McAfee ESM v10 and v11 (Deprecated)
Deprecated
We recommend using McAfee ESM v2 instead
Use the McAfee ESM v10 integration to get actionable intelligence and integrations to prioritize, investigate, and respond to threats.
Configure McAfee ESM-v10 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for McAfee ESM-v10.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Port
- ESM IP (e.g. 78.125.0.209)
- Username
- Fetch incidents
- Incident type
- Fetch Types: cases, alarms, both (relevant only for fetch incident mode)
- Start fetch after Case ID: (relevant only for fetch incident mode)
- Trust any certificate (not secure)
- Version: (one of 10.0, 10.1, 10.2, 10.3)
- ESM time format, e.g., %Y/%m/%d %H:%M:%S. Select “auto-discovery” to extract the format automatically.
- __McAfee ESM Timezone in hours (e.g if ESM timezone is +0300 => then insert 3) __
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get a list of all fields: esm-fetch-fields
- Perform a search in McAfee ESM: esm-search
- Get a list of triggered alarms: esm-fetch-alarms
- Get a list of cases: esm-get-case-list
- Add a case: esm-add-case
- Edit a case: esm-edit-case
- Get a list of case statuses: esm-get-case-statuses
- Edit the status of a case: esm-edit-case-status
- Get details of a case: esm-get-case-detail
- Get details of a case event: esm-get-case-event-list
- Add a status to a case: esm-add-case-status
- Remove a status from a case: esm-delete-case-status
- Get a list of case organizations: esm-get-organization-list
- Get a list of all users: esm-get-user-list
- Mark triggered alarms as acknowledged: esm-acknowledge-alarms
- Mark triggered alarms as unacknowledgedesm-unacknowledge-alarms
- Delete triggered alarms: esm-delete-alarms
- Get details for a triggered alarm: esm-get-alarm-event-details
- Get an event list related to an alarm: esm-list-alarm-events
1. Get list of all fields
Returns a list of all fields (and the field type) that can be used in query filters.
Base Command
esm-fetch-fields
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
esm-fetch-fields
Human Readable
This output is truncated.
Result:
| name | types |
|---|---|
| AppID | STRING |
| CommandID | STRING |
| DomainID | STRING |
| HostID | STRING |
| ObjectID | STRING |
| UserIDDst | STRING |
| UserIDSrc | STRING |
| URL | SSTRING |
| Database_Name | STRING |
| Message_Text | SSTRING |
| Response_Time | UINT32,UINT32 |
| Application_Protocol | STRING |
| Object_Type | STRING |
| Filename | SSTRING |
| From | SSTRING |
| To | SSTRING |
| Cc | SSTRING |
| Bcc | SSTRING |
| Subject | SSTRING |
| Method | STRING |
| User_Agent | SSTRING |
| Cookie | SSTRING |
| Referer | SSTRING |
| File_Operation | STRING |
| File_Operation_Succeeded | STRING |
2. Perform a search in McAfee ESM
Performs a query against McAfee ESM.
Base Command
esm-search
Input
| Argument Name | Description | Required |
|---|---|---|
| timeRange | The time period for the search | Required |
| filters | Filter on the query results in the format EsmFilter. Should be a JSON string. | Required |
| queryType | Query type to preform, by default EVENT (other possible values are : FLOW/ASSET) | Optional |
| maxWait | Maximum time to wait (in minutes), default is 30 | Optional |
| customStart | if timeRange is CUSTOM, start time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| customEnd | if timeRange is CUSTOM, end time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| fields | The fields that will be selected when this query is executed. | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-search timeRange=LAST_10_MINUTES filters=`[{"type": "EsmFieldFilter", "field": {"name": "SrcIP"}, "operator": "EQUALS", "values": [{"type": "EsmBasicValue", "value": "52.15.91.198"}]}]
Context Example
{
"SearchResults": [
{
"AlertIPSIDAlertID": "144115188075855872|10201"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 14:57:38"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10202"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 14:58:37"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10203"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 14:59:35"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10204"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:00:36"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10208"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:01:37"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10209"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:02:38"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10210"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:03:36"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10211"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:04:36"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10212"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:05:37"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10213"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:06:38"
},
{
"ActionName": "success"
}
]
}
Human Readable Output
results:
| Alert.IPSIDAlertID | Alert.SrcIP | Alert.SrcPort | Alert.DstIP | Alert.DstPort | Alert.Protocol | Alert.LastTime | Action.Name |
|---|---|---|---|---|---|---|---|
| 144115188075855872|10201 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:57:38 | success |
| 144115188075855872|10202 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:58:37 | success |
| 144115188075855872|10203 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:59:35 | success |
| 144115188075855872|10204 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:00:36 | success |
| 144115188075855872|10208 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:01:37 | success |
| 144115188075855872|10209 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:02:38 | success |
| 144115188075855872|10210 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:03:36 | success |
| 144115188075855872|10211 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:04:36 | success |
| 144115188075855872|10212 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:05:37 | success |
| 144115188075855872|10213 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:06:38 | success |
3. Get a list of triggered alarms
Retrieves a list of triggered alarms.
