Skip to main content

McAfee NSM v2

This Integration is part of the McAfee NSM Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

McAfee Network Security Manager gives you real-time visibility and control over all McAfee intrusion prevention systems deployed across your network. This integration was integrated and tested with version 9.1 of McAfeeNSMv2

Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see Breaking Changes.

Configure McAfee NSM v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for McAfee NSM v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    URL (for example: https://192.168.0.1:5000)True
    User NameTrue
    PasswordTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

nsm-list-domain-firewall-policy#


Gets the list of firewall policies defined in a particular domain.

Base Command#

nsm-list-domain-firewall-policy

Input#

Argument NameDescriptionRequired
domain_idThe ID of the domain. To get the domain_id, use the !nsm-get-domains command.Required
limitThe maximum number of projects to return. Default is 50.Optional
pageThe specific result page to display.Optional
page_sizeThe number of records in a page.Optional

Context Output#

PathTypeDescription
NSM.Policy.policyIdNumberThe ID of the policy.
NSM.Policy.policyNameStringName of the firewall policy.
NSM.Policy.domainIdNumberThe ID of the domain.
NSM.Policy.visibleToChildBooleanWhether the policy is visible to child domains.
NSM.Policy.descriptionStringPolicy description.
NSM.Policy.isEditableBooleanWhether the policy is editable.
NSM.Policy.policyTypeStringPolicy type. Can be "ADVANCED" or "CLASSIC".
NSM.Policy.policyVersionNumberPolicy version.
NSM.Policy.lastModUserStringLast user who modified the policy.

Command example#

!nsm-list-domain-firewall-policy domain_id=0 limit=2

Context Example#

{
"NSM": {
"Policy": [
{
"description": "hello updatingg",
"domainId": 0,
"isEditable": true,
"lastModUser": "user",
"policyId": 292,
"policyName": "another policy",
"policyType": "ADVANCED",
"policyVersion": 1,
"visibleToChild": true
},
{
"description": "hello updatingg",
"domainId": 0,
"isEditable": true,
"lastModUser": "user",
"policyId": 161,
"policyName": "policy",
"policyType": "ADVANCED",
"policyVersion": 1,
"visibleToChild": true
}
]
}
}

Human Readable Output#

Firewall Policies List#

policyIdpolicyNamedomainIdvisibleToChilddescriptionisEditablepolicyTypepolicyVersionlastModUser
292another policy0truehello updatinggtrueADVANCED1user
161policy0truehello updatinggtrueADVANCED1user

nsm-get-firewall-policy#


Gets the firewall policy details.

