McAfee ESM v2

This integration is part of the McAfee ESM Pack.

Run queries and receive alarms from Intel Security ESM. This integration was integrated and tested with version 11.3 of McAfee ESM v2. Previous versions have been declared EOL by the vendor.

Configure McAfee ESM v2 in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| url | Base URL (e.g. https://example.com) | True |
| credentials | Username | True |
| version | Version: (one of 10.0, 10.1, 10.2, 10.3, 11.1, 11.3) | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| fetchType | Fetch Types: cases, alarms, both (relevant only for fetch incident mode) | False |
| startingFetchID | Start fetch after ID: (relevant only for fetch incident mode) | False |
| fetchLimitCases | Fetch cases limit | False |
| fetchTime | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| fetchLimitAlarms | Fetch alarms limit | False |
| timezone | McAfee ESM Timezone in hours (e.g. if the ESM timezone is +0300, then insert 3) | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

Required Permissions

| Component | Permission |
| --- | --- |
| Alarms | Alarm Management and View Data |
| Cases | Incident Management Administrator and Incident Management User |
| Watchlists | Watchlists |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

esm-fetch-fields

Gets all fields that can be used in query filters, including type information for each field.

Base Command

esm-fetch-fields

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!esm-fetch-fields

Human Readable Output

Fields

| name | types |
| --- | --- |
| AppID | STRING |
| CommandID | STRING |
| DomainID | STRING |
| HostID | STRING |
| ObjectID | STRING |
| UserIDDst | STRING |
| UserIDSrc | STRING |
| URL | SSTRING |
| Database_Name | STRING |
| Message_Text | SSTRING |
| Response_Time | UINT32 |
| Application_Protocol | STRING |
| Object_Type | STRING |
| Filename | SSTRING |
| From | SSTRING |
| To | SSTRING |
| Cc | SSTRING |
| Bcc | SSTRING |
| Subject | SSTRING |
| Method | STRING |
| User_Agent | SSTRING |
| Cookie | SSTRING |
| Referer | SSTRING |
| File_Operation | STRING |
| File_Operation_Succeeded | STRING |
| Destination_Filename | SSTRING |
| User_Nickname | STRING |
| Contact_Name | STRING |
| Contact_Nickname | STRING |
| Client_Version | SSTRING |
| Job_Name | SSTRING |
| Language | SSTRING |
| SWF_URL | SSTRING |
| TC_URL | SSTRING |
| RTMP_Application | SSTRING |
| Version | SSTRING |
| Local_User_Name | SSTRING |
| NAT_Details | UINT16,IPV4 |
| Network_Layer | SIGID |
| Transport_Layer | SIGID |
| Session_Layer | SIGID |
| Application_Layer | SIGID |
| HTTP_Layer | SIGID |
| HTTP_Req_URL | SSTRING |
| HTTP_Req_Cookie | SSTRING |
| HTTP_Req_Referer | SSTRING |
| HTTP_Req_Host | SSTRING |
| HTTP_Req_Method | SSTRING |
| HTTP_User_Agent | SSTRING |
| DNS_Name | SSTRING |
| DNS_Type | STRING |
| DNS_Class | STRING |
| Query_Response | STRING |
| Authoritative_Answer | STRING |
| SNMP_Operation | STRING |
| SNMP_Item_Type | STRING |
| SNMP_Version | STRING |
| SNMP_Error_Code | STRING |
| NTP_Client_Mode | STRING |
| NTP_Server_Mode | STRING |
| NTP_Request | STRING |
| NTP_Opcode | STRING |
| SNMP_Item | SSTRING |
| Interface | STRING |
| Direction | STRING |
| Sensor_Name | STRING |
| Sensor_UUID | SSTRING |
| Sensor_Type | STRING |
| Signature_Name | SSTRING |
| Threat_Name | SSTRING |
| Destination_Hostname | SSTRING |
| Category | SSTRING |
| Process_Name | SSTRING |
| Grid_Master_IP | IP |
| Response_Code | STRING |
| Device_Port | UINT64 |
| Device_IP | IP |
| PID | UINT64 |
| Target_Context | SSTRING |
| Source_Context | SSTRING |
| Target_Class | SSTRING |
| Policy_Name | SSTRING |
| Destination_Zone | SSTRING |
| Source_Zone | SSTRING |
| Queue_ID | STRLIT |
| Delivery_ID | SSTRING |
| Recipient_ID | SSTRING |
| Spam_Score | FLOAT |
| Mail_ID | SSTRING |
| To_Address | SSTRING |
| From_Address | SSTRING |
| Message_ID | SSTRING |
| Request_Type | SSTRING |
| SQL_Statement | SSTRING |
| External_EventID | UINT64 |
| Event_Class | SSTRING |
| Description | SSTRING |
| File_Hash | GUID |
| Mainframe_Job_Name | SSTRING |
| External_SubEventID | UINT64 |
| Destination_UserID | SSTRING |
| Source_UserID | SSTRING |
| Volume_ID | SSTRING |
| Step_Name | SSTRING |
| Step_Count | SSTRING |
| LPAR_DB2_Subsystem | SSTRING |
| Logical_Unit_Name | SSTRING |
| Job_Type | SSTRING |
| FTP_Command | SSTRING |
| File_Type | SSTRING |
| DB2_Plan_Name | SSTRING |
| Catalog_Name | SSTRING |
| Access_Resource | SSTRING |
| Table_Name | SSTRING |
| External_DB2_Server | SSTRING |
| External_Application | SSTRING |
| Creator_Name | SSTRING |
| Return_Code | STRING |
| Database_ID | SSTRING |
| Incoming_ID | SSTRING |
| Handle_ID | UINT64 |
| Destination_Network | SSTRING |
| Source_Network | SSTRING |
| Malware_Insp_Result | SSTRING |
| Malware_Insp_Action | SSTRING |
| External_Hostname | SSTRING |
| Privileged_User | SSTRING |
| Facility | SSTRING |
| Area | SSTRING |
| Instance_GUID | GUID |
| Logon_Type | SSTRING |
| Operating_System | SSTRING |
| File_Path | SSTRING |
| Agent_GUID | GUID |
| Reputation | UINT64 |
| URL_Category | SSTRING |
| Session_Status | SSTRING |
| Destination_Logon_ID | SSTRING |
| Source_Logon_ID | SSTRING |
| UUID | GUID |
| External_SessionID | SSTRING |
| Management_Server | SSTRING |
| Detection_Method | SSTRING |
| Target_Process_Name | SSTRING |
| Analyzer_DAT_Version | FLOAT |
| Forwarding_Status | SSTRING |
| Reason | SSTRING |
| Threat_Handled | SSTRING |
| Threat_Category | SSTRING |
| Device_Action | SSTRING |
| Database_GUID | GUID |
| SQL_Command | SSTRING |
| Destination_Directory | SSTRING |
| Directory | SSTRING |
| Mailbox | SSTRING |
| Handheld_ID | UINT64 |
| Policy_ID | UINT64 |
| Server_ID | UINT64 |
| Registry_Value | SSTRING |
| Registry_Key | SSTRING |
| Caller_Process | SSTRING |
| DAT_Version | FLOAT |
| Interface_Dest | SSTRING |
| Datacenter_Name | SSTRING |
| Datacenter_ID | SSTRING |
| Virtual_Machine_ID | SSTRING |
| Virtual_Machine_Name | SSTRING |
| PCAP_Name | SSTRING |
| Search_Query | SSTRING |
| Service_Name | SSTRING |
| External_Device_Name | SSTRING |
| External_Device_ID | SSTRING |
| External_Device_Type | SSTRING |
| Organizational_Unit | SSTRING |
| Privileges | SSTRING |
| Reputation_Name | SSTRING |
| Vulnerability_References | SSTRING |
| Web_Domain | SSTRING |
| Sub_Status | SSTRING |
| Status | SSTRING |
| Access_Privileges | SSTRING |
| Rule_Name | SSTRING |
| App_Layer_Protocol | SSTRING |
| Group_Name | SSTRING |
| Authentication_Type | SSTRING |
| New_Value | SSTRING |
| Old_Value | SSTRING |
| Security_ID | SSTRING |
| SHA1 | SSTRING |
| Reputation_Score | FLOAT |
| Parent_File_Hash | GUID |
| File_ID | SSTRING |
| Engine_List | SSTRING |
| Device_URL | SSTRING |
| Attacker_IP | IPV4 |
| Victim_IP | IPV4 |
| Incident_ID | INT64 |
| Attribute_Type | SSTRING |
| Access_Mask | SSTRING |
| Object_GUID | GUID |
| VPN_Feature_Name | SSTRING |
| Reputation_Server_IP | IP |
| DNS_Server_IP | IP |
| Hash_Type | SSTRING |
| Hash | SSTRING |
| Subcategory | SSTRING |
| Wireless_SSID | SSTRING |
| Share_Name | SSTRING |
| CnC_Host | SSTRING |
| Device_Confidence | UINT64 |
| SHA256 | SSTRING |
| AppID | STRING |
| CommandID | STRING |
| DSIDSigID | SIGID |
| Action | UINT8 |
| ASNGeoDst | UINT64 |
| DSID | UINT64 |
| ZoneDst | UINT16 |
| SigID | SIGID |
| GUIDSrc | GUID |
| NDDevIDSrc | UINT16 |
| ID | UINT64 |
| Protocol | UINT8 |
| NormID | UINT32 |
| ZoneSrc | UINT16 |
| FirstTime | UINT32 |
| SrcPort | UINT16 |
| AvgSeverity | FLOAT |
| DstPort | UINT16 |
| SrcIP | IP |
| GUIDDst | GUID |
| DstIP | IP |
| NDDevIDDst | UINT16 |
| SrcMac | MAC_ADDRESS |
| SessionID | UINT64 |
| ASNGeoSrc | UINT64 |
| DstMac | MAC_ADDRESS |
| LastTime | UINT32 |

esm-search

Performs a query against the McAfee ESM SIEM.

Base Command

esm-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timeRange | The time period for the search. Can be LAST_3_DAYS, LAST_2_DAYS, LAST_24_HOURS, PREVIOUS_DAY, CURRENT_DAY, LAST_HOUR, LAST_30_MINUTES, LAST_10_MINUTES, LAST_MINUTE, CUSTOM, PREVIOUS_YEAR, CURRENT_YEAR, PREVIOUS_QUARTER, CURRENT_QUARTER, PREVIOUS_MONTH, CURRENT_MONTH, PREVIOUS_WEEK, or CURRENT_WEEK. | Optional |
| filters | Filter on the query results. Must be a JSON string in the EsmFilter format (read more at https://<esm-ip>:<esm-port>/rs/esm/help/types/EsmFilter). | Required |
| queryType | Type of query to run. Can be "EVENT", "FLOW", or "ASSETS". Default is "EVENT". | Optional |
| timeOut | Maximum time to wait before timeout (in minutes). Default is 30. | Optional |
| customStart | If the timeRange argument is set to CUSTOM, the start time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| customEnd | If the timeRange argument is set to CUSTOM, the end time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| fields | The fields that will be selected when this query is executed. | Optional |
| limit | Query results can be limited to a maximum row count. | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-search timeRange="CURRENT_YEAR" filters="[{\"type\":\"EsmFieldFilter\",\"field\":{\"name\":\"SrcIP\"},\"operator\":\"IN\"}]" limit="3"
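The following is an added example, not code from the integration or the pack: it builds a validated argument set for esm-search (the CUSTOM time range rule, the EsmFilter JSON string and its quote escaping as in the command line above), and splits the `IPSID|AlertID` value that the results carry. The `values` list of `EsmBasicValue` objects inside an `EsmFieldFilter` is assumed from the ESM API help page linked in the filters argument; the page's own example shows only type, field and operator.

```python
"""Added example (not part of the McAfee ESM v2 integration or its pack):
build the argument set for !esm-search and post-process the rows it returns."""
import json
import re

# Values accepted by the timeRange and queryType arguments, as listed on the page.
TIME_RANGES = {
    "LAST_3_DAYS", "LAST_2_DAYS", "LAST_24_HOURS", "PREVIOUS_DAY", "CURRENT_DAY",
    "LAST_HOUR", "LAST_30_MINUTES", "LAST_10_MINUTES", "LAST_MINUTE", "CUSTOM",
    "PREVIOUS_YEAR", "CURRENT_YEAR", "PREVIOUS_QUARTER", "CURRENT_QUARTER",
    "PREVIOUS_MONTH", "CURRENT_MONTH", "PREVIOUS_WEEK", "CURRENT_WEEK",
}
QUERY_TYPES = {"EVENT", "FLOW", "ASSETS"}
# Timestamp shape the page gives for customStart/customEnd (2017-06-01T12:48:16.734Z).
ISO_Z = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$")


def esm_field_filter(field, operator, values):
    """One EsmFieldFilter element for the filters argument. The 'values' list of
    EsmBasicValue objects is an assumption taken from the ESM API help page."""
    return {
        "type": "EsmFieldFilter",
        "field": {"name": field},
        "operator": operator,
        "values": [{"type": "EsmBasicValue", "value": str(v)} for v in values],
    }


def build_search_args(filters, time_range="LAST_24_HOURS", query_type="EVENT",
                      limit=None, custom_start=None, custom_end=None):
    """Validate the inputs and return the esm-search argument dict.
    filters is JSON-encoded because the command takes it as a string."""
    if time_range not in TIME_RANGES:
        raise ValueError(f"unknown timeRange {time_range!r}")
    if query_type not in QUERY_TYPES:
        raise ValueError(f"unknown queryType {query_type!r}")
    if time_range == "CUSTOM":
        for name, value in (("customStart", custom_start), ("customEnd", custom_end)):
            if not value or not ISO_Z.match(value):
                raise ValueError(f"{name} is required for CUSTOM, e.g. 2017-06-01T12:48:16.734Z")
    elif custom_start or custom_end:
        raise ValueError("customStart/customEnd only apply when timeRange is CUSTOM")
    if not filters:
        raise ValueError("filters is required")
    args = {
        "timeRange": time_range,
        # Compact separators give the same form as the page's command example.
        "filters": json.dumps(filters, separators=(",", ":")),
        "queryType": query_type,
    }
    if time_range == "CUSTOM":
        args["customStart"], args["customEnd"] = custom_start, custom_end
    if limit is not None:
        if int(limit) <= 0:
            raise ValueError("limit must be positive")
        args["limit"] = str(int(limit))
    return args


def to_war_room_line(args):
    """Render the arguments as a !esm-search line, escaping the double quotes
    inside the JSON the way the page's command example does."""
    rendered = [f'{k}="{v.replace(chr(34), chr(92) + chr(34))}"' for k, v in args.items()]
    return "!esm-search " + " ".join(rendered)


def split_ipsid_alert_id(composite):
    """Split the 'IPSID|AlertID' value of AlertIPSIDAlertID (the same shape the
    eventId argument of esm-get-alarm-event-details takes) into two integers."""
    ipsid, alert_id = composite.split("|", 1)
    return int(ipsid), int(alert_id)


def hits_per_source(results):
    """Count returned rows per source IP, a quick triage view of a search."""
    counts = {}
    for row in results:
        counts[row["AlertSrcIP"]] = counts.get(row["AlertSrcIP"], 0) + 1
    return counts


# Constructed sample rows, shaped like the page's esm-search context example.
SAMPLE_RESULTS = [
    {"AlertIPSIDAlertID": "144115188075855872|779674", "AlertSrcIP": "22.22.22.22"},
    {"AlertIPSIDAlertID": "144115188075855872|779675", "AlertSrcIP": "22.22.22.22"},
    {"AlertIPSIDAlertID": "144115188075855872|779676", "AlertSrcIP": "33.33.33.33"},
]

if __name__ == "__main__":
    search = build_search_args(
        [esm_field_filter("SrcIP", "IN", ["22.22.22.22", "33.33.33.33"])],
        time_range="CURRENT_YEAR", limit=3)
    print(to_war_room_line(search))
    print(hits_per_source(SAMPLE_RESULTS))
```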

Context Example

{
"McAfeeESM": {
"results": [
{
"ActionName": "success",
"AlertDstIP": "192.168.1.111",
"AlertDstPort": "0",
"AlertIPSIDAlertID": "144115188075855872|779674",
"AlertLastTime": "2020-01-01T05:48:20Z",
"AlertProtocol": "n/a",
"AlertSrcIP": "22.22.22.22",
"AlertSrcPort": "0"
},
{
"ActionName": "success",
"AlertDstIP": "192.168.1.111",
"AlertDstPort": "0",
"AlertIPSIDAlertID": "144115188075855872|779675",
"AlertLastTime": "2020-01-01T05:48:22Z",
"AlertProtocol": "n/a",
"AlertSrcIP": "22.22.22.22",
"AlertSrcPort": "0"
},
{
"ActionName": "success",
"AlertDstIP": "192.168.1.111",
"AlertDstPort": "0",
"AlertIPSIDAlertID": "144115188075855872|779676",
"AlertLastTime": "2020-01-01T10:51:57Z",
"AlertProtocol": "n/a",
"AlertSrcIP": "33.33.33.33",
"AlertSrcPort": "0"
}
]
}
}

Human Readable Output

Search results

| Alert.IPSIDAlertID | Alert.SrcIP | Alert.SrcPort | Alert.DstIP | Alert.DstPort | Alert.Protocol | Alert.LastTime | Action.Name |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 144115188075855872\|779674 | 22.22.22.22 | 0 | 192.168.1.111 | 0 | n/a | 2020-01-01T05:48:20Z | success |
| 144115188075855872\|779675 | 22.22.22.22 | 0 | 192.168.1.111 | 0 | n/a | 2020-01-01T05:48:22Z | success |
| 144115188075855872\|779676 | 33.33.33.33 | 0 | 192.168.1.111 | 0 | n/a | 2020-01-01T10:51:57Z | success |

esm-fetch-alarms

Retrieves a list of triggered alarms.

Base Command

esm-fetch-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timeRange | The time period for the search. Can be LAST_3_DAYS, LAST_2_DAYS, LAST_24_HOURS, PREVIOUS_DAY, CURRENT_DAY, LAST_HOUR, LAST_30_MINUTES, LAST_10_MINUTES, LAST_MINUTE, CUSTOM, PREVIOUS_YEAR, CURRENT_YEAR, PREVIOUS_QUARTER, CURRENT_QUARTER, PREVIOUS_MONTH, CURRENT_MONTH, PREVIOUS_WEEK, or CURRENT_WEEK. | Optional |
| customStart | If the timeRange argument is set to CUSTOM, the start time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| customEnd | If the timeRange argument is set to CUSTOM, the end time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| assignedUser | User assigned to handle the triggered alarm. Use the 'ME' option to use the instance user, or use the EsmUser format. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Alarm.ID | number | Alarm ID. |
| McAfeeESM.Alarm.summary | string | Alarm summary. |
| McAfeeESM.Alarm.assignee | string | Alarm assignee. |
| McAfeeESM.Alarm.severity | number | Alarm severity. |
| McAfeeESM.Alarm.triggeredDate | date | Alarm triggered date. |
| McAfeeESM.Alarm.acknowledgedDate | date | Alarm acknowledged date. |
| McAfeeESM.Alarm.acknowledgedUsername | string | Alarm acknowledged username. |
| McAfeeESM.Alarm.alarmName | string | Alarm name. |
| McAfeeESM.Alarm.conditionType | number | Alarm condition type. |

Command Example

!esm-fetch-alarms timeRange=CURRENT_MONTH

Context Example

{
"McAfeeESM": {
"Alarm": [
{
"ID": 42710,
"acknowledgedDate": "",
"acknowledgedUsername": "",
"alarmName": "Alarm Test",
"assignee": "ANALYST",
"conditionType": 22,
"severity": 50,
"summary": "Event rate exceeded 10 by 17",
"triggeredDate": "2020-06-24T13:05:43Z"
},
{
"ID": 42709,
"acknowledgedDate": "",
"acknowledgedUsername": "",
"alarmName": "Alarm Test",
"assignee": "ANALYST",
"conditionType": 22,
"severity": 50,
"summary": "Event rate exceeded 10 by 1",
"triggeredDate": "2020-06-24T12:53:12Z"
},
{
"ID": 42708,
"acknowledgedDate": "",
"acknowledgedUsername": "",
"alarmName": "Alarm Test",
"assignee": "ANALYST",
"conditionType": 22,
"severity": 50,
"summary": "Event rate exceeded 10 by 2",
"triggeredDate": "2020-06-24T11:32:08Z"
}
]
}
}

Human Readable Output

Alarms

| id | acknowledgedDate | acknowledgedUsername | alarmName | assignee | conditionType | severity | summary | triggeredDate |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 42710 |  |  | Alarm Test | ANALYST | 22 | 50 | Event rate exceeded 10 by 17 | 2020-06-24T13:05:43Z |
| 42709 |  |  | Alarm Test | ANALYST | 22 | 50 | Event rate exceeded 10 by 1 | 2020-06-24T12:53:12Z |
| 42708 |  |  | Alarm Test | ANALYST | 22 | 50 | Event rate exceeded 10 by 2 | 2020-06-24T11:32:08Z |

esm-get-case-list

Gets a list of cases from McAfee ESM.

Base Command

esm-get-case-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| since | Filters for cases that were opened before this date. In the format "<number> <timeunit>", for example: 1 day, 30 minutes, 2 weeks, 6 months, 1 year | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | Case ID. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The date and time when the case was opened. |
| McAfeeESM.Case.Severity | number | The severity of the case. |

Command Example

!esm-get-case-list since="1 month"

Context Example

{
"McAfeeESM": {
"Case": [
{
"ID": 33262,
"OpenTime": "2020-06-23T06:38:03Z",
"Severity": 50,
"Status": "Open",
"Summary": "Signature ID 'Failed User Logon' (306-31) match found"
},
{
"ID": 33261,
"OpenTime": "2020-06-22T12:04:09Z",
"Severity": 50,
"Status": "Open",
"Summary": "Signature ID 'Failed User Logon' (306-31) match found"
},
{
"ID": 33264,
"OpenTime": "2020-06-23T12:13:08Z",
"Severity": 50,
"Status": "Open",
"Summary": "Signature ID 'Failed User Logon' (306-31) match found"
}
]
}
}

Human Readable Output

cases since 1 month

| ID | OpenTime | Severity | Status | Summary |
| --- | --- | --- | --- | --- |
| 33262 | 2020-06-23T06:38:03Z | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |
| 33261 | 2020-06-22T12:04:09Z | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |
| 33264 | 2020-06-23T12:13:08Z | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |

esm-add-case

Adds a case to the system.

Base Command

esm-add-case

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| summary | The name of the case. | Required |
| status | The status of the case. Run the esm-get-case-statuses command to view all statuses. | Optional |
| assignee | User assigned to the case. | Optional |
| severity | The severity of the case (1 - 100). | Optional |
| organization | The organization assigned to the case. Run the esm-get-organization-list command to view all organizations. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | The ID of the case. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The open time of the case. |
| McAfeeESM.Case.Severity | number | The severity of the case. |
| McAfeeESM.Case.Assignee | string | The assignee of the case. |
| McAfeeESM.Case.Organization | string | The organization of the case. |
| McAfeeESM.Case.EventList | Unknown | List of the case's events. |
| McAfeeESM.Case.Notes | Unknown | List of the case's notes. |

Command Example

!esm-add-case summary="McAfee ESM v2 add case"

Context Example

{
"McAfeeESM": {
"Case": {
"Assignee": "ANALYST",
"ID": 33272,
"OpenTime": "2020-06-24T13:10:01Z",
"Organization": "None",
"Severity": 1,
"Status": "Open",
"Summary": "McAfee ESM v2 add case"
}
}
}

Human Readable Output

Case

| Assignee | ID | OpenTime | Organization | Severity | Status | Summary |
| --- | --- | --- | --- | --- | --- | --- |
| ANALYST | 33272 | 2020-06-24T13:10:01Z | None | 1 | Open | McAfee ESM v2 add case |

esm-edit-case

Edits the details of an existing case.

Base Command

esm-edit-case

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the case. | Required |
| summary | The name of the case. | Optional |
| severity | The new severity of the case (1 - 100). | Optional |
| assignee | User assigned to the case. | Optional |
| status | The new status of the case. Run the esm-get-case-statuses command to view all statuses. | Optional |
| organization | The organization assigned to the case. Run the esm-get-organization-list command to view all organizations. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | The ID of the case. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The open time of the case. |
| McAfeeESM.Case.Severity | number | The severity of the case. |
| McAfeeESM.Case.Assignee | string | The assignee of the case. |
| McAfeeESM.Case.Organization | string | The organization of the case. |
| McAfeeESM.Case.EventList | Unknown | List of the case's events. |
| McAfeeESM.Case.Notes | Unknown | List of the case's notes. |

Command Example

!esm-edit-case id="33266" summary="McAfee ESM v2 edit case"

Context Example

{
"McAfeeESM": {
"Case": {
"Assignee": "ANALYST",
"ID": 33266,
"OpenTime": "2020-06-24T10:54:21Z",
"Organization": "None",
"Severity": 1,
"Status": "Open",
"Summary": "McAfee ESM v2 edit case"
}
}
}

Human Readable Output

Case

| Assignee | ID | OpenTime | Organization | Severity | Status | Summary |
| --- | --- | --- | --- | --- | --- | --- |
| ANALYST | 33266 | 2020-06-24T10:54:21Z | None | 1 | Open | McAfee ESM v2 edit case |

esm-get-case-statuses

Gets a list of valid case statuses from the system.

Base Command

esm-get-case-statuses

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!esm-get-case-statuses

Human Readable Output

case statuses

| id | name | default | showInCasePane |
| --- | --- | --- | --- |
| 2 | Closed | false | false |
| 11830 | McAfee_ESM_v2_add_case | false | false |
| 1 | Open | true | true |
| 11725 | Research_1563355610148 | false | true |
| 11825 | TestMcAfee_ESM_v2 | false | false |
| 11758 | bbbb | false | false |
| 11776 | test | false | true |
| 11777 | test1 | false | false |
| 11268 | test2 | false | true |
| 11267 | test3 | false | true |
| 11890 | test_delete_case | false | false |
| 11889 | test_edit_case | false | false |

esm-edit-case-status

Edits the status of a case.

Base Command

esm-edit-case-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| original_name | The name of the case status to edit. | Required |
| new_name | The new name for the case status. | Required |
| show_in_case_pane | Whether the status will display in the case pane. Can be "True" or "False". Default is "True". | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-edit-case-status original_name=test_edit_case new_name=edited_case

Human Readable Output

Edited case status with ID: 11889

esm-get-case-detail

Gets the details of an existing case.

Base Command

esm-get-case-detail

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the case. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | The ID of the case. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The open time of the case. |
| McAfeeESM.Case.Severity | number | The severity of the case. |
| McAfeeESM.Case.Assignee | string | The assignee of the case. |
| McAfeeESM.Case.Organization | string | The organization of the case. |
| McAfeeESM.Case.EventList | Unknown | List of the case's events. |
| McAfeeESM.Case.Notes | Unknown | List of the case's notes. |

Command Example

!esm-get-case-detail id="33264"

Context Example

{
"McAfeeESM": {
"Case": {
"Assignee": "ANALYST",
"ID": 33264,
"OpenTime": "2020-06-23T12:13:08Z",
"Organization": "None",
"Severity": 50,
"Status": "Open",
"Summary": "Signature ID 'Failed User Logon' (306-31) match found"
}
}
}

Human Readable Output

Case

| Assignee | ID | OpenTime | Organization | Severity | Status | Summary |
| --- | --- | --- | --- | --- | --- | --- |
| ANALYST | 33264 | 2020-06-23T12:13:08Z | None | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |

esm-get-case-event-list

Gets case event details.

Base Command

esm-get-case-event-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | Comma-separated list of event IDs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.CaseEvent.ID | string | The ID of the event. |
| McAfeeESM.CaseEvent.LastTime | date | The time the event was last updated. |
| McAfeeESM.CaseEvent.Message | string | The message of the event. |

Command Example

!esm-get-case-event-list ids="42687"

esm-add-case-status

Adds a status to the specified case.

Base Command

esm-add-case-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the case status. | Required |
| show_in_case_pane | Whether the status will display in the case pane. Can be "True" or "False". Default is "True". | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-add-case-status name=test_add_case

Human Readable Output

Added case status : test_add_case

esm-delete-case-status

Deletes the status of a case.

Base Command

esm-delete-case-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the case status to delete. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-delete-case-status name=test_delete_case

Human Readable Output

Deleted case status with ID: 11890

esm-get-organization-list

Gets a case organization.

Base Command

esm-get-organization-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Organization.ID | number | Organization ID. |
| McAfeeESM.Organization.Name | string | Organization name. |

Command Example

!esm-get-organization-list

Context Example

{
"McAfeeESM": {
"Organization": [
{
"ID": 2,
"Name": "ABC"
},
{
"ID": 1,
"Name": "Org"
}
]
}
}

Human Readable Output

Organizations

| id | name |
| --- | --- |
| 2 | ABC |
| 1 | Org |

esm-get-user-list

Gets a list of all users.

Base Command

esm-get-user-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.User.ID | number | The ID of the user. |
| McAfeeESM.User.Name | string | The ESM user name. |
| McAfeeESM.User.Email | string | The email address of the user. |
| McAfeeESM.User.SMS | string | The SMS details of the user. |
| McAfeeESM.User.IsMaster | boolean | Whether the user is a master user. |
| McAfeeESM.User.IsAdmin | boolean | Whether the user is an admin. |

Command Example

!esm-get-user-list

Context Example

{
"McAfeeESM": {
"User": [
{
"Email": "",
"Groups": "[]",
"ID": 6,
"IsAdmin": false,
"IsMaster": false,
"Name": "abcd",
"SMS": ""
},
{
"Email": "",
"Groups": "[1, 2]",
"ID": 7,
"IsAdmin": true,
"IsMaster": true,
"Name": "gavrieltest",
"SMS": ""
},
{
"Email": "",
"Groups": "[2]",
"ID": 1,
"IsAdmin": false,
"IsMaster": true,
"Name": "ANALYST",
"SMS": ""
}
]
}
}

Human Readable Output

User list

| ID | Name | Email | Groups | IsMaster | IsAdmin | SMS |
| --- | --- | --- | --- | --- | --- | --- |
| 6 | abcd |  | [] | false | false |  |
| 7 | gavrieltest |  | [1, 2] | true | true |  |
| 1 | ANALYST |  | [2] | true | false |  |

esm-acknowledge-alarms

Marks triggered alarms as acknowledged.

Base Command

esm-acknowledge-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmIds | Comma-separated list of triggered alarm IDs to be marked as acknowledged. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-acknowledge-alarms alarmIds="42710"

Human Readable Output

Alarms has been Acknowledged.

esm-unacknowledge-alarms

Marks triggered alarms as unacknowledged.

Base Command

esm-unacknowledge-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmIds | Comma-separated list of triggered alarm IDs to be marked as unacknowledged. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-unacknowledge-alarms alarmIds="42687"

Human Readable Output

Alarms has been Unacknowledged.

esm-delete-alarms

Deletes triggered alarms.

Base Command

esm-delete-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmIds | Comma-separated list of triggered alarm IDs to delete. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-delete-alarms alarmIds="42709"

Human Readable Output

Alarms has been Deleted.

esm-get-alarm-event-details

Gets the details for the triggered alarm.

Base Command

esm-get-alarm-event-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| eventId | The event for which to get the details. Run the esm-list-alarm-events command to get the ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.AlarmEvent.ID | string | Event ID. |
| McAfeeESM.AlarmEvent.SubType | string | Event type. |
| McAfeeESM.AlarmEvent.Severity | number | Event severity. |
| McAfeeESM.AlarmEvent.Message | string | Event message. |
| McAfeeESM.AlarmEvent.LastTime | date | Event time. |
| McAfeeESM.AlarmEvent.SrcIP | string | Source IP of the event. |
| McAfeeESM.AlarmEvent.DstIP | string | Destination IP of the event. |
| McAfeeESM.AlarmEvent.Cases | Unknown | A list of cases related to the event. |
| McAfeeESM.AlarmEvent.Cases.ID | string | Case ID. |
| McAfeeESM.AlarmEvent.Cases.OpenTime | date | Case creation time. |
| McAfeeESM.AlarmEvent.Cases.Severity | number | Case severity. |
| McAfeeESM.AlarmEvent.Cases.Status | string | Case status. |
| McAfeeESM.AlarmEvent.Cases.Summary | string | Case summary. |
| McAfeeESM.AlarmEvent.DstMac | string | Destination MAC address of the event. |
| McAfeeESM.AlarmEvent.SrcMac | string | Source MAC address of the event. |
| McAfeeESM.AlarmEvent.DstPort | string | Destination port of the event. |
| McAfeeESM.AlarmEvent.SrcPort | string | Source port of the event. |
| McAfeeESM.AlarmEvent.FirstTime | date | The first time for the event. |
| McAfeeESM.AlarmEvent.NormalizedDescription | string | Normalized description of the event. |

Command Example

!esm-get-alarm-event-details eventId=144115188075855872|802641

Context Example

{
"McAfeeESM": {
"AlarmEvent": {
"Case": [
{
"ID": 33260,
"OpenTime": "2020-06-22T06:16:24Z",
"Severity": 50,
"Status": "Open",
"Summary": "Signature ID 'Failed User Logon' (306-31) match found"
}
],
"DstIP": "192.168.1.111",
"DstMac": "00:00:00:00:00:00",
"DstPort": "0",
"FirstTime": "2020-06-22T06:16:05Z",
"ID": 802641,
"LastTime": "2020-06-22T06:16:05Z",
"Message": "Failed User Logon",
"NormalizedDescription": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.",
"Severity": 25,
"SrcIP": "44.44.44.44",
"SrcMac": "00:00:00:00:00:00",
"SrcPort": "0",
"SubType": "failure"
}
}
}

Human Readable Output

Alarm events

| Case | DstIP | DstMac | DstPort | FirstTime | ID | LastTime | Message | NormalizedDescription | Severity | SrcIP | SrcMac | SrcPort | SubType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'ID': 33260, 'OpenTime': '2020-06-22T06:16:24Z', 'Severity': 50, 'Status': 'Open', 'Summary': "Signature ID 'Failed User Logon' (306-31) match found"} | 192.168.1.111 | 00:00:00:00:00:00 | 0 | 2020-06-22T06:16:05Z | 802641 | 2020-06-22T06:16:05Z | Failed User Logon | The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access. | 25 | 44.44.44.44 | 00:00:00:00:00:00 | 0 | failure |

esm-list-alarm-events

Gets a list of events related to the alarm.

Base Command

esm-list-alarm-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmId | The alarm for which to get the details. Run the esm-fetch-alarms command to get the ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.AlarmEvent.ID | string | Event ID. |
| McAfeeESM.AlarmEvent.SubType | string | Event type. |
| McAfeeESM.AlarmEvent.Severity | number | Event severity. |
| McAfeeESM.AlarmEvent.Message | string | Event message. |
| McAfeeESM.AlarmEvent.LastTime | date | Event time. |
| McAfeeESM.AlarmEvent.SrcIP | string | Source IP of the event. |
| McAfeeESM.AlarmEvent.DstIP | string | Destination IP of the event. |
| McAfeeESM.AlarmEvent.Cases | Unknown | A list of cases related to the event. |
| McAfeeESM.AlarmEvent.Cases.ID | string | Case ID. |
| McAfeeESM.AlarmEvent.Cases.OpenTime | date | Case creation time. |
| McAfeeESM.AlarmEvent.Cases.Severity | number | Case severity. |
| McAfeeESM.AlarmEvent.Cases.Status | string | Case status. |
| McAfeeESM.AlarmEvent.Cases.Summary | string | Case summary. |

Command Example

!esm-list-alarm-events alarmId=42687

Context Example

{
"McAfeeESM": {
"AlarmEvent": {
"DstIP": "192.168.1.111",
"DstMac": null,
"DstPort": null,
"FirstTime": null,
"ID": "144115188075855872|802641",
"LastTime": "2020-06-22T06:16:05Z",
"Message": "Failed User Logon",
"NormalizedDescription": null,
"Severity": 25,
"SrcIP": "11.11.11.11",
"SrcMac": null,
"SrcPort": null,
"SubType": "failure"
}
}
}

Human Readable Output

Alarm events

| DstIP | DstMac | DstPort | FirstTime | ID | LastTime | Message | NormalizedDescription | Severity | SrcIP | SrcMac | SrcPort | SubType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 192.168.1.111 |  |  |  | 144115188075855872\|802641 | 2020-06-22T06:16:05Z | Failed User Logon |  | 25 | 11.11.11.11 |  |  | failure |

esm-create-watchlist

Creates a new watchlist.

Base Command

esm-create-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The new watchlist name. | Required |
| type | The type of the new watchlist. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Watchlist.name | string | The watchlist name. |
| McAfeeESM.Watchlist.id | number | The watchlist ID. |
| McAfeeESM.Watchlist.type | string | The watchlist type. |

Command Example

!esm-create-watchlist name=test_watchlist type=IPAddress

Context Example

{
"McAfeeESM": {
"Watchlist": {
"id": 54,
"name": "test_watchlist",
"type": "IPAddress"
}
}
}

Human Readable Output

Watchlist test_watchlist created.

esm-delete-watchlist

Deletes a watchlist.

Base Command

esm-delete-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The watchlist IDs to delete. | Optional |
| names | The watchlist names to delete. | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-delete-watchlist names=test_watchlist

Human Readable Output

Watchlists removed

esm-watchlist-add-entry

Creates a new watchlist entry.

Base Command

esm-watchlist-add-entry

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The watchlist name. | Optional |
| watchlist_id | The watchlist ID. | Optional |
| values | The values to add to the watchlist (CSV format). | Required |

Context Output

There is no context output for this command.

Command Example

!esm-watchlist-add-entry watchlist_name=test_watchlist values=1.1.1.1,2.2.2.2

Human Readable Output

Watchlist successfully updated.

esm-watchlist-delete-entry

Deletes a watchlist entry.

Base Command

esm-watchlist-delete-entry

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The watchlist name. | Optional |
| watchlist_id | The watchlist ID. | Optional |
| values | The values to remove from the watchlist (CSV format). | Required |

Context Output

There is no context output for this command.

Command Example

!esm-watchlist-delete-entry watchlist_name=test_watchlist values=1.1.1.1,2.2.2.2

Human Readable Output

Watchlist successfully updated.

esm-watchlist-list-entries

Gets watchlist entries.

Base Command

esm-watchlist-list-entries

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The watchlist name. | Optional |
| watchlist_id | The watchlist ID. | Optional |
| limit | Maximum number of values to return. | Required |
| offset | Offset into the values. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Watchlist.data | Unknown | The watchlist data. |
| McAfeeESM.Watchlist.name | string | The watchlist name. |

Command Example

!esm-watchlist-list-entries watchlist_name=test_watchlist

Context Example

{
"McAfeeESM": {
"Watchlist": {
"data": [
"1.1.1.1",
"2.2.2.2"
],
"name": "test_watchlist"
}
}
}

Human Readable Output

results from test_watchlist watchlist

| data |
| --- |
| 1.1.1.1, |
| 2.2.2.2, |

esm-get-watchlists

Returns a list of watchlist names and IDs.

Base Command

esm-get-watchlists

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| hidden | Whether to include hidden watchlists. Possible values are: true, false. Default is true. | Required |
| dynamic | Whether to include dynamic watchlists. Possible values are: true, false. Default is true. | Required |
| write_only | Whether to include write-only watchlists. Possible values are: true, false. Default is false. | Required |
| indexed_only | Whether to include indexed-only watchlists. Possible values are: true, false. Default is false. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Watchlist.name | string | The name of the watchlist. |
| McAfeeESM.Watchlist.id | number | The ID of the watchlist. |
| McAfeeESM.Watchlist.type | string | The type of the watchlist. |