Base Command
esm-fetch-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| timeRange | The time period for the fetch. | Required |
| customStart | if timeRange is CUSTOM, start time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| customEnd | if timeRange is CUSTOM, end time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| assignedUser | user assigned to handle this triggered alarm (use ‘ME’ option to use instance user, or use format EsmUser (read more on that here - https://:/rs/esm/help/types/EsmUser) | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Alarm.ID | number | Alarm ID |
| Alarm.summary | string | Alarm summary |
| Alarm.assignee | string | Alarm assignee |
| Alarm.severity | number | Alarm severity |
| Alarm.triggeredDate | date | Alarm triggered date |
| Alarm.acknowledgedDate | date | Alarm acknowledged date |
| Alarm.acknowledgedUsername | string | Alarm acknowledged username |
| Alarm.alarmName | string | Alarm name |
| Alarm.conditionType | number | Alarm condition type |
Command Example
!esm-fetch-alarms timeRange="LAST_3_DAYS"
Context Example
{
"Alarm": [
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:48:10",
"acknowledgedDate": "03/11/2019 08:16:19",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "NGCP",
"ID": 25
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:44:40",
"acknowledgedDate": "03/11/2019 08:16:20",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "NGCP",
"ID": 24
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:41:10",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 23
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:27:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 22
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:24:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 21
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:21:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 20
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:19:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 19
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:14:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 18
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:07:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 17
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:06:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 16
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:01:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 15
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/10/2019 17:01:30",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 14
}
]
}
Human Readable Output
Result:
| conditionType | severity | triggeredDate | acknowledgedDate | summary | assignee | alarmName | ID | acknowledgedUsername |
|---|---|---|---|---|---|---|---|---|
| 13 | 50 | 03/11/2019 01:48:10 | 03/11/2019 08:16:19 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 25 | NGCP |
| 13 | 50 | 03/11/2019 01:44:40 | 03/11/2019 08:16:20 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 24 | NGCP |
| 13 | 50 | 03/11/2019 01:41:10 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 23 | ||
| 13 | 50 | 03/11/2019 01:27:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 22 | ||
| 13 | 50 | 03/11/2019 01:24:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 21 | ||
| 13 | 50 | 03/11/2019 01:21:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 20 | ||
| 13 | 50 | 03/11/2019 01:19:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 19 | ||
| 13 | 50 | 03/11/2019 01:14:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 18 | ||
| 13 | 50 | 03/11/2019 01:07:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 17 | ||
| 13 | 50 | 03/11/2019 01:06:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 16 | ||
| 13 | 50 | 03/11/2019 01:01:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 15 | ||
| 13 | 50 | 03/10/2019 17:01:30 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 14 |
4. Get a list of cases
Returns a list of cases from the McAfee ESM.
Base Command
esm-get-case-list
Input
| Argument Name | Description | Required |
|---|---|---|
| since | Filter for a case opened before this date. Given in format " | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The Assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-get-case-list
Context Example
{
"Case": [
{
"Status": "Open",
"Summary": "case to be deleted",
"OpenTime": "03/11/2019 08:15:02",
"ID": 1,
"Severity": 1
},
{
"Status": "Open",
"Summary": "New Virus Detected",
"OpenTime": "03/11/2019 11:39:18",
"ID": 2,
"Severity": 1
},
{
"Status": "Open",
"Summary": "408944640 - Failed Login Attempts - 306-31",
"OpenTime": "03/11/2019 11:41:02",
"ID": 3,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 12:54:50",
"ID": 4,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 13:27:22",
"ID": 5,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 13:29:47",
"ID": 6,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 13:33:13",
"ID": 7,
"Severity": 1
}
]
}
Human Readable Output
All cases:
| ID | Summary | Status | Severity | OpenTime |
|---|---|---|---|---|
| 1 | case to be deleted | Open | 1 | 03/11/2019 08:15:02 |
| 2 | New Virus Detected | Open | 1 | 03/11/2019 11:39:18 |
| 3 | 408944640 - Failed Login Attempts - 306-31 | Open | 1 | 03/11/2019 11:41:02 |
| 4 | this is the first case | Open | 1 | 03/11/2019 12:54:50 |
| 5 | this is the first case | Open | 1 | 03/11/2019 13:27:22 |
| 6 | this is the first case | Open | 1 | 03/11/2019 13:29:47 |
| 7 | this is the first case | Open | 1 | 03/11/2019 13:33:13 |
5. Add a case
Adds a case to McAfee ESM.