Base Command#

nsm-get-firewall-policy

Input#

Argument NameDescriptionRequired
policy_idThe ID of the policy. To get the policy_id, use the !nsm-list-domain-firewall-policy command.Required
include_rule_objectsWhether to insert the rule objects that are linked to the policy in the context. True- the rule object will be inserted. False- not inserted. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
NSM.Policy.FirewallPolicyIdNumberUnique firewall policy ID.
NSM.Policy.NameStringPolicy name.
NSM.Policy.DomainIdNumberID of the domain to which this firewall policy belongs.
NSM.Policy.VisibleToChildBooleanWhether the policy is visible to a child domain.
NSM.Policy.DescriptionStringFirewall policy description.
NSM.Policy.LastModifiedTimeDateLast modified time of the firewall Policy.
NSM.Policy.IsEditableBooleanWhether the policy is editable.
NSM.Policy.PolicyTypeStringPolicy type. Can be "Advanced" / "Classic".
NSM.Policy.PolicyVersionNumberPolicy version.
NSM.Policy.LastModifiedUserStringLast user user modified the policy.
NSM.Policy.MemberDetails.MemberRuleList.DescriptionStringRule description.
NSM.Policy.MemberDetails.MemberRuleList.EnabledBooleanWhether the rule is enabled.
NSM.Policy.MemberDetails.MemberRuleList.ResponseStringAction to be performed if the traffic matches this rule. Can be "Scan" / "Drop" / "Deny" / "Ignore" / "Stateless Ignore" / "Stateless Drop" / "Require Authentication".
NSM.Policy.MemberDetails.MemberRuleList.IsLoggingBooleanWhether logging is enabled for this rule.
NSM.Policy.MemberDetails.MemberRuleList.DirectionStringRule direction. Can be "Inbound" / "Outbound" / "Either".
NSM.Policy.MemberDetails.MemberRuleList.SourceAddressObjectList.RuleObjectIdStringUnique rule object ID.
NSM.Policy.MemberDetails.MemberRuleList.SourceAddressObjectList.NameStringRule object name.
NSM.Policy.MemberDetails.MemberRuleList.SourceAddressObjectList.RuleObjectTypeUnknownSource or destination mode. Can be "Endpoint IP V.4" / "Range IP V.4" / "Network IP V.4" / "Endpoint IP V.6" / "Range IP V.6" / "Network IP V.6".
NSM.Policy.MemberDetails.MemberRuleList.DestinationAddressObjectList.RuleObjectIdStringUnique rule object ID.
NSM.Policy.MemberDetails.MemberRuleList.DestinationAddressObjectList.NameStringRule object name.
NSM.Policy.MemberDetails.MemberRuleList.DestinationAddressObjectList.RuleObjectTypeUnknownSource or destination mode. Can be "Endpoint IP V.4" / "Range IP V.4" / "Endpoint IP V.6" / "Range IP V.6" / "Network IP V.6".
NSM.Policy.MemberDetails.MemberRuleList.SourceUserObjectList.RuleObjectIdStringUnique rule object ID.
NSM.Policy.MemberDetails.MemberRuleList.SourceUserObjectList.NameStringRule object name.
NSM.Policy.MemberDetails.MemberRuleList.SourceUserObjectList.RuleObjectTypeStringSource user. Can be "USER" / "USER_GROUP".
NSM.Policy.MemberDetails.MemberRuleList.ServiceObjectList.RuleObjectIdStringUnique service rule object ID.
NSM.Policy.MemberDetails.MemberRuleList.ServiceObjectList.NameStringRule object name.
NSM.Policy.MemberDetails.MemberRuleList.ServiceObjectList.RuleObjectTypeUnknownService/ application mode. Can be "APPLICATION" / "APPLICATION_GROUP" / "APPLICATION_ON_CUSTOM_PORT" / "SERVICE" / "SERVICE_GROUP".
NSM.Policy.MemberDetails.MemberRuleList.ServiceObjectList.ApplicationTypeUnknownApplication type. Can be "DEFAULT" / "CUSTOM".
NSM.Policy.MemberDetails.MemberRuleList.ApplicationObjectList.RuleObjectIdStringUnique service rule object ID.
NSM.Policy.MemberDetails.MemberRuleList.ApplicationObjectList.NameStringRule object name.
NSM.Policy.MemberDetails.MemberRuleList.ApplicationObjectList.RuleObjectTypeUnknownService/ application mode. Can be "APPLICATION" / "APPLICATION_GROUP" / "APPLICATION_ON_CUSTOM_PORT" / "SERVICE" / "SERVICE_GROUP".
NSM.Policy.MemberDetails.MemberRuleList.ApplicationObjectList.ApplicationTypeUnknownApplication type. Can be "DEFAULT" / "CUSTOM".
NSM.Policy.MemberDetails.MemberRuleList.TimeObjectList.RuleObjectIdStringUnique service rule object ID.
NSM.Policy.MemberDetails.MemberRuleList.TimeObjectList.NameStringRule object name.
NSM.Policy.MemberDetails.MemberRuleList.TimeObjectList.RuleObjectTypeUnknownTime mode. Can be "FINITE_TIME_PERIOD" / "RECURRING_TIME_PERIOD" / "RECURRING_TIME_PERIOD_GROUP".

Command example#

!nsm-get-firewall-policy policy_id=147 include_rule_objects=true

Context Example#

{
"NSM": {
"Policy": {
"Description": "update policy",
"DomainId": 0,
"FirewallPolicyId": 147,
"IsEditable": true,
"LastModifiedTime": "2022-12-28 05:37:23",
"LastModifiedUser": "user",
"MemberDetails": {
"MemberRuleList": [
{
"ApplicationObjectList": [],
"Description": "r",
"DestinationAddressObjectList": [
{
"Name": "Any",
"RuleObjectId": "-1",
"RuleObjectType": null
}
],
"Direction": "EITHER",
"Enabled": true,
"IsLogging": false,
"Response": "SCAN",
"ServiceObjectList": [
{
"ApplicationType": null,
"Name": "Any",
"RuleObjectId": "-1",
"RuleObjectType": null
}
],
"SourceAddressObjectList": [
{
"Name": "Range V6 Test",
"RuleObjectId": "117",
"RuleObjectType": "IPV_6_ADDRESS_RANGE"
}
],
"SourceUserObjectList": [
{
"Name": "Any",
"RuleObjectId": "-1",
"RuleObjectType": "USER"
}
],
"TimeObjectList": [
{
"Name": "Always",
"RuleObjectId": "-1",
"RuleObjectType": null
}
]
}
]
},
"Name": "name147",
"PolicyType": "ADVANCED",
"PolicyVersion": 1,
"VisibleToChild": true
}
}
}

Human Readable Output#

Firewall Policy 147#

NameDescriptionVisibleToChildIsEditablePolicyTypePolicyVersionLastModifiedUserLastModifiedTime
name147update policytruetrueADVANCED1user2022-12-28 05:37:23

nsm-create-firewall-policy#


Adds a new firewall policy and access rules. You have to provide at lease one of the source/destination rule objects. If you provide the id or type of the source/destination rule object, you must provide the matching type or id the source/destination rule object as well.

