ePO in Cortex- Name: a textual name for the integration instance.
- Url: for example:
https://****:port
- Username
- Password
- Trust any certificate (not secure) Mark to trust Certificate Authority.
- Use system proxy settings
#
PermissionsMcAfee ePO has a highly flexible and powerful permissions system. The permissions required for the user that uses this integration depend on which operations they need to perform. The API user should have the same permissions a regular user would have in order to access the data via the UI. It is possible to view the exact permissions needed for a specific command by running the !epo-help
command. The !epo-help
command's output will include help information for the specific command including required permissions.
More info about McAfee ePO's permissions model is available here.
Example !epo-help
outputs with permission information:
!epo-help command="repository.findPackages"
:!epo-help command="repository.deletePackage"
:
#
Playbooks- McAfee ePO Endpoint Connectivity Diagnostics - Perform a check on ePO endpoints to see if any endpoints are unmanaged or lost connectivity with ePO and take steps to return to valid state.
- McAfee ePO Endpoint Compliance - Discover endpoints that are not using the latest McAfee AV Signatures
- McAfee ePO Repository Compliance - Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
- Endpoint Enrichment - Generic v2: uses
epo-find-systems
to enrich an endpoint by hostname.
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Print help for ePO commands: epo-help
- Get the latest DAT file: epo-get-latest-dat
- Check the current DAT file version: epo-get-current-dat
- Update the DAT file: epo-update-client-dat
- Update a repository: epo-update-repository
- Get system tree groups: epo-get-system-tree-group
- Find systems in the system tree: epo-find-systems
- epo-command
- epo-advanced-command
- Wake up an agent: epo-wakeup-agent
- Apply a tag: epo-apply-tag
- Clear a tag: epo-clear-tag
- Query an ePO table: epo-query-table
- Get an ePO table: epo-get-table
- Get the ePO version: epo-get-version
- Find systems in the system tree: epo-find-system
- Move a system to a different group: epo-move-system
#
1. Print help for ePO commandsPrints help (information) for ePO commands. If no command argument is specified, returns all ePO commands.
#
Base Command#
InputArgument Name | Description | Required |
---|---|---|
search | String to search for in help. | Optional |
command | Command for which to print help. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!epo-help search="agent"
#
Human Readable Output#
2. Get the latest DAT fileChecks for the latest DAT file in the McAfee repository.
#
Base Command#
InputThere is no input for this command.Â
#
Context OutputPath | Type | Description |
---|---|---|
McAfee.ePO.latestDAT | Number | Latest McAfee DAT file version. |
#
Command Example!epo-get-latest-dat
#
Human Readable Output#
3. Check the current DAT file versionChecks the existing DAT file version in ePO.
#
Base Command#
InputThere is no input for this command.
#
Context OutputPath | Type | Description |
---|---|---|
McAfee.ePO.epoDAT | number | Current McAfee DAT file in the ePO repository. |
#
Command Example!epo-get-current-dat
#
Human Readable Output#
4. Update the DAT fileRun client task to update the DAT file.
To run this command, you need to create a task on the ePO server with a specific name.
- Log on to the ePO server.
- Select System Tree.
- Select Assigned Client Tasks > Actions > New Client Task Assignment.
- Configure the Select Task section.
Field | Value |
---|---|
Product | McAfee Agent |
Task Type | Product Update |
Task Name | DAT Update |
- Select Create New Task.
Field | Value |
---|---|
Task Name | VSEContentUpdateDemisto |
Package Selection | Selected packages |
Signatures and Engines | DAT |
#
Base Command#
InputArgument Name | Description | Required |
---|---|---|
systems | A CSV list of IP addresses or system names. | Required |
retryAttempts | Number of times the server will attempt to send the task to the client. Default is 1 retry. | Optional |
retryIntervalInSeconds | Retry interval in seconds. Default is 30 seconds. | Optional |
abortAfterMinutes | The threshold (in minutes) after which attempts to send the task to the client are aborted. Default is 5. | Optional |
stopAfterMinutes | The threshold (in minutes) that the client task is allowed to run. Defaults to 20. | Optional |
randomizationInterval | Duration (in minutes) over which to randomly spread task execution. Default is 0 (executes on all clients immediately). | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!epo-update-client-dat systems=ADMIN-PC
#
Human Readable Output#
5. Update a repositoryTriggers a server task in specific ePO servers to retrieve the latest signatures from the update server.
