McAfee ePO

Use the McAfee ePO integration to manage security threats and responses.

This integration was integrated and tested with McAfee ePO v5.3.2.

Configure McAfee ePO on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for McAfee ePO.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Url: for example, https://****:port
    • Username
    • Password
    • Trust any certificate (not secure): select this to trust any Certificate Authority.
    • Use system proxy settings
  4. Click Test to validate the URLs, credentials, and connection.

Permissions

McAfee ePO has a highly flexible and powerful permissions system. The permissions required for the user account that this integration uses depend on which operations it needs to perform: the API user needs the same permissions a regular user would need to access the same data through the UI. You can view the exact permissions needed for a specific command by running the !epo-help command; its output includes help information for that command, including the required permissions. More information about McAfee ePO's permissions model is available in the McAfee ePO product documentation.

Example !epo-help outputs with permission information:

  • !epo-help command="repository.findPackages":
  • !epo-help command="repository.deletePackage":

Playbooks

  • McAfee ePO Endpoint Connectivity Diagnostics - Checks ePO endpoints to see if any are unmanaged or have lost connectivity with ePO, and takes steps to return them to a valid state.
  • McAfee ePO Endpoint Compliance - Discovers endpoints that are not using the latest McAfee AV signatures.
  • McAfee ePO Repository Compliance - Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
  • Endpoint Enrichment - Generic v2: uses epo-find-systems to enrich an endpoint by hostname.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Print help for ePO commands: epo-help
  2. Get the latest DAT file: epo-get-latest-dat
  3. Check the current DAT file version: epo-get-current-dat
  4. Update the DAT file: epo-update-client-dat
  5. Update a repository: epo-update-repository
  6. Get system tree groups: epo-get-system-tree-group
  7. Find systems in the system tree: epo-find-systems
  8. Execute an ePO command: epo-command
  9. Execute an ePO command with additional arguments: epo-advanced-command
  10. Wake up an agent: epo-wakeup-agent
  11. Apply a tag: epo-apply-tag
  12. Clear a tag: epo-clear-tag
  13. Query an ePO table: epo-query-table
  14. Get an ePO table: epo-get-tables
  15. Get the ePO version: epo-get-version
  16. Find systems in the system tree: epo-find-system
  17. Move a system to a different group: epo-move-system

1. Print help for ePO commands

Prints help (information) for ePO commands. If no command argument is specified, returns all ePO commands.

Base Command

epo-help

Input

Argument Name | Description | Required
--- | --- | ---
search | String to search for in help. | Optional
command | Command for which to print help. | Optional

Context Output

There is no context output for this command.

Command Example

!epo-help search="agent"


2. Get the latest DAT file

Checks for the latest DAT file in the McAfee repository.

Base Command

epo-get-latest-dat

Input

There is no input for this command.

Context Output

Path | Type | Description
--- | --- | ---
McAfee.ePO.latestDAT | Number | Latest McAfee DAT file version.

Command Example

!epo-get-latest-dat


3. Check the current DAT file version

Checks the existing DAT file version in ePO.

Base Command

epo-get-current-dat

Input

There is no input for this command.

Context Output

Path | Type | Description
--- | --- | ---
McAfee.ePO.epoDAT | number | Current McAfee DAT file in the ePO repository.

Command Example

!epo-get-current-dat


4. Update the DAT file

Run client task to update the DAT file.

To run this command, you must first create a client task with a specific name on the ePO server:

  1. Log on to the ePO server.
  2. Select System Tree.
  3. Select Assigned Client Tasks > Actions > New Client Task Assignment.
  4. Configure the Select Task section:

Field | Value
--- | ---
Product | McAfee Agent
Task Type | Product Update
Task Name | DAT Update

  5. Select Create New Task and configure it:

Field | Value
--- | ---
Task Name | VSEContentUpdateDemisto
Package Selection | Selected packages
Signatures and Engines | DAT

Base Command

epo-update-client-dat

Input

Argument Name | Description | Required
--- | --- | ---
systems | A CSV list of IP addresses or system names. | Required
retryAttempts | Number of times the server will attempt to send the task to the client. Default is 1 retry. | Optional
retryIntervalInSeconds | Retry interval in seconds. Default is 30 seconds. | Optional
abortAfterMinutes | The threshold (in minutes) after which attempts to send the task to the client are aborted. Default is 5. | Optional
stopAfterMinutes | The threshold (in minutes) that the client task is allowed to run. Default is 20. | Optional
randomizationInterval | Duration (in minutes) over which to randomly spread task execution. Default is 0 (executes on all clients immediately). | Optional

Context Output

There is no context output for this command.

Command Example

!epo-update-client-dat systems=ADMIN-PC


5. Update a repository

Triggers a server task in specific ePO servers to retrieve the latest signatures from the update server.

Base Command

epo-update-repository

Input

There is no input for this command.

Context Output

There is no context output for this command.

Command Example

!epo-update-repository


6. Get system tree groups

Returns system tree groups.

Base Command

epo-get-system-tree-group

Input

Argument Name | Description | Required
--- | --- | ---
search | String to search for in the system tree group. | Optional

Context Output

Path | Type | Description
--- | --- | ---
McAfee.ePO.SystemTreeGroups.groupId | number | System tree group ID.
McAfee.ePO.SystemTreeGroups.groupPath | string | System tree group path.


7. Find systems in the system tree

Finds systems in the System Tree, by group ID or by search.

Base Command

epo-find-systems

Input

Argument Name | Description | Required
--- | --- | ---
groupId | System tree group ID. | Required
verbose | Whether to return all system data. | Optional

Context Output

Path | Type | Description
--- | --- | ---
Endpoint.Name | string | Endpoint name.
Endpoint.Domain | string | Endpoint domain.
Endpoint.Hostname | string | Endpoint hostname.
Endpoint.IPAddress | string | Endpoint IP address.
Endpoint.OS | string | Endpoint OS.
Endpoint.OSVersion | string | Endpoint OS version.
Endpoint.Processor | string | Processor model.
Endpoint.Processors | number | Number of processors.
Endpoint.Memory | number | Endpoint memory.
McAfee.ePO.Endpoint.Name | string | Endpoint name.
McAfee.ePO.Endpoint.Domain | string | Endpoint domain.
McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname.
McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address.
McAfee.ePO.Endpoint.OS | string | Endpoint OS.
McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version.
McAfee.ePO.Endpoint.Processor | string | Processor model.
McAfee.ePO.Endpoint.Processors | number | Number of processors.
McAfee.ePO.Endpoint.Memory | number | Endpoint memory.

8. epo-command

Executes an ePO command. Takes the mandatory 'command' argument plus any optional arguments that the ePO command itself accepts.

To get a list of available commands, run the 'epo-help' command. You can also specify the 'headers' argument to filter the table headers that are returned. Example: !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName

Base Command

epo-command

Command Example

!epo-command command=system.find searchText=10.0.0.1

!epo-command command=agentmgmt.listAgentHandlers

9. epo-advanced-command

Executes the ePO command.

To get a list of available commands, run the 'epo-help' command. For example: !epo-advanced-command command=clienttask.find commandArgs=searchText:On-demand. You can also specify the 'headers' argument to filter table headers, for example: !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName.

Base Command

epo-advanced-command

Input

Argument Name | Description | Required
--- | --- | ---
command | The command to execute. Run the core.help command or !epo-help to list all available commands. | Required
commandArgs | CSV list of key:value pairs to pass as additional arguments, for example "argName1:argValue1,argName2:argValue2". | Required

Context Output

There is no context output for this command.

Command Example

!epo-advanced-command command="clienttask.find" commandArgs="searchText:On-demand"

10. Wake up an agent

Wakes up an agent.

Base Command

epo-wakeup-agent

Input

Argument Name | Description | Required
--- | --- | ---
names | Agent hostname. | Required

11. Apply a tag

Applies a tag to hostnames.

Base Command

epo-apply-tag

Input

Argument Name | Description | Required
--- | --- | ---
names | Hostnames on which to apply the tag. | Required
tagName | Tag name. | Required

Command Example

!epo-apply-tag names="ADMIN-PC" tagName="Compromised"

12. Clear a tag

Clears a tag from hostnames.

Base Command

epo-clear-tag

Input

Argument Name | Description | Required
--- | --- | ---
names | Hostnames from which to clear the tag. | Required
tagName | Tag name. | Required

Command Example

!epo-clear-tag names="ADMIN-PC" tagName="Compromised"

13. Query an ePO table

Queries an ePO table.

Base Command

epo-query-table

Input

Argument Name | Description | Required
--- | --- | ---
target | Table name. | Required
select | The columns to select, in SQUID syntax. Example: "(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)". | Optional
where | Filter results, in SQUID syntax. Example: "(where ( eq ( OrionTaskLogTask .UserName "ga" )))". | Optional
order | Order in which to return the results, in SQUID syntax. Example: "(order (asc OrionTaskLogTask.StartDate) )". | Optional
group | Group the results, in SQUID syntax. Example: "(group EPOBranchNode.NodeName)". | Optional
joinTables | Perform a join, in SQUID syntax. | Optional
query_name | Name under which the query result appears in the context. | Optional

Context Output

Path | Description
--- | ---
McAfee.ePO.Query | Query result.

Command Examples

!epo-query-table target=EPOLeafNode select="(select EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)" where="(hasTag EPOLeafNode.AppliedTags 4)"

!epo-query-table target=EPOLeafNode select="(select (top 3) EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)"

!epo-query-table target="EPOEvents" select="(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)" order="(order(desc EPOEvents.DetectedUTC))"

!epo-query-table target="EPExtendedEvent" select="(select (top 250) EPOEvents.ThreatName EPOEvents.AutoID EPExtendedEvent.EventAutoID EPExtendedEvent.TargetHash EPExtendedEvent.TargetPath EPOEvents.SourceHostName)" order="(order(desc EPExtendedEvent.TargetHash))" joinTables="EPOEvents" where="(where(eq EPOEvents.ThreatName "real Protect-LS!d5435f1fea5e"))"
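The SQUID strings above are easy to get wrong by hand, especially when a column or tag ID comes from an incident field. The following helper is an added example (not the integration's own code; the function names are my own) that composes the select, where and order arguments from variables, rejects anything that is not a plain Table.Column identifier, and checks that parentheses balance before the query is sent. It wraps every filter in (where ...), the form shown in the argument table.

```python
# Added example, not the integration's own code: compose epo-query-table
# arguments in SQUID syntax and validate identifiers before they reach ePO.
import re
_COLUMN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$")

def column(name):
    """Accept only Table.Column; spaces, parentheses or operators are rejected."""
    if not _COLUMN.match(name):
        raise ValueError("invalid SQUID column: %r" % (name,))
    return name

def literal(value):
    """Integers unquoted, strings double-quoted; embedded quotes are rejected
    rather than escaped (SQUID's escape rules are not assumed here)."""
    if isinstance(value, int):
        return str(value)
    if '"' in value:
        raise ValueError("double quotes are not allowed in SQUID literals")
    return '"%s"' % value

def squid_select(columns, top=None):
    """(select [(top N)] Col ...) for the select argument."""
    cols = " ".join(column(c) for c in columns)
    return "(select (top %d) %s)" % (top, cols) if top else "(select %s)" % cols

def squid_where_eq(col, value):
    """(where (eq Col value)) for the where argument."""
    return "(where (eq %s %s))" % (column(col), literal(value))

def squid_where_has_tag(col, tag_id):
    """(where (hasTag Col tagId)), e.g. on EPOLeafNode.AppliedTags."""
    return "(where (hasTag %s %d))" % (column(col), int(tag_id))

def squid_order(col, descending=False):
    """(order (asc|desc Col)) for the order argument."""
    return "(order (%s %s))" % ("desc" if descending else "asc", column(col))

def balanced(expr):
    """Parentheses outside string literals must balance and quotes must close."""
    depth, in_str = 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and not in_str
```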

14. Get an ePO table

Returns an ePO table.

Base Command

epo-get-tables

Input

Argument Name | Description | Required
--- | --- | ---
table | Name of the table to return. | Optional

Context Output

There is no context output for this command.

Command Example

!epo-get-tables


15. Get the ePO version

Gets the ePO version. This command requires global admin permissions.

Base Command

epo-get-version

Context Output

Path | Type | Description
--- | --- | ---
McAfee.ePO.Version | string | ePO version.

Command Example

!epo-get-version

16. Find systems in the system tree

Finds systems in the system tree.

Base Command

epo-find-system

Input

Argument Name | Description | Required
--- | --- | ---
searchText | Hostname to search for. | Optional
verbose | Whether to return all system data. | Optional

Context Output

Path | Type | Description
--- | --- | ---
Endpoint.Name | string | Endpoint name.
Endpoint.Domain | string | Endpoint domain.
Endpoint.Hostname | string | Endpoint hostname.
Endpoint.IPAddress | string | Endpoint IP address.
Endpoint.OS | string | Endpoint OS.
Endpoint.OSVersion | string | Endpoint OS version.
Endpoint.Processor | string | Processor model.
Endpoint.Processors | number | Number of processors.
Endpoint.Memory | number | Endpoint memory.
McAfee.ePO.Endpoint.Name | string | Endpoint name.
McAfee.ePO.Endpoint.Domain | string | Endpoint domain.
McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname.
McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address.
McAfee.ePO.Endpoint.OS | string | Endpoint OS.
McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version.
McAfee.ePO.Endpoint.Processor | string | Processor model.
McAfee.ePO.Endpoint.Processors | number | Number of processors.
McAfee.ePO.Endpoint.Memory | number | Endpoint memory.
Command Example

!epo-find-system searchText=mar

17. Move a system to a different group

Moves a system to a different group.

Base Command

epo-move-system

Input

Argument Name | Description | Required
--- | --- | ---
names | Asset name. | Required
parentGroupId | Group ID. | Required
Context Output

There is no context output for this command.

Command Example

!epo-move-system names=tie parentGroupId=3