Base Command#

nsm-create-firewall-policy

Input#

Argument NameDescriptionRequired
domainThe ID of the domain. To get the domain ID, use the !nsm-get-domains command.Required
nameThe policy name.Required
visible_to_childWhether the policy is visible to the child domain. Possible values are: yes, no. Default is yes.Optional
descriptionThe description of the policy.Required
is_editableWhether the policy is editable. Possible values are: yes, no. Default is yes.Optional
policy_typeThe type of the policy. Possible values are: Advanced, Classic.Required
rule_descriptionThe rule description.Required
responseAction to be performed if the traffic matches this rule. Possible values are: Scan, Drop, Deny, Ignore, Stateless Ignore, Stateless Drop, Require Authentication.Required
rule_enabledWhether the rule is enabled. Possible values are: yes, no. Default is yes.Optional
directionThe direction of the rule. Possible values are: Inbound, Outbound, Either.Required
source_rule_object_idThe ID of the rule connected to the policy. To get the rule_object_id use the command '!nsm-list-domain-rule-object'.Optional
source_rule_object_typeThe type of the rule connected to the policy. To get the rule_object_type use the command '!nsm-list-domain-rule-object'. Possible values are: Endpoint IP V.4, Range IP V.4, Network IP V.4, Endpoint IP V.6, Range IP V.6, Network IP V.6.Optional
destination_rule_object_idThe ID of the rule connected to the policy. To get the rule_object_id use the command '!nsm-list-domain-rule-object'.Optional
destination_rule_object_typeThe type of the rule connected to the policy. To get the rule_object_type use the command '!nsm-list-domain-rule-object'. Possible values are: Endpoint IP V.4, Range IP V.4, Network IP V.4, Endpoint IP V.6, Range IP V.6, Network IP V.6.Optional

Context Output#

PathTypeDescription
NSM.Policy.FirewallPolicyIdNumberThe ID of the newly created firewall policy.

Command example#

!nsm-create-firewall-policy domain=0 name=policy visible_to_child=yes description="a new policy" is_editable=yes policy_type=Advanced response=Scan rule_description="Test Member Rule" direction=Inbound destination_rule_object_id=111 destination_rule_object_type="Range IP V.4"

Context Example#

{
"NSM": {
"Policy": {
"FirewallPolicyId":112
}
}
}

Human Readable Output#

The firewall policy no.112 was created successfully

nsm-update-firewall-policy#


Updates the firewall policy details. If the argument is_overwrite=true, the new values of the provided addresses will replace the existing values, otherwise the addresses will be added to them.

  • If you want to delete a rule, enter is_overwrite=true and the relevant rule_object_id=-1.
  • If is_overwrite=false and there is no value in one of the rules (source or destination), their value will be as before.
  • If is_overwrite=true, at least one of the rules (source or destination) must be provided.
  • If you provide the id or type of the source/destination rule object, you must provide the matching type or id the source/destination rule object as well.

Base Command#

nsm-update-firewall-policy

Input#

Argument NameDescriptionRequired
policy_idThe ID of the policy. To get the policy ID, use the !nsm-list-domain-firewall-policy.Required
domainThe ID of the domain. To get the domain ID, use the !nsm-get-domains command.Optional
nameThe policy name.Optional
visible_to_childWhether the policy is visible to the child domain. Possible values are: yes, no. Default is yes.Optional
descriptionThe description of the policy.Optional
is_editableWhether the policy is editable. Possible values are: yes, no.Optional
policy_typeThe type of the policy. Possible values are: Advanced, Classic.Optional
rule_descriptionThe rule description.Optional
responseAction to be performed if the traffic matches this rule. Possible values are: Scan, Drop, Deny, Ignore, Stateless Ignore, Stateless Drop, Require Authentication.Optional
rule_enabledWhether the rule is enabled. Possible values are: yes, no. Default is yes.Optional
directionThe direction of the rule. Possible values are: Inbound, Outbound, Either.Optional
source_rule_object_idThe ID of the rule connected to the policy. To get the rule_object_id use the command '!nsm-list-domain-rule-object'.Optional
source_rule_object_typeThe type of the rule connected to the policy. To get the rule_object_type use the command '!nsm-list-domain-rule-object'. Possible values are: Endpoint IP V.4, Range IP V.4, Network IP V.4, Endpoint IP V.6, Range IP V.6, Network IP V.6.Optional
destination_rule_object_idThe ID of the rule connected to the policy. To get the rule_object_id use the command '!nsm-list-domain-rule-object'.Optional
destination_rule_object_typeThe type of the rule connected to the policy. To get the rule_object_type use the command '!nsm-list-domain-rule-object'. Possible values are: Endpoint IP V.4, Range IP V.4, Network IP V.4, Endpoint IP V.6, Range IP V.6, Network IP V.6.Optional
is_overwriteWhether the new addresses that were provided in the update processes will override the current ones or will be added to them. Possible values are: true, false.Optional

Context Output#

There is no context output for this command.

