McAfee ESM v10 and v11
Use the McAfee ESM v10 integration to get actionable intelligence and integrations to prioritize, investigate, and respond to threats.
Configure McAfee ESM-v10 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for McAfee ESM-v10.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Port
- ESM IP (e.g. 78.125.0.209)
- Username
- Fetch incidents
- Incident type
- Fetch Types: cases, alarms, both (relevant only for fetch incident mode)
- Start fetch after Case ID: (relevant only for fetch incident mode)
- Trust any certificate (not secure)
- Version: (one of 10.0, 10.1, 10.2, 10.3)
- ESM time format, e.g., %Y/%m/%d %H:%M:%S. Select “auto-discovery” to extract the format automatically.
- __McAfee ESM Timezone in hours (e.g if ESM timezone is +0300 => then insert 3) __
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get a list of all fields: esm-fetch-fields
- Perform a search in McAfee ESM: esm-search
- Get a list of triggered alarms: esm-fetch-alarms
- Get a list of cases: esm-get-case-list
- Add a case: esm-add-case
- Edit a case: esm-edit-case
- Get a list of case statuses: esm-get-case-statuses
- Edit the status of a case: esm-edit-case-status
- Get details of a case: esm-get-case-detail
- Get details of a case event: esm-get-case-event-list
- Add a status to a case: esm-add-case-status
- Remove a status from a case: esm-delete-case-status
- Get a list of case organizations: esm-get-organization-list
- Get a list of all users: esm-get-user-list
- Mark triggered alarms as acknowledged: esm-acknowledge-alarms
- Mark triggered alarms as unacknowledgedesm-unacknowledge-alarms
- Delete triggered alarms: esm-delete-alarms
- Get details for a triggered alarm: esm-get-alarm-event-details
- Get an event list related to an alarm: esm-list-alarm-events
1. Get list of all fields
Returns a list of all fields (and the field type) that can be used in query filters.
Base Command
esm-fetch-fields
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
esm-fetch-fields
Human Readable
This output is truncated.
Result:
| name | types |
|---|---|
| AppID | STRING |
| CommandID | STRING |
| DomainID | STRING |
| HostID | STRING |
| ObjectID | STRING |
| UserIDDst | STRING |
| UserIDSrc | STRING |
| URL | SSTRING |
| Database_Name | STRING |
| Message_Text | SSTRING |
| Response_Time | UINT32,UINT32 |
| Application_Protocol | STRING |
| Object_Type | STRING |
| Filename | SSTRING |
| From | SSTRING |
| To | SSTRING |
| Cc | SSTRING |
| Bcc | SSTRING |
| Subject | SSTRING |
| Method | STRING |
| User_Agent | SSTRING |
| Cookie | SSTRING |
| Referer | SSTRING |
| File_Operation | STRING |
| File_Operation_Succeeded | STRING |
2. Perform a search in McAfee ESM
Performs a query against McAfee ESM.
