
# McAfee ePO (Deprecated)

This Integration is part of the McAfee ePO Pack.

Deprecated: use McAfee ePO v2 instead.

This integration was integrated and tested with McAfee ePO v5.3.2.

## Configure McAfee ePO on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for McAfee ePO.
3. Click Add instance to create and configure a new integration instance.
   - Name: a textual name for the integration instance.
   - Url: for example, https://****:port
   - Username
   - Password
   - Trust any certificate (not secure): select to accept any certificate authority, which skips certificate verification.
   - Use system proxy settings
4. Click Test to validate the URLs, credentials, and connection.

## Permissions

McAfee ePO has a highly flexible and powerful permissions system. The permissions required for the user that this integration authenticates as depend on which operations it needs to perform. The API user should have the same permissions a regular user would need to access the same data through the UI. To see the exact permissions a specific command needs, run the `!epo-help` command: its output includes help information for that command, including the required permissions. More information about McAfee ePO's permissions model is available in the McAfee ePO product documentation.

Example `!epo-help` outputs with permission information:

- `!epo-help command="repository.findPackages"`
- `!epo-help command="repository.deletePackage"`

## Playbooks

- McAfee ePO Endpoint Connectivity Diagnostics: checks ePO endpoints to see whether any are unmanaged or have lost connectivity with ePO, and takes steps to return them to a valid state.
- McAfee ePO Endpoint Compliance: discovers endpoints that are not using the latest McAfee AV signatures.
- McAfee ePO Repository Compliance: ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
- Endpoint Enrichment - Generic v2: uses `epo-find-systems` to enrich an endpoint by hostname.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Print help for ePO commands: `epo-help`
2. Get the latest DAT file: `epo-get-latest-dat`
3. Check the current DAT file version: `epo-get-current-dat`
4. Update the DAT file: `epo-update-client-dat`
5. Update a repository: `epo-update-repository`
6. Get system tree groups: `epo-get-system-tree-group`
7. Find systems in the system tree: `epo-find-systems`
8. Execute an ePO command: `epo-command`
9. Execute an ePO command with explicit arguments: `epo-advanced-command`
10. Wake up an agent: `epo-wakeup-agent`
11. Apply a tag: `epo-apply-tag`
12. Clear a tag: `epo-clear-tag`
13. Query an ePO table: `epo-query-table`
14. Get an ePO table: `epo-get-tables`
15. Get the ePO version: `epo-get-version`
16. Find systems in the system tree: `epo-find-system`
17. Move a system to a different group: `epo-move-system`

### 1. Print help for ePO commands

Prints help (information) for ePO commands. If no command argument is specified, returns all ePO commands.

#### Base Command

`epo-help`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search | String to search for in help. | Optional |
| command | Command for which to print help. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

`!epo-help search="agent"`

#### Human Readable Output

[Screenshot: screen shot 2018-08-26 at 10 28 00]

### 2. Get the latest DAT file

Checks for the latest DAT file in the McAfee repository.

#### Base Command

`epo-get-latest-dat`

#### Input

There is no input for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfee.ePO.latestDAT | Number | Latest McAfee DAT file version. |

#### Command Example

`!epo-get-latest-dat`

#### Human Readable Output

[Screenshot: screen shot 2018-08-26 at 10 15 58]

### 3. Check the current DAT file version

Checks the existing DAT file version in ePO.

#### Base Command

`epo-get-current-dat`

#### Input

There is no input for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfee.ePO.epoDAT | number | Current McAfee DAT file in the ePO repository. |

#### Command Example

`!epo-get-current-dat`

#### Human Readable Output

[Screenshot: screen shot 2018-08-26 at 10 18 36]

### 4. Update the DAT file

Runs a client task to update the DAT file.

To run this command, you need to create a task on the ePO server with a specific name.

1. Log on to the ePO server.
2. Select System Tree.
3. Select Assigned Client Tasks > Actions > New Client Task Assignment.
4. Configure the Select Task section.

   | Field | Value |
   | --- | --- |
   | Product | McAfee Agent |
   | Task Type | Product Update |
   | Task Name | DAT Update |

5. Select Create New Task.

   | Field | Value |
   | --- | --- |
   | Task Name | VSEContentUpdateDemisto |
   | Package Selection | Selected packages |
   | Signatures and Engines | DAT |

#### Base Command

`epo-update-client-dat`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| systems | A CSV list of IP addresses or system names. | Required |
| retryAttempts | Number of times the server will attempt to send the task to the client. Default is 1 retry. | Optional |
| retryIntervalInSeconds | Retry interval in seconds. Default is 30 seconds. | Optional |
| abortAfterMinutes | The threshold (in minutes) after which attempts to send the task to the client are aborted. Default is 5. | Optional |
| stopAfterMinutes | The threshold (in minutes) that the client task is allowed to run. Default is 20. | Optional |
| randomizationInterval | Duration (in minutes) over which to randomly spread task execution. Default is 0 (executes on all clients immediately). | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

`!epo-update-client-dat systems=ADMIN-PC`

#### Human Readable Output

[Screenshot: screen shot 2018-08-26 at 10 41 04]

### 5. Update a repository

Triggers a server task in specific ePO servers to retrieve the latest signatures from the update server.

#### Base Command

`epo-update-repository`

#### Input

There is no input for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!epo-update-repository`

#### Human Readable Output

[Screenshot: screen shot 2018-08-26 at 10 00 40]
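Commands 2 to 5 are the building blocks of the Endpoint Compliance and Repository Compliance playbooks listed above. The following Python is an added example, not the integration's or the playbooks' own code, showing the decision logic that sits between those commands: normalise the DAT versions that `epo-get-latest-dat` (McAfee.ePO.latestDAT) and `epo-get-current-dat` (McAfee.ePO.epoDAT) return, decide whether the repository lags, pick the endpoints that need a client update, and emit the `!epo-update-repository` and `!epo-update-client-dat` commands in the order they must run. The sample values and the per-endpoint `DATVersion` key are constructed for the example; a real playbook would obtain the endpoint DAT level from an ePO table query.

```python
"""
Added example (not the McAfee ePO integration's code): DAT compliance logic
built on the values commands 2-5 of the integration return.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Constructed sample values; nothing here came from a real ePO server.
SAMPLE_LATEST_DAT = "8975.0000"   # McAfee.ePO.latestDAT (as published by McAfee)
SAMPLE_EPO_DAT = "8973.0000"      # McAfee.ePO.epoDAT (what the ePO repository holds)
SAMPLE_ENDPOINTS: List[Dict[str, Any]] = [      # "DATVersion" is an assumed key
    {"Hostname": "ADMIN-PC", "DATVersion": "8975.0000"},
    {"Hostname": "HR-LAPTOP-01", "DATVersion": "8960.0000"},
    {"Hostname": "BUILD-SRV", "DATVersion": None},   # agent never reported a DAT
]


def parse_dat_version(value: Any) -> Optional[int]:
    """Normalise 8975, "8975" or "8975.0000" to the integer DAT number; None if unknown."""
    if value is None or isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if not text:
        return None
    major = text.split(".", 1)[0]
    return int(major) if major.isdigit() else None


@dataclass
class CompliancePlan:
    latest_dat: int
    epo_dat: int
    repository_stale: bool
    endpoints_to_update: List[str]
    endpoints_without_dat: List[str]
    commands: List[str] = field(default_factory=list)  # XSOAR commands to run, in order


def plan_dat_compliance(latest: Any, epo_dat: Any, endpoints: List[Dict[str, Any]],
                        max_lag: int = 0) -> CompliancePlan:
    """Decide which update commands are needed; max_lag is how many DAT versions behind is still acceptable."""
    latest_v = parse_dat_version(latest)
    epo_v = parse_dat_version(epo_dat)
    if latest_v is None or epo_v is None:
        raise ValueError("cannot plan without both the latest and the repository DAT version")
    repository_stale = latest_v - epo_v > max_lag

    stale: List[str] = []
    unknown: List[str] = []
    for ep in endpoints:
        host = str(ep["Hostname"])
        if "," in host or host != host.strip() or not host:
            # A hostname with a comma or padding would corrupt the CSV systems argument.
            raise ValueError(f"unsafe hostname for a CSV argument: {host!r}")
        v = parse_dat_version(ep.get("DATVersion"))
        if v is None:
            unknown.append(host)          # needs investigation, not a blind update
        elif latest_v - v > max_lag:
            stale.append(host)

    commands: List[str] = []
    # The repository must be refreshed before clients pull from it, so it goes first.
    if repository_stale:
        commands.append("!epo-update-repository")
    if stale:
        commands.append("!epo-update-client-dat systems=" + ",".join(stale))
    return CompliancePlan(latest_v, epo_v, repository_stale, stale, unknown, commands)


if __name__ == "__main__":
    plan = plan_dat_compliance(SAMPLE_LATEST_DAT, SAMPLE_EPO_DAT, SAMPLE_ENDPOINTS)
    print(f"latest {plan.latest_dat}, repository {plan.epo_dat}, stale={plan.repository_stale}")
    print("update:", plan.endpoints_to_update, "no DAT reported:", plan.endpoints_without_dat)
    for cmd in plan.commands:
        print(cmd)
```

Endpoints that report no DAT at all are listed separately rather than updated blindly: an agent that never reports a DAT is more likely a connectivity or management problem (the case the Endpoint Connectivity Diagnostics playbook covers) than an outdated signature set.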

### 6. Get system tree groups

Returns system tree groups.

#### Base Command

`epo-get-system-tree-group`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search | String to search for in the system tree group. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfee.ePO.SystemTreeGroups.groupId | number | System tree group ID. |
| McAfee.ePO.SystemTreeGroups.groupPath | string | System tree group path. |

#### Human Readable Output

[Screenshot: screen shot 2018-08-26 at 9 59 49]

### 7. Find systems in the system tree

Finds systems in the system tree, by group ID or by search.

#### Base Command

`epo-find-systems`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| groupId | System tree group ID. | Required |
| verbose | Whether to return all system data. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.Name | string | Endpoint name. |
| Endpoint.Domain | string | Endpoint domain. |
| Endpoint.Hostname | string | Endpoint hostname. |
| Endpoint.IPAddress | string | Endpoint IP address. |
| Endpoint.OS | string | Endpoint OS. |
| Endpoint.OSVersion | string | Endpoint OS version. |
| Endpoint.Processor | string | Processor model. |
| Endpoint.Processors | number | Number of processors. |
| Endpoint.Memory | number | Endpoint memory. |
| McAfee.ePO.Endpoint.ComputerName | string | Endpoint name. |
| McAfee.ePO.Endpoint.Domain | string | Endpoint domain. |
| McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname. |
| McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address. |
| McAfee.ePO.Endpoint.OS | string | Endpoint OS. |
| McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version. |
| McAfee.ePO.Endpoint.Processor | string | Processor model. |
| McAfee.ePO.Endpoint.Processors | number | Number of processors. |
| McAfee.ePO.Endpoint.Memory | number | Endpoint memory. |

### 8. epo-command

Executes an ePO command. Takes the mandatory `command` argument plus any additional arguments the ePO command accepts.

To get a list of available commands, run the `epo-help` command. You can also specify the `headers` argument to filter the table headers. Example: `!epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName`

#### Base Command

`epo-command`

#### Command Example

`!epo-command command=system.find searchText=10.0.0.1`

[Screenshot: screen shot 2018-10-02 at 9 44 34]

`!epo-command command=agentmgmt.listAgentHandlers`

[Screenshot: screen shot 2018-10-02 at 9 46 00]
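The raw rows that `system.find` returns through `epo-command` use ePO's own column names (the ones the `headers` argument filters on, such as `EPOComputerProperties.ComputerName` in the example above), whereas `epo-find-systems` (command 7) writes the standard `Endpoint` context and the integration-specific `McAfee.ePO.Endpoint` context. The following Python is an added example, not the integration's code, of that normalisation: it applies the CSV `headers` filter and maps a raw record to both context paths, leaving out fields the record does not carry instead of writing empty values. The `EPOComputerProperties.*` column names other than `ComputerName` are assumed from ePO's system tables and should be confirmed with `!epo-help` or `!epo-get-tables` on your own server; the sample record values are constructed.

```python
"""
Added example (not the McAfee ePO integration's code): map a raw system.find
record to the Endpoint / McAfee.ePO.Endpoint context documented for command 7.
"""
from typing import Any, Dict, Optional

# Constructed sample record. Column names other than ComputerName are assumed
# ePO column names; every value is invented.
SAMPLE_RECORD: Dict[str, Any] = {
    "EPOBranchNode.AutoID": 3,
    "EPOComputerProperties.ComputerName": "ADMIN-PC",
    "EPOComputerProperties.DomainName": "CORP",
    "EPOComputerProperties.IPHostName": "admin-pc.corp.example",
    "EPOComputerProperties.IPAddress": "10.0.0.1",
    "EPOComputerProperties.OSType": "Windows 10 Workstation",
    "EPOComputerProperties.OSVersion": "10.0",
    "EPOComputerProperties.CPUType": "Intel64 Family 6 Model 142",
    "EPOComputerProperties.NumOfCPU": "4",
    "EPOComputerProperties.TotalPhysicalMemory": 17179869184,
}

# Standard Endpoint context field -> raw ePO column (assumed mapping).
ENDPOINT_FIELDS: Dict[str, str] = {
    "Name": "EPOComputerProperties.ComputerName",
    "Domain": "EPOComputerProperties.DomainName",
    "Hostname": "EPOComputerProperties.IPHostName",
    "IPAddress": "EPOComputerProperties.IPAddress",
    "OS": "EPOComputerProperties.OSType",
    "OSVersion": "EPOComputerProperties.OSVersion",
    "Processor": "EPOComputerProperties.CPUType",
    "Processors": "EPOComputerProperties.NumOfCPU",
    "Memory": "EPOComputerProperties.TotalPhysicalMemory",
}
NUMERIC_FIELDS = {"Processors", "Memory"}   # documented as type "number"


def filter_headers(record: Dict[str, Any], headers: Optional[str]) -> Dict[str, Any]:
    """Keep only the columns named in a CSV string, like the epo-command headers= argument."""
    if not headers:
        return dict(record)
    wanted = [h.strip() for h in headers.split(",") if h.strip()]
    return {h: record[h] for h in wanted if h in record}


def to_endpoint_context(record: Dict[str, Any], verbose: bool = False) -> Dict[str, Dict[str, Any]]:
    """Build {"Endpoint": {...}, "McAfee.ePO.Endpoint": {...}} from one raw system.find row."""
    standard: Dict[str, Any] = {}
    for ctx_key, raw_key in ENDPOINT_FIELDS.items():
        value = record.get(raw_key)
        if value is None or value == "":
            continue                      # absent data stays absent in context
        if ctx_key in NUMERIC_FIELDS:
            try:
                value = int(value)
            except (TypeError, ValueError):
                continue                  # a non-numeric CPU count or memory size is dropped
        standard[ctx_key] = value

    epo = dict(standard)
    if "Name" in epo:
        epo["ComputerName"] = epo.pop("Name")   # the McAfee.ePO.Endpoint path uses ComputerName
    if verbose:
        # Assumed behaviour for verbose=true: carry every raw column along under its ePO name.
        for raw_key, value in record.items():
            epo.setdefault(raw_key, value)
    return {"Endpoint": standard, "McAfee.ePO.Endpoint": epo}


if __name__ == "__main__":
    print(filter_headers(SAMPLE_RECORD, "EPOBranchNode.AutoID,EPOComputerProperties.ComputerName"))
    print(to_endpoint_context(SAMPLE_RECORD))
```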

### 9. epo-advanced-command

Executes an ePO command, passing its arguments explicitly as key:value pairs.

To get a list of available commands, run the `epo-help` command. For example: `!epo-advanced-command command=clienttask.find commandArgs=searchText:On-demand`. You can also specify the `headers` argument to filter the table headers, for example: `!epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName`.

#### Base Command

`epo-advanced-command`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| command | The command to execute. Run either the core.help command or `!epo-help` to get all available commands. | Required |
| commandArgs | CSV list of key:value pairs as additional arguments to pass, for example, "argName1:argValue1,argName2:argValue2". | Required |

#### Context Output

There is no context output for this command.

#### Command Example

`!epo-advanced-command command="clienttask.find" commandArgs="searchText:On-demand"`

[Screenshot: screen shot 2018-10-29 at 13 31 53]

### 10. Wake up an agent

Wakes up an agent.

#### Base Command

`epo-wakeup-agent`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| names | Agent hostname. | Required |

### 11. Apply a tag

Applies a tag to hostnames.

#### Base Command

`epo-apply-tag`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| names | Hostnames on which to apply tags. | Required |
| tagName | Tag name. | Required |

#### Command Example

`!epo-apply-tag names="ADMIN-PC" tagName="Compromised"`

### 12. Clear a tag

Clears a tag from hostnames.

#### Base Command

`epo-clear-tag`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| names | Hostnames from which to clear tags. | Required |
| tagName | Tag name. | Required |

#### Command Example

`!epo-clear-tag names="ADMIN-PC" tagName="Compromised"`

### 13. Query an ePO table

Queries an ePO table.

#### Base Command

`epo-query-table`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| target | Table name. | Required |
| select | The columns to select, in SQUID syntax. Example: "(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)". | Optional |
| where | Filter results, in SQUID syntax. Example: "(where ( eq ( OrionTaskLogTask .UserName "ga" )))". | Optional |
| order | Order in which to return the results, in SQUID syntax. Example: "(order (asc OrionTaskLogTask.StartDate) )". | Optional |
| group | Group the results, in SQUID syntax. Example: "(group EPOBranchNode.NodeName)". | Optional |
| joinTables | Perform a join, in SQUID syntax. | Optional |
| query_name | Name under which the query result appears in the context. | Optional |

#### Context Output

| Path | Description |
| --- | --- |
| McAfee.ePO.Query | Query result. |

#### Human Readable Output

`!epo-query-table target=EPOLeafNode select="(select EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)" where="(hasTag EPOLeafNode.AppliedTags 4)"`

[Screenshot: screen shot 2018-10-29 at 15 17 18]

`!epo-query-table target=EPOLeafNode select="(select (top 3) EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)"`

[Screenshot: screen shot 2018-10-29 at 15 17 43]

`!epo-query-table target="EPOEvents" select="(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)" order="(order(desc EPOEvents.DetectedUTC))"`

[Screenshot: screen shot 2018-10-29 at 16 35 41]

`!epo-query-table target="EPExtendedEvent" select="(select (top 250) EPOEvents.ThreatName EPOEvents.AutoID EPExtendedEvent.EventAutoID EPExtendedEvent.TargetHash EPExtendedEvent.TargetPath EPOEvents.SourceHostName)" order="(order(desc EPExtendedEvent.TargetHash))" joinTables="EPOEvents" where="(where(eq EPOEvents.ThreatName "real Protect-LS!d5435f1fea5e"))"`

[Screenshot: screen shot 2018-10-31 at 10 03 49]
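The `select`, `where` and `order` arguments above are SQUID s-expressions assembled as strings, so a playbook that drops an incident field (a threat name, a hostname) straight into a `where` clause lets that value change the query's structure. The following Python is an added example, not the integration's code, of building those expressions from validated parts: column and table names must match `Table.Column`, string literals may not contain quotes, parentheses or control characters (the page does not document SQUID's escaping rules, so rejecting such values is safer than guessing an escape), and every expression is checked for balanced parentheses before it is handed to `epo-query-table`. It follows the `(where ...)` form from the argument description; the page's `hasTag` example omits that wrapper, so check which form your ePO version expects. The result is the argument dict you would pass to the command, for instance through `demisto.executeCommand("epo-query-table", args)` in an automation.

```python
"""
Added example (not the McAfee ePO integration's code): safe construction of
SQUID expressions for the epo-query-table command.
"""
import re
from typing import Dict, Optional, Sequence, Union

COLUMN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$")
TABLE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
FORBIDDEN_IN_LITERAL = set('"()\\')   # any of these could alter the expression


class SquidError(ValueError):
    """Raised when an identifier or literal would not be a safe SQUID token."""


def column(name: str) -> str:
    if not COLUMN_RE.match(name):
        raise SquidError(f"not a valid Table.Column identifier: {name!r}")
    return name


def table(name: str) -> str:
    if not TABLE_RE.match(name):
        raise SquidError(f"not a valid table name: {name!r}")
    return name


def literal(value: Union[str, int]) -> str:
    """Render a value as a SQUID literal: integers bare, strings double-quoted."""
    if isinstance(value, bool):
        raise SquidError("booleans are not supported here")
    if isinstance(value, int):
        return str(value)
    if not isinstance(value, str):
        raise SquidError(f"unsupported literal type: {type(value).__name__}")
    if any(c in FORBIDDEN_IN_LITERAL or ord(c) < 0x20 for c in value):
        raise SquidError(f"literal contains characters that could change the query: {value!r}")
    return f'"{value}"'


def select(columns: Sequence[str], top: Optional[int] = None) -> str:
    parts = [column(c) for c in columns]
    if not parts:
        raise SquidError("select needs at least one column")
    if top is not None:
        if isinstance(top, bool) or not isinstance(top, int) or top <= 0:
            raise SquidError("top must be a positive integer")
        parts.insert(0, f"(top {top})")
    return "(select " + " ".join(parts) + ")"


def where_eq(col: str, value: Union[str, int]) -> str:
    return f"(where (eq {column(col)} {literal(value)}))"


def where_has_tag(col: str, tag_id: int) -> str:
    if isinstance(tag_id, bool) or not isinstance(tag_id, int):
        raise SquidError("tag id must be an integer")
    return f"(where (hasTag {column(col)} {tag_id}))"


def order(col: str, desc: bool = False) -> str:
    return f"(order ({'desc' if desc else 'asc'} {column(col)}))"


def is_balanced(expr: str) -> bool:
    """True if parentheses balance, ignoring any inside double-quoted strings."""
    depth, in_string = 0, False
    for ch in expr:
        if ch == '"':
            in_string = not in_string
        elif not in_string:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    return False
    return depth == 0 and not in_string


def build_query_args(target: str, columns: Sequence[str], top: Optional[int] = None,
                     where: Optional[str] = None, order_by: Optional[str] = None,
                     desc: bool = False, join_tables: Sequence[str] = ()) -> Dict[str, str]:
    """Assemble the epo-query-table argument dict from validated parts."""
    args = {"target": table(target), "select": select(columns, top)}
    if where:
        args["where"] = where
    if order_by:
        args["order"] = order(order_by, desc)
    if join_tables:
        args["joinTables"] = ",".join(table(t) for t in join_tables)
    for key in ("select", "where", "order"):
        if key in args and not is_balanced(args[key]):
            raise SquidError(f"{key} expression is not balanced: {args[key]!r}")
    return args


if __name__ == "__main__":
    # Same query as the page's EPExtendedEvent example, built from parts.
    print(build_query_args(
        "EPExtendedEvent",
        ["EPOEvents.ThreatName", "EPOEvents.AutoID", "EPExtendedEvent.EventAutoID",
         "EPExtendedEvent.TargetHash", "EPExtendedEvent.TargetPath", "EPOEvents.SourceHostName"],
        top=250, where=where_eq("EPOEvents.ThreatName", "real Protect-LS!d5435f1fea5e"),
        order_by="EPExtendedEvent.TargetHash", desc=True, join_tables=["EPOEvents"]))
```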

### 14. Get an ePO table

Returns an ePO table.

#### Base Command

`epo-get-tables`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| table | Name of the table to return. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

`!epo-get-tables`

#### Human Readable Output

[Screenshot: screen shot 2018-10-29 at 15 19 13]

### 15. Get the ePO version

Gets the ePO version. This command requires global admin permissions.

#### Base Command

`epo-get-version`

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfee.ePO.Version | string | ePO version. |

#### Human Readable Output

`!epo-get-version`

[Screenshot: screen shot 2018-11-06 at 15 43 18]

### 16. Find systems in the system tree

Finds systems in the system tree.

#### Base Command

`epo-find-system`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| searchText | Hostname to search for. | Optional |
| verbose | Whether to print all system data. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.Name | string | Endpoint name. |
| Endpoint.Domain | string | Endpoint domain. |
| Endpoint.Hostname | string | Endpoint hostname. |
| Endpoint.IPAddress | string | Endpoint IP address. |
| Endpoint.OS | string | Endpoint OS. |
| Endpoint.OSVersion | string | Endpoint OS version. |
| Endpoint.Processor | string | Processor model. |
| Endpoint.Processors | number | Number of processors. |
| Endpoint.Memory | number | Endpoint memory. |
| McAfee.ePO.Endpoint.ComputerName | string | Endpoint name. |
| McAfee.ePO.Endpoint.Domain | string | Endpoint domain. |
| McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname. |
| McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address. |
| McAfee.ePO.Endpoint.OS | string | Endpoint OS. |
| McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version. |
| McAfee.ePO.Endpoint.Processor | string | Processor model. |
| McAfee.ePO.Endpoint.Processors | number | Number of processors. |
| McAfee.ePO.Endpoint.Memory | number | Endpoint memory. |

#### Human Readable Output

`!epo-find-system searchText=mar`

[Screenshot: screen shot 2018-11-06 at 15 46 12]

### 17. Move a system to a different group

Moves a system to a different group.

#### Base Command

`epo-move-system`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| names | Asset name. | Required |
| parentGroupId | Group ID. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

`!epo-move-system names=tie parentGroupId=3`

#### Human Readable Output

[Screenshot: Screen Shot 2019-07-31 at 11 34 28]