Command example#

!nsm-update-firewall-policy policy_id=147 description="update policy"

Human Readable Output#

The firewall policy no.147 was updated successfully

nsm-delete-firewall-policy#


Deletes the specified firewall policy.

Base Command#

nsm-delete-firewall-policy

Input#

Argument NameDescriptionRequired
policy_idThe ID of the policy to delete. To get the policy ID, use the !nsm-list-domain-firewall-policy.Required

Context Output#

There is no context output for this command.

Command example#

!nsm-delete-firewall-policy policy_id=101

Human Readable Output#

The firewall policy no.101 was deleted successfully

nsm-list-domain-rule-object#


Updates the firewall policy details.

Base Command#

nsm-list-domain-rule-object

Input#

Argument NameDescriptionRequired
domain_idThe ID of the domain. To get the domain ID, use the !nsm-get-domains command.Required
typeThe type of the rule. Possible values are: Endpoint IP V.4, Range IP V.4, Network IP V.4, Endpoint IP V.6, Range IP V.6, Network IP V.6, All. Default is All.Optional
limitThe maximum number of projects to return. Default is 50.Optional
pageThe specific result page to display.Optional
page_sizeThe number of records in a page.Optional

Context Output#

PathTypeDescription
NSM.Rule.ruleobjIdStringThe ID of the rule object.
NSM.Rule.ruleobjTypeStringThe type of the rule object.
NSM.Rule.nameStringThe name of the rule object.
NSM.Rule.descriptionStringThe description of the rule object.
NSM.Rule.domainNumberThe name of the rule object.
NSM.Rule.visibleToChildBooleanWhether the rule is visible to child domains.
NSM.Rule.hostCriticalityStringThe critical level of the host.
NSM.Rule.ApplicationGroupUnknownApplication Group object. Should be defined if ruleobjType is "APPLICATION_GROUP".
NSM.Rule.ApplicationOnCustomPortUnknownApplication defined on Custom Port object. Should be defined if ruleobjType is "APPLICATION_ON_CUSTOM_PORT".
NSM.Rule.FiniteTimePeriodUnknownFinite Time Period object. Should be defined if ruleobjType is "FINITE_TIME_PERIOD".
NSM.Rule.HostIPv4UnknownHost IPv4 Address object. Should be defined if ruleobjType is "HOST_IPV_4".
NSM.Rule.HostIPv6UnknownHost IPv6 Address object. Should be defined if ruleobjType is "HOST_IPV_6".
NSM.Rule.HostDNSNameUnknownHost DNS Name object. Should be defined if ruleobjType is "HOST_DNS_NAME".
NSM.Rule.IPv4AddressRangeUnknownIPv4 Address Range object. Should be defined if ruleobjType is "IPV_4_ADDRESS_RANGE".
NSM.Rule.IPv6AddressRangeUnknownIPv6 Address Range object. Should be defined if ruleobjType is "IPV_6_ADDRESS_RANGE".
NSM.Rule.Network_IPV_4UnknownIPv4 Network object. Should be defined if ruleobjType is "NETWORK_IPV_4.
NSM.Rule.Network_IPV_6StringIPv6 Network object. Should be defined if ruleobjType is "NETWORK_IPV_6".
NSM.Rule.NetworkGroupUnknownNetwork Group object. Should be defined if ruleobjType is "NETWORK_GROUP".
NSM.Rule.RecurringTimePeriodUnknownRecurring Time Period object. Should be defined if ruleobjType is "RECURRING_TIME_PERIOD".
NSM.Rule.RecurringTimePeriodGroupUnknownRecurring Time Period Group object. Should be defined if ruleobjType is "RECURRING_TIME_PERIOD_GROUP".
NSM.Rule.ServiceUnknownService object. Should be defined if ruleobjType is "CUSTOM_SERVICE".
NSM.Rule.ServiceGroupUnknownService Group object. Should be defined if ruleobjType is "SERVICE_GROUP".
NSM.Rule.ServiceRangeUnknownService Range object. Should be defined if ruleobjType is "SERVICE_RANGE".
NSM.Rule.IPv6AddressRange.IPV6RangeListStringList of IPv6 Address Range.
NSM.Rule.HostIPv6.hostIPv6AddressListStringHost IPv6 address list.
NSM.Rule.Network_IPV_4.networkIPV4ListStringNetwork IPV4 list.
NSM.Rule.IPv4AddressRange.IPV4RangeListStringList of IPv4 address range.
NSM.Rule.HostIPv4.hostIPv4AddressListStringHost IPv4 address list.
NSM.Rule.Network_IPV_6.networkIPV6ListStringNetwork IPV6 list.