Base Command
esm-search
Input
| Argument Name | Description | Required |
|---|---|---|
| timeRange | The time period for the search | Required |
| filters | Filter on the query results in the format EsmFilter. Should be a JSON string. | Required |
| queryType | Query type to preform, by default EVENT (other possible values are : FLOW/ASSET) | Optional |
| maxWait | Maximum time to wait (in minutes), default is 30 | Optional |
| customStart | if timeRange is CUSTOM, start time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| customEnd | if timeRange is CUSTOM, end time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| fields | The fields that will be selected when this query is executed. | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-search timeRange=LAST_10_MINUTES filters=`[{"type": "EsmFieldFilter", "field": {"name": "SrcIP"}, "operator": "EQUALS", "values": [{"type": "EsmBasicValue", "value": "52.15.91.198"}]}]
Context Example
{
"SearchResults": [
{
"AlertIPSIDAlertID": "144115188075855872|10201"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 14:57:38"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10202"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 14:58:37"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10203"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 14:59:35"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10204"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:00:36"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10208"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:01:37"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10209"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:02:38"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10210"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:03:36"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10211"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:04:36"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10212"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:05:37"
},
{
"ActionName": "success"
},
{
"AlertIPSIDAlertID": "144115188075855872|10213"
},
{
"AlertSrcIP": "52.15.91.198"
},
{
"AlertSrcPort": "0"
},
{
"AlertDstIP": "192.168.1.25"
},
{
"AlertDstPort": "0"
},
{
"AlertProtocol": "n/a"
},
{
"AlertLastTime": "03/11/2019 15:06:38"
},
{
"ActionName": "success"
}
]
}
Human Readable Output
results:
| Alert.IPSIDAlertID | Alert.SrcIP | Alert.SrcPort | Alert.DstIP | Alert.DstPort | Alert.Protocol | Alert.LastTime | Action.Name |
|---|---|---|---|---|---|---|---|
| 144115188075855872|10201 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:57:38 | success |
| 144115188075855872|10202 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:58:37 | success |
| 144115188075855872|10203 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:59:35 | success |
| 144115188075855872|10204 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:00:36 | success |
| 144115188075855872|10208 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:01:37 | success |
| 144115188075855872|10209 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:02:38 | success |
| 144115188075855872|10210 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:03:36 | success |
| 144115188075855872|10211 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:04:36 | success |
| 144115188075855872|10212 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:05:37 | success |
| 144115188075855872|10213 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:06:38 | success |
3. Get a list of triggered alarms
Retrieves a list of triggered alarms.
Base Command
esm-fetch-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| timeRange | The time period for the fetch. | Required |
| customStart | if timeRange is CUSTOM, start time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| customEnd | if timeRange is CUSTOM, end time for the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| assignedUser | user assigned to handle this triggered alarm (use ‘ME’ option to use instance user, or use format EsmUser (read more on that here - https://:/rs/esm/help/types/EsmUser) | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Alarm.ID | number | Alarm ID |
| Alarm.summary | string | Alarm summary |
| Alarm.assignee | string | Alarm assignee |
| Alarm.severity | number | Alarm severity |
| Alarm.triggeredDate | date | Alarm triggered date |
| Alarm.acknowledgedDate | date | Alarm acknowledged date |
| Alarm.acknowledgedUsername | string | Alarm acknowledged username |
| Alarm.alarmName | string | Alarm name |
| Alarm.conditionType | number | Alarm condition type |
Command Example
!esm-fetch-alarms timeRange="LAST_3_DAYS"
Context Example
{
"Alarm": [
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:48:10",
"acknowledgedDate": "03/11/2019 08:16:19",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "NGCP",
"ID": 25
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:44:40",
"acknowledgedDate": "03/11/2019 08:16:20",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "NGCP",
"ID": 24
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:41:10",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 23
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:27:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 22
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:24:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 21
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:21:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 20
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:19:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 19
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:14:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 18
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:07:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 17
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:06:09",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 16
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/11/2019 01:01:39",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 15
},
{
"conditionType": 13,
"severity": 50,
"triggeredDate": "03/10/2019 17:01:30",
"acknowledgedDate": "",
"summary": "408944640 - Failed Login Attempts - 306-31",
"assignee": "NGCP",
"alarmName": "Failed Login Attempts",
"acknowledgedUsername": "",
"ID": 14
}
]
}
Human Readable Output
Result:
| conditionType | severity | triggeredDate | acknowledgedDate | summary | assignee | alarmName | ID | acknowledgedUsername |
|---|---|---|---|---|---|---|---|---|
| 13 | 50 | 03/11/2019 01:48:10 | 03/11/2019 08:16:19 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 25 | NGCP |
| 13 | 50 | 03/11/2019 01:44:40 | 03/11/2019 08:16:20 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 24 | NGCP |
| 13 | 50 | 03/11/2019 01:41:10 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 23 | ||
| 13 | 50 | 03/11/2019 01:27:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 22 | ||
| 13 | 50 | 03/11/2019 01:24:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 21 | ||
| 13 | 50 | 03/11/2019 01:21:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 20 | ||
| 13 | 50 | 03/11/2019 01:19:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 19 | ||
| 13 | 50 | 03/11/2019 01:14:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 18 | ||
| 13 | 50 | 03/11/2019 01:07:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 17 | ||
| 13 | 50 | 03/11/2019 01:06:09 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 16 | ||
| 13 | 50 | 03/11/2019 01:01:39 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 15 | ||
| 13 | 50 | 03/10/2019 17:01:30 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 14 |
4. Get a list of cases
Returns a list of cases from the McAfee ESM.