Base Command
esm-add-case
Input
| Argument Name | Description | Required |
|---|---|---|
| summary | The name of the case | Required |
| status |
The status of the case (use
esm-get-case-statuses
to view all statuses)
|
Optional |
| assignee | The user the case is assigned to | Optional |
| severity | The severity of the case (1 - 100) | Optional |
| organization |
The organization assigned to the case (use
esm-get-organization-list
to view all organizations)
|
Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-add-case summary="this is the first case"
Context Example
{
"Case": [
{
"Status": "Open",
"OpenTime": "03/11/2019 15:07:22",
"Severity": 1,
"EventList": [],
"Notes": [
{
"action": "Open",
"content": "",
"username": "NGCP",
"changes": [],
"timestamp": "03/11/2019 15:07:22(GMT)"
}
],
"Summary": "this is the first case",
"Assignee": "NGCP",
"Organization": "None",
"ID": 8
}
]
}
Human Readable Output
New Case:
| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
|---|---|---|---|---|---|---|---|---|
| 8 | this is the first case | Open | 1 | 03/11/2019 15:07:22 | NGCP | None | [] | [{“action”: “Open”, “timestamp”: “03/11/2019 15:07:22(GMT)”, “username”: “NGCP”, “content”: “”, “changes”: []}] |
6. Edit a case
Modifies an existing case.
Base Command
esm-edit-case
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the case | Required |
| summary | The name of the case | Optional |
| severity | The new severity of the case (1 - 100) | Optional |
| assignee | The user that the case should be assigned to | Optional |
| status |
The new status of the case (use the
esm-get-case-statuses
command to view all statuses)
|
Optional |
| organization |
The organization assigned to the case (use the
esm-get-organization-list
command to view all organizations)
|
Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The Assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-edit-case id="2" summary="editing first case" severity="50" organization="LuthorCorp"
Context Example
{
"Case": [
{
"Status": "Open",
"OpenTime": "03/11/2019 11:39:18",
"Severity": 50,
"EventList": [],
"Notes": [
{
"action": "Changes",
"content": "Summary\n old: New Virus Detected\n new: editing first case\n\n Severity\n old: 1\n new: 50",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: New Virus Detected",
"new: editing first case"
]
},
{
"changeType": "Severity",
"changes": [
"old: 1",
"new: 50"
]
}
],
"timestamp": "03/11/2019 15:07:26(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: editing first case\n new: New Virus Detected\n\n Severity\n old: 50\n new: 1",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: editing first case",
"new: New Virus Detected"
]
},
{
"changeType": "Severity",
"changes": [
"old: 50",
"new: 1"
]
}
],
"timestamp": "03/11/2019 15:01:28(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: New Virus Detection",
"new: editing first case"
]
},
{
"changeType": "Severity",
"changes": [
"old: 1",
"new: 50"
]
}
],
"timestamp": "03/11/2019 13:33:16(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: editing first New Virus Detection\n new: New Virus Detection",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: editing first New Virus Detection",
"new: New Virus Detection"
]
}
],
"timestamp": "03/11/2019 13:31:59(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: editing first case\n new: editing first New Virus Detection\n\n Severity\n old: 50\n new: 1",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: editing first case",
"new: editing first New Virus Detection"
]
},
{
"changeType": "Severity",
"changes": [
"old: 50",
"new: 1"
]
}
],
"timestamp": "03/11/2019 13:31:45(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: New Virus Detection",
"new: editing first case"
]
},
{
"changeType": "Severity",
"changes": [
"old: 1",
"new: 50"
]
}
],
"timestamp": "03/11/2019 13:27:25(GMT)"
},
{
"action": "Open",
"content": "",
"username": "NGCP",
"changes": [],
"timestamp": "03/11/2019 11:39:18(GMT)"
}
],
"Summary": "editing first case",
"Assignee": "NGCP",
"Organization": "None",
"ID": 2
}
]
}
Human Readable Output
Edited Case:
| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
|---|---|---|---|---|---|---|---|---|