Command example#

!nsm-list-domain-rule-object domain_id=0 limit=2

Context Example#

{
"NSM": {
"Rule": [
{
"ApplicationGroup": null,
"ApplicationOnCustomPort": null,
"FiniteTimePeriod": null,
"HostDNSName": null,
"HostIPv4": {
"hostIPv4AddressList": [
"1.1.1.1"
]
},
"HostIPv6": null,
"IPv4AddressRange": null,
"IPv6AddressRange": null,
"NetworkGroup": null,
"Network_IPV_4": null,
"Network_IPV_6": null,
"RecurringTimePeriod": null,
"RecurringTimePeriodGroup": null,
"Service": null,
"ServiceGroup": null,
"ServiceRange": null,
"description": null,
"domain": 0,
"hostCriticality": "HIGH",
"name": "testing",
"ruleobjId": "134",
"ruleobjType": "Endpoint IP V.4",
"visibleToChild": true
},
{
"ApplicationGroup": null,
"ApplicationOnCustomPort": null,
"FiniteTimePeriod": null,
"HostDNSName": null,
"HostIPv4": null,
"HostIPv6": null,
"IPv4AddressRange": {
"IPV4RangeList": [
{
"FromAddress": "1.1.1.1",
"ToAddress": "2.2.2.2"
}
]
},
"IPv6AddressRange": null,
"NetworkGroup": null,
"Network_IPV_4": null,
"Network_IPV_6": null,
"RecurringTimePeriod": null,
"RecurringTimePeriodGroup": null,
"Service": null,
"ServiceGroup": null,
"ServiceRange": null,
"description": null,
"domain": 0,
"hostCriticality": null,
"name": "ruleo",
"ruleobjId": "133",
"ruleobjType": "Range IP V.4",
"visibleToChild": true
}
]
}
}

Human Readable Output#

List of Rule Objects#

RuleIdNameVisibleToChildRuleType
134testingtrueEndpoint IP V.4
133ruleotrueRange IP V.4

nsm-get-rule-object#


Gets the details of a rule object.

Base Command#

nsm-get-rule-object

Input#

Argument NameDescriptionRequired
rule_idThe ID of the rule object. To get the rule object ID, use the !nsm-list-domain-rule-object.Required

Context Output#

PathTypeDescription
NSM.Rule.ruleobjIdStringThe ID of the rule object.
NSM.Rule.ruleobjTypeStringThe type of the rule object.
NSM.Rule.nameStringThe name of the rule object.
NSM.Rule.descriptionStringThe description of the rule object.
NSM.Rule.domainNumberThe name of the rule object.
NSM.Rule.visibleToChildBooleanWhether the rule is visible to child domains.
NSM.Rule.ApplicationGroupUnknownApplication Group object. Should be defined if ruleobjType is "APPLICATION_GROUP".
NSM.Rule.ApplicationOnCustomPortUnknownApplication defined on Custom Port object. Should be defined if ruleobjType is "APPLICATION_ON_CUSTOM_PORT".
NSM.Rule.FiniteTimePeriodUnknownFinite Time Period object. Should be defined if ruleobjType is "FINITE_TIME_PERIOD".
NSM.Rule.HostIPv4UnknownHost IPv4 Address object. Should be defined if ruleobjType is "HOST_IPV_4".
NSM.Rule.HostIPv6UnknownHost IPv6 Address object. Should be defined if ruleobjType is "HOST_IPV_6".
NSM.Rule.HostDNSNameUnknownHost DNS Name object. Should be defined if ruleobjType is "HOST_DNS_NAME".
NSM.Rule.IPv4AddressRangeUnknownIPv4 Address Range object. Should be defined if ruleobjType is "IPV_4_ADDRESS_RANGE".
NSM.Rule.IPv6AddressRangeUnknownIPv6 Address Range object. Should be defined if ruleobjType is "IPV_6_ADDRESS_RANGE".
NSM.Rule.Network_IPV_4UnknownIPv4 Network object. Should be defined if ruleobjType is "NETWORK_IPV_4.
NSM.Rule.Network_IPV_6StringIPv6 Network object. Should be defined if ruleobjType is "NETWORK_IPV_6".
NSM.Rule.NetworkGroupUnknownNetwork Group object. Should be defined if ruleobjType is "NETWORK_GROUP".
NSM.Rule.RecurringTimePeriodUnknownRecurring Time Period object. Should be defined if ruleobjType is "RECURRING_TIME_PERIOD".
NSM.Rule.RecurringTimePeriodGroupUnknownRecurring Time Period Group object. Should be defined if ruleobjType is "RECURRING_TIME_PERIOD_GROUP".
NSM.Rule.ServiceUnknownService object. Should be defined if ruleobjType is "CUSTOM_SERVICE".
NSM.Rule.ServiceGroupUnknownService Group object. Should be defined if ruleobjType is "SERVICE_GROUP".
NSM.Rule.ServiceRangeUnknownService Range object. Should be defined if ruleobjType is "SERVICE_RANGE".
NSM.Rule.IPv6AddressRange.IPV6RangeListStringList of IPv6 Address Range.
NSM.Rule.HostIPv6.hostIPv6AddressListStringHost IPv6 address list.
NSM.Rule.Network_IPV_4.networkIPV4ListStringNetwork IPV4 list.
NSM.Rule.Network_IPV_6.networkIPV6ListStringNetwork IPV6 list.
NSM.Rule.IPv4AddressRange.IPV4RangeListStringList of IPv4 Address Range.
NSM.Rule.HostIPv4.hostIPv4AddressListStringHost IPv4 address list.

nsm-create-rule-object#


Adds a new rule object.