Base Command
esm-get-case-list
Input
| Argument Name | Description | Required |
|---|---|---|
| since | Filter for a case opened before this date. Given in format " | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The Assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-get-case-list
Context Example
{
"Case": [
{
"Status": "Open",
"Summary": "case to be deleted",
"OpenTime": "03/11/2019 08:15:02",
"ID": 1,
"Severity": 1
},
{
"Status": "Open",
"Summary": "New Virus Detected",
"OpenTime": "03/11/2019 11:39:18",
"ID": 2,
"Severity": 1
},
{
"Status": "Open",
"Summary": "408944640 - Failed Login Attempts - 306-31",
"OpenTime": "03/11/2019 11:41:02",
"ID": 3,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 12:54:50",
"ID": 4,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 13:27:22",
"ID": 5,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 13:29:47",
"ID": 6,
"Severity": 1
},
{
"Status": "Open",
"Summary": "this is the first case",
"OpenTime": "03/11/2019 13:33:13",
"ID": 7,
"Severity": 1
}
]
}
Human Readable Output
All cases:
| ID | Summary | Status | Severity | OpenTime |
|---|---|---|---|---|
| 1 | case to be deleted | Open | 1 | 03/11/2019 08:15:02 |
| 2 | New Virus Detected | Open | 1 | 03/11/2019 11:39:18 |
| 3 | 408944640 - Failed Login Attempts - 306-31 | Open | 1 | 03/11/2019 11:41:02 |
| 4 | this is the first case | Open | 1 | 03/11/2019 12:54:50 |
| 5 | this is the first case | Open | 1 | 03/11/2019 13:27:22 |
| 6 | this is the first case | Open | 1 | 03/11/2019 13:29:47 |
| 7 | this is the first case | Open | 1 | 03/11/2019 13:33:13 |
5. Add a case
Adds a case to McAfee ESM.
Base Command
esm-add-case
Input
| Argument Name | Description | Required |
|---|---|---|
| summary | The name of the case | Required |
| status |
The status of the case (use
esm-get-case-statuses
to view all statuses)
|
Optional |
| assignee | The user the case is assigned to | Optional |
| severity | The severity of the case (1 - 100) | Optional |
| organization |
The organization assigned to the case (use
esm-get-organization-list
to view all organizations)
|
Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-add-case summary="this is the first case"
Context Example
{
"Case": [
{
"Status": "Open",
"OpenTime": "03/11/2019 15:07:22",
"Severity": 1,
"EventList": [],
"Notes": [
{
"action": "Open",
"content": "",
"username": "NGCP",
"changes": [],
"timestamp": "03/11/2019 15:07:22(GMT)"
}
],
"Summary": "this is the first case",
"Assignee": "NGCP",
"Organization": "None",
"ID": 8
}
]
}
Human Readable Output
New Case:
| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
|---|---|---|---|---|---|---|---|---|
| 8 | this is the first case | Open | 1 | 03/11/2019 15:07:22 | NGCP | None | [] | [{“action”: “Open”, “timestamp”: “03/11/2019 15:07:22(GMT)”, “username”: “NGCP”, “content”: “”, “changes”: []}] |
6. Edit a case
Modifies an existing case.