| 2 | editing first case | Open | 50 | 03/11/2019 11:39:18 | NGCP | None | [] | [{“action”: “Changes”, “timestamp”: “03/11/2019 15:07:26(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: New Virus Detected\n new: editing first case\n\n Severity\n old: 1\n new: 50”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: New Virus Detected”, “new: editing first case”]}, {“changeType”: “Severity”, “changes”: [“old: 1”, “new: 50”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 15:01:28(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: editing first case\n new: New Virus Detected\n\n Severity\n old: 50\n new: 1”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: editing first case”, “new: New Virus Detected”]}, {“changeType”: “Severity”, “changes”: [“old: 50”, “new: 1”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:33:16(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: New Virus Detection”, “new: editing first case”]}, {“changeType”: “Severity”, “changes”: [“old: 1”, “new: 50”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:31:59(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: editing first New Virus Detection\n new: New Virus Detection”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: editing first New Virus Detection”, “new: New Virus Detection”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:31:45(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: editing first case\n new: editing first New Virus Detection\n\n Severity\n old: 50\n new: 1”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: editing first case”, “new: editing first New Virus Detection”]}, {“changeType”: “Severity”, “changes”: [“old: 50”, “new: 1”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:27:25(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: New Virus Detection”, “new: editing first case”]}, {“changeType”: “Severity”, “changes”: [“old: 1”, “new: 50”]}]}, {“action”: “Open”, “timestamp”: “03/11/2019 11:39:18(GMT)”, “username”: “NGCP”, “content”: “”, “changes”: []}] |
7. Get a list of case statuses
Returns a list of valid case statuses from McAfee ESM.
Base Command
esm-get-case-statuses
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!esm-get-case-statuses
Human Readable Output
Result:
| ID | Name | Is Default | Show In Case Pane |
|---|---|---|---|
| 2 | Closed | false | false |
| 1 | Open | true | true |
| 8 | Pending | false | true |
| 4 | Research | false | false |
8. Edit the status of a case
Modifies a case status.
Base Command
esm-edit-case-status
Input
| Argument Name | Description | Required |
|---|---|---|
| original_name | The name of the case status to edit | Required |
| new_name | The new name for the case status | Required |
| show_in_case_pane | Whether the status will be shown in the case pane | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-edit-case-status original_name=Research new_name=RnD
Human Readable Output
Edit case status with ID: 4
9. Get details of a case
Returns details about an existing case.
Base Command
esm-get-case-detail
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the case | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-get-case-detail id=3
Context Example
{
"Case": [
{
"Status": "Open",
"OpenTime": "03/11/2019 11:41:02",
"Severity": 1,
"EventList": [
{
"message": "Failed User Logon",
"lastTime": "03/11/2019 01:01:13",
"id": {
"value": "144115188075855872|8850"
}
}
],
"Notes": [
{
"action": "Open",
"content": "Events Added: 144115188075855872|8850\n Events Removed:",
"username": "NGCP",
"changes": [
{
"changeType": "Events Added",
"changes": [
"144115188075855872|8850"
]
},
{
"changeType": "Events Removed",
"changes": []
}
],
"timestamp": "03/11/2019 11:41:02(GMT)"
}
],
"Summary": "408944640 - Failed Login Attempts - 306-31",
"Assignee": "NGCP",
"Organization": "None",
"ID": 3
}
]
}
Human Readable Output
Case 3:
| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
|---|---|---|---|---|---|---|---|---|
| 3 | 408944640 - Failed Login Attempts - 306-31 | Open | 1 | 03/11/2019 11:41:02 | NGCP | None | [{“message”: “Failed User Logon”, “lastTime”: “03/11/2019 01:01:13”, “id”: {“value”: “144115188075855872|8850”}}] | [{“action”: “Open”, “timestamp”: “03/11/2019 11:41:02(GMT)”, “username”: “NGCP”, “content”: “Events Added: 144115188075855872|8850\n Events Removed:”, “changes”: [{“changeType”: “Events Added”, “changes”: [“144115188075855872|8850”]}, {“changeType”: “Events Removed”, “changes”: []}]}] |
10. Get details of a case event
Returns case event details.