  • If the type is “Endpoint IP V.X” or “Network IP V.X”, only the argument “address_ip_v.X” must contain a value.
  • If the type is “Range IP V.X”, only the arguments “from_address_ip_v.X”, “to_address_ip_v.X” must contain a value. Where X is 4 or 6 respectively.

Base Command#

nsm-create-rule-object

Input#

Argument NameDescriptionRequired
domainThe ID of the domain. To get the domain ID, use the !nsm-get-domains command.Required
rule_object_typeThe type of the rule.
If the type is “Endpoint IP V.X” or “Network IP V.X”, only the argument “address_ip_v.X” must contain a value.
If the type is “Range IP V.X”, only the arguments “from_address_ip_v.X”, “to_address_ip_v.X” must contain a value, where X is 4 or 6 respectively.
* Possible values are: Endpoint IP V.4, Range IP V.4, Network IP V.4, Endpoint IP V.6, Range IP V.6, Network IP V.6.
Required
nameThe rule object name.Required
visible_to_childWhether the rule object is visible to the child domain. Possible values are: yes, no. Default is yes.Optional
descriptionThe description of the rule object.Optional
address_ip_v.4List of IPv4 Host Address, separated by a comma.Optional
from_address_ip_v.4Start of the IPv4 range.Optional
to_address_ip_v.4End of the IPv4 range.Optional
address_ip_v.6List of IPv6 host addresses, separated by a comma.Optional
from_address_ip_v.6Start of the IPv6 range.Optional
to_address_ip_v.6End of the IPv6 range.Optional

Context Output#

PathTypeDescription
NSM.Rule.ruleobjIdNumberThe ID of the newly created rule object.

Command example#

!nsm-create-rule-object domain=0 rule_object_type="Range IP V.4" name="ruleo" visible_to_child=yes from_address_ip_v.4=1.1.1.1 to_address_ip_v.4=2.2.2.2

Context Example#

{
"NSM": {
"Rule": {
"ruleobjId": 154
}
}
}

Human Readable Output#

The rule object no.154 was created successfully

nsm-update-rule-object#


Updates a Rule object. In case of address rule update:

  • if the rule type is “Endpoint IP V.X” or “Network IP V.X”, only the argument “address_ip_v.X” should contain a value.
  • If the type is “Range IP V.X”, only the arguments “from_address_ip_v.X”, “to_address_ip_v.X” should contain a value, Where X is 4 or 6 respectively.

Base Command#

nsm-update-rule-object

Input#

Argument NameDescriptionRequired
domainThe ID of the domain. To get the domain ID, use the !nsm-get-domains command.Required
rule_idThe ID of the rule. To get the rule object ID, use the !nsm-list-domain-rule-object.Required
nameThe rule object name.Optional
visible_to_childWhether the rule object is visible to the child domain. Possible values are: yes, no. Default is yes.Optional
descriptionThe description of the rule object.Optional
address_ip_v.4List of IPv4 host addresses, separated by a comma.Optional
from_address_ip_v.4Start of the IPv4 range.Optional
to_address_ip_v.4End of the IPv4 range.Optional
address_ip_v.6List of IPv6 host addresses, separated by a comma.Optional
from_address_ip_v.6Start of the IPv6 range.Optional
to_address_ip_v.6End of the IPv6 range.Optional
is_overwriteWhether the new addresses that were provided in the update processes will override the current ones or will be added to them. The default is false, and the addresses will be added. Possible values are: true, false.Optional

Context Output#

There is no context output for this command.

Command example#

!nsm-update-rule-object domain=0 rule_id=125 description="new desc"

Human Readable Output#

The rule object no.125 was updated successfully.

nsm-delete-rule-object#


Deletes a rule object.

Base Command#

nsm-delete-rule-object

Input#

Argument NameDescriptionRequired
rule_idThe ID of the rule object. To get the rule object ID, use the !nsm-list-domain-rule-object.Required

Context Output#

There is no context output for this command.

Command example#

!nsm-delete-rule-object rule_id=125

Human Readable Output#

The rule object no.125 was deleted successfully.

nsm-get-alerts#


Retrieves the alerts.