Base Command
esm-edit-case
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the case | Required |
| summary | The name of the case | Optional |
| severity | The new severity of the case (1 - 100) | Optional |
| assignee | The user that the case should be assigned to | Optional |
| status |
The new status of the case (use the
esm-get-case-statuses
command to view all statuses)
|
Optional |
| organization |
The organization assigned to the case (use the
esm-get-organization-list
command to view all organizations)
|
Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The Assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-edit-case id="2" summary="editing first case" severity="50" organization="LuthorCorp"
Context Example
{
"Case": [
{
"Status": "Open",
"OpenTime": "03/11/2019 11:39:18",
"Severity": 50,
"EventList": [],
"Notes": [
{
"action": "Changes",
"content": "Summary\n old: New Virus Detected\n new: editing first case\n\n Severity\n old: 1\n new: 50",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: New Virus Detected",
"new: editing first case"
]
},
{
"changeType": "Severity",
"changes": [
"old: 1",
"new: 50"
]
}
],
"timestamp": "03/11/2019 15:07:26(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: editing first case\n new: New Virus Detected\n\n Severity\n old: 50\n new: 1",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: editing first case",
"new: New Virus Detected"
]
},
{
"changeType": "Severity",
"changes": [
"old: 50",
"new: 1"
]
}
],
"timestamp": "03/11/2019 15:01:28(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: New Virus Detection",
"new: editing first case"
]
},
{
"changeType": "Severity",
"changes": [
"old: 1",
"new: 50"
]
}
],
"timestamp": "03/11/2019 13:33:16(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: editing first New Virus Detection\n new: New Virus Detection",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: editing first New Virus Detection",
"new: New Virus Detection"
]
}
],
"timestamp": "03/11/2019 13:31:59(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: editing first case\n new: editing first New Virus Detection\n\n Severity\n old: 50\n new: 1",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: editing first case",
"new: editing first New Virus Detection"
]
},
{
"changeType": "Severity",
"changes": [
"old: 50",
"new: 1"
]
}
],
"timestamp": "03/11/2019 13:31:45(GMT)"
},
{
"action": "Changes",
"content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50",
"username": "NGCP",
"changes": [
{
"changeType": "Summary",
"changes": [
"old: New Virus Detection",
"new: editing first case"
]
},
{
"changeType": "Severity",
"changes": [
"old: 1",
"new: 50"
]
}
],
"timestamp": "03/11/2019 13:27:25(GMT)"
},
{
"action": "Open",
"content": "",
"username": "NGCP",
"changes": [],
"timestamp": "03/11/2019 11:39:18(GMT)"
}
],
"Summary": "editing first case",
"Assignee": "NGCP",
"Organization": "None",
"ID": 2
}
]
}
Human Readable Output
Edited Case:
| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
|---|---|---|---|---|---|---|---|---|
| 2 | editing first case | Open | 50 | 03/11/2019 11:39:18 | NGCP | None | [] | [{“action”: “Changes”, “timestamp”: “03/11/2019 15:07:26(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: New Virus Detected\n new: editing first case\n\n Severity\n old: 1\n new: 50”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: New Virus Detected”, “new: editing first case”]}, {“changeType”: “Severity”, “changes”: [“old: 1”, “new: 50”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 15:01:28(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: editing first case\n new: New Virus Detected\n\n Severity\n old: 50\n new: 1”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: editing first case”, “new: New Virus Detected”]}, {“changeType”: “Severity”, “changes”: [“old: 50”, “new: 1”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:33:16(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: New Virus Detection”, “new: editing first case”]}, {“changeType”: “Severity”, “changes”: [“old: 1”, “new: 50”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:31:59(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: editing first New Virus Detection\n new: New Virus Detection”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: editing first New Virus Detection”, “new: New Virus Detection”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:31:45(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: editing first case\n new: editing first New Virus Detection\n\n Severity\n old: 50\n new: 1”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: editing first case”, “new: editing first New Virus Detection”]}, {“changeType”: “Severity”, “changes”: [“old: 50”, “new: 1”]}]}, {“action”: “Changes”, “timestamp”: “03/11/2019 13:27:25(GMT)”, “username”: “NGCP”, “content”: “Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50”, “changes”: [{“changeType”: “Summary”, “changes”: [“old: New Virus Detection”, “new: editing first case”]}, {“changeType”: “Severity”, “changes”: [“old: 1”, “new: 50”]}]}, {“action”: “Open”, “timestamp”: “03/11/2019 11:39:18(GMT)”, “username”: “NGCP”, “content”: “”, “changes”: []}] |
7. Get a list of case statuses
Returns a list of valid case statuses from McAfee ESM.
