McAfee ePO v2

This Integration is part of the McAfee ePO Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

McAfee ePolicy Orchestrator. This integration was integrated and tested with versions 5.3.2 and 5.10 of McAfee ePO.

Permissions#

McAfee ePO has a highly flexible and powerful permissions system. The permissions required for the user who uses this integration depend on which operations they need to perform. The API user should have the same permissions a regular user would have in order to access the data via the UI. It is possible to view the exact permissions needed for a specific command by running the !epo-help command. The !epo-help command's output will include help information for the specific command including required permissions. More information about McAfee ePO's permissions model is available here.

Example !epo-help outputs with permission information:

  • !epo-help command="repository.findPackages":
  • !epo-help command="repository.deletePackage":

Configure McAfee ePO v2 in Cortex#

Parameter | Description | Required
--- | --- | ---
McAfee ePO Server URI |  | True
Username |  | True
Password |  | True
Trust any certificate (not secure) |  | False
Use system proxy settings |  | False
HTTP Timeout | The timeout of the HTTP requests sent to the McAfee ePO API (in seconds). | False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

epo-help#


Displays help (information) for ePO commands. If no command argument is specified, returns all ePO commands.

Base Command#

epo-help

Input#

Argument Name | Description | Required
--- | --- | ---
search | String to search for in the core.help command output. | Optional
command | The command for which to display help information. | Optional
prefix | Displays help information for commands with the specified prefix. | Optional

Context Output#

There is no context output for this command.

Command Example#

!epo-help command="core.help"

Human Readable Output#

ePO Help - core.help#

core.help [command] [prefix=<>]
Lists all registered commands and displays help strings. Returns the list of commands or throws on error.
Parameters:
command (param 1) - If specified, the help string for a specific command is displayed. If omitted, a list of all commands is displayed.
prefix - If specified, only commands with the given prefix are listed. This is useful for showing the commands for a single plug-in. This has no effect if the 'command' argument is specified.

epo-get-latest-dat#


Checks the latest available DAT file version in the public McAfee repository.

Base Command#

epo-get-latest-dat

Input#

Argument Name | Description | Required
--- | --- | ---

Context Output#

Path | Type | Description
--- | --- | ---
McAfee.ePO.latestDAT | number | Latest available McAfee DAT file version.

Command Example#

!epo-get-latest-dat

Context Example#

{
  "McAfee": {
    "ePO": {
      "latestDAT": "10200"
    }
  }
}

Human Readable Output#

McAfee ePO Latest DAT file version available is: 10200

epo-get-current-dat#


Checks the existing DAT file version in the ePO repository.

Base Command#

epo-get-current-dat

Input#

Argument Name | Description | Required
--- | --- | ---

Context Output#

Path | Type | Description
--- | --- | ---
McAfee.ePO.epoDAT | number | Current installed McAfee DAT file version in the ePO repository.

Command Example#

!epo-get-current-dat

Context Example#

{
  "McAfee": {
    "ePO": {
      "epoDAT": "10200"
    }
  }
}

Human Readable Output#

McAfee ePO Current DAT file version in repository is: 10200

epo-command#


Executes the ePO command. Receives the mandatory 'command' argument and other optional arguments. Run the 'epo-help' command to get a list of available commands. You can request the response as text instead of the default JSON format using resp_type=text. You can also specify the 'headers' argument to filter table headers. Example: !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName

Base Command#

epo-command

Input#

Argument Name | Description | Required
--- | --- | ---

Context Output#

There is no context output for this command.

Command Example#

!epo-command command="system.find" searchText="10.0.0.1" headers="EPOBranchNode.AutoID,EPOComputerProperties.ComputerName"

Human Readable Output#

ePO command system.find results:#

EPOBranchNode.AutoID | EPOComputerProperties.ComputerName
--- | ---
2 | 10.0.0.1
2 | 10.0.0.11

epo-update-client-dat#


Runs a client task to update the DAT file on the given endpoints.

Base Command#

epo-update-client-dat

Input#

Argument Name | Description | Required
--- | --- | ---
systems | A CSV list of IP addresses or system names. | Required
retryAttempts | Number of times the server will attempt to send the task to the client. Default is 1 retry. | Optional
retryIntervalInSeconds | Retry interval in seconds. Default is 30. | Optional
abortAfterMinutes | The threshold (in minutes) after which attempts to send the task to the client are aborted. Default is 5. | Optional
stopAfterMinutes | The threshold (in minutes) that the client task is allowed to run. Default is 20. | Optional
randomizationInterval | Duration (in minutes) over which to randomly spread task execution. Default is 0 (executes on all clients immediately). | Optional

Context Output#

There is no context output for this command.

Command Example#

!epo-update-client-dat systems="TIE"

Human Readable Output#

ePO client DAT update task started: Succeeded

epo-update-repository#


Triggers a server task in specific ePO servers to retrieve the latest signatures from the updated server.

Base Command#

epo-update-repository

Input#

Argument Name | Description | Required
--- | --- | ---

Context Output#

There is no context output for this command.

Command Example#

!epo-update-repository

Human Readable Output#

ePO repository update started. success
skipped: Current\LMASECORE2000\2.2.0.9309\SpamEngine\0000
skipped: Current\BOCVSE__1000\657\DAT\0000
skipped: Current\AMCORDAT1000\1359.1\DAT\0000
skipped: Current\VIRUSCAN8700\8.7.0\LangPack\0000
skipped: Current\VIRUSCAN8800\8.8.0\LangPack\0000
skipped: Current\SUPPMVTCT1000\8.3.0.357\MVTContentUpdate\0000
skipped: Current\PHCONTENMETA\6006\PHContent\0000
skipped: Current\MASECORE2000\2.2.0.9309\SpamEngine\0000
skipped: Current\DBSECDAMMETA\97.3112\DAT\0000
skipped: Current\MVEDR_R_3000\3.5.2\DAT\0000
skipped: Current\DBSECDVMMETA\195.2097\DVMCHECKS\0000
skipped: Current\Findings\1310\FNDContent\0000
skipped: Current\AUENGINEMETA\1335\BMContent\0000
skipped: Current\ENDPCNT_1000_LYNX\10.7.0\DAT\0000
skipped: Current\ENCPTCNT6000\8.0.0.11953\DAT\0000

epo-get-system-tree-group#


Returns a system tree group.

Base Command#

epo-get-system-tree-group

Input#

Argument Name | Description | Required
--- | --- | ---
search | String to search for in the system tree group. | Optional

Context Output#

Path | Type | Description
--- | --- | ---
McAfee.ePO.SystemTreeGroups.groupId | number | System tree group ID.
McAfee.ePO.SystemTreeGroups.groupPath | string | System tree group path.

Command Example#

!epo-get-system-tree-group search="Lost"

Context Example#

{
  "McAfee": {
    "ePO": {
      "SystemTreeGroups": {
        "groupId": 3,
        "groupPath": "My Organization\\Lost&Found"
      }
    }
  }
}

Human Readable Output#

ePO System Tree groups#

Group ID | Group path
--- | ---
3 | My Organization\Lost&Found

epo-find-systems#


Finds computers within a specified group in the McAfee ePO system tree.

Base Command#

epo-find-systems

Input#

Argument Name | Description | Required
--- | --- | ---
groupId | System tree group ID. | Required
verbose | Whether to return all system data. Possible values are: true, false. | Optional

Context Output#

Path | Type | Description
--- | --- | ---
Endpoint.ID | String | The unique ID within the tool retrieving the endpoint.
Endpoint.Domain | string | Endpoint domain.
Endpoint.Hostname | string | Endpoint hostname.
Endpoint.IPAddress | string | Endpoint IP address.
Endpoint.OS | string | Endpoint OS.
Endpoint.OSVersion | string | Endpoint OS version.
Endpoint.Processor | string | Processor model.
Endpoint.Processors | number | Number of processors.
Endpoint.Memory | number | The amount of memory in the endpoint.
McAfee.ePO.Endpoint.ParentID | Number | Endpoint parent ID.
McAfee.ePO.Endpoint.ComputerName | String | Endpoint computer name.
McAfee.ePO.Endpoint.Description | String | Endpoint description.
McAfee.ePO.Endpoint.SystemDescription | String | Endpoint system description.
McAfee.ePO.Endpoint.TimeZone | String | Endpoint time zone.
McAfee.ePO.Endpoint.DefaultLangID | String | Endpoint default language ID.
McAfee.ePO.Endpoint.UserName | String | Endpoint username.
McAfee.ePO.Endpoint.Domain | String | Endpoint domain name.
McAfee.ePO.Endpoint.Hostname | String | Endpoint IP host name.
McAfee.ePO.Endpoint.IPV6 | String | Endpoint IPv6 address.
McAfee.ePO.Endpoint.IPAddress | String | Endpoint IP address.
McAfee.ePO.Endpoint.IPSubnet | String | Endpoint IP subnet.
McAfee.ePO.Endpoint.IPSubnetMask | String | Endpoint IP subnet mask.
McAfee.ePO.Endpoint.IPV4x | Number | Endpoint IPV4x address.
McAfee.ePO.Endpoint.IPXAddress | String | Endpoint IPX address.
McAfee.ePO.Endpoint.SubnetAddress | String | Endpoint subnet address.
McAfee.ePO.Endpoint.SubnetMask | String | Endpoint subnet mask.
McAfee.ePO.Endpoint.NetAddress | String | Endpoint net address.
McAfee.ePO.Endpoint.OSType | String | Endpoint OS type.
McAfee.ePO.Endpoint.OSVersion | String | Endpoint OS version.
McAfee.ePO.Endpoint.OSServicePackVer | String | Endpoint OS service pack version.
McAfee.ePO.Endpoint.OSBuildNum | Number | Endpoint OS build number.
McAfee.ePO.Endpoint.OSPlatform | String | Endpoint OS platform.
McAfee.ePO.Endpoint.OSOEMID | String | Endpoint OS OEM ID.
McAfee.ePO.Endpoint.Processor | String | Endpoint CPU type.
McAfee.ePO.Endpoint.CPUSpeed | Number | Endpoint CPU speed.
McAfee.ePO.Endpoint.Processors | Number | The number of CPUs in the endpoint.
McAfee.ePO.Endpoint.CPUSerialNum | String | The CPU serial number in the endpoint.
McAfee.ePO.Endpoint.Memory | Number | The total amount of physical memory in the endpoint.
McAfee.ePO.Endpoint.FreeMemory | Number | The amount of free memory in the endpoint.
McAfee.ePO.Endpoint.FreeDiskSpace | Number | The amount of free disk space in the endpoint.
McAfee.ePO.Endpoint.TotalDiskSpace | Number | The total amount of disk space in the endpoint.
McAfee.ePO.Endpoint.UserProperty1 | String | Endpoint user property 1.
McAfee.ePO.Endpoint.UserProperty2 | String | Endpoint user property 2.
McAfee.ePO.Endpoint.UserProperty3 | String | Endpoint user property 3.
McAfee.ePO.Endpoint.UserProperty4 | String | Endpoint user property 4.
McAfee.ePO.Endpoint.SysvolFreeSpace | Number | The amount of system volume free space in the endpoint.
McAfee.ePO.Endpoint.SysvolTotalSpace | Number | The amount of system volume total space in the endpoint.
McAfee.ePO.Endpoint.Tags | String | Endpoint ePO tags.
McAfee.ePO.Endpoint.ExcludedTags | String | Endpoint ePO excluded tags.
McAfee.ePO.Endpoint.LastUpdate | Date | The date the endpoint was last updated in ePO.
McAfee.ePO.Endpoint.ManagedState | Number | Endpoint ePO managed state.
McAfee.ePO.Endpoint.AgentGUID | String | Endpoint ePO agent GUID.
McAfee.ePO.Endpoint.AgentVersion | String | Endpoint ePO agent version.
McAfee.ePO.Endpoint.AutoID | Number | Endpoint ePO auto ID.

Command Example#

!epo-find-systems groupId="2"

Context Example#

{
  "Endpoint": [
    {
      "ID": "10.0.0.1"
    },
    {
      "Domain": "WORKGROUP",
      "ID": "WIN-AQ0LQQOG4Q7",
      "Memory": 8589398016,
      "OS": "Windows Server 2012 R2",
      "OSVersion": "6.3",
      "Processor": "Intel(R) Xeon(R) Silver 4216 CPU @ 2.10GHz",
      "Processors": 4
    }
  ],
  "McAfee": {
    "ePO": {
      "Endpoint": [
        {
          "AgentGUID": null,
          "AgentVersion": null,
          "AutoID": 2,
          "CPUSerialNum": "",
          "CPUSpeed": 0,
          "CPUType": "",
          "ComputerName": "10.0.0.1",
          "DefaultLangID": "",
          "Description": null,
          "DomainName": "",
          "ExcludedTags": "",
          "FreeDiskSpace": 0,
          "FreeMemory": 0,
          "Hostname": "",
          "IPAddress": "",
          "IPSubnet": null,
          "IPSubnetMask": null,
          "IPV4x": null,
          "IPV6": null,
          "IPXAddress": "",
          "LastUpdate": null,
          "ManagedState": 0,
          "NetAddress": "",
          "NumOfCPU": 0,
          "OSBuildNum": 0,
          "OSOEMID": "",
          "OSPlatform": "",
          "OSServicePackVer": "",
          "OSType": "",
          "OSVersion": "",
          "ParentID": 7,
          "SubnetAddress": "",
          "SubnetMask": "",
          "SystemDescription": null,
          "SysvolFreeSpace": 0,
          "SysvolTotalSpace": 0,
          "Tags": "Scan Now",
          "TimeZone": "",
          "TotalDiskSpace": 0,
          "TotalPhysicalMemory": 0,
          "UserName": "",
          "UserProperty1": null,
          "UserProperty2": null,
          "UserProperty3": null,
          "UserProperty4": null
        },
        {
          "AgentGUID": "CA0CE11A-DCE8-11E8-0805-000C2994FF62",
          "AutoID": 2,
          "CPUSerialNum": "N/A",
          "CPUSpeed": 2095,
          "CPUType": "Intel(R) Xeon(R) Silver 4216 CPU @ 2.10GHz",
          "ComputerName": "WIN-AQ0LQQOG4Q7",
          "DefaultLangID": "0409",
          "Description": null,
          "DomainName": "WORKGROUP",
          "ExcludedTags": "",
          "FreeDiskSpace": 145005,
          "FreeMemory": 1195880448,
          "Hostname": "",
          "IPAddress": "",
          "IPV4x": null,
          "IPXAddress": "N/A",
          "LastUpdate": "2021-12-16T14:44:41-08:00",
          "ManagedState": 1,
          "NetAddress": "",
          "NumOfCPU": 4,
          "OSBuildNum": 9600,
          "OSOEMID": "00252-00112-50691-AA377",
          "OSPlatform": "Server",
          "OSServicePackVer": "",
          "OSType": "Windows Server 2012 R2",
          "OSVersion": "6.3",
          "ParentID": 17,
          "SubnetAddress": "",
          "SubnetMask": "",
          "SystemDescription": "N/A",
          "SysvolFreeSpace": 145005,
          "SysvolTotalSpace": 204447,
          "Tags": "Server",
          "TimeZone": "Pacific Standard Time",
          "TotalDiskSpace": 204447,
          "TotalPhysicalMemory": 8589398016,
          "UserName": "Administrator",
          "UserProperty1": null,
          "UserProperty2": null,
          "UserProperty3": null,
          "UserProperty4": null
        }
      ]
    }
  }
}

Human Readable Output#

Endpoint information:#

Memory | Name | Processors
--- | --- | ---
0 | 10.0.0.1 | 0

epo-find-system#


Finds systems in the McAfee ePO system tree.

Base Command#

epo-find-system

Input#

Argument Name | Description | Required
--- | --- | ---
searchText | Hostname to search for. | Required
verbose | Whether to display all system data. Possible values are: true, false. | Optional

Context Output#

Path | Type | Description
--- | --- | ---
Endpoint.ID | String | The unique ID within the tool retrieving the endpoint.
Endpoint.Domain | string | Endpoint domain.
Endpoint.Hostname | string | Endpoint hostname.
Endpoint.IPAddress | string | Endpoint IP address.
Endpoint.OS | string | Endpoint OS.
Endpoint.OSVersion | string | Endpoint OS version.
Endpoint.Processor | string | Processor model.
Endpoint.Processors | number | Number of processors.
Endpoint.Memory | number | The amount of memory in the endpoint.
McAfee.ePO.Endpoint.ParentID | Number | Endpoint parent ID.
McAfee.ePO.Endpoint.ComputerName | String | Endpoint computer name.
McAfee.ePO.Endpoint.Description | String | Endpoint description.
McAfee.ePO.Endpoint.SystemDescription | String | Endpoint system description.
McAfee.ePO.Endpoint.TimeZone | String | Endpoint time zone.
McAfee.ePO.Endpoint.DefaultLangID | String | Endpoint default language ID.
McAfee.ePO.Endpoint.UserName | String | Endpoint username.
McAfee.ePO.Endpoint.Domain | String | Endpoint domain name.
McAfee.ePO.Endpoint.Hostname | String | Endpoint IP host name.
McAfee.ePO.Endpoint.IPV6 | String | Endpoint IPv6 address.
McAfee.ePO.Endpoint.IPAddress | String | Endpoint IP address.
McAfee.ePO.Endpoint.IPSubnet | String | Endpoint IP subnet.
McAfee.ePO.Endpoint.IPSubnetMask | String | Endpoint IP subnet mask.
McAfee.ePO.Endpoint.IPV4x | Number | Endpoint IPV4x address.
McAfee.ePO.Endpoint.IPXAddress | String | Endpoint IPX address.
McAfee.ePO.Endpoint.SubnetAddress | String | Endpoint subnet address.
McAfee.ePO.Endpoint.SubnetMask | String | Endpoint subnet mask.
McAfee.ePO.Endpoint.NetAddress | String | Endpoint net address.
McAfee.ePO.Endpoint.OSType | String | Endpoint OS type.
McAfee.ePO.Endpoint.OSVersion | String | Endpoint OS version.
McAfee.ePO.Endpoint.OSServicePackVer | String | Endpoint OS service pack version.
McAfee.ePO.Endpoint.OSBuildNum | Number | Endpoint OS build number.
McAfee.ePO.Endpoint.OSPlatform | String | Endpoint OS platform.
McAfee.ePO.Endpoint.OSOEMID | String | Endpoint OS OEM ID.
McAfee.ePO.Endpoint.Processor | String | Endpoint CPU type.
McAfee.ePO.Endpoint.CPUSpeed | Number | Endpoint CPU speed.
McAfee.ePO.Endpoint.Processors | Number | Number of CPUs in the endpoint.
McAfee.ePO.Endpoint.CPUSerialNum | String | Endpoint CPU serial number.
McAfee.ePO.Endpoint.Memory | Number | The total amount of physical memory in the endpoint.
McAfee.ePO.Endpoint.FreeMemory | Number | The amount of free memory in the endpoint.
McAfee.ePO.Endpoint.FreeDiskSpace | Number | The amount of free disk space in the endpoint.
McAfee.ePO.Endpoint.TotalDiskSpace | Number | The total amount of disk space in the endpoint.
McAfee.ePO.Endpoint.UserProperty1 | String | Endpoint user property 1.
McAfee.ePO.Endpoint.UserProperty2 | String | Endpoint user property 2.
McAfee.ePO.Endpoint.UserProperty3 | String | Endpoint user property 3.
McAfee.ePO.Endpoint.UserProperty4 | String | Endpoint user property 4.
McAfee.ePO.Endpoint.SysvolFreeSpace | Number | The amount of system volume free space in the endpoint.
McAfee.ePO.Endpoint.SysvolTotalSpace | Number | The total amount of system volume space in the endpoint.
McAfee.ePO.Endpoint.Tags | String | Endpoint ePO tags.
McAfee.ePO.Endpoint.ExcludedTags | String | Endpoint ePO excluded tags.
McAfee.ePO.Endpoint.LastUpdate | Date | The date the endpoint was last updated.
McAfee.ePO.Endpoint.ManagedState | Number | Endpoint managed state.
McAfee.ePO.Endpoint.AgentGUID | String | Endpoint agent GUID.
McAfee.ePO.Endpoint.AgentVersion | String | Endpoint agent version.
McAfee.ePO.Endpoint.AutoID | Number | Endpoint auto ID.

Command Example#

!epo-find-system searchText="TIE"

Context Example#

{
  "Endpoint": {
    "Domain": "(none)",
    "ID": "tie",
    "IPAddress": "192.168.1.102",
    "Memory": 8364199936,
    "OS": "Linux",
    "OSVersion": "4.9",
    "Processor": "Intel(R) Xeon(R) CPU E5-2697A v4 @ 2.60GHz",
    "Processors": 8
  },
  "McAfee": {
    "ePO": {
      "Endpoint": {
        "AgentGUID": "E0F52A7C-A841-11E7-0467-000C2936A49A",
        "AutoID": 3,
        "CPUSerialNum": "N/A",
        "CPUSpeed": 2600,
        "CPUType": "Intel(R) Xeon(R) CPU E5-2697A v4 @ 2.60GHz",
        "ComputerName": "tie",
        "DefaultLangID": "0409",
        "Description": null,
        "DomainName": "(none)",
        "ExcludedTags": "",
        "FreeDiskSpace": 93781,
        "FreeMemory": 240263168,
        "Hostname": "tie",
        "IPV4x": 1084752230,
        "IPXAddress": "N/A",
        "LastUpdate": "2021-12-16T14:19:25-08:00",
        "ManagedState": 1,
        "NetAddress": "000C29B1EE8E",
        "NumOfCPU": 8,
        "OSBuildNum": 0,
        "OSOEMID": "McAfee TIE Platform Server 3.0.0.480",
        "OSPlatform": "Server",
        "OSServicePackVer": "189-1.mlos2.x86_64",
        "OSType": "Linux",
        "OSVersion": "4.9",
        "ParentID": 2,
        "SubnetAddress": "",
        "SubnetMask": "",
        "SystemDescription": "N/A",
        "SysvolFreeSpace": 0,
        "SysvolTotalSpace": 0,
        "Tags": "DXLBROKER, Server, TIESERVER",
        "TimeZone": "UTC",
        "TotalDiskSpace": 104488,
        "TotalPhysicalMemory": 8364199936,
        "UserName": "root",
        "UserProperty1": null,
        "UserProperty2": null,
        "UserProperty3": null,
        "UserProperty4": null
      }
    }
  }
}

Human Readable Output#

Systems in the System Tree#

Name | Domain | Hostname | IPAddress | OS | OSVersion | Processor | Processors | Memory
--- | --- | --- | --- | --- | --- | --- | --- | ---
tie | (none) | tie | 192.168.1.102 | Linux | 4.9 | Intel(R) Xeon(R) CPU E5-2697A v4 @ 2.60GHz | 8 | 8364199936

epo-wakeup-agent#


Wakes up an agent.

Base Command#

epo-wakeup-agent

Input#

Argument Name | Description | Required
--- | --- | ---
names | A comma-separated list of agent host names. | Required

Context Output#

There is no context output for this command.

Command Example#

!epo-wakeup-agent names="TIE"

Human Readable Output#

ePO agents was awaken.#

Completed | Failed | Expired
--- | --- | ---
1 | 0 | 0

epo-apply-tag#


Applies a tag to the specified host names.

Base Command#

epo-apply-tag

Input#

Argument Name | Description | Required
--- | --- | ---
names | A comma-separated list of host names on which to apply tags. | Required
tagName | Tag name. | Required

Context Output#

There is no context output for this command.

Command Example#

!epo-apply-tag names="TIE" tagName="Server"

Human Readable Output#

ePO could not find server or server already assigned to the given tag.

epo-clear-tag#


Clears a tag from the specified host names.

Base Command#

epo-clear-tag

Input#

Argument Name | Description | Required
--- | --- | ---
names | A comma-separated list of host names from which to clear tags. | Required
tagName | Tag name. | Required

Context Output#

There is no context output for this command.

Command Example#

!epo-clear-tag names="TIE" tagName="MARSERVER"

Human Readable Output#

ePO could not find server or server already assigned to the given tag.

epo-list-tag#


List tags that contain the searchText. If no searchText is specified, list all tags available in the ePO system.

Base Command#

epo-list-tag

Input#

Argument Name | Description | Required
--- | --- | ---
searchText | Lists tags that contain the searchText in their name field. | Optional

Context Output#

Path | Type | Description
--- | --- | ---
McAfee.ePO.Tags.tagId | number | Tag ID.
McAfee.ePO.Tags.tagName | string | Tag name.
McAfee.ePO.Tags.tagNotes | string | Tag notes.

Command Example#

!epo-list-tag searchText="server"

Context Example#

{
  "McAfee": {
    "ePO": {
      "Tags": [
        {
          "tagId": 1,
          "tagName": "Server",
          "tagNotes": "Default tag for systems identified as a Server"
        },
        {
          "tagId": 4,
          "tagName": "TIESERVER",
          "tagNotes": "Apply Tag to TIEServers"
        },
        {
          "tagId": 5,
          "tagName": "MARSERVER",
          "tagNotes": "Apply Tag to Active Response Server"
        }
      ]
    }
  }
}

Human Readable Output#

ePO Tags#

tagId | tagName | tagNotes
--- | --- | ---
1 | Server | Default tag for systems identified as a Server
4 | TIESERVER | Apply Tag to TIEServers
5 | MARSERVER | Apply Tag to Active Response Server

epo-get-tables#


Returns the ePO table of the table argument that is specified. If no table argument is specified, returns all ePO tables.

Base Command#

epo-get-tables

Input#

Argument Name | Description | Required
--- | --- | ---
table | Name of the table to retrieve. | Optional

Context Output#

There is no context output for this command.

Command Example#

!epo-get-tables table="Client Events"

Human Readable Output#

ePO tables:#

name | target | type | databaseType | description
--- | --- | --- | --- | ---
Client Events | EPOProductEvents | target |  | Retrieves information on client events from managed systems.

columns:
Name Type Select? Condition? GroupBy? Order? Number?
------------- -------------- ------- ---------- -------- ------ -------
AutoID long False False False True True
AgentGUID string True False False True False
NodeID int False False False True True
TVDEventID eventIdInt True True True True True
TVDSeverity enum True True True True False
ReceivedUTC timestamp True True True True False
DetectedUTC timestamp True True True True False
HostName string True True True True False
UserName string True True True True False
IPV6 ipv6 True True True True False
ProductCode string False False False True False
version productVersion True True True True False
SPHotFix string True True True True False
ExtraDATNames string True True True True False
Type string_lookup True True True True False
Error enum True True True True False
Locale int True True True True True
SiteName string True True True True False
InitiatorID string True True True True False
InitiatorType string_lookup True True True True False
TenantId int False False False True True

relatedTables:

Name
------------------
EPOLeafNode
EPOSoftwareView
EPOEventFilterDesc

foreignKeys:

Source table Source Columns Destination table Destination columns Allows inverse? One-to-one? Many-to-one?
---------------- -------------- ----------------- ------------------- --------------- ----------- ------------
EPOProductEvents AgentGUID EPOLeafNode AgentGUID False False True
EPOProductEvents TVDEventID EPOEventFilterDesc EventId False False True
EPOProductEvents ProductCode EPOSoftwareView ProductCode False False True

epo-query-table#


Queries an ePO table.

Base Command#

epo-query-table

Input#

Argument Name | Description | Required
--- | --- | ---
target | Name of the table. | Required
select | The columns to return, in SQUID syntax. Example: "(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)". | Optional
where | Filter results, in SQUID syntax. Example: "(where ( eq ( OrionTaskLogTask .UserName "ga" )))". | Optional
order | Order in which to return the results, in SQUID syntax. Example: "(order (asc OrionTaskLogTask.StartDate) )". | Optional
group | Group the results, in SQUID syntax. Example: "(group EPOBranchNode.NodeName)". | Optional
joinTables | Perform a join, in SQUID syntax. | Optional
query_name | Name under which the query result appears in the context. | Optional

Context Output#

Path | Type | Description
--- | --- | ---
McAfee.ePO.Query | unknown | Query result.

Command Example#

!epo-query-table target="FW_Rule" query_name="Test Query"

Context Example#

{
  "McAfee": {
    "ePO": {
      "Query": {
        "Test Query": [
          {
            "FW_Rule.action": "JUMP",
            "FW_Rule.direction": "EITHER",
            "FW_Rule.enabled": 1,
            "FW_Rule.intrusion": false,
            "FW_Rule.lastModified": "2014-06-20T11:42:38-07:00",
            "FW_Rule.lastModifyingUsername": "system",
            "FW_Rule.localServiceList": "",
            "FW_Rule.mediaFlags": 7,
            "FW_Rule.name": "Outlook",
            "FW_Rule.note": "",
            "FW_Rule.remoteServiceList": "",
            "FW_Rule.schedule_end": "0:00",
            "FW_Rule.schedule_offHours": "NONE",
            "FW_Rule.schedule_start": "0:00",
            "FW_Rule.trafficLogged": false,
            "FW_Rule.transportProtocol": 1024
          },
          {
            "FW_Rule.action": "ALLOW",
            "FW_Rule.direction": "IN",
            "FW_Rule.enabled": 1,
            "FW_Rule.intrusion": false,
            "FW_Rule.lastModified": "2010-03-29T11:54:22-07:00",
            "FW_Rule.lastModifyingUsername": "admin",
            "FW_Rule.localServiceList": "0",
            "FW_Rule.mediaFlags": 7,
            "FW_Rule.name": "Allow ICMP Echo Reply Incoming for Services",
            "FW_Rule.note": "",
            "FW_Rule.remoteServiceList": "",
            "FW_Rule.schedule_end": "0:00",
            "FW_Rule.schedule_offHours": "NONE",
            "FW_Rule.schedule_start": "0:00",
            "FW_Rule.trafficLogged": false,
            "FW_Rule.transportProtocol": 1
          },
          {
            "FW_Rule.action": "BLOCK",
            "FW_Rule.direction": "IN",
            "FW_Rule.enabled": 1,
            "FW_Rule.intrusion": false,
            "FW_Rule.lastModified": "2009-10-22T17:32:08-07:00",
            "FW_Rule.lastModifyingUsername": "admin",
            "FW_Rule.localServiceList": "",
            "FW_Rule.mediaFlags": 7,
            "FW_Rule.name": "Block System TCP Incoming",
            "FW_Rule.note": "",
            "FW_Rule.remoteServiceList": "",
            "FW_Rule.schedule_end": "0:00",
            "FW_Rule.schedule_offHours": "NONE",
            "FW_Rule.schedule_start": "0:00",
            "FW_Rule.trafficLogged": false,
            "FW_Rule.transportProtocol": 6
          }
        ]
      }
    }
  }
}

Human Readable Output#

ePO Table Query:#

FW_Rule.localServiceList | FW_Rule.trafficLogged | FW_Rule.lastModifyingUsername | FW_Rule.transportProtocol | FW_Rule.remoteServiceList | FW_Rule.name | FW_Rule.schedule_offHours | FW_Rule.note | FW_Rule.schedule_start | FW_Rule.mediaFlags | FW_Rule.intrusion | FW_Rule.schedule_end | FW_Rule.action | FW_Rule.direction | FW_Rule.lastModified | FW_Rule.enabled
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
 | false | system | 1024 |  | Outlook | NONE |  | 0:00 | 7 | false | 0:00 | JUMP | EITHER | 2014-06-20T11:42:38-07:00 | 1
0 | false | admin | 1 |  | Allow ICMP Echo Reply Incoming for Services | NONE |  | 0:00 | 7 | false | 0:00 | ALLOW | IN | 2010-03-29T11:54:22-07:00 | 1
 | false | admin | 6 |  | Block System TCP Incoming | NONE |  | 0:00 | 7 | false | 0:00 | BLOCK | IN | 2009-10-22T17:32:08-07:00 | 1

epo-get-version#


Returns the ePO version.

Base Command#

epo-get-version

Input#

Argument Name | Description | Required
--- | --- | ---

Context Output#

Path | Type | Description
--- | --- | ---
McAfee.ePO.Version | string | ePO version.

Command Example#

!epo-get-version

Context Example#

{
  "McAfee": {
    "ePO": {
      "Version": "5.3.2"
    }
  }
}

Human Readable Output#

ePO version is: 5.3.2#

epo-move-system#


Moves a system to a different group in McAfee ePO.

Base Command#

epo-move-system

Input#

Argument Name | Description | Required
--- | --- | ---
names | A comma-separated list of asset names. | Required
parentGroupId | Group ID. | Required

Context Output#

There is no context output for this command.

Command Example#

!epo-move-system names="TIE" parentGroupId="3"

Human Readable Output#

System(s) TIE moved successfully to GroupId 3

epo-advanced-command#


Executes the ePO command. Run the 'epo-help' command to get a list of available commands. For example: !epo-advanced-command command=clienttask.find commandArgs=searchText:On-Demand. You can specify the 'headers' argument to filter table headers, for example: !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName.

Base Command#

epo-advanced-command

Input#

Argument Name | Description | Required
--- | --- | ---
command | The command to execute. Run either the core.help command or !epo-help to get all available commands. | Required
commandArgs | CSV list of key-value pairs as additional arguments to pass, for example, "argName1:argValue1,argName2:argValue2". | Required
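The commandArgs "key:value" CSV above and the comma-separated headers filter described under epo-command are two small parsing steps that a playbook depends on. The Python below is an added example, not the integration's own code: it assumes the ePO remote API conventions noted in its comments (commands under /remote/<command>, ':output=json', an 'OK:' or 'Error n:' prefix on the body) and runs against a constructed system.find response.

```python
"""Added example: parse epo-advanced-command commandArgs, build the request,
decode the ePO reply and apply the epo-command style headers filter."""
import json
from typing import Any, Dict, List


class EpoError(RuntimeError):
    """Raised when the ePO remote API answers with an error string."""


def parse_command_args(command_args: str) -> Dict[str, str]:
    """Turn "argName1:argValue1,argName2:argValue2" into a dict.

    Each item is split at its FIRST colon only, so a value such as a
    timestamp or a SQUID clause may itself contain ':'."""
    parsed: Dict[str, str] = {}
    for item in command_args.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        if ":" not in item:
            raise ValueError(f"commandArgs item {item!r} is not key:value")
        key, value = item.split(":", 1)
        parsed[key.strip()] = value.strip()
    return parsed


def build_request(command: str, command_args: str) -> Dict[str, Any]:
    """Path and query parameters for one ePO remote API call.

    Assumption (ePO remote API convention, not stated on this page): commands
    are exposed under /remote/<command> and ':output=json' selects JSON."""
    params = parse_command_args(command_args)
    params[":output"] = "json"
    return {"path": f"/remote/{command}", "params": params}


def parse_epo_response(body: str) -> Any:
    """Decode an ePO remote API body.

    Assumption: a successful call returns "OK:" followed by the payload and a
    failed one returns "Error <n>: <message>", both with HTTP 200, so the
    prefix has to be checked rather than the status code."""
    if body.startswith("OK:"):
        return json.loads(body[len("OK:"):])
    raise EpoError(body.strip())


def filter_headers(rows: List[Dict[str, Any]], headers: str) -> List[Dict[str, Any]]:
    """Keep only the columns named in the comma-separated `headers` string,
    in the order given. An unknown column name is rejected instead of
    silently yielding an empty column, which catches typos in playbooks."""
    wanted = [h.strip() for h in headers.split(",") if h.strip()]
    if not wanted or not rows:
        return rows
    known = set()
    for row in rows:
        known.update(row.keys())
    unknown = [h for h in wanted if h not in known]
    if unknown:
        raise ValueError(f"unknown header(s): {', '.join(unknown)}")
    return [{h: row.get(h) for h in wanted} for row in rows]


# Constructed sample reply for the page's system.find example: the two
# columns from the page plus two more in ePO's table.column style. All
# values are invented.
SAMPLE_SYSTEM_FIND_RESPONSE = "OK:\n" + json.dumps([
    {"EPOBranchNode.AutoID": 2, "EPOComputerProperties.ComputerName": "10.0.0.1",
     "EPOComputerProperties.IPAddress": "10.0.0.1", "EPOLeafNode.ManagedState": 0},
    {"EPOBranchNode.AutoID": 2, "EPOComputerProperties.ComputerName": "10.0.0.11",
     "EPOComputerProperties.IPAddress": "10.0.0.11", "EPOLeafNode.ManagedState": 1},
])
# Constructed error body in the shape assumed above for an unknown command.
SAMPLE_ERROR_RESPONSE = "Error 1: Command system.fnd not found.\n"


def demo() -> List[Dict[str, Any]]:
    """Reproduce the page's epo-command headers example on the sample."""
    rows = parse_epo_response(SAMPLE_SYSTEM_FIND_RESPONSE)
    return filter_headers(rows, "EPOBranchNode.AutoID,EPOComputerProperties.ComputerName")


if __name__ == "__main__":
    print(build_request("clienttask.find", "searchText:On-Demand"))
    print(json.dumps(demo(), indent=2))
```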

Context Output#

There is no context output for this command.

Command Example#

!epo-advanced-command command="clienttask.find" commandArgs="searchText:On-Demand"

Human Readable Output#

ePO command clienttask.find results:#

objectName | productId | productName | objectId | typeName | typeId
--- | --- | --- | --- | --- | ---
On-Demand Scan - Full Scan | ENDP_AM_1000 | Endpoint Security Threat Prevention | 26 | Endpoint Security Threat Prevention: Policy Based On-Demand Scan | 11
On-Demand Scan - Quick Scan | ENDP_AM_1000 | Endpoint Security Threat Prevention | 27 | Endpoint Security Threat Prevention: Policy Based On-Demand Scan | 11

epo-find-client-task#


Finds client tasks.

Base Command#

epo-find-client-task

Input#

Argument Name | Description | Required
--- | --- | ---
searchText | Lists client tasks that contain the searchText in their name field. | Optional

Context Output#

Path | Type | Description
--- | --- | ---
McAfee.ePO.ClientTask.objectId | number | Client task object ID.
McAfee.ePO.ClientTask.objectName | string | Client task object name.
McAfee.ePO.ClientTask.productId | string | Client task product ID.
McAfee.ePO.ClientTask.productName | string | Client task product name.
McAfee.ePO.ClientTask.typeId | number | Client task type ID.
McAfee.ePO.ClientTask.typeName | string | Client task type name.

Command Example#

!epo-find-client-task searchText="On-Demand"

Context Example#

{
  "McAfee": {
    "ePO": {
      "ClientTask": [
        {
          "objectId": 26,
          "objectName": "On-Demand Scan - Full Scan",
          "productId": "ENDP_AM_1000",
          "productName": "Endpoint Security Threat Prevention ",
          "typeId": 11,
          "typeName": "Endpoint Security Threat Prevention: Policy Based On-Demand Scan"
        },
        {
          "objectId": 27,
          "objectName": "On-Demand Scan - Quick Scan",
          "productId": "ENDP_AM_1000",
          "productName": "Endpoint Security Threat Prevention ",
          "typeId": 11,
          "typeName": "Endpoint Security Threat Prevention: Policy Based On-Demand Scan"
        }
      ]
    }
  }
}

Human Readable Output#

ePO Client Tasks:#

productName | objectName | productId | typeId | objectId | typeName
--- | --- | --- | --- | --- | ---
Endpoint Security Threat Prevention | On-Demand Scan - Full Scan | ENDP_AM_1000 | 11 | 26 | Endpoint Security Threat Prevention: Policy Based On-Demand Scan
Endpoint Security Threat Prevention | On-Demand Scan - Quick Scan | ENDP_AM_1000 | 11 | 27 | Endpoint Security Threat Prevention: Policy Based On-Demand Scan

epo-find-policy#


Finds policies.

Base Command#

epo-find-policy

Input#

Argument Name | Description | Required
--- | --- | ---
searchText | Lists policies that contain the searchText in their name field. If no searchText is specified, lists all policies in the ePO system. | Optional

Context Output#

There is no context output for this command.

Command Example#

!epo-find-policy searchText="On-Access"

Context Example#

{
  "McAfee": {
    "ePO": {
      "Policy": [
        {
          "featureId": "ENDP_AM_1000",
          "featureName": " Policy Category",
          "objectId": 84,
          "objectName": "McAfee Default",
          "objectNotes": "",
          "productId": "ENDP_AM_1000",
          "productName": "Endpoint Security Threat Prevention ",
          "typeId": 40,
          "typeName": "On-Access Scan"
        },
        {
          "featureId": "ENDP_AM_1000",
          "featureName": " Policy Category",
          "objectId": 86,
          "objectName": "On-Access Scan for Exchange",
          "objectNotes": "",
          "productId": "ENDP_AM_1000",
          "productName": "Endpoint Security Threat Prevention ",
          "typeId": 40,
          "typeName": "On-Access Scan"
        },
        {
          "featureId": "ENDP_AM_1000",
          "featureName": " Policy Category",
          "objectId": 90,
          "objectName": "My Default",
          "objectNotes": "",
          "productId": "ENDP_AM_1000",
          "productName": "Endpoint Security Threat Prevention ",
          "typeId": 40,
          "typeName": "On-Access Scan"
        }
      ]
    }
  }
}

Human Readable Output#

ePO Policies:#

objectName | featureName | productId | productName | objectId | typeName | featureId | typeId
--- | --- | --- | --- | --- | --- | --- | ---
McAfee Default | Policy Category | ENDP_AM_1000 | Endpoint Security Threat Prevention | 84 | On-Access Scan | ENDP_AM_1000 | 40
On-Access Scan for Exchange | Policy Category | ENDP_AM_1000 | Endpoint Security Threat Prevention | 86 | On-Access Scan | ENDP_AM_1000 | 40
My Default | Policy Category | ENDP_AM_1000 | Endpoint Security Threat Prevention | 90 | On-Access Scan | ENDP_AM_1000 | 40

epo-assign-policy-to-group#


Assigns a policy to the specified group or resets the group's inheritance for the specified policy.

Base Command#

epo-assign-policy-to-group

Input#

Argument Name | Description | Required
--- | --- | ---
groupId | System tree group ID (as returned by system.findGroups). | Required
productId | Product ID (as returned by policy.find). | Required
objectId | Object ID (as returned by policy.find). | Required
resetInheritance | If true, resets the inheritance for the specified policy on the given group. Default is false. Possible values are: true, false. | Optional

Context Output#

There is no context output for this command.

Command Example#

!epo-assign-policy-to-group groupId="2" productId="ENDP_AM_1000" objectId="86"

Human Readable Output#

Policy productId:ENDP_AM_1000 objectId:86 assigned successfully to GroupId 2

epo-assign-policy-to-system#


Assigns a policy to a supplied list of systems or resets the systems' inheritance for the specified policy.

Base Command#

epo-assign-policy-to-system

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| names | Either supply a comma-separated list of names/IP addresses or a comma-separated list of IDs to which the policy is to be assigned. | Required |
| productId | Product ID (as returned by policy.find). | Required |
| typeId | Type ID (as returned by policy.find). | Required |
| objectId | Object ID (as returned by policy.find). | Required |
| resetInheritance | If true, resets the inheritance for the specified object. Default is false. Possible values are: true, false. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!epo-assign-policy-to-system names="TIE" productId="ENDP_AM_1000" typeId="40" objectId="84"

Human Readable Output#

ePO Policies:#

| status | name | message | id |
| --- | --- | --- | --- |
| 0 | TIE | Assign policy succeeded | 2 |
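Both assign commands take IDs that the integration does not let you guess: productId, typeId and objectId come from policy.find (the epo-find-policy context shown above) and groupId from system.findGroups. The following added example (not code from the McAfee ePO v2 integration or the Cortex XSOAR content pack) shows the lookup step a playbook needs in between: it resolves a policy by product, type and name from the policy records, refuses ambiguous matches, and renders the argument sets for epo-assign-policy-to-group and epo-assign-policy-to-system in the War Room syntax this page uses. The command and field names are taken from this page; the sample policy list is constructed from the context example above, and the helper names are assumptions.

```python
"""Resolve the policy IDs that the assign commands need.

Added example, not code from the McAfee ePO v2 integration: it runs on the
policy records epo-find-policy returns (the shape of the "Policy" context
above) and builds the argument sets for epo-assign-policy-to-group and
epo-assign-policy-to-system. Command names, field names and the War Room
syntax are from this page; the helper names are assumptions.
"""
from typing import Dict, List, Optional

# Constructed sample: the three On-Access Scan policies shown in the
# epo-find-policy context example above.
SAMPLE_POLICIES: List[Dict] = [
    {"featureId": "ENDP_AM_1000", "featureName": " Policy Category", "objectId": 84,
     "objectName": "McAfee Default", "objectNotes": "", "productId": "ENDP_AM_1000",
     "productName": "Endpoint Security Threat Prevention ", "typeId": 40,
     "typeName": "On-Access Scan"},
    {"featureId": "ENDP_AM_1000", "featureName": " Policy Category", "objectId": 86,
     "objectName": "On-Access Scan for Exchange", "objectNotes": "", "productId": "ENDP_AM_1000",
     "productName": "Endpoint Security Threat Prevention ", "typeId": 40,
     "typeName": "On-Access Scan"},
    {"featureId": "ENDP_AM_1000", "featureName": " Policy Category", "objectId": 90,
     "objectName": "My Default", "objectNotes": "", "productId": "ENDP_AM_1000",
     "productName": "Endpoint Security Threat Prevention ", "typeId": 40,
     "typeName": "On-Access Scan"},
]


def _norm(value: str) -> str:
    # ePO returns some fields with stray whitespace (" Policy Category",
    # "Endpoint Security Threat Prevention "), so compare trimmed and case-folded.
    return value.strip().casefold()


def find_policy(policies: List[Dict], product_id: str, type_name: str,
                object_name: str) -> Optional[Dict]:
    """Return the single policy record matching product, type and name.

    Returns None when nothing matches and raises ValueError when more than one
    record matches, so a playbook never assigns a policy it did not mean to.
    """
    matches = [
        p for p in policies
        if p.get("productId") == product_id
        and _norm(p.get("typeName", "")) == _norm(type_name)
        and _norm(p.get("objectName", "")) == _norm(object_name)
    ]
    if len(matches) > 1:
        raise ValueError(f"{len(matches)} policies match {product_id}/{type_name}/{object_name}")
    return matches[0] if matches else None


def group_assignment_args(policy: Dict, group_id: int,
                          reset_inheritance: bool = False) -> Dict[str, str]:
    """Arguments for epo-assign-policy-to-group, as documented on this page."""
    args = {"groupId": str(group_id), "productId": policy["productId"],
            "objectId": str(policy["objectId"])}
    if reset_inheritance:  # the default is false, so only emit it when set
        args["resetInheritance"] = "true"
    return args


def system_assignment_args(policy: Dict, names: List[str],
                           reset_inheritance: bool = False) -> Dict[str, str]:
    """Arguments for epo-assign-policy-to-system; this one also needs typeId."""
    if not names:
        raise ValueError("at least one system name, IP address or ID is required")
    args = {"names": ",".join(n.strip() for n in names), "productId": policy["productId"],
            "typeId": str(policy["typeId"]), "objectId": str(policy["objectId"])}
    if reset_inheritance:
        args["resetInheritance"] = "true"
    return args


def format_command(command: str, args: Dict[str, str]) -> str:
    """Render a War Room command line in the form the examples on this page use."""
    for key, value in args.items():
        if '"' in value:
            raise ValueError(f"argument {key} contains a double quote")
    return f"!{command} " + " ".join(f'{k}="{v}"' for k, v in args.items())


if __name__ == "__main__":
    policy = find_policy(SAMPLE_POLICIES, "ENDP_AM_1000", "On-Access Scan",
                         "On-Access Scan for Exchange")
    print(format_command("epo-assign-policy-to-group", group_assignment_args(policy, 2)))
    print(format_command("epo-assign-policy-to-system",
                         system_assignment_args(SAMPLE_POLICIES[0], ["TIE"])))
```

Run as a script it prints the two command lines shown in the examples above. The lookup matches on productId exactly but trims and case-folds the human-readable fields, because the context example shows ePO returning leading and trailing spaces in them; a lookup that compared raw strings would silently find nothing.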

epo-list-issues#


Lists the issue with the specified ID. If no ID is specified, lists all issues in the McAfee ePO system.

Base Command#

epo-list-issues

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the issue to display. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| McAfee.ePO.Issue.activityLog.date | string | Date of the issue activity log. |
| McAfee.ePO.Issue.activityLog.details | string | Details of the issue activity log. |
| McAfee.ePO.Issue.activityLog.id | number | The ID of the issue activity log. |
| McAfee.ePO.Issue.activityLog.issueId | number | The issue ID of the activity log. |
| McAfee.ePO.Issue.activityLog.title | string | The title of the issue activity log. |
| McAfee.ePO.Issue.activityLog.username | string | The username of the issue activity log. |
| McAfee.ePO.Issue.id | number | Issue ID. |
| McAfee.ePO.Issue.name | string | Issue name. |
| McAfee.ePO.Issue.type | string | Issue type. |
| McAfee.ePO.Issue.description | string | Issue description. |
| McAfee.ePO.Issue.state | string | Issue state. |
| McAfee.ePO.Issue.priority | string | Issue priority. |
| McAfee.ePO.Issue.severity | string | Issue severity. |
| McAfee.ePO.Issue.resolution | string | Issue resolution. |
| McAfee.ePO.Issue.creatorName | string | Issue creator name. |
| McAfee.ePO.Issue.assignee | number | Issue assignee ID. |
| McAfee.ePO.Issue.assigneeName | string | Issue assignee name. |
| McAfee.ePO.Issue.createdDate | string | Date the issue was created. |
| McAfee.ePO.Issue.dueDate | string | Date the issue is due. |
| McAfee.ePO.Issue.ticketId | string | Ticket ID of the issue. |
| McAfee.ePO.Issue.ticketServerName | string | Issue ticket server name. |

Command Example#

!epo-list-issues

Context Example#

{
"McAfee": {
"ePO": {
"Issue": [
{
"activityLog": [
{
"date": "2021-05-09T03:36:56-07:00",
"details": "",
"id": 1,
"issueId": 1,
"title": "Issue Created",
"username": "admin"
}
],
"assignee": null,
"assigneeName": "dxl",
"createdDate": "2021-05-09T03:36:56-07:00",
"creatorName": "admin",
"description": "aaaa",
"dueDate": null,
"id": 1,
"name": "aaaa",
"priority": "MEDIUM",
"resolution": "NONE",
"severity": "LOWEST",
"state": "NEW",
"subtype": null,
"ticketId": null,
"ticketServerName": null,
"type": "issue.type.untyped"
},
{
"activityLog": [
{
"date": "2021-11-23T00:46:25-08:00",
"details": "",
"id": 2,
"issueId": 2,
"title": "Issue Created",
"username": "admin"
},
{
"date": "2021-11-23T23:26:20-08:00",
"details": "assignee changed from test_api to admin",
"id": 3,
"issueId": 2,
"title": "Issue Changed",
"username": "admin"
},
{
"date": "2021-11-23T23:32:08-08:00",
"details": "yakovi",
"id": 4,
"issueId": 2,
"title": "User Comment",
"username": "admin"
}
],
"assignee": null,
"assigneeName": "admin",
"createdDate": "2021-11-23T00:46:25-08:00",
"creatorName": "admin",
"description": "test1",
"dueDate": null,
"id": 2,
"name": "Wissam",
"priority": "HIGH",
"resolution": "NONE",
"severity": "MEDIUM",
"state": "NEW",
"subtype": null,
"ticketId": null,
"ticketServerName": null,
"type": "issue.type.untyped"
}
]
}
}
}

Human Readable Output#

ePO Issue List:#

| ticketId | dueDate | createdDate | creatorName | resolution | subtype | assigneeName | description | priority | type | ticketServerName | name | assignee | severity | activityLog | id | state |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | | 2021-05-09T03:36:56-07:00 | admin | NONE | | dxl | aaaa | MEDIUM | issue.type.untyped | | aaaa | | LOWEST | {'date': '2021-05-09T03:36:56-07:00', 'details': '', 'id': 1, 'issueId': 1, 'title': 'Issue Created', 'username': 'admin'} | 1 | NEW |
| | | 2021-11-23T00:46:25-08:00 | admin | NONE | | admin | test1 | HIGH | issue.type.untyped | | Wissam | | MEDIUM | {'date': '2021-11-23T00:46:25-08:00', 'details': '', 'id': 2, 'issueId': 2, 'title': 'Issue Created', 'username': 'admin'}, {'date': '2021-11-23T23:26:20-08:00', 'details': 'assignee changed from test_api to admin', 'id': 3, 'issueId': 2, 'title': 'Issue Changed', 'username': 'admin'}, {'date': '2021-11-23T23:32:08-08:00', 'details': 'yakovi', 'id': 4, 'issueId': 2, 'title': 'User Comment', 'username': 'admin'} | 2 | NEW |
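The McAfee.ePO.Issue context above carries everything an analyst needs to decide what to look at first, but several fields are nullable (assignee, dueDate, ticketId) and the activityLog is a list whose order the API does not promise. The following added example (not code from the McAfee ePO v2 integration or the Cortex XSOAR content pack) consumes that context: it parses the ePO timestamps into timezone-aware datetimes, flags open issues past their due date, picks the most recent activityLog entry by date rather than by position, and orders the issues for triage. The state, priority and severity values are the enumerations this page lists for epo-create-issue; the sample issues are constructed from the context example above, with a dueDate added to issue 2 so the overdue path is exercised, and the helper names are assumptions.

```python
"""Triage the issues that epo-list-issues returns.

Added example, not part of the McAfee ePO v2 integration. It consumes the
McAfee.ePO.Issue context documented above, turns ePO timestamps into aware
datetimes, flags open issues that are past due and orders them for an analyst.
State, priority and severity values are the ones this page lists; the helper
names are assumptions.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Rank from the page's enumerations; UNKNOWN and missing values sort last.
LEVEL_RANK = {"UNKNOWN": 0, "LOWEST": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "HIGHEST": 5}
# States in which an issue still needs work (RESOLVED and CLOSED do not).
OPEN_STATES = {"NEW", "ASSIGNED", "TICKETED", "TICKET_PENDING"}

# Constructed sample, based on the context example above; the dueDate on
# issue 2 is invented so that the overdue path runs.
SAMPLE_ISSUES: List[Dict] = [
    {"id": 1, "name": "aaaa", "description": "aaaa", "state": "NEW", "priority": "MEDIUM",
     "severity": "LOWEST", "resolution": "NONE", "creatorName": "admin", "assignee": None,
     "assigneeName": "dxl", "createdDate": "2021-05-09T03:36:56-07:00", "dueDate": None,
     "ticketId": None, "ticketServerName": None, "type": "issue.type.untyped",
     "activityLog": [
         {"date": "2021-05-09T03:36:56-07:00", "details": "", "id": 1, "issueId": 1,
          "title": "Issue Created", "username": "admin"}]},
    {"id": 2, "name": "Wissam", "description": "test1", "state": "NEW", "priority": "HIGH",
     "severity": "MEDIUM", "resolution": "NONE", "creatorName": "admin", "assignee": None,
     "assigneeName": "admin", "createdDate": "2021-11-23T00:46:25-08:00",
     "dueDate": "2021-11-30T17:00:00-08:00",  # constructed value
     "ticketId": None, "ticketServerName": None, "type": "issue.type.untyped",
     "activityLog": [
         {"date": "2021-11-23T00:46:25-08:00", "details": "", "id": 2, "issueId": 2,
          "title": "Issue Created", "username": "admin"},
         {"date": "2021-11-23T23:26:20-08:00", "details": "assignee changed from test_api to admin",
          "id": 3, "issueId": 2, "title": "Issue Changed", "username": "admin"},
         {"date": "2021-11-23T23:32:08-08:00", "details": "yakovi", "id": 4, "issueId": 2,
          "title": "User Comment", "username": "admin"}]},
]


def parse_epo_time(value: Optional[str]) -> Optional[datetime]:
    """ePO emits ISO 8601 with a UTC offset; None or empty stays None."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # defensive: treat a naive value as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def is_overdue(issue: Dict, now: datetime) -> bool:
    """Open and past its due date; an issue without a due date is never overdue."""
    due = parse_epo_time(issue.get("dueDate"))
    return due is not None and issue.get("state") in OPEN_STATES and due < now


def last_activity(issue: Dict) -> Optional[Dict]:
    """Most recent activityLog entry by its date field, not by list position."""
    entries = issue.get("activityLog") or []
    return max(entries, key=lambda e: parse_epo_time(e["date"]), default=None)


def triage(issues: List[Dict], now: datetime) -> List[Dict]:
    """Rows for an analyst: overdue first, then priority, severity, oldest id."""
    rows = []
    for issue in issues:
        last = last_activity(issue)
        rows.append({
            "id": issue["id"],
            "name": issue.get("name", ""),
            "state": issue.get("state", "UNKNOWN"),
            "priority": issue.get("priority", "UNKNOWN"),
            "severity": issue.get("severity", "UNKNOWN"),
            "assigneeName": issue.get("assigneeName") or "unassigned",
            "overdue": is_overdue(issue, now),
            "lastActivity": (f'{last["title"]} by {last["username"]} at {last["date"]}'
                             if last else ""),
        })
    rows.sort(key=lambda r: (not r["overdue"],
                             -LEVEL_RANK.get(r["priority"], 0),
                             -LEVEL_RANK.get(r["severity"], 0),
                             r["id"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ISSUES, datetime.now(timezone.utc)):
        print(row)
```

The comparison works only because both sides are timezone-aware: ePO timestamps carry an offset (-07:00 and -08:00 in the example), so comparing them against a naive local clock would either raise or silently shift the due date.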

epo-delete-issue#


Delete an issue.

Base Command#

epo-delete-issue

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the issue to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

!epo-delete-issue id=8

Human Readable Output#

Issue with id=0 was deleted

epo-create-issue#


Create an issue.

Base Command#

epo-create-issue

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Issue name. | Required |
| description | Issue description. | Required |
| type | Issue type. | Optional |
| state | Issue state. Possible values are: UNKNOWN, NEW, ASSIGNED, RESOLVED, CLOSED, TICKETED, TICKET_PENDING. | Optional |
| priority | Issue priority. Possible values are: UNKNOWN, LOWEST, LOW, MEDIUM, HIGH, HIGHEST. | Optional |
| severity | Issue severity. Possible values are: UNKNOWN, LOWEST, LOW, MEDIUM, HIGH, HIGHEST. | Optional |
| resolution | Issue resolution. Possible values are: NONE, FIXED, WAIVED, WILLNOTFIX. | Optional |
| due | Due date of the issue in the format yyyy-mm-dd hh:mm:ss. | Optional |
| assignee_name | Name of the user assigned to the issue. | Optional |
| ticketServerName | Ticket server name of the issue. | Optional |
| ticketId | Ticket ID of the issue. | Optional |
| properties | Properties of the issue. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| McAfee.ePO.Issue.id | number | Issue ID. |
| McAfee.ePO.Issue.name | string | Issue name. |
| McAfee.ePO.Issue.description | string | Issue description. |

Command Example#

!epo-create-issue name="test-epo-integration" description="automatically generated by epo integration" assignee_name="admin"

Context Example#

{
"McAfee": {
"ePO": {
"Issue": {
"description": "automatically generated by epo integration",
"id": 35,
"name": "test-epo-integration"
}
}
}
}

Human Readable Output#

Issue with the following ID: 35 was created successfully

epo-update-issue#


Update an issue.

Base Command#

epo-update-issue

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the issue to update. | Required |
| name | Name of the issue to update. | Required |
| description | Description of the issue to update. | Required |
| state | State of the issue to update. Possible values are: UNKNOWN, NEW, ASSIGNED, RESOLVED, CLOSED, TICKETED, TICKET_PENDING. | Optional |
| priority | Priority of the issue to update. Possible values are: UNKNOWN, LOWEST, LOW, MEDIUM, HIGH, HIGHEST. | Optional |
| severity | Severity of the issue to update. Possible values are: UNKNOWN, LOWEST, LOW, MEDIUM, HIGH, HIGHEST. | Optional |
| resolution | Resolution of the issue to update. Possible values are: NONE, FIXED, WAIVED, WILLNOTFIX. | Optional |
| due | Due date of the issue to update. | Optional |
| assignee_name | Name of the user assigned to the issue. | Optional |
| ticketServerName | Ticket server name of the issue. | Optional |
| ticketId | Ticket ID of the issue. | Optional |
| properties | Properties of the issue. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!epo-update-issue id=10 name="test" description="testing epo integration" state="NEW"

Human Readable Output#

Issue with id=10 was updated