Base Command#

nsm-get-alerts

Input#

Argument NameDescriptionRequired
limitThe maximum number of projects to return. Default is 50.Optional
pageThe specific result page to display.Optional
page_sizeThe number of records in a page.Optional
time_periodTime period. Possible values are: LAST_5_MINUTES, LAST_1_HOUR, LAST_6_HOURS, LAST_12_HOURS, LAST_24_HOURS, LAST_7_DAYS, LAST_14_DAYS, CUSTOM. Default is LAST_7_DAYS.Optional
start_timeStart time in "mm/dd/yyyy HH:MM" format. Used for custom time only.Optional
end_timeEnd time in "mm/dd/yyyy HH:MM" format. Used for custom time only.Optional
stateAlert state. Possible values are: ANY, Acknowledged, Unacknowledged. Default is ANY.Optional
searchSearch string in alert details.Optional
filterFilter alert by fields. For example: "name:hello;direction:Inbound,Outbound;attackcount:>3,<4". To use the "name" field in the filter, enter only one name in each command run. Filter on the following columns is allowed- name, assignTo, application, layer7Data, result, attackCount, relevance, alertId, direction, device, domain, interface, attackSeverity, nspId, btp, attackCategory, malwarefileName, malwarefileHash, malwareName, malwareConfidence, malwareEngine ,executableName, executableHash, executableConfidenceName, attackerIPAddress, attackerPort, attackerRisk, attackerProxyIP, attackerHostname, targetIPAddress, targetPort, targetRisk, targetProxyIP, targetHostname, botnetFamily.Optional
domain_idThe ID of the domain. To get the domain_id, use the !nsm-get-domains command.Optional

Context Output#

PathTypeDescription
NSM.Alerts.IDnumberAlert ID.
NSM.Alerts.NameStringAlert name.
NSM.Alerts.uniqueAlertIdStringUnique alert ID.
NSM.Alerts.StateStringAlert state (Acknowledged,Unacknowledged).
NSM.Alerts.AssigneeStringAlert assignee.
NSM.Alerts.CreatedTimeStringAlert creation time.
NSM.Alerts.AttackSeverityStringAlert severity.
NSM.Alerts.Event.timeDateThe creation time of the event that triggered the alert.
NSM.Alerts.Event.directionStringThe direction of the event (Outbound, Inbound).
NSM.Alerts.Event.resultStringThe result of the event.
NSM.Alerts.Event.attackCountNumberAttack count.
NSM.Alerts.Event.relevanceStringThe event relevance.
NSM.Alerts.Event.alertIdStringAlert ID.
NSM.Alerts.Event.domainStringThe event's domain.
NSM.Alerts.Event.interfaceStringThe event's interface.
NSM.Alerts.Event.deviceStringThe relevant device.
NSM.Alerts.Attack.nspIdStringNetwork Security Platform (NSP) ID.
NSM.Alerts.Attack.btpStringBenign Trigger Probability (BTP).
NSM.Alerts.Attack.attackCategoryStringThe attack category.
NSM.Alerts.Attacker.ipAddrsStringThe attacker IP address.
NSM.Alerts.Attacker.portNumberThe attacker port.
NSM.Alerts.Attacker.hostNameStringThe attacker host name.
NSM.Alerts.Attacker.countryStringThe attacker country.
NSM.Alerts.Attacker.osUnknownThe attacker operating system.
NSM.Alerts.Attacker.vmNameUnknownThe attacker VM name.
NSM.Alerts.Attacker.proxyIPStringThe attacker proxy IP.
NSM.Alerts.Attacker.userUnknownThe user.
NSM.Alerts.Attacker.riskStringAttacker risk.
NSM.Alerts.Attacker.networkObjectUnknownThe attacker network object.
NSM.Alerts.Target.ipAddrsStringThe target IP address.
NSM.Alerts.Target.portNumberThe target port.
NSM.Alerts.Target.hostNameStringThe target host name.
NSM.Alerts.Target.countryStringThe target country.
NSM.Alerts.Target.osUnknownThe target operating system.
NSM.Alerts.Target.vmNameUnknownThe target VM name.
NSM.Alerts.Target.proxyIPStringThe target proxy IP.
NSM.Alerts.Target.userUnknownThe target user.
NSM.Alerts.Target.riskStringThe target risk.
NSM.Alerts.Target.networkObjectUnknownThe target network object.
NSM.Alerts.MalwareFile.fileNameStringThe name of the malware file.
NSM.Alerts.MalwareFile.fileHashStringThe file hash of the malware file.
NSM.Alerts.MalwareFile.fileSHA1HashStringThe malware file SHA1 hash.
NSM.Alerts.MalwareFile.fileSHA256HashUnknownThe file SHA256 hash of the malware file.
NSM.Alerts.MalwareFile.malwareNameStringThe name of the malware.
NSM.Alerts.MalwareFile.malwareConfidenceStringMalware confidence
NSM.Alerts.MalwareFile.engineStringMalware file engine.
NSM.Alerts.MalwareFile.engineIdNumberMalware file engine ID.
NSM.Alerts.MalwareFile.sizeUnknownThe malware file size.
NSM.Alerts.MalwareFile.descriptionUnknownMalware file description.
NSM.Alerts.MalwareFile.additionalReferenceUnknownMalware file additional reference.
NSM.Alerts.MalwareFile.cveIdUnknownMalware file CVE ID.
NSM.Alerts.endpointExcutable.nameStringEndpoint executable name.
NSM.Alerts.endpointExcutable.hashStringEndpoint executable hash.
NSM.Alerts.endpointExcutable.malwareConfidenceStringEndpoint executable malware confidence.
NSM.Alerts.detection.managerIdNumbermanager ID.
NSM.Alerts.detection.managerUnknownThe detection manager.
NSM.Alerts.detection.domainStringDetection domain.
NSM.Alerts.detection.deviceStringDetection device.
NSM.Alerts.detection.deviceIdStringDetection device ID.
NSM.Alerts.detection.interfaceStringDetection interface.
NSM.Alerts.ApplicationStringThe application associated to the alert.
NSM.Alerts.layer7DataStringLayer 7 information.
NSM.Alerts.EventResultStringEvent result.
NSM.Alerts.SensorIDStringSensor ID.

