McAfee ESM v10 and v11 (Deprecated)
Deprecated
Use the McAfee ESM v2 integration instead.
Configure McAfee ESM-v10 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for McAfee ESM-v10.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Port
- ESM IP (e.g. 78.125.0.209)
- Username
- Fetch incidents
- Incident type
- Fetch Types: cases, alarms, both (relevant only for fetch incident mode)
- Start fetch after Case ID: (relevant only for fetch incident mode)
- Trust any certificate (not secure)
- Version: (one of 10.0, 10.1, 10.2, 10.3)
- ESM time format, e.g., %Y/%m/%d %H:%M:%S. Select “auto-discovery” to extract the format automatically.
- McAfee ESM timezone offset in hours (e.g., if the ESM timezone is +0300, enter 3)
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get a list of all fields: esm-fetch-fields
- Perform a search in McAfee ESM: esm-search
- Get a list of triggered alarms: esm-fetch-alarms
- Get a list of cases: esm-get-case-list
- Add a case: esm-add-case
- Edit a case: esm-edit-case
- Get a list of case statuses: esm-get-case-statuses
- Edit the status of a case: esm-edit-case-status
- Get details of a case: esm-get-case-detail
- Get details of a case event: esm-get-case-event-list
- Add a status to a case: esm-add-case-status
- Remove a status from a case: esm-delete-case-status
- Get a list of case organizations: esm-get-organization-list
- Get a list of all users: esm-get-user-list
- Mark triggered alarms as acknowledged: esm-acknowledge-alarms
- Mark triggered alarms as unacknowledged: esm-unacknowledge-alarms
- Delete triggered alarms: esm-delete-alarms
- Get details for a triggered alarm: esm-get-alarm-event-details
- Get an event list related to an alarm: esm-list-alarm-events
1. Get list of all fields
Returns a list of all fields (and the field type) that can be used in query filters.
Base Command
esm-fetch-fields
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
esm-fetch-fields
Human Readable
This output is truncated.
Result:
name | types |
---|---|
AppID | STRING |
CommandID | STRING |
DomainID | STRING |
HostID | STRING |
ObjectID | STRING |
UserIDDst | STRING |
UserIDSrc | STRING |
URL | SSTRING |
Database_Name | STRING |
Message_Text | SSTRING |
Response_Time | UINT32,UINT32 |
Application_Protocol | STRING |
Object_Type | STRING |
Filename | SSTRING |
From | SSTRING |
To | SSTRING |
Cc | SSTRING |
Bcc | SSTRING |
Subject | SSTRING |
Method | STRING |
User_Agent | SSTRING |
Cookie | SSTRING |
Referer | SSTRING |
File_Operation | STRING |
File_Operation_Succeeded | STRING |
2. Perform a search in McAfee ESM
Performs a query against McAfee ESM.
Base Command
esm-search
Input
Argument Name | Description | Required |
---|---|---|
timeRange | The time period for the search | Required |
filters | Filter on the query results in the format EsmFilter. Should be a JSON string. | Required |
queryType | Query type to perform. Default is EVENT; other possible values are FLOW and ASSET. | Optional |
maxWait | Maximum time to wait (in minutes), default is 30 | Optional |
customStart | If timeRange is CUSTOM, the start time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
customEnd | If timeRange is CUSTOM, the end time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
fields | The fields that will be selected when this query is executed. | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-search timeRange=LAST_10_MINUTES filters=`[{"type": "EsmFieldFilter", "field": {"name": "SrcIP"}, "operator": "EQUALS", "values": [{"type": "EsmBasicValue", "value": "52.15.91.198"}]}]`
Context Example
{ "SearchResults": [ { "AlertIPSIDAlertID": "144115188075855872|10201" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 14:57:38" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10202" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 14:58:37" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10203" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 14:59:35" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10204" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 15:00:36" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10208" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 15:01:37" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10209" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 15:02:38" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10210" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 15:03:36" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10211" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 15:04:36" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10212" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 15:05:37" }, { "ActionName": "success" }, { "AlertIPSIDAlertID": "144115188075855872|10213" }, { "AlertSrcIP": "52.15.91.198" }, { "AlertSrcPort": "0" }, { "AlertDstIP": "192.168.1.25" }, { "AlertDstPort": "0" }, { "AlertProtocol": "n/a" }, { "AlertLastTime": "03/11/2019 15:06:38" }, { "ActionName": "success" } ] }
Human Readable Output
results:
Alert.IPSIDAlertID | Alert.SrcIP | Alert.SrcPort | Alert.DstIP | Alert.DstPort | Alert.Protocol | Alert.LastTime | Action.Name |
---|---|---|---|---|---|---|---|
144115188075855872|10201 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:57:38 | success |
144115188075855872|10202 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:58:37 | success |
144115188075855872|10203 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:59:35 | success |
144115188075855872|10204 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:00:36 | success |
144115188075855872|10208 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:01:37 | success |
144115188075855872|10209 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:02:38 | success |
144115188075855872|10210 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:03:36 | success |
144115188075855872|10211 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:04:36 | success |
144115188075855872|10212 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:05:37 | success |
144115188075855872|10213 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:06:38 | success |
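Two helpers for working with esm-search, added here as an example and not part of the integration itself: build_filters produces the EsmFilter JSON string that the `filters` argument expects (the EsmFieldFilter/EsmBasicValue shape from the command example above), and group_search_results regroups the flat SearchResults list, which holds one single-key dict per cell, back into one dict per event row. The sample input is constructed from the first two rows of the context example; the operator default and the count_by helper are this example's own.

```python
"""Helpers for the esm-search command (added example, not integration code)."""
import json
from collections import Counter
from typing import Dict, List


def build_filters(conditions: Dict[str, List[str]], operator: str = "EQUALS") -> str:
    """Return the JSON string for the esm-search `filters` argument.

    `conditions` maps an ESM field name (as listed by esm-fetch-fields) to the
    values it must match, e.g. {"SrcIP": ["52.15.91.198"]}. One EsmFieldFilter
    is emitted per field; every value is wrapped as an EsmBasicValue. EQUALS is
    the operator shown on this page; any other operator string is passed through
    unchanged (assumption: the ESM validates it server-side).
    """
    esm_filters = []
    for field, values in conditions.items():
        if not values:
            raise ValueError(f"filter on {field} needs at least one value")
        esm_filters.append({
            "type": "EsmFieldFilter",
            "field": {"name": field},
            "operator": operator,
            "values": [{"type": "EsmBasicValue", "value": str(v)} for v in values],
        })
    return json.dumps(esm_filters)


def group_search_results(search_results: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Regroup the flat SearchResults list into one dict per row.

    The command returns every cell as its own {column: value} dict, so a new row
    starts whenever a column name that is already present in the row being
    built appears again (AlertIPSIDAlertID repeats once per event in the
    context example above).
    """
    rows: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for cell in search_results:
        (column, value), = cell.items()  # each cell holds exactly one pair
        if column in current:
            rows.append(current)
            current = {}
        current[column] = value
    if current:
        rows.append(current)
    return rows


def count_by(rows: List[Dict[str, str]], column: str) -> Dict[str, int]:
    """Pivot grouped rows by one column, e.g. events per AlertSrcIP."""
    return dict(Counter(row.get(column, "") for row in rows))


# Constructed sample input: the first two events of the esm-search context
# example on this page, in the flat one-pair-per-dict form the command returns.
SAMPLE_SEARCH_RESULTS = [
    {"AlertIPSIDAlertID": "144115188075855872|10201"}, {"AlertSrcIP": "52.15.91.198"},
    {"AlertSrcPort": "0"}, {"AlertDstIP": "192.168.1.25"}, {"AlertDstPort": "0"},
    {"AlertProtocol": "n/a"}, {"AlertLastTime": "03/11/2019 14:57:38"},
    {"ActionName": "success"},
    {"AlertIPSIDAlertID": "144115188075855872|10202"}, {"AlertSrcIP": "52.15.91.198"},
    {"AlertSrcPort": "0"}, {"AlertDstIP": "192.168.1.25"}, {"AlertDstPort": "0"},
    {"AlertProtocol": "n/a"}, {"AlertLastTime": "03/11/2019 14:58:37"},
    {"ActionName": "success"},
]

if __name__ == "__main__":
    print("filters argument:", build_filters({"SrcIP": ["52.15.91.198"]}))
    for row in group_search_results(SAMPLE_SEARCH_RESULTS):
        print(row["AlertIPSIDAlertID"], row["AlertLastTime"], row["ActionName"])
    print(count_by(group_search_results(SAMPLE_SEARCH_RESULTS), "AlertSrcIP"))
```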
3. Get a list of triggered alarms
Retrieves a list of triggered alarms.
Base Command
esm-fetch-alarms
Input
Argument Name | Description | Required |
---|---|---|
timeRange | The time period for the fetch. | Required |
customStart | If timeRange is CUSTOM, the start time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
customEnd | If timeRange is CUSTOM, the end time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
assignedUser | The user assigned to handle this triggered alarm. Use 'ME' for the instance user, or pass an EsmUser object (documented on the ESM itself at https://:/rs/esm/help/types/EsmUser, with the ESM host and port filled in). | Optional |
Context Output
Path | Type | Description |
---|---|---|
Alarm.ID | number | Alarm ID |
Alarm.summary | string | Alarm summary |
Alarm.assignee | string | Alarm assignee |
Alarm.severity | number | Alarm severity |
Alarm.triggeredDate | date | Alarm triggered date |
Alarm.acknowledgedDate | date | Alarm acknowledged date |
Alarm.acknowledgedUsername | string | Alarm acknowledged username |
Alarm.alarmName | string | Alarm name |
Alarm.conditionType | number | Alarm condition type |
Command Example
!esm-fetch-alarms timeRange="LAST_3_DAYS"
Context Example
{ "Alarm": [ { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:48:10", "acknowledgedDate": "03/11/2019 08:16:19", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "NGCP", "ID": 25 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:44:40", "acknowledgedDate": "03/11/2019 08:16:20", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "NGCP", "ID": 24 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:41:10", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 23 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:27:39", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 22 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:24:39", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 21 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:21:39", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 20 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:19:09", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 19 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:14:09", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 18 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:07:09", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 17 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:06:09", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 16 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/11/2019 01:01:39", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 15 }, { "conditionType": 13, "severity": 50, "triggeredDate": "03/10/2019 17:01:30", "acknowledgedDate": "", "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP", "alarmName": "Failed Login Attempts", "acknowledgedUsername": "", "ID": 14 } ] }
Human Readable Output
Result:
conditionType | severity | triggeredDate | acknowledgedDate | summary | assignee | alarmName | ID | acknowledgedUsername |
---|---|---|---|---|---|---|---|---|
13 | 50 | 03/11/2019 01:48:10 | 03/11/2019 08:16:19 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 25 | NGCP |
13 | 50 | 03/11/2019 01:44:40 | 03/11/2019 08:16:20 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 24 | NGCP |
13 | 50 | 03/11/2019 01:41:10 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 23 | |
13 | 50 | 03/11/2019 01:27:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 22 | |
13 | 50 | 03/11/2019 01:24:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 21 | |
13 | 50 | 03/11/2019 01:21:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 20 | |
13 | 50 | 03/11/2019 01:19:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 19 | |
13 | 50 | 03/11/2019 01:14:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 18 | |
13 | 50 | 03/11/2019 01:07:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 17 | |
13 | 50 | 03/11/2019 01:06:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 16 | |
13 | 50 | 03/11/2019 01:01:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 15 | |
13 | 50 | 03/10/2019 17:01:30 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 14 | |
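An added triage example (not integration code) that ties the esm-fetch-alarms output to the instance settings described above: ESM timestamps are in the ESM's local time, so they are parsed with the configured ESM time format and shifted by the configured timezone offset to UTC before any comparison, and alarms whose acknowledgedDate is empty are collected into the CSV form that esm-acknowledge-alarms takes. The format string is set to match the sample timestamps on this page rather than the %Y/%m/%d example, the +3 hour offset is a constructed instance setting, and the sample alarms are a constructed subset of the context example.

```python
"""Alarm triage helpers for esm-fetch-alarms output (added example, not integration code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed instance settings: "ESM time format" matching "03/11/2019 01:48:10",
# and "McAfee ESM Timezone in hours" = 3 for an ESM running at +0300.
ESM_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"
ESM_TZ_HOURS = 3


def esm_time_to_utc(value: str, fmt: str = ESM_TIME_FORMAT,
                    tz_hours: int = ESM_TZ_HOURS) -> datetime:
    """Parse an ESM-local timestamp and return it as an aware UTC datetime.

    The ESM reports wall-clock time without an offset, so the configured
    offset is attached first and the result is then normalised to UTC; this is
    the step that keeps ESM alarm times comparable with other UTC log sources.
    """
    local = datetime.strptime(value, fmt).replace(tzinfo=timezone(timedelta(hours=tz_hours)))
    return local.astimezone(timezone.utc)


def unacknowledged_alarm_ids(alarms: List[Dict], min_severity: int = 0) -> str:
    """Return the alarmIds CSV for alarms nobody has acknowledged yet.

    An empty acknowledgedDate (and acknowledgedUsername) is how the fetch output
    marks an unhandled alarm; min_severity lets a playbook leave low-severity
    alarms for a human instead of bulk-acknowledging them.
    """
    ids = sorted(a["ID"] for a in alarms
                 if not a.get("acknowledgedDate") and a["severity"] >= min_severity)
    return ",".join(str(i) for i in ids)


def triggers_since(alarms: List[Dict], since_utc: datetime) -> Dict[str, int]:
    """Count triggers per alarmName at or after since_utc (a UTC datetime).

    Useful for spotting a burst such as the repeated "Failed Login Attempts"
    alarms in the example above.
    """
    counts: Dict[str, int] = {}
    for alarm in alarms:
        if esm_time_to_utc(alarm["triggeredDate"]) >= since_utc:
            counts[alarm["alarmName"]] = counts.get(alarm["alarmName"], 0) + 1
    return counts


# Constructed sample input: five of the alarms from the context example above,
# reduced to the fields the helpers use.
SAMPLE_ALARMS = [
    {"ID": 25, "severity": 50, "alarmName": "Failed Login Attempts",
     "triggeredDate": "03/11/2019 01:48:10", "acknowledgedDate": "03/11/2019 08:16:19"},
    {"ID": 24, "severity": 50, "alarmName": "Failed Login Attempts",
     "triggeredDate": "03/11/2019 01:44:40", "acknowledgedDate": "03/11/2019 08:16:20"},
    {"ID": 23, "severity": 50, "alarmName": "Failed Login Attempts",
     "triggeredDate": "03/11/2019 01:41:10", "acknowledgedDate": ""},
    {"ID": 22, "severity": 50, "alarmName": "Failed Login Attempts",
     "triggeredDate": "03/11/2019 01:27:39", "acknowledgedDate": ""},
    {"ID": 14, "severity": 50, "alarmName": "Failed Login Attempts",
     "triggeredDate": "03/10/2019 17:01:30", "acknowledgedDate": ""},
]

if __name__ == "__main__":
    print("alarm 25 in UTC:", esm_time_to_utc("03/11/2019 01:48:10").isoformat())
    print("alarmIds to acknowledge:", unacknowledged_alarm_ids(SAMPLE_ALARMS))
    print("triggers since 01:00 ESM time:",
          triggers_since(SAMPLE_ALARMS, esm_time_to_utc("03/11/2019 01:00:00")))
```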
4. Get a list of cases
Returns a list of cases from the McAfee ESM.
Base Command
esm-get-case-list
Input
Argument Name | Description | Required |
---|---|---|
since | Filter for a case opened before this date. Given in format " | Optional |
Context Output
Path | Type | Description |
---|---|---|
Case.ID | number | The ID of the case |
Case.Summary | string | The summary of the case |
Case.Status | string | The status of the case |
Case.OpenTime | date | The open time of the case |
Case.Severity | number | The severity of the case |
Case.Assignee | string | The Assignee of the case |
Case.Organization | string | The organization of the case |
Case.EventList | unknown | List of case’s events |
Case.Notes | unknown | List of case’s notes |
Command Example
!esm-get-case-list
Context Example
{ "Case": [ { "Status": "Open", "Summary": "case to be deleted", "OpenTime": "03/11/2019 08:15:02", "ID": 1, "Severity": 1 }, { "Status": "Open", "Summary": "New Virus Detected", "OpenTime": "03/11/2019 11:39:18", "ID": 2, "Severity": 1 }, { "Status": "Open", "Summary": "408944640 - Failed Login Attempts - 306-31", "OpenTime": "03/11/2019 11:41:02", "ID": 3, "Severity": 1 }, { "Status": "Open", "Summary": "this is the first case", "OpenTime": "03/11/2019 12:54:50", "ID": 4, "Severity": 1 }, { "Status": "Open", "Summary": "this is the first case", "OpenTime": "03/11/2019 13:27:22", "ID": 5, "Severity": 1 }, { "Status": "Open", "Summary": "this is the first case", "OpenTime": "03/11/2019 13:29:47", "ID": 6, "Severity": 1 }, { "Status": "Open", "Summary": "this is the first case", "OpenTime": "03/11/2019 13:33:13", "ID": 7, "Severity": 1 } ] }
Human Readable Output
All cases:
ID | Summary | Status | Severity | OpenTime |
---|---|---|---|---|
1 | case to be deleted | Open | 1 | 03/11/2019 08:15:02 |
2 | New Virus Detected | Open | 1 | 03/11/2019 11:39:18 |
3 | 408944640 - Failed Login Attempts - 306-31 | Open | 1 | 03/11/2019 11:41:02 |
4 | this is the first case | Open | 1 | 03/11/2019 12:54:50 |
5 | this is the first case | Open | 1 | 03/11/2019 13:27:22 |
6 | this is the first case | Open | 1 | 03/11/2019 13:29:47 |
7 | this is the first case | Open | 1 | 03/11/2019 13:33:13 |
5. Add a case
Adds a case to McAfee ESM.
Base Command
esm-add-case
Input
Argument Name | Description | Required |
---|---|---|
summary | The name of the case | Required |
status | The status of the case (use esm-get-case-statuses to view all statuses) | Optional |
assignee | The user the case is assigned to | Optional |
severity | The severity of the case (1 - 100) | Optional |
organization | The organization assigned to the case (use esm-get-organization-list to view all organizations) | Optional |
Context Output
Path | Type | Description |
---|---|---|
Case.ID | number | The ID of the case |
Case.Summary | string | The summary of the case |
Case.Status | string | The status of the case |
Case.OpenTime | date | The open time of the case |
Case.Severity | number | The severity of the case |
Case.Assignee | string | The assignee of the case |
Case.Organization | string | The organization of the case |
Case.EventList | unknown | List of case’s events |
Case.Notes | unknown | List of case’s notes |
Command Example
!esm-add-case summary="this is the first case"
Context Example
{ "Case": [ { "Status": "Open", "OpenTime": "03/11/2019 15:07:22", "Severity": 1, "EventList": [], "Notes": [ { "action": "Open", "content": "", "username": "NGCP", "changes": [], "timestamp": "03/11/2019 15:07:22(GMT)" } ], "Summary": "this is the first case", "Assignee": "NGCP", "Organization": "None", "ID": 8 } ] }
Human Readable Output
New Case:
ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
---|---|---|---|---|---|---|---|---|
8 | this is the first case | Open | 1 | 03/11/2019 15:07:22 | NGCP | None | [] | [{"action": "Open", "timestamp": "03/11/2019 15:07:22(GMT)", "username": "NGCP", "content": "", "changes": []}] |
6. Edit a case
Modifies an existing case.
Base Command
esm-edit-case
Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the case | Required |
summary | The name of the case | Optional |
severity | The new severity of the case (1 - 100) | Optional |
assignee | The user that the case should be assigned to | Optional |
status | The new status of the case (use the esm-get-case-statuses command to view all statuses) | Optional |
organization | The organization assigned to the case (use the esm-get-organization-list command to view all organizations) | Optional |
Context Output
Path | Type | Description |
---|---|---|
Case.ID | number | The ID of the case |
Case.Summary | string | The summary of the case |
Case.Status | string | The status of the case |
Case.OpenTime | date | The open time of the case |
Case.Severity | number | The severity of the case |
Case.Assignee | string | The Assignee of the case |
Case.Organization | string | The organization of the case |
Case.EventList | unknown | List of case’s events |
Case.Notes | unknown | List of case’s notes |
Command Example
!esm-edit-case id="2" summary="editing first case" severity="50" organization="LuthorCorp"
Context Example
{ "Case": [ { "Status": "Open", "OpenTime": "03/11/2019 11:39:18", "Severity": 50, "EventList": [], "Notes": [ { "action": "Changes", "content": "Summary\n old: New Virus Detected\n new: editing first case\n\n Severity\n old: 1\n new: 50", "username": "NGCP", "changes": [ { "changeType": "Summary", "changes": [ "old: New Virus Detected", "new: editing first case" ] }, { "changeType": "Severity", "changes": [ "old: 1", "new: 50" ] } ], "timestamp": "03/11/2019 15:07:26(GMT)" }, { "action": "Changes", "content": "Summary\n old: editing first case\n new: New Virus Detected\n\n Severity\n old: 50\n new: 1", "username": "NGCP", "changes": [ { "changeType": "Summary", "changes": [ "old: editing first case", "new: New Virus Detected" ] }, { "changeType": "Severity", "changes": [ "old: 50", "new: 1" ] } ], "timestamp": "03/11/2019 15:01:28(GMT)" }, { "action": "Changes", "content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50", "username": "NGCP", "changes": [ { "changeType": "Summary", "changes": [ "old: New Virus Detection", "new: editing first case" ] }, { "changeType": "Severity", "changes": [ "old: 1", "new: 50" ] } ], "timestamp": "03/11/2019 13:33:16(GMT)" }, { "action": "Changes", "content": "Summary\n old: editing first New Virus Detection\n new: New Virus Detection", "username": "NGCP", "changes": [ { "changeType": "Summary", "changes": [ "old: editing first New Virus Detection", "new: New Virus Detection" ] } ], "timestamp": "03/11/2019 13:31:59(GMT)" }, { "action": "Changes", "content": "Summary\n old: editing first case\n new: editing first New Virus Detection\n\n Severity\n old: 50\n new: 1", "username": "NGCP", "changes": [ { "changeType": "Summary", "changes": [ "old: editing first case", "new: editing first New Virus Detection" ] }, { "changeType": "Severity", "changes": [ "old: 50", "new: 1" ] } ], "timestamp": "03/11/2019 13:31:45(GMT)" }, { "action": "Changes", "content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50", "username": "NGCP", "changes": [ { "changeType": "Summary", "changes": [ "old: New Virus Detection", "new: editing first case" ] }, { "changeType": "Severity", "changes": [ "old: 1", "new: 50" ] } ], "timestamp": "03/11/2019 13:27:25(GMT)" }, { "action": "Open", "content": "", "username": "NGCP", "changes": [], "timestamp": "03/11/2019 11:39:18(GMT)" } ], "Summary": "editing first case", "Assignee": "NGCP", "Organization": "None", "ID": 2 } ] }
Human Readable Output
Edited Case:
ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
---|---|---|---|---|---|---|---|---|
2 | editing first case | Open | 50 | 03/11/2019 11:39:18 | NGCP | None | [] | [{"action": "Changes", "timestamp": "03/11/2019 15:07:26(GMT)", "username": "NGCP", "content": "Summary\n old: New Virus Detected\n new: editing first case\n\n Severity\n old: 1\n new: 50", "changes": [{"changeType": "Summary", "changes": ["old: New Virus Detected", "new: editing first case"]}, {"changeType": "Severity", "changes": ["old: 1", "new: 50"]}]}, {"action": "Changes", "timestamp": "03/11/2019 15:01:28(GMT)", "username": "NGCP", "content": "Summary\n old: editing first case\n new: New Virus Detected\n\n Severity\n old: 50\n new: 1", "changes": [{"changeType": "Summary", "changes": ["old: editing first case", "new: New Virus Detected"]}, {"changeType": "Severity", "changes": ["old: 50", "new: 1"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:33:16(GMT)", "username": "NGCP", "content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50", "changes": [{"changeType": "Summary", "changes": ["old: New Virus Detection", "new: editing first case"]}, {"changeType": "Severity", "changes": ["old: 1", "new: 50"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:31:59(GMT)", "username": "NGCP", "content": "Summary\n old: editing first New Virus Detection\n new: New Virus Detection", "changes": [{"changeType": "Summary", "changes": ["old: editing first New Virus Detection", "new: New Virus Detection"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:31:45(GMT)", "username": "NGCP", "content": "Summary\n old: editing first case\n new: editing first New Virus Detection\n\n Severity\n old: 50\n new: 1", "changes": [{"changeType": "Summary", "changes": ["old: editing first case", "new: editing first New Virus Detection"]}, {"changeType": "Severity", "changes": ["old: 50", "new: 1"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:27:25(GMT)", "username": "NGCP", "content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50", "changes": [{"changeType": "Summary", "changes": ["old: New Virus Detection", "new: editing first case"]}, {"changeType": "Severity", "changes": ["old: 1", "new: 50"]}]}, {"action": "Open", "timestamp": "03/11/2019 11:39:18(GMT)", "username": "NGCP", "content": "", "changes": []}] |
7. Get a list of case statuses
Returns a list of valid case statuses from McAfee ESM.
Base Command
esm-get-case-statuses
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!esm-get-case-statuses
Human Readable Output
Result:
ID | Name | Is Default | Show In Case Pane |
---|---|---|---|
2 | Closed | false | false |
1 | Open | true | true |
8 | Pending | false | true |
4 | Research | false | false |
8. Edit the status of a case
Modifies a case status.
Base Command
esm-edit-case-status
Input
Argument Name | Description | Required |
---|---|---|
original_name | The name of the case status to edit | Required |
new_name | The new name for the case status | Required |
show_in_case_pane | Whether the status will be shown in the case pane | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-edit-case-status original_name=Research new_name=RnD
Human Readable Output
Edit case status with ID: 4
9. Get details of a case
Returns details about an existing case.
Base Command
esm-get-case-detail
Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the case | Required |
Context Output
Path | Type | Description |
---|---|---|
Case.ID | number | The ID of the case |
Case.Summary | string | The summary of the case |
Case.Status | string | The status of the case |
Case.OpenTime | date | The open time of the case |
Case.Severity | number | The severity of the case |
Case.Assignee | string | The assignee of the case |
Case.Organization | string | The organization of the case |
Case.EventList | unknown | List of case’s events |
Case.Notes | unknown | List of case’s notes |
Command Example
!esm-get-case-detail id=3
Context Example
{ "Case": [ { "Status": "Open", "OpenTime": "03/11/2019 11:41:02", "Severity": 1, "EventList": [ { "message": "Failed User Logon", "lastTime": "03/11/2019 01:01:13", "id": { "value": "144115188075855872|8850" } } ], "Notes": [ { "action": "Open", "content": "Events Added: 144115188075855872|8850\n Events Removed:", "username": "NGCP", "changes": [ { "changeType": "Events Added", "changes": [ "144115188075855872|8850" ] }, { "changeType": "Events Removed", "changes": [] } ], "timestamp": "03/11/2019 11:41:02(GMT)" } ], "Summary": "408944640 - Failed Login Attempts - 306-31", "Assignee": "NGCP", "Organization": "None", "ID": 3 } ] }
Human Readable Output
Case 3:
ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
---|---|---|---|---|---|---|---|---|
3 | 408944640 - Failed Login Attempts - 306-31 | Open | 1 | 03/11/2019 11:41:02 | NGCP | None | [{"message": "Failed User Logon", "lastTime": "03/11/2019 01:01:13", "id": {"value": "144115188075855872|8850"}}] | [{"action": "Open", "timestamp": "03/11/2019 11:41:02(GMT)", "username": "NGCP", "content": "Events Added: 144115188075855872|8850\n Events Removed:", "changes": [{"changeType": "Events Added", "changes": ["144115188075855872|8850"]}, {"changeType": "Events Removed", "changes": []}]}] |
10. Get details of a case event
Returns case event details.
Base Command
esm-get-case-event-list
Input
Argument Name | Description | Required |
---|---|---|
ids | CSV list of event IDs | Required |
Context Output
Path | Type | Description |
---|---|---|
CaseEvents.ID | string | The ID of the event |
CaseEvents.LastTime | date | The last updated time of the event |
CaseEvents.Message | string | The message of the event |
Command Example
!esm-get-case-event-list ids=144115188075855872|8850,144115188075855872|9718
Context Example
{ "CaseEvents": [ { "Message": "Failed User Logon", "LastTime": "03/11/2019 01:01:13", "ID": "144115188075855872|8850" }, { "Message": "User Logon", "LastTime": "03/11/2019 11:09:37", "ID": "144115188075855872|9718" } ] }
Human Readable Output
Case Events:
ID | LastTime | Message |
---|---|---|
144115188075855872|8850 | 03/11/2019 01:01:13 | Failed User Logon |
144115188075855872|9718 | 03/11/2019 11:09:37 | User Logon |
11. Add a status to a case
Adds a case status to a case.
Base Command
esm-add-case-status
Input
Argument Name | Description | Required |
---|---|---|
name | The name of the case status | Required |
show_in_case_pane | Whether the status will be shown in case pane | Optional |
Context Output
There is no context output for this command.
Command Example
!esm-add-case-status name=Deprecated
Human Readable Output
Added case status : Deprecated
12. Remove a status from a case
Deletes a case status from a case.
Base Command
esm-delete-case-status
Input
Argument Name | Description | Required |
---|---|---|
name | The name of the case status to delete | Required |
Context Output
There is no context output for this command.
Command Example
esm-delete-case-status name=Pending
Human Readable Output
Deleted case status with ID: 8
13. Get a list of case organizations
Returns a list of case organizations.
Base Command
esm-get-organization-list
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Organizations.ID | number | Organization ID |
Organizations.Name | string | Organization Name |
Command Example
!esm-get-organization-list
Context Example
{ "Organizations": [ { "ID": 1, "Name": "None" } ] }
Human Readable Output
Organizations:
ID | Name |
---|---|
1 | None |
14. Get a list of all users
Returns a list of all users.
Base Command
esm-get-user-list
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
EsmUser.ID | number | The ID of the user |
EsmUser.Name | string | The ESM user name |
EsmUser.Email | string | The email address of the user |
EsmUser.SMS | string | The SMS details of the user |
EsmUser.IsMaster | boolean | Whether the user is a master user |
EsmUser.IsAdmin | boolean | Whether the user is an admin |
Command Example
!esm-get-user-list
Context Example
{ "EsmUser": [ { "IsMaster": true, "Name": "NGCP", "SMS": "", "ID": 1, "IsAdmin": false, "Email": "" }, { "IsMaster": false, "Name": "POLICY", "SMS": "", "ID": 3, "IsAdmin": false, "Email": "" }, { "IsMaster": false, "Name": "REPORT", "SMS": "", "ID": 2, "IsAdmin": false, "Email": "" } ] }
Human Readable Output
Users:
ID | Name | SMS | IsMaster | IsAdmin | Email |
---|---|---|---|---|---|
1 | NGCP | | true | false | |
3 | POLICY | | false | false | |
2 | REPORT | | false | false | |
15. Mark triggered alarms as acknowledged
Marks triggered alarms as acknowledged.
Base Command
esm-acknowledge-alarms
Input
Argument Name | Description | Required |
---|---|---|
alarmIds | A CSV list of triggered alarm IDs to be marked acknowledged | Required |
Context Output
There is no context output for this command.
Command Example
!esm-acknowledge-alarms alarmIds=2,5,6
Human Readable Output
Alarms has been Acknowledged.
16. Mark triggered alarms as unacknowledged
Marks triggered alarms as unacknowledged.
Base Command
esm-unacknowledge-alarms
Input
Argument Name | Description | Required |
---|---|---|
alarmIds | A CSV list of triggered alarm IDs to be marked unacknowledged | Required |
Context Output
There is no context output for this command.
Command Example
!esm-unacknowledge-alarms alarmIds="1,8,7"
Human Readable Output
Alarms has been Unacknowledged.
17. Delete triggered alarms
Deletes triggered alarms.
Base Command
esm-delete-alarms
Input
Argument Name | Description | Required |
---|---|---|
alarmIds | A CSV list of triggered alarm IDs to be deleted | Required |
Context Output
There is no context output for this command.
Command Example
!esm-delete-alarms alarmIds=26
Human Readable Output
Alarms has been Deleted.
18. Get details for a triggered alarm
Returns details for a triggered alarm.
Base Command
esm-get-alarm-event-details
Input
Argument Name | Description | Required |
---|---|---|
eventId | The event to get the details for. The ID can be retrieved from the esm-list-alarm-events command. | Required |
Context Output
Path | Type | Description |
---|---|---|
EsmAlarmEvent.ID | string | Event ID |
EsmAlarmEvent.SubType | string | Event type |
EsmAlarmEvent.Severity | number | Event severity |
EsmAlarmEvent.Message | string | Event message |
EsmAlarmEvent.LastTime | date | Event time |
EsmAlarmEvent.SrcIP | string | Source IP of the event |
EsmAlarmEvent.DstIP | string | Destination IP of the event |
EsmAlarmEvent.Cases | unknown | A list of related cases to the event |
EsmAlarmEvent.Cases.ID | string | Case ID |
EsmAlarmEvent.Cases.OpenTime | date | Case creation time |
EsmAlarmEvent.Cases.Severity | number | Case severity |
EsmAlarmEvent.Cases.Status | string | Case status |
EsmAlarmEvent.Cases.Summary | string | Case summary |
EsmAlarmEvent.DstMac | string | Destination MAC of the event |
EsmAlarmEvent.SrcMac | string | Source MAC of the event |
EsmAlarmEvent.DstPort | string | Destination port of the event |
EsmAlarmEvent.SrcPort | string | Source port of the event |
EsmAlarmEvent.FirstTime | date | The first time for the event |
EsmAlarmEvent.NormalizedDescription | string | Normalized description of the event |
Command Example
!esm-get-alarm-event-details eventId="144115188075855872|9718"
Context Example
{ "EsmAlarmEvent": [ { "DstIP": "192.168.1.25", "FirstTime": "03/11/2019 11:09:37", "Severity": 19, "DstPort": "0", "SrcPort": "0", "DstMac": "00:00:00:00:00:00", "SubType": "success", "SrcIP": "52.15.91.198", "Message": "User Logon", "LastTime": "03/11/2019 11:09:37", "ID": "144115188075855872|9718", "NormalizedDescription": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.", "SrcMac": "00:00:00:00:00:00" } ] }
Human Readable Output
Alarm Events:
ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
---|---|---|---|---|---|---|---|---|
144115188075855872|9718 | success | 19 | User Logon | 03/11/2019 11:09:37 | 52.15.91.198 | 0 | 192.168.1.25 | 0 |
19. Get an event list related to an alarm
Returns an event list related to an alarm.
Base Command
esm-list-alarm-events
Input
Argument Name | Description | Required |
---|---|---|
alarmId | The alarm to get the details for. The ID can be retrieved from the esm-fetch-alarms command. | Required |
Context Output
Path | Type | Description |
---|---|---|
EsmAlarmEvent.ID | string | Event ID |
EsmAlarmEvent.SubType | string | Event type |
EsmAlarmEvent.Severity | number | Event severity |
EsmAlarmEvent.Message | string | Event message |
EsmAlarmEvent.LastTime | date | Event time |
EsmAlarmEvent.SrcIP | string | Source IP of the event |
EsmAlarmEvent.DstIP | string | Destination IP of the event |
EsmAlarmEvent.Cases | unknown | A list of related cases to the event |
EsmAlarmEvent.Cases.ID | string | Case ID |
EsmAlarmEvent.Cases.OpenTime | date | Case creation time |
EsmAlarmEvent.Cases.Severity | number | Case severity |
EsmAlarmEvent.Cases.Status | string | Case status |
EsmAlarmEvent.Cases.Summary | string | Case summary |
Command Example
!esm-list-alarm-events alarmId="24"
Context Example
{ "EsmAlarmEvent": [ { "DstIP": "192.168.1.25", "Severity": 25, "SubType": "failure", "SrcIP": "186.29.149.40", "Message": "Failed User Logon", "LastTime": "03/11/2019 01:44:27", "ID": "144115188075855872|8919" } ] }
Human Readable Output
Alarm Events:
ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
---|---|---|---|---|---|---|---|---|
144115188075855872|8919 | failure | 25 | Failed User Logon | 03/11/2019 01:44:27 | 186.29.149.40 | | 192.168.1.25 | |