McAfee ESM v2

Run queries and receive alarms from Intel Security ESM. Supports version 10 and above. This integration was integrated and tested with version 10.2 of McAfee ESM v2.

Configure McAfee ESM v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for McAfee ESM v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Base URL (e.g. https://example.com) | True |
| credentials | Username | True |
| version | Version: (one of 10.0, 10.1, 10.2, 10.3, 11.1, 11.3) | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| fetchType | Fetch Types: cases, alarms, both (relevant only for fetch incident mode) | False |
| startingFetchID | Start fetch after ID: (relevant only for fetch incident mode) | False |
| fetchLimitCases | Fetch cases limit | False |
| fetchTime | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
| fetchLimitAlarms | Fetch alarms limit | False |
| timezone | McAfee ESM Timezone in hours (e.g. if ESM timezone is +0300 => then insert 3) | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.
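
The two time-related parameters above are the ones most often misconfigured: a malformed fetchTime silently changes the first fetch window, and a wrong timezone shifts every ESM timestamp by whole hours. The following helpers, added here as an example and not part of the integration's own code, parse the "<number> <time unit>" form (used by fetchTime and by the esm-get-case-list `since` argument) and apply the integer-hour timezone offset; the 30-day month and 365-day year lengths are assumptions, as is the rule that ESM stamps carry no zone of their own.

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per unit accepted in "<number> <time unit>" (fetchTime, since).
# Assumption: "month" and "year" are approximated as 30 and 365 days; the
# integration page does not define their exact length.
_UNIT_SECONDS = {
    "minute": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
    "month": 30 * 86400,
    "year": 365 * 86400,
}
_WINDOW_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]+)\s*$")
_STAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})Z?$")
_STAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse_stamp(stamp):
    """Parse "2020-06-24T13:05:43Z" (or without the Z) into a naive datetime."""
    match = _STAMP_RE.match(stamp)
    if not match:
        raise ValueError(f"unrecognised timestamp {stamp!r}")
    return datetime.strptime(f"{match.group(1)}T{match.group(2)}", "%Y-%m-%dT%H:%M:%S")


def fetch_window_start(window, now_utc=None):
    """Turn a fetchTime / since value such as "12 hours" or "7 days" into the
    UTC start of the window, formatted like the integration's own timestamps.
    Malformed input raises ValueError so a typo surfaces when the instance is
    tested instead of silently fetching an unintended range."""
    match = _WINDOW_RE.match(window)
    if not match:
        raise ValueError(f"expected '<number> <time unit>', got {window!r}")
    amount, unit = int(match.group(1)), match.group(2).lower().rstrip("s")
    if unit not in _UNIT_SECONDS or amount <= 0:
        raise ValueError(f"unsupported fetch window {window!r}")
    # now_utc is an optional "YYYY-MM-DDTHH:MM:SSZ" string, so results are reproducible.
    now = _parse_stamp(now_utc) if now_utc else datetime.now(timezone.utc).replace(tzinfo=None)
    start = now - timedelta(seconds=amount * _UNIT_SECONDS[unit])
    return start.strftime(_STAMP_FMT)


def esm_local_to_utc(esm_stamp, tz_hours):
    """Convert a timestamp the ESM reports in its own local zone to UTC using
    the integer-hour `timezone` parameter (+0300 is entered as 3). Assumption:
    the ESM stamp carries no zone of its own, so any trailing "Z" is ignored
    and the configured offset is applied instead."""
    local = _parse_stamp(esm_stamp).replace(tzinfo=timezone(timedelta(hours=tz_hours)))
    return local.astimezone(timezone.utc).strftime(_STAMP_FMT)
```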

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

esm-fetch-fields


Gets all fields that can be used in query filters, including type information for each field.

Base Command

esm-fetch-fields

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!esm-fetch-fields

Human Readable Output

Fields

| name | types |
| --- | --- |
| AppID | STRING |
| CommandID | STRING |
| DomainID | STRING |
| HostID | STRING |
| ObjectID | STRING |
| UserIDDst | STRING |
| UserIDSrc | STRING |
| URL | SSTRING |
| Database_Name | STRING |
| Message_Text | SSTRING |
| Response_Time | UINT32 |
| Application_Protocol | STRING |
| Object_Type | STRING |
| Filename | SSTRING |
| From | SSTRING |
| To | SSTRING |
| Cc | SSTRING |
| Bcc | SSTRING |
| Subject | SSTRING |
| Method | STRING |
| User_Agent | SSTRING |
| Cookie | SSTRING |
| Referer | SSTRING |
| File_Operation | STRING |
| File_Operation_Succeeded | STRING |
| Destination_Filename | SSTRING |
| User_Nickname | STRING |
| Contact_Name | STRING |
| Contact_Nickname | STRING |
| Client_Version | SSTRING |
| Job_Name | SSTRING |
| Language | SSTRING |
| SWF_URL | SSTRING |
| TC_URL | SSTRING |
| RTMP_Application | SSTRING |
| Version | SSTRING |
| Local_User_Name | SSTRING |
| NAT_Details | UINT16,IPV4 |
| Network_Layer | SIGID |
| Transport_Layer | SIGID |
| Session_Layer | SIGID |
| Application_Layer | SIGID |
| HTTP_Layer | SIGID |
| HTTP_Req_URL | SSTRING |
| HTTP_Req_Cookie | SSTRING |
| HTTP_Req_Referer | SSTRING |
| HTTP_Req_Host | SSTRING |
| HTTP_Req_Method | SSTRING |
| HTTP_User_Agent | SSTRING |
| DNS_Name | SSTRING |
| DNS_Type | STRING |
| DNS_Class | STRING |
| Query_Response | STRING |
| Authoritative_Answer | STRING |
| SNMP_Operation | STRING |
| SNMP_Item_Type | STRING |
| SNMP_Version | STRING |
| SNMP_Error_Code | STRING |
| NTP_Client_Mode | STRING |
| NTP_Server_Mode | STRING |
| NTP_Request | STRING |
| NTP_Opcode | STRING |
| SNMP_Item | SSTRING |
| Interface | STRING |
| Direction | STRING |
| Sensor_Name | STRING |
| Sensor_UUID | SSTRING |
| Sensor_Type | STRING |
| Signature_Name | SSTRING |
| Threat_Name | SSTRING |
| Destination_Hostname | SSTRING |
| Category | SSTRING |
| Process_Name | SSTRING |
| Grid_Master_IP | IP |
| Response_Code | STRING |
| Device_Port | UINT64 |
| Device_IP | IP |
| PID | UINT64 |
| Target_Context | SSTRING |
| Source_Context | SSTRING |
| Target_Class | SSTRING |
| Policy_Name | SSTRING |
| Destination_Zone | SSTRING |
| Source_Zone | SSTRING |
| Queue_ID | STRLIT |
| Delivery_ID | SSTRING |
| Recipient_ID | SSTRING |
| Spam_Score | FLOAT |
| Mail_ID | SSTRING |
| To_Address | SSTRING |
| From_Address | SSTRING |
| Message_ID | SSTRING |
| Request_Type | SSTRING |
| SQL_Statement | SSTRING |
| External_EventID | UINT64 |
| Event_Class | SSTRING |
| Description | SSTRING |
| File_Hash | GUID |
| Mainframe_Job_Name | SSTRING |
| External_SubEventID | UINT64 |
| Destination_UserID | SSTRING |
| Source_UserID | SSTRING |
| Volume_ID | SSTRING |
| Step_Name | SSTRING |
| Step_Count | SSTRING |
| LPAR_DB2_Subsystem | SSTRING |
| Logical_Unit_Name | SSTRING |
| Job_Type | SSTRING |
| FTP_Command | SSTRING |
| File_Type | SSTRING |
| DB2_Plan_Name | SSTRING |
| Catalog_Name | SSTRING |
| Access_Resource | SSTRING |
| Table_Name | SSTRING |
| External_DB2_Server | SSTRING |
| External_Application | SSTRING |
| Creator_Name | SSTRING |
| Return_Code | STRING |
| Database_ID | SSTRING |
| Incoming_ID | SSTRING |
| Handle_ID | UINT64 |
| Destination_Network | SSTRING |
| Source_Network | SSTRING |
| Malware_Insp_Result | SSTRING |
| Malware_Insp_Action | SSTRING |
| External_Hostname | SSTRING |
| Privileged_User | SSTRING |
| Facility | SSTRING |
| Area | SSTRING |
| Instance_GUID | GUID |
| Logon_Type | SSTRING |
| Operating_System | SSTRING |
| File_Path | SSTRING |
| Agent_GUID | GUID |
| Reputation | UINT64 |
| URL_Category | SSTRING |
| Session_Status | SSTRING |
| Destination_Logon_ID | SSTRING |
| Source_Logon_ID | SSTRING |
| UUID | GUID |
| External_SessionID | SSTRING |
| Management_Server | SSTRING |
| Detection_Method | SSTRING |
| Target_Process_Name | SSTRING |
| Analyzer_DAT_Version | FLOAT |
| Forwarding_Status | SSTRING |
| Reason | SSTRING |
| Threat_Handled | SSTRING |
| Threat_Category | SSTRING |
| Device_Action | SSTRING |
| Database_GUID | GUID |
| SQL_Command | SSTRING |
| Destination_Directory | SSTRING |
| Directory | SSTRING |
| Mailbox | SSTRING |
| Handheld_ID | UINT64 |
| Policy_ID | UINT64 |
| Server_ID | UINT64 |
| Registry_Value | SSTRING |
| Registry_Key | SSTRING |
| Caller_Process | SSTRING |
| DAT_Version | FLOAT |
| Interface_Dest | SSTRING |
| Datacenter_Name | SSTRING |
| Datacenter_ID | SSTRING |
| Virtual_Machine_ID | SSTRING |
| Virtual_Machine_Name | SSTRING |
| PCAP_Name | SSTRING |
| Search_Query | SSTRING |
| Service_Name | SSTRING |
| External_Device_Name | SSTRING |
| External_Device_ID | SSTRING |
| External_Device_Type | SSTRING |
| Organizational_Unit | SSTRING |
| Privileges | SSTRING |
| Reputation_Name | SSTRING |
| Vulnerability_References | SSTRING |
| Web_Domain | SSTRING |
| Sub_Status | SSTRING |
| Status | SSTRING |
| Access_Privileges | SSTRING |
| Rule_Name | SSTRING |
| App_Layer_Protocol | SSTRING |
| Group_Name | SSTRING |
| Authentication_Type | SSTRING |
| New_Value | SSTRING |
| Old_Value | SSTRING |
| Security_ID | SSTRING |
| SHA1 | SSTRING |
| Reputation_Score | FLOAT |
| Parent_File_Hash | GUID |
| File_ID | SSTRING |
| Engine_List | SSTRING |
| Device_URL | SSTRING |
| Attacker_IP | IPV4 |
| Victim_IP | IPV4 |
| Incident_ID | INT64 |
| Attribute_Type | SSTRING |
| Access_Mask | SSTRING |
| Object_GUID | GUID |
| VPN_Feature_Name | SSTRING |
| Reputation_Server_IP | IP |
| DNS_Server_IP | IP |
| Hash_Type | SSTRING |
| Hash | SSTRING |
| Subcategory | SSTRING |
| Wireless_SSID | SSTRING |
| Share_Name | SSTRING |
| CnC_Host | SSTRING |
| Device_Confidence | UINT64 |
| SHA256 | SSTRING |
| AppID | STRING |
| CommandID | STRING |
| DSIDSigID | SIGID |
| Action | UINT8 |
| ASNGeoDst | UINT64 |
| DSID | UINT64 |
| ZoneDst | UINT16 |
| SigID | SIGID |
| GUIDSrc | GUID |
| NDDevIDSrc | UINT16 |
| ID | UINT64 |
| Protocol | UINT8 |
| NormID | UINT32 |
| ZoneSrc | UINT16 |
| FirstTime | UINT32 |
| SrcPort | UINT16 |
| AvgSeverity | FLOAT |
| DstPort | UINT16 |
| SrcIP | IP |
| GUIDDst | GUID |
| DstIP | IP |
| NDDevIDDst | UINT16 |
| SrcMac | MAC_ADDRESS |
| SessionID | UINT64 |
| ASNGeoSrc | UINT64 |
| DstMac | MAC_ADDRESS |
| LastTime | UINT32 |

esm-search


Performs a query against the McAfee ESM SIEM.

Base Command

esm-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timeRange | The time period for the search. Can be LAST_3_DAYS, LAST_2_DAYS, LAST_24_HOURS, PREVIOUS_DAY, CURRENT_DAY, LAST_HOUR, LAST_30_MINUTES, LAST_10_MINUTES, LAST_MINUTE, CUSTOM, PREVIOUS_YEAR, CURRENT_YEAR, PREVIOUS_QUARTER, CURRENT_QUARTER, PREVIOUS_MONTH, CURRENT_MONTH, PREVIOUS_WEEK, or CURRENT_WEEK. | Optional |
| filters | Filter on the query results. Must be a JSON string of the format EsmFilter (read more on that here: https://<esm-ip>:<esm-port>/rs/esm/help/types/EsmFilter). | Required |
| queryType | Type of query to run. Can be "EVENT", "FLOW", or "ASSETS". Default is "EVENT". | Optional |
| timeOut | Maximum time to wait before timeout (in minutes). Default is 30. | Optional |
| customStart | If the timeRange argument is set to CUSTOM, the start time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| customEnd | If the timeRange argument is set to CUSTOM, the end time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| fields | The fields that will be selected when this query is executed. | Optional |
| limit | Query results can be limited to a maximum row count. | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-search timeRange="CURRENT_YEAR" filters="[{\"type\":\"EsmFieldFilter\",\"field\":{\"name\":\"SrcIP\"},\"operator\":\"IN\"}]" limit="3"

Context Example

    {
        "McAfeeESM": {
            "results": [
                {
                    "ActionName": "success",
                    "AlertDstIP": "192.168.1.111",
                    "AlertDstPort": "0",
                    "AlertIPSIDAlertID": "144115188075855872|779674",
                    "AlertLastTime": "2020-01-01T05:48:20Z",
                    "AlertProtocol": "n/a",
                    "AlertSrcIP": "22.22.22.22",
                    "AlertSrcPort": "0"
                },
                {
                    "ActionName": "success",
                    "AlertDstIP": "192.168.1.111",
                    "AlertDstPort": "0",
                    "AlertIPSIDAlertID": "144115188075855872|779675",
                    "AlertLastTime": "2020-01-01T05:48:22Z",
                    "AlertProtocol": "n/a",
                    "AlertSrcIP": "22.22.22.22",
                    "AlertSrcPort": "0"
                },
                {
                    "ActionName": "success",
                    "AlertDstIP": "192.168.1.111",
                    "AlertDstPort": "0",
                    "AlertIPSIDAlertID": "144115188075855872|779676",
                    "AlertLastTime": "2020-01-01T10:51:57Z",
                    "AlertProtocol": "n/a",
                    "AlertSrcIP": "33.33.33.33",
                    "AlertSrcPort": "0"
                }
            ]
        }
    }

Human Readable Output

Search results

| Alert.IPSIDAlertID | Alert.SrcIP | Alert.SrcPort | Alert.DstIP | Alert.DstPort | Alert.Protocol | Alert.LastTime | Action.Name |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 144115188075855872\|779674 | 22.22.22.22 | 0 | 192.168.1.111 | 0 | n/a | 2020-01-01T05:48:20Z | success |
| 144115188075855872\|779675 | 22.22.22.22 | 0 | 192.168.1.111 | 0 | n/a | 2020-01-01T05:48:22Z | success |
| 144115188075855872\|779676 | 33.33.33.33 | 0 | 192.168.1.111 | 0 | n/a | 2020-01-01T10:51:57Z | success |
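
The `filters` argument of esm-search is a JSON string that then has to be quote-escaped inside the CLI argument, and the `Alert.IPSIDAlertID` values it returns are "<IPSID>|<AlertID>" pairs that esm-get-alarm-event-details takes whole as its eventId. The helpers below, added here as an example and not part of the integration's own code, build and validate that argument and split the ID pair; the `values` list wrapped as EsmBasicValue objects is an assumption about the EsmFilter type the ESM REST help page documents, since the page's own example shows only the field and operator.

```python
import json


def build_field_filter(field, values, operator="IN"):
    """Return one EsmFieldFilter for the esm-search `filters` argument, with
    the field/operator shape of the command example above. Assumption: values
    are wrapped as {"type": "EsmBasicValue", "value": ...}."""
    if not values:
        raise ValueError("an EsmFieldFilter needs at least one value")
    return {
        "type": "EsmFieldFilter",
        "field": {"name": field},
        "operator": operator,
        "values": [{"type": "EsmBasicValue", "value": str(v)} for v in values],
    }


def filters_argument(filters):
    """Serialise a list of filters to compact JSON and escape it for use inside
    the double-quoted XSOAR CLI argument, as in the command example above."""
    if not isinstance(filters, list) or not filters:
        raise ValueError("filters must be a non-empty list of EsmFilter objects")
    raw = json.dumps(filters, separators=(",", ":"))
    return 'filters="' + raw.replace('"', '\\"') + '"'


def parse_filters_argument(argument):
    """Reverse filters_argument: unescape the CLI argument and check that every
    filter names a type, a field and an operator before it is sent to the ESM."""
    prefix = 'filters="'
    if not argument.startswith(prefix) or not argument.endswith('"'):
        raise ValueError('not a filters="..." argument')
    filters = json.loads(argument[len(prefix):-1].replace('\\"', '"'))
    for f in filters:
        if not {"type", "field", "operator"} <= set(f) or "name" not in f["field"]:
            raise ValueError(f"incomplete EsmFilter: {f!r}")
    return filters


def split_ipsid_alert_id(value):
    """Split an Alert.IPSIDAlertID such as "144115188075855872|779674" into
    (ipsid, alert_id). The same "<IPSID>|<AlertID>" string is what the
    esm-get-alarm-event-details eventId argument takes, so pass it through
    whole rather than truncating it at the "|"."""
    ipsid, sep, alert_id = value.partition("|")
    if not sep or not ipsid.isdigit() or not alert_id.isdigit():
        raise ValueError(f"not an IPSID|AlertID pair: {value!r}")
    return int(ipsid), int(alert_id)
```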

esm-fetch-alarms


Retrieves a list of triggered alarms.

Base Command

esm-fetch-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| timeRange | The time period for the search. Can be LAST_3_DAYS, LAST_2_DAYS, LAST_24_HOURS, PREVIOUS_DAY, CURRENT_DAY, LAST_HOUR, LAST_30_MINUTES, LAST_10_MINUTES, LAST_MINUTE, CUSTOM, PREVIOUS_YEAR, CURRENT_YEAR, PREVIOUS_QUARTER, CURRENT_QUARTER, PREVIOUS_MONTH, CURRENT_MONTH, PREVIOUS_WEEK, or CURRENT_WEEK. | Optional |
| customStart | If the timeRange argument is set to CUSTOM, the start time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| customEnd | If the timeRange argument is set to CUSTOM, the end time for the time range. For example: 2017-06-01T12:48:16.734Z | Optional |
| assignedUser | User assigned to handle the triggered alarm. Use the 'ME' option to use the instance user, or use format EsmUser. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Alarm.ID | number | Alarm ID. |
| McAfeeESM.Alarm.summary | string | Alarm summary. |
| McAfeeESM.Alarm.assignee | string | Alarm assignee. |
| McAfeeESM.Alarm.severity | number | Alarm severity. |
| McAfeeESM.Alarm.triggeredDate | date | Alarm triggered date. |
| McAfeeESM.Alarm.acknowledgedDate | date | Alarm acknowledged date. |
| McAfeeESM.Alarm.acknowledgedUsername | string | Alarm acknowledged username. |
| McAfeeESM.Alarm.alarmName | string | Alarm name. |
| McAfeeESM.Alarm.conditionType | number | Alarm condition type. |

Command Example

!esm-fetch-alarms timeRange=CURRENT_MONTH

Context Example

    {
        "McAfeeESM": {
            "Alarm": [
                {
                    "ID": 42710,
                    "acknowledgedDate": "",
                    "acknowledgedUsername": "",
                    "alarmName": "Alarm Test",
                    "assignee": "ANALYST",
                    "conditionType": 22,
                    "severity": 50,
                    "summary": "Event rate exceeded 10 by 17",
                    "triggeredDate": "2020-06-24T13:05:43Z"
                },
                {
                    "ID": 42709,
                    "acknowledgedDate": "",
                    "acknowledgedUsername": "",
                    "alarmName": "Alarm Test",
                    "assignee": "ANALYST",
                    "conditionType": 22,
                    "severity": 50,
                    "summary": "Event rate exceeded 10 by 1",
                    "triggeredDate": "2020-06-24T12:53:12Z"
                },
                {
                    "ID": 42708,
                    "acknowledgedDate": "",
                    "acknowledgedUsername": "",
                    "alarmName": "Alarm Test",
                    "assignee": "ANALYST",
                    "conditionType": 22,
                    "severity": 50,
                    "summary": "Event rate exceeded 10 by 2",
                    "triggeredDate": "2020-06-24T11:32:08Z"
                }
            ]
        }
    }

Human Readable Output

Alarms

| id | acknowledgedDate | acknowledgedUsername | alarmName | assignee | conditionType | severity | summary | triggeredDate |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 42710 | | | Alarm Test | ANALYST | 22 | 50 | Event rate exceeded 10 by 17 | 2020-06-24T13:05:43Z |
| 42709 | | | Alarm Test | ANALYST | 22 | 50 | Event rate exceeded 10 by 1 | 2020-06-24T12:53:12Z |
| 42708 | | | Alarm Test | ANALYST | 22 | 50 | Event rate exceeded 10 by 2 | 2020-06-24T11:32:08Z |

esm-get-case-list


Gets a list of cases from McAfee ESM.

Base Command

esm-get-case-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| since | Filters for cases that were opened before this date. In the format "<number> <time unit>", for example: 1 day, 30 minutes, 2 weeks, 6 months, 1 year | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | Case ID. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The date and time when the case was opened. |
| McAfeeESM.Case.Severity | number | The severity of the case. |

Command Example

!esm-get-case-list since="1 month"

Context Example

    {
        "McAfeeESM": {
            "Case": [
                {
                    "ID": 33262,
                    "OpenTime": "2020-06-23T06:38:03Z",
                    "Severity": 50,
                    "Status": "Open",
                    "Summary": "Signature ID 'Failed User Logon' (306-31) match found"
                },
                {
                    "ID": 33261,
                    "OpenTime": "2020-06-22T12:04:09Z",
                    "Severity": 50,
                    "Status": "Open",
                    "Summary": "Signature ID 'Failed User Logon' (306-31) match found"
                },
                {
                    "ID": 33264,
                    "OpenTime": "2020-06-23T12:13:08Z",
                    "Severity": 50,
                    "Status": "Open",
                    "Summary": "Signature ID 'Failed User Logon' (306-31) match found"
                }
            ]
        }
    }

Human Readable Output

cases since 1 month

| ID | OpenTime | Severity | Status | Summary |
| --- | --- | --- | --- | --- |
| 33262 | 2020-06-23T06:38:03Z | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |
| 33261 | 2020-06-22T12:04:09Z | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |
| 33264 | 2020-06-23T12:13:08Z | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |

esm-add-case


Adds a case to the system.

Base Command

esm-add-case

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| summary | The name of the case. | Required |
| status | The status of the case. Run the esm-get-case-statuses command to view all statuses. | Optional |
| assignee | User assigned to the case. | Optional |
| severity | The severity of the case (1 - 100). | Optional |
| organization | The organization assigned to the case. Run the esm-get-organization-list command to view all organizations. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | The ID of the case. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The open time of the case. |
| McAfeeESM.Case.Severity | number | The severity of the case. |
| McAfeeESM.Case.Assignee | string | The assignee of the case. |
| McAfeeESM.Case.Organization | string | The organization of the case. |
| McAfeeESM.Case.EventList | Unknown | List of the case's events. |
| McAfeeESM.Case.Notes | Unknown | List of the case's notes. |

Command Example

!esm-add-case summary="McAfee ESM v2 add case"

Context Example

    {
        "McAfeeESM": {
            "Case": {
                "Assignee": "ANALYST",
                "ID": 33272,
                "OpenTime": "2020-06-24T13:10:01Z",
                "Organization": "None",
                "Severity": 1,
                "Status": "Open",
                "Summary": "McAfee ESM v2 add case"
            }
        }
    }

Human Readable Output

Case

| Assignee | ID | OpenTime | Organization | Severity | Status | Summary |
| --- | --- | --- | --- | --- | --- | --- |
| ANALYST | 33272 | 2020-06-24T13:10:01Z | None | 1 | Open | McAfee ESM v2 add case |

esm-edit-case


Edits the details of an existing case.

Base Command

esm-edit-case

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the case. | Required |
| summary | The name of the case. | Optional |
| severity | The new severity of the case (1 - 100). | Optional |
| assignee | User assigned to the case. | Optional |
| status | The new status of the case. Run the esm-get-case-statuses command to view all statuses. | Optional |
| organization | The organization assigned to the case. Run the esm-get-organization-list command to view all organizations. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | The ID of the case. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The open time of the case. |
| McAfeeESM.Case.Severity | number | The severity of the case. |
| McAfeeESM.Case.Assignee | string | The assignee of the case. |
| McAfeeESM.Case.Organization | string | The organization of the case. |
| McAfeeESM.Case.EventList | Unknown | List of the case's events. |
| McAfeeESM.Case.Notes | Unknown | List of the case's notes. |

Command Example

!esm-edit-case id="33266" summary="McAfee ESM v2 edit case"

Context Example

    {
        "McAfeeESM": {
            "Case": {
                "Assignee": "ANALYST",
                "ID": 33266,
                "OpenTime": "2020-06-24T10:54:21Z",
                "Organization": "None",
                "Severity": 1,
                "Status": "Open",
                "Summary": "McAfee ESM v2 edit case"
            }
        }
    }

Human Readable Output

Case

| Assignee | ID | OpenTime | Organization | Severity | Status | Summary |
| --- | --- | --- | --- | --- | --- | --- |
| ANALYST | 33266 | 2020-06-24T10:54:21Z | None | 1 | Open | McAfee ESM v2 edit case |

esm-get-case-statuses


Gets a list of valid case statuses from the system.

Base Command

esm-get-case-statuses

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!esm-get-case-statuses

Human Readable Output

case statuses

| id | name | default | showInCasePane |
| --- | --- | --- | --- |
| 2 | Closed | false | false |
| 11830 | McAfee_ESM_v2_add_case | false | false |
| 1 | Open | true | true |
| 11725 | Research_1563355610148 | false | true |
| 11825 | TestMcAfee_ESM_v2 | false | false |
| 11758 | bbbb | false | false |
| 11776 | test | false | true |
| 11777 | test1 | false | false |
| 11268 | test2 | false | true |
| 11267 | test3 | false | true |
| 11890 | test_delete_case | false | false |
| 11889 | test_edit_case | false | false |

esm-edit-case-status


Edits the status of a case.

Base Command

esm-edit-case-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| original_name | The name of the case status to edit. | Required |
| new_name | The new name for the case status. | Required |
| show_in_case_pane | Whether the status will display in the case pane. Can be "True" or "False". Default is "True". | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-edit-case-status original_name=test_edit_case new_name=edited_case

Human Readable Output

Edited case status with ID: 11889

esm-get-case-detail


Gets the details of an existing case.

Base Command

esm-get-case-detail

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the case. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Case.ID | number | The ID of the case. |
| McAfeeESM.Case.Summary | string | The summary of the case. |
| McAfeeESM.Case.Status | string | The status of the case. |
| McAfeeESM.Case.OpenTime | date | The open time of the case. |
| McAfeeESM.Case.Severity | number | The severity of the case. |
| McAfeeESM.Case.Assignee | string | The assignee of the case. |
| McAfeeESM.Case.Organization | string | The organization of the case. |
| McAfeeESM.Case.EventList | Unknown | List of the case's events. |
| McAfeeESM.Case.Notes | Unknown | List of the case's notes. |

Command Example

!esm-get-case-detail id="33264"

Context Example

    {
        "McAfeeESM": {
            "Case": {
                "Assignee": "ANALYST",
                "ID": 33264,
                "OpenTime": "2020-06-23T12:13:08Z",
                "Organization": "None",
                "Severity": 50,
                "Status": "Open",
                "Summary": "Signature ID 'Failed User Logon' (306-31) match found"
            }
        }
    }

Human Readable Output

Case

| Assignee | ID | OpenTime | Organization | Severity | Status | Summary |
| --- | --- | --- | --- | --- | --- | --- |
| ANALYST | 33264 | 2020-06-23T12:13:08Z | None | 50 | Open | Signature ID 'Failed User Logon' (306-31) match found |

esm-get-case-event-list


Gets case event details.

Base Command

esm-get-case-event-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | Comma-separated list of event IDs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.CaseEvent.ID | string | The ID of the event. |
| McAfeeESM.CaseEvent.LastTime | date | The time the event was last updated. |
| McAfeeESM.CaseEvent.Message | string | The message of the event. |

Command Example

!esm-get-case-event-list ids="42687"

esm-add-case-status


Adds a status to the specified case.

Base Command

esm-add-case-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the case status. | Required |
| show_in_case_pane | Whether the status will display in the case pane. Can be "True" or "False". Default is "True". | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-add-case-status name=test_add_case

Human Readable Output

Added case status : test_add_case

esm-delete-case-status


Deletes the status of a case.

Base Command

esm-delete-case-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The name of the case status to delete. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-delete-case-status name=test_delete_case

Human Readable Output

Deleted case status with ID: 11890

esm-get-organization-list


Gets the list of case organizations.

Base Command

esm-get-organization-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Organization.ID | number | Organization ID. |
| McAfeeESM.Organization.Name | string | Organization name. |

Command Example

!esm-get-organization-list

Context Example

    {
        "McAfeeESM": {
            "Organization": [
                {
                    "ID": 2,
                    "Name": "ABC"
                },
                {
                    "ID": 1,
                    "Name": "Org"
                }
            ]
        }
    }

Human Readable Output

Organizations

| id | name |
| --- | --- |
| 2 | ABC |
| 1 | Org |

esm-get-user-list


Gets a list of all users.

Base Command

esm-get-user-list

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.User.ID | number | The ID of the user. |
| McAfeeESM.User.Name | string | The ESM user name. |
| McAfeeESM.User.Email | string | The email address of the user. |
| McAfeeESM.User.SMS | string | The SMS details of the user. |
| McAfeeESM.User.IsMaster | boolean | Whether the user is a master user. |
| McAfeeESM.User.IsAdmin | boolean | Whether the user is an admin. |

Command Example

!esm-get-user-list

Context Example

    {
        "McAfeeESM": {
            "User": [
                {
                    "Email": "",
                    "Groups": "[]",
                    "ID": 6,
                    "IsAdmin": false,
                    "IsMaster": false,
                    "Name": "abcd",
                    "SMS": ""
                },
                {
                    "Email": "",
                    "Groups": "[1, 2]",
                    "ID": 7,
                    "IsAdmin": true,
                    "IsMaster": true,
                    "Name": "gavrieltest",
                    "SMS": ""
                },
                {
                    "Email": "",
                    "Groups": "[2]",
                    "ID": 1,
                    "IsAdmin": false,
                    "IsMaster": true,
                    "Name": "ANALYST",
                    "SMS": ""
                }
            ]
        }
    }

Human Readable Output

User list

| ID | Name | Email | Groups | IsMaster | IsAdmin | SMS |
| --- | --- | --- | --- | --- | --- | --- |
| 6 | abcd | | [] | false | false | |
| 7 | gavrieltest | | [1, 2] | true | true | |
| 1 | ANALYST | | [2] | true | false | |

esm-acknowledge-alarms


Marks triggered alarms as acknowledged.

Base Command

esm-acknowledge-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmIds | Comma-separated list of triggered alarm IDs to be marked as acknowledged. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-acknowledge-alarms alarmIds="42710"

Human Readable Output

Alarms has been Acknowledged.

esm-unacknowledge-alarms


Marks triggered alarms as unacknowledged.

Base Command

esm-unacknowledge-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmIds | Comma-separated list of triggered alarm IDs to be marked as unacknowledged. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-unacknowledge-alarms alarmIds="42687"

Human Readable Output

Alarms has been Unacknowledged.

esm-delete-alarms


Deletes triggered alarms.

Base Command

esm-delete-alarms

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmIds | Comma-separated list of triggered alarm IDs to delete. | Required |

Context Output

There is no context output for this command.

Command Example

!esm-delete-alarms alarmIds="42709"

Human Readable Output

Alarms has been Deleted.

esm-get-alarm-event-details


Gets the details for the triggered alarm.

Base Command

esm-get-alarm-event-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| eventId | The event for which to get the details. Run the esm-list-alarm-events command to get the ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.AlarmEvent.ID | string | Event ID. |
| McAfeeESM.AlarmEvent.SubType | string | Event type. |
| McAfeeESM.AlarmEvent.Severity | number | Event severity. |
| McAfeeESM.AlarmEvent.Message | string | Event message. |
| McAfeeESM.AlarmEvent.LastTime | date | Event time. |
| McAfeeESM.AlarmEvent.SrcIP | string | Source IP of the event. |
| McAfeeESM.AlarmEvent.DstIP | string | Destination IP of the event. |
| McAfeeESM.AlarmEvent.Cases | Unknown | A list of cases related to the event. |
| McAfeeESM.AlarmEvent.Cases.ID | string | Case ID. |
| McAfeeESM.AlarmEvent.Cases.OpenTime | date | Case creation time. |
| McAfeeESM.AlarmEvent.Cases.Severity | number | Case severity. |
| McAfeeESM.AlarmEvent.Cases.Status | string | Case status. |
| McAfeeESM.AlarmEvent.Cases.Summary | string | Case summary. |
| McAfeeESM.AlarmEvent.DstMac | string | Destination MAC address of the event. |
| McAfeeESM.AlarmEvent.SrcMac | string | Source MAC address of the event. |
| McAfeeESM.AlarmEvent.DstPort | string | Destination port of the event. |
| McAfeeESM.AlarmEvent.SrcPort | string | Source port of the event. |
| McAfeeESM.AlarmEvent.FirstTime | date | The first time for the event. |
| McAfeeESM.AlarmEvent.NormalizedDescription | string | Normalized description of the event. |

Command Example

!esm-get-alarm-event-details eventId=144115188075855872|802641

Context Example

    {
        "McAfeeESM": {
            "AlarmEvent": {
                "Case": [
                    {
                        "ID": 33260,
                        "OpenTime": "2020-06-22T06:16:24Z",
                        "Severity": 50,
                        "Status": "Open",
                        "Summary": "Signature ID 'Failed User Logon' (306-31) match found"
                    }
                ],
                "DstIP": "192.168.1.111",
                "DstMac": "00:00:00:00:00:00",
                "DstPort": "0",
                "FirstTime": "2020-06-22T06:16:05Z",
                "ID": 802641,
                "LastTime": "2020-06-22T06:16:05Z",
                "Message": "Failed User Logon",
                "NormalizedDescription": "The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access.",
                "Severity": 25,
                "SrcIP": "44.44.44.44",
                "SrcMac": "00:00:00:00:00:00",
                "SrcPort": "0",
                "SubType": "failure"
            }
        }
    }

Human Readable Output

Alarm events

| Case | DstIP | DstMac | DstPort | FirstTime | ID | LastTime | Message | NormalizedDescription | Severity | SrcIP | SrcMac | SrcPort | SubType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'ID': 33260, 'OpenTime': '2020-06-22T06:16:24Z', 'Severity': 50, 'Status': 'Open', 'Summary': "Signature ID 'Failed User Logon' (306-31) match found"} | 192.168.1.111 | 00:00:00:00:00:00 | 0 | 2020-06-22T06:16:05Z | 802641 | 2020-06-22T06:16:05Z | Failed User Logon | The Login category indicates events related to logging in to hosts or services. Belongs to Authentication: The authentication category indicates events relating to system access. | 25 | 44.44.44.44 | 00:00:00:00:00:00 | 0 | failure |

esm-list-alarm-events


Gets a list of events related to the alarm.

Base Command

esm-list-alarm-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alarmId | The alarm for which to get the details. Run the esm-fetch-alarms command to get the ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.AlarmEvent.ID | string | Event ID. |
| McAfeeESM.AlarmEvent.SubType | string | Event type. |
| McAfeeESM.AlarmEvent.Severity | number | Event severity. |
| McAfeeESM.AlarmEvent.Message | string | Event message. |
| McAfeeESM.AlarmEvent.LastTime | date | Event time. |
| McAfeeESM.AlarmEvent.SrcIP | string | Source IP of the event. |
| McAfeeESM.AlarmEvent.DstIP | string | Destination IP of the event. |
| McAfeeESM.AlarmEvent.Cases | Unknown | A list of cases related to the event. |
| McAfeeESM.AlarmEvent.Cases.ID | string | Case ID. |
| McAfeeESM.AlarmEvent.Cases.OpenTime | date | Case creation time. |
| McAfeeESM.AlarmEvent.Cases.Severity | number | Case severity. |
| McAfeeESM.AlarmEvent.Cases.Status | string | Case status. |
| McAfeeESM.AlarmEvent.Cases.Summary | string | Case summary. |

Command Example

!esm-list-alarm-events alarmId=42687

Context Example

    {
        "McAfeeESM": {
            "AlarmEvent": {
                "DstIP": "192.168.1.111",
                "DstMac": null,
                "DstPort": null,
                "FirstTime": null,
                "ID": "144115188075855872|802641",
                "LastTime": "2020-06-22T06:16:05Z",
                "Message": "Failed User Logon",
                "NormalizedDescription": null,
                "Severity": 25,
                "SrcIP": "11.11.11.11",
                "SrcMac": null,
                "SrcPort": null,
                "SubType": "failure"
            }
        }
    }

Human Readable Output

Alarm events

| DstIP | DstMac | DstPort | FirstTime | ID | LastTime | Message | NormalizedDescription | Severity | SrcIP | SrcMac | SrcPort | SubType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 192.168.1.111 | | | | 144115188075855872\|802641 | 2020-06-22T06:16:05Z | Failed User Logon | | 25 | 11.11.11.11 | | | failure |

esm-create-watchlist


Creates a new watchlist.

Base Command

esm-create-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | The new watchlist name. | Required |
| type | The type of the new watchlist. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Watchlist.name | string | The watchlist name. |
| McAfeeESM.Watchlist.id | number | The watchlist ID. |
| McAfeeESM.Watchlist.type | string | The watchlist type. |

Command Example

!esm-create-watchlist name=test_watchlist type=IPAddress

Context Example

    {
        "McAfeeESM": {
            "Watchlist": {
                "id": 54,
                "name": "test_watchlist",
                "type": "IPAddress"
            }
        }
    }

Human Readable Output

Watchlist test_watchlist created.

esm-delete-watchlist


Deletes a watchlist.

Base Command

esm-delete-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The watchlist IDs to delete. | Optional |
| names | The watchlist names to delete. | Optional |

Context Output

There is no context output for this command.

Command Example

!esm-delete-watchlist names=test_watchlist

Human Readable Output

Watchlists removed

esm-watchlist-add-entry


Creates a new watchlist entry.

Base Command

esm-watchlist-add-entry

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The watchlist name. | Optional |
| watchlist_id | The watchlist ID. | Optional |
| values | The values to add to the watchlist (CSV format). | Required |

Context Output

There is no context output for this command.

Command Example

!esm-watchlist-add-entry watchlist_name=test_watchlist values=1.1.1.1,2.2.2.2

Human Readable Output

Watchlist successfully updated.

esm-watchlist-delete-entry


Deletes a watchlist entry.

Base Command

esm-watchlist-delete-entry

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The watchlist name. | Optional |
| watchlist_id | The watchlist ID. | Optional |
| values | The values to remove from the watchlist (CSV format). | Required |

Context Output

There is no context output for this command.

Command Example

!esm-watchlist-delete-entry watchlist_name=test_watchlist values=1.1.1.1,2.2.2.2

Human Readable Output

Watchlist successfully updated.

esm-watchlist-list-entries


Gets watchlist entries.

Base Command

esm-watchlist-list-entries

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_name | The watchlist name. | Optional |
| watchlist_id | The watchlist ID. | Optional |
| limit | Maximum number of values to return. | Required |
| offset | Offset into the values. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| McAfeeESM.Watchlist.data | Unknown | The watchlist data. |
| McAfeeESM.Watchlist.name | string | The watchlist name. |

Command Example

!esm-watchlist-list-entries watchlist_name=test_watchlist

Context Example

    {
        "McAfeeESM": {
            "Watchlist": {
                "data": [
                    "1.1.1.1",
                    "2.2.2.2"
                ],
                "name": "test_watchlist"
            }
        }
    }

Human Readable Output

results from test_watchlist watchlist

| data |
| --- |
| 1.1.1.1, |
| 2.2.2.2, |