Command example#

!nsm-get-alerts domain_id=0 time_period=CUSTOM start_time="12/17/2000 14:14:22" end_time="12/18/2022 00:26:45" limit=2

Context Example#

{
"NSM": {
"Alerts": [
{
"Application": "HTTP",
"Assignee": "",
"Attack": {
"attackCategory": "Exploit",
"btp": "Medium",
"nspId": "0x00000000"
},
"Attacker": {
"country": null,
"hostName": "",
"ipAddrs": "1.1.1.1",
"networkObject": null,
"os": null,
"port": 22222,
"proxyIP": "",
"risk": "Disabled",
"user": null,
"vmName": null
},
"CreatedTime": "Dec 17, 2018 21:06:21",
"Event": {
"alertId": "3333333333333333333",
"attackCount": 1,
"device": "VVVV1",
"direction": "Outbound",
"domain": "/My Domain",
"interface": "1-2",
"relevance": "Unknown",
"result": "Inconclusive",
"time": "Dec 17, 2018 21:06:21"
},
"EventResult": "Inconclusive",
"ID": "3333333333333333333",
"MalwareFile": {
"additionalReference": null,
"cveId": null,
"description": null,
"engine": "",
"engineId": 0,
"fileHash": "",
"fileName": "",
"malwareConfidence": "",
"malwareName": "",
"size": null
},
"Name": "HTTP: vulnerability",
"SensorID": "4444",
"Target": {
"country": null,
"hostName": "",
"ipAddrs": "2.2.2.2",
"networkObject": null,
"os": null,
"port": 80,
"proxyIP": "",
"risk": "Disabled",
"user": null,
"vmName": null
},
"State": "Acknowledged",
"attackSeverity": "High",
"detection": {
"device": "VVVV1",
"deviceId": "4444",
"domain": "/My Domain",
"interface": "1-2",
"manager": null,
"managerId": 0
},
"endpointExcutable": {
"hash": "",
"malwareConfidence": "",
"name": ""
},
"layer7Data": "HTTP Request Method: GET ",
"uniqueAlertId": "1212121212121212121"
},
{
"Application": "Web",
"Assignee": "",
"Attack": {
"attackCategory": "Exploit",
"btp": "Low",
"nspId": "0x00000000"
},
"Attacker": {
"country": null,
"hostName": "",
"ipAddrs": "1.1.1.1",
"networkObject": null,
"os": null,
"port": 12345,
"proxyIP": "",
"risk": "---",
"user": null,
"vmName": null
},
"CreatedTime": "Dec 17, 2018 21:04:21",
"Event": {
"alertId": "5555555555555555555",
"attackCount": 1,
"device": "VVVV1",
"direction": "Inbound",
"domain": "/My Dmain",
"interface": "1-2",
"relevance": "Unknown",
"result": "Inconclusive",
"time": "Dec 17, 2018 21:04:21"
},
"EventResult": "Inconclusive",
"ID": "5555555555555555555",
"MalwareFile": {
"additionalReference": null,
"cveId": null,
"description": null,
"engine": "",
"engineId": 0,
"fileHash": "",
"fileName": "",
"malwareConfidence": "",
"malwareName": "",
"size": null
},
"Name": "HTTP: IIS 6.0 (CVE-2017-7269)",
"SensorID": "4444",
"Target": {
"country": null,
"hostName": "",
"ipAddrs": "2.2.2.2",
"networkObject": null,
"os": null,
"port": 80,
"proxyIP": "",
"risk": "---",
"user": null,
"vmName": null
},
"alertState": "Acknowledged",
"attackSeverity": "High",
"detection": {
"device": "VVVV1",
"deviceId": "4444",
"domain": "/My Domain",
"interface": "1-2",
"manager": null,
"managerId": 0
},
"endpointExcutable": {
"hash