Base Command
esm-get-case-statuses
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!esm-get-case-statuses
Human Readable Output
Result:
| ID | Name | Is Default | Show In Case Pane |
|---|---|---|---|
| 2 | Closed | false | false |
| 1 | Open | true | true |
| 8 | Pending | false | true |
| 4 | Research | false | false |
8. Edit the status of a case
Modifies a case status.
Base Command
esm-edit-case-status
Input
| Argument Name | Description | Required |
|---|---|---|
| original_name | The name of the case status to edit | Required |
| new_name | The new name for the case status | Required |
| show_in_case_pane | Whether the status will be shown in the case pane | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-edit-case-status original_name=Research new_name=RnD
Human Readable Output
Edit case status with ID: 4
9. Get details of a case
Returns details about an existing case.
Base Command
esm-get-case-detail
Input
| Argument Name | Description | Required |
|---|---|---|
| id | The ID of the case | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of case’s events |
| Case.Notes | unknown | List of case’s notes |
Command Example
!esm-get-case-detail id=3
Context Example
{
"Case": [
{
"Status": "Open",
"OpenTime": "03/11/2019 11:41:02",
"Severity": 1,
"EventList": [
{
"message": "Failed User Logon",
"lastTime": "03/11/2019 01:01:13",
"id": {
"value": "144115188075855872|8850"
}
}
],
"Notes": [
{
"action": "Open",
"content": "Events Added: 144115188075855872|8850\n Events Removed:",
"username": "NGCP",
"changes": [
{
"changeType": "Events Added",
"changes": [
"144115188075855872|8850"
]
},
{
"changeType": "Events Removed",
"changes": []
}
],
"timestamp": "03/11/2019 11:41:02(GMT)"
}
],
"Summary": "408944640 - Failed Login Attempts - 306-31",
"Assignee": "NGCP",
"Organization": "None",
"ID": 3
}
]
}
Human Readable Output
Case 3:
| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
|---|---|---|---|---|---|---|---|---|
| 3 | 408944640 - Failed Login Attempts - 306-31 | Open | 1 | 03/11/2019 11:41:02 | NGCP | None | [{“message”: “Failed User Logon”, “lastTime”: “03/11/2019 01:01:13”, “id”: {“value”: “144115188075855872|8850”}}] | [{“action”: “Open”, “timestamp”: “03/11/2019 11:41:02(GMT)”, “username”: “NGCP”, “content”: “Events Added: 144115188075855872|8850\n Events Removed:”, “changes”: [{“changeType”: “Events Added”, “changes”: [“144115188075855872|8850”]}, {“changeType”: “Events Removed”, “changes”: []}]}] |
10. Get details of a case event
Returns case event details.
Base Command
esm-get-case-event-list
Input
| Argument Name | Description | Required |
|---|---|---|
| ids | CSV list of event IDs | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| CaseEvents.ID | string | The ID of the event |
| CaseEvents.LastTime | date | The last updated time of the event |
| CaseEvents.Message | string | The message of the event |
Command Example
!esm-get-case-event-list ids=144115188075855872|8850,144115188075855872|9718
Context Example
{
"CaseEvents": [
{
"Message": "Failed User Logon",
"LastTime": "03/11/2019 01:01:13",
"ID": "144115188075855872|8850"
},
{
"Message": "User Logon",
"LastTime": "03/11/2019 11:09:37",
"ID": "144115188075855872|9718"
}
]
}
Human Readable Output
Case Events:
| ID | LastTime | Message |
|---|---|---|
| 144115188075855872|8850 | 03/11/2019 01:01:13 | Failed User Logon |
| 144115188075855872|9718 | 03/11/2019 11:09:37 | User Logon |
11. Add a status to a case
Adds a case status to a case.