#
Base Command#
InputThere is no input for this command.
#
Context OutputThere is no context output for this command.
#
Command Example!epo-update-repository
#
Human Readable Output#
6. Get system tree groupsReturns system tree groups.
#
Base Commandepo-get-system-tree-group
#
InputArgument Name | Description | Required |
---|---|---|
search | String to search for in the system tree group. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
McAfee.ePO.SystemTreeGroups.groupId | number | System tree group ID. |
McAfee.ePO.SystemTreeGroups.groupPath | string | System tree group path. |
#
Human Readable Output#
7. Find systems in the system treeFind systems in the System Tree - by group ID or by search
#
Base Commandepo-find-systems
#
InputArgument Name | Description | Required |
---|---|---|
groupId | System tree group ID. | Required |
verbose | Whether to return all system data. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Endpoint.Name | string | Endpoint name. |
Endpoint.Domain | string | Endpoint domain. |
Endpoint.Hostname | string | Endpoint hostname. |
Endpoint.IPAddress | string | Endpoint IP address. |
Endpoint.OS | string | Endpoint OS. |
Endpoint.OSVersion | string | Endpoint OS version. |
Endpoint.Processor | string | Processor model. |
Endpoint.Processors | number | Number of processors. |
Endpoint.Memory | number | Endpoint memory. |
McAfee.ePO.Endpoint.ComputerName | string | Endpoint name. |
McAfee.ePO.Endpoint.Domain | string | Endpoint domain. |
McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname. |
McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address. |
McAfee.ePO.Endpoint.OS | string | Endpoint OS. |
McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version. |
McAfee.ePO.Endpoint.Processor | string | Processor model. |
McAfee.ePO.Endpoint.Processors | number | Number of processors |
McAfee.ePO.Endpoint.Memory | number | Endpoint memory. |
#
8. epo-commandExecutes the ePO command. Receives the mandatory ''command'' argument, and other optional arguments.
To get a list of available commands, run the ''epo-help'' command to get a list of available commands. You can also specify the ''headers'' argument to filter table headers. Example/:/ !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName
#
Base Commandepo-command
#
Command Example!epo-command command=system.find searchText=10.0.0.1
!epo-command command=agentmgmt.listAgentHandlers
#
9. epo-advanced-commandExecutes the ePO command.
To get a list of available commands, run the ''epo-help'' command. For example/:/ !epo-advanced-command command=clienttask.find commandArgs=searchText:On-demand. You can also specify the ''headers'' argument to filter table headers, for example/:/ !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName.
#
Base Command#
InputArgument Name | Description | Required |
---|---|---|
command | The command to execute. Run either the core.help command or the !epo-help to get all available commands. | Required |
commandArgs | CSV list of key value pairs as additional arguments to pass, for example, "argName1:argValue1,argName2:argValue2". | Required |
#
Context Output There is no context output for this command.