Base Command
esm-get-case-event-list
Input
| Argument Name | Description | Required |
|---|---|---|
| ids | CSV list of event IDs | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CaseEvents.ID | string | The ID of the event |
| CaseEvents.LastTime | date | The last updated time of the event |
| CaseEvents.Message | string | The message of the event |
Command Example
!esm-get-case-event-list ids=144115188075855872|8850,144115188075855872|9718
Context Example
{
"CaseEvents": [
{
"Message": "Failed User Logon",
"LastTime": "03/11/2019 01:01:13",
"ID": "144115188075855872|8850"
},
{
"Message": "User Logon",
"LastTime": "03/11/2019 11:09:37",
"ID": "144115188075855872|9718"
}
]
}
Human Readable Output
Case Events:
| ID | LastTime | Message |
|---|---|---|
| 144115188075855872|8850 | 03/11/2019 01:01:13 | Failed User Logon |
| 144115188075855872|9718 | 03/11/2019 11:09:37 | User Logon |
11. Add a status to a case
Adds a case status to a case.
Base Command
esm-add-case-status
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The name of the case status | Required |
| show_in_case_pane | Whether the status will be shown in case pane | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-add-case-status name=Deprecated
Human Readable Output
Added case status : Deprecated
12. Remove a status from a case
Deletes a case status from a case.
Base Command
esm-delete-case-status
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The name of the case status to delete | Required |
Context Output
There is no context output for this command.
Command Example
esm-delete-case-status name=Pending
Human Readable Output
Deleted case status with ID: 8
13. Get a list of case organizations
Returns a list case organizations.
Base Command
esm-get-organization-list
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Organizations.ID | number | Organization ID |
| Organizations.Name | string | Organization Name |
Command Example
!esm-get-organization-list
Context Example
{
"Organizations": [
{
"ID": 1,
"Name": "None"
}
]
}
Human Readable Output
Organizations:
| ID | Name |
|---|---|
| 1 | None |
14. Get a list of all users
Returns a list of all users.
Base Command
esm-get-user-list
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| EsmUser.ID | number | The ID of the user |
| EsmUser.Name | string | The ESM user name |
| EsmUser.Email | string | The email address of the user |
| EsmUser.SMS | string | The SMS details of the user |
| EsmUser.IsMaster | boolean | Whether the user is a master user |
| EsmUser.IsAdmin | boolean | Whether the user is an admin |
Command Example
!esm-get-user-list
Context Example
{
"EsmUser": [
{
"IsMaster": true,
"Name": "NGCP",
"SMS": "",
"ID": 1,
"IsAdmin": false,
"Email": ""
},
{
"IsMaster": false,
"Name": "POLICY",
"SMS": "",
"ID": 3,
"IsAdmin": false,
"Email": ""
},
{
"IsMaster": false,
"Name": "REPORT",
"SMS": "",
"ID": 2,
"IsAdmin": false,
"Email": ""
}
]
}
Human Readable Output
Users:
| ID | Name | SMS | IsMaster | IsAdmin | |
|---|---|---|---|---|---|
| 1 | NGCP | true | false | ||
| 3 | POLICY | false | false | ||
| 2 | REPORT | false | false |
15. Mark triggered alarms as acknowledged
Marks triggered alarms as acknowledged.
Base Command
esm-acknowledge-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmIds | A CSV list of triggered alarm IDs to be marked acknowledged | Required |
Context Output
There is no context output for this command.
Command Example
!esm-acknowledge-alarms alarmIds=2,5,6
Human Readable Output
Alarms has been Acknowledged.
16. Mark triggered alarms as unacknowledged
Marks triggered alarms as unacknowledged.
Base Command
esm-unacknowledge-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmIds | A CSV list of triggered alarm IDs to be marked unacknowledged | Required |
Context Output
There is no context output for this command.
Command Example
!esm-unacknowledge-alarms alarmIds="1,8,7"
Human Readable Output
Alarms has been Unacknowledged.
17. Delete triggered alarms
Deletes triggered alarms.
Base Command
esm-delete-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmIds | A CSV list of triggered alarm IDs to be deleted | Required |
Context Output
There is no context output for this command.