Base Command
esm-add-case-status
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The name of the case status | Required |
| show_in_case_pane | Whether the status will be shown in case pane | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-add-case-status name=Deprecated
Human Readable Output
Added case status : Deprecated
12. Remove a status from a case
Deletes a case status from a case.
Base Command
esm-delete-case-status
Input
| Argument Name | Description | Required |
|---|---|---|
| name | The name of the case status to delete | Required |
Context Output
There is no context output for this command.
Command Example
esm-delete-case-status name=Pending
Human Readable Output
Deleted case status with ID: 8
13. Get a list of case organizations
Returns a list case organizations.
Base Command
esm-get-organization-list
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| Organizations.ID | number | Organization ID |
| Organizations.Name | string | Organization Name |
Command Example
!esm-get-organization-list
Context Example
{
"Organizations": [
{
"ID": 1,
"Name": "None"
}
]
}
Human Readable Output
Organizations:
| ID | Name |
|---|---|
| 1 | None |
14. Get a list of all users
Returns a list of all users.
Base Command
esm-get-user-list
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| EsmUser.ID | number | The ID of the user |
| EsmUser.Name | string | The ESM user name |
| EsmUser.Email | string | The email address of the user |
| EsmUser.SMS | string | The SMS details of the user |
| EsmUser.IsMaster | boolean | Whether the user is a master user |
| EsmUser.IsAdmin | boolean | Whether the user is an admin |
Command Example
!esm-get-user-list
Context Example
{
"EsmUser": [
{
"IsMaster": true,
"Name": "NGCP",
"SMS": "",
"ID": 1,
"IsAdmin": false,
"Email": ""
},
{
"IsMaster": false,
"Name": "POLICY",
"SMS": "",
"ID": 3,
"IsAdmin": false,
"Email": ""
},
{
"IsMaster": false,
"Name": "REPORT",
"SMS": "",
"ID": 2,
"IsAdmin": false,
"Email": ""
}
]
}
Human Readable Output
Users:
| ID | Name | SMS | IsMaster | IsAdmin | |
|---|---|---|---|---|---|
| 1 | NGCP | true | false | ||
| 3 | POLICY | false | false | ||
| 2 | REPORT | false | false |
15. Mark triggered alarms as acknowledged
Marks triggered alarms as acknowledged.
Base Command
esm-acknowledge-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmIds | A CSV list of triggered alarm IDs to be marked acknowledged | Required |
Context Output
There is no context output for this command.
Command Example
!esm-acknowledge-alarms alarmIds=2,5,6
Human Readable Output
Alarms has been Acknowledged.
16. Mark triggered alarms as unacknowledged
Marks triggered alarms as unacknowledged.
Base Command
esm-unacknowledge-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmIds | A CSV list of triggered alarm IDs to be marked unacknowledged | Required |
Context Output
There is no context output for this command.
Command Example
!esm-unacknowledge-alarms alarmIds="1,8,7"
Human Readable Output
Alarms has been Unacknowledged.
17. Delete triggered alarms
Deletes triggered alarms.
Base Command
esm-delete-alarms
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmIds | A CSV list of triggered alarm IDs to be deleted | Required |
Context Output
There is no context output for this command.
Command Example
!esm-delete-alarms alarmIds=26
Human Readable Output
Alarms has been Deleted.
18. Get details for a triggered alarm
Returns details for a triggered alarm.