#
Command Example!epo-advanced-command command="clienttask.find" commandArgs="searchText:On-demand"
#
10. Wake up an agentWakes up an agent.
#
InputArgument Name | Description | Required |
---|---|---|
names | Agent hostname. | Required |
#
11. Apply a tagApplies a tag to hostnames.
#
InputArgument Name | Description | Required |
---|---|---|
names | Hostnames on which to apply tags. | Required |
tagName | Tag name. | Required |
#
Command Example!epo-apply-tag names="ADMIN-PC" tagName="Compromised"
#
12. Clear a tagClears a tag from hostnames.
#
InputArgument Name | Description | Required |
---|---|---|
names | Hostnames from which to clear tags. | Required |
tagName | Tag name. | Required |
#
Command Example!epo-clear-tag names="ADMIN-PC" tagName="Compromised"
#
13. Query an ePO tableQueries an ePO table.
#
Base Command#
InputArgument Name | Description | Required |
---|---|---|
target | Table name. | Required |
select | The columns to select, in SQUID syntax. Example: "(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)". | Optional |
where | Filter results, in SQUID syntax. Example: "(where ( eq ( OrionTaskLogTask .UserName "ga" )))". | Optional |
order | Order in which to return the results, in SQUID syntax. Example: "(order (asc OrionTaskLogTask.StartDate) )"). | Optional |
group | Group the results, in SQUID Syntax. Example: "(group EPOBranchNode.NodeName)". | Optional |
joinTables | Perform join, in SQUID syntax. | Optional |
query_name | Name for the query to appear in the context. | Optional |
#
Context OutputPath | Description |
---|---|
McAfee.ePO.Query | Query result. |
#
Human Readable Output!epo-query-table target=EPOLeafNode select="(select EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)" where="(hasTag EPOLeafNode.AppliedTags 4)"
!epo-query-table target=EPOLeafNode select="(select (top 3) EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)"
!epo-query-table target="EPOEvents" select="(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)" order="(order(desc EPOEvents.DetectedUTC))"
!epo-query-table target="EPExtendedEvent" select="(select (top 250) EPOEvents.ThreatName EPOEvents.AutoID EPExtendedEvent.EventAutoID EPExtendedEvent.TargetHash EPExtendedEvent.TargetPath EPOEvents.SourceHostName)" order="(order(desc EPExtendedEvent.TargetHash))" joinTables="EPOEvents"where="(where(eq EPOEvents.ThreatName "real Protect-LS!d5435f1fea5e"))"
#
14. Get an ePO tableReturns an ePO table.
#
Base Command#
InputArgument Name | Description | Required |
---|---|---|
table | Name of the table to return. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!epo-get-tables
#
Human Readable Output#
#
15. Get the ePO versionGets the ePO version. This command requires global admin permissions.
#
Base Command#
Context OutputPath | Type | Description |
---|---|---|
McAfee.ePO.Version | string | ePO version. |
#
Human Readable Output!epo-get-version
#
16. Find systems in the system treeFinds systems in the system tree.
#
Base Command#
InputArgument Name | Description | Required |
---|---|---|
searchText | Hostname to search. | Optional |
verbose | Print all system data | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Endpoint.Name | string | Endpoint name. |
Endpoint.Domain | string | Endpoint domain. |
Endpoint.Hostname | string | Endpoint hostname. |
Endpoint.IPAddress | string | Endpoint IP address. |
Endpoint.OS | string | Endpoint OS. |
Endpoint.OSVersion | string | Endpoint OS version. |
Endpoint.Processor | string | Processor model. |
Endpoint.Processors | number | Number of processors. |
Endpoint.Memory | number | Endpoint memory. |
McAfee.ePO.Endpoint.ComputerName | string | Endpoint name. |
McAfee.ePO.Endpoint.Domain | string | Endpoint domain. |
McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname. |
McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address. |
McAfee.ePO.Endpoint.OS | string | Endpoint OS. |
McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version. |
McAfee.ePO.Endpoint.Processor | string | Processor model. |
McAfee.ePO.Endpoint.Processors | number | Number of processors. |
McAfee.ePO.Endpoint.Memory | number | Endpoint memory. |
#
Human Readable Output!epo-find-system searchText=mar
#
17. Move a system to a different groupMoves a system to a different group.
#
Base Commandepo-move-system
#
InputArgument Name | Description | Required |
---|---|---|
names | Asset name. | Required |
parentGroupId | Group ID. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!epo-move-system names=tie parentGroupId=3