Command Example
!esm-delete-alarms alarmIds=26
Human Readable Output
Alarms has been Deleted.
18. Get details for a triggered alarm
Returns details for a triggered alarm.
Base Command
esm-get-alarm-event-details
Input
| Argument Name | Description | Required |
|---|---|---|
| eventId | The event to get the details for. The ID can be retrieved from the esm-list-alarm-events command. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EsmAlarmEvent.ID | string | Event ID |
| EsmAlarmEvent.SubType | string | Event type |
| EsmAlarmEvent.Severity | number | Event severity |
| EsmAlarmEvent.Message | string | Event message |
| EsmAlarmEvent.LastTime | date | Event time |
| EsmAlarmEvent.SrcIP | string | Source IP of the event |
| EsmAlarmEvent.DstIP | string | Destination IP of the event |
| EsmAlarmEvent.Cases | unknown | A list of related cases to the event |
| EsmAlarmEvent.Cases.ID | string | Case ID |
| EsmAlarmEvent.Cases.OpenTime | date | Case creation time |
| EsmAlarmEvent.Cases.Severity | number | Case severity |
| EsmAlarmEvent.Cases.Status | string | Case status |
| EsmAlarmEvent.Cases.Summary | string | Case summary |
| EsmAlarmEvent.DstMac | string | Destination MAC of the event |
| EsmAlarmEvent.SrcMac | string | Source MAC of the event |
| EsmAlarmEvent.DstPort | string | Destination port of the event |
| EsmAlarmEvent.SrcPort | string | Source port of the event |
| EsmAlarmEvent.FirstTime | date | The first time for the event |
| EsmAlarmEvent.NormalizedDescription | string | Normalized description of the event |
Command Example
!esm-get-alarm-event-details eventId="144115188075855872|9718"
Context Example
{
"EsmAlarmEvent": [
{
"DstIP": "192.168.1.25",
"FirstTime": "03/11/2019 11:09:37",
"Severity": 19,
"DstPort": "0",
"SrcPort": "0",
"DstMac": "00:00:00:00:00:00",
"SubType": "success",
"SrcIP": "52.15.91.198",
"Message": "User Logon",
"LastTime": "03/11/2019 11:09:37",
"ID": "144115188075855872|9718",
"NormalizedDescription": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.",
"SrcMac": "00:00:00:00:00:00"
}
]
}
Human Readable Output
Alarm Events:
| ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
|---|---|---|---|---|---|---|---|---|
| 144115188075855872|9718 | success | 19 | User Logon | 03/11/2019 11:09:37 | 52.15.91.198 | 0 | 192.168.1.25 | 0 |
19. Get an event list related to an alarm
Returns an event list related to an alarm.
Base Command
esm-list-alarm-events
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmId | The alarm to get the details for. The ID can be retrieved from the esm-fetch-alarms command. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EsmAlarmEvent.ID | string | Event ID |
| EsmAlarmEvent.SubType | string | Event type |
| EsmAlarmEvent.Severity | number | Event severity |
| EsmAlarmEvent.Message | string | Event message |
| EsmAlarmEvent.LastTime | date | Event time |
| EsmAlarmEvent.SrcIP | string | Source IP of the event |
| EsmAlarmEvent.DstIP | string | Destination IP of the event |
| EsmAlarmEvent.Cases | unknown | A list of related cases to the event |
| EsmAlarmEvent.Cases.ID | string | Case ID |
| EsmAlarmEvent.Cases.OpenTime | date | Case creation time |
| EsmAlarmEvent.Cases.Severity | number | Case severity |
| EsmAlarmEvent.Cases.Status | string | Case status |
| EsmAlarmEvent.Cases.Summary | string | Case summary |
Command Example
!esm-list-alarm-events alarmId="24"
Context Example
{
"EsmAlarmEvent": [
{
"DstIP": "192.168.1.25",
"Severity": 25,
"SubType": "failure",
"SrcIP": "186.29.149.40",
"Message": "Failed User Logon",
"LastTime": "03/11/2019 01:44:27",
"ID": "144115188075855872|8919"
}
]
}
Human Readable Output
Alarm Events:
| ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
|---|---|---|---|---|---|---|---|---|
| 144115188075855872|8919 | failure | 25 | Failed User Logon | 03/11/2019 01:44:27 | 186.29.149.40 | 192.168.1.25 |