Base Command
esm-get-alarm-event-details
Input
| Argument Name | Description | Required |
|---|---|---|
| eventId | The event to get the details for. The ID can be retrieved from the esm-list-alarm-events command. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EsmAlarmEvent.ID | string | Event ID |
| EsmAlarmEvent.SubType | string | Event type |
| EsmAlarmEvent.Severity | number | Event severity |
| EsmAlarmEvent.Message | string | Event message |
| EsmAlarmEvent.LastTime | date | Event time |
| EsmAlarmEvent.SrcIP | string | Source IP of the event |
| EsmAlarmEvent.DstIP | string | Destination IP of the event |
| EsmAlarmEvent.Cases | unknown | A list of related cases to the event |
| EsmAlarmEvent.Cases.ID | string | Case ID |
| EsmAlarmEvent.Cases.OpenTime | date | Case creation time |
| EsmAlarmEvent.Cases.Severity | number | Case severity |
| EsmAlarmEvent.Cases.Status | string | Case status |
| EsmAlarmEvent.Cases.Summary | string | Case summary |
| EsmAlarmEvent.DstMac | string | Destination MAC of the event |
| EsmAlarmEvent.SrcMac | string | Source MAC of the event |
| EsmAlarmEvent.DstPort | string | Destination port of the event |
| EsmAlarmEvent.SrcPort | string | Source port of the event |
| EsmAlarmEvent.FirstTime | date | The first time for the event |
| EsmAlarmEvent.NormalizedDescription | string | Normalized description of the event |
Command Example
!esm-get-alarm-event-details eventId="144115188075855872|9718"
Context Example
{
"EsmAlarmEvent": [
{
"DstIP": "192.168.1.25",
"FirstTime": "03/11/2019 11:09:37",
"Severity": 19,
"DstPort": "0",
"SrcPort": "0",
"DstMac": "00:00:00:00:00:00",
"SubType": "success",
"SrcIP": "52.15.91.198",
"Message": "User Logon",
"LastTime": "03/11/2019 11:09:37",
"ID": "144115188075855872|9718",
"NormalizedDescription": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.",
"SrcMac": "00:00:00:00:00:00"
}
]
}
Human Readable Output
Alarm Events:
| ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
|---|---|---|---|---|---|---|---|---|
| 144115188075855872|9718 | success | 19 | User Logon | 03/11/2019 11:09:37 | 52.15.91.198 | 0 | 192.168.1.25 | 0 |
19. Get an event list related to an alarm
Returns an event list related to an alarm.
Base Command
esm-list-alarm-events
Input
| Argument Name | Description | Required |
|---|---|---|
| alarmId | The alarm to get the details for. The ID can be retrieved from the esm-fetch-alarms command. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| EsmAlarmEvent.ID | string | Event ID |
| EsmAlarmEvent.SubType | string | Event type |
| EsmAlarmEvent.Severity | number | Event severity |
| EsmAlarmEvent.Message | string | Event message |
| EsmAlarmEvent.LastTime | date | Event time |
| EsmAlarmEvent.SrcIP | string | Source IP of the event |
| EsmAlarmEvent.DstIP | string | Destination IP of the event |
| EsmAlarmEvent.Cases | unknown | A list of related cases to the event |
| EsmAlarmEvent.Cases.ID | string | Case ID |
| EsmAlarmEvent.Cases.OpenTime | date | Case creation time |
| EsmAlarmEvent.Cases.Severity | number | Case severity |
| EsmAlarmEvent.Cases.Status | string | Case status |
| EsmAlarmEvent.Cases.Summary | string | Case summary |
Command Example
!esm-list-alarm-events alarmId="24"
Context Example
{
"EsmAlarmEvent": [
{
"DstIP": "192.168.1.25",
"Severity": 25,
"SubType": "failure",
"SrcIP": "186.29.149.40",
"Message": "Failed User Logon",
"LastTime": "03/11/2019 01:44:27",
"ID": "144115188075855872|8919"
}
]
}
Human Readable Output
Alarm Events:
| ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
|---|---|---|---|---|---|---|---|---|
| 144115188075855872|8919 | failure | 25 | Failed User Logon | 03/11/2019 01:44:27 | 186.29.149.40 | 192.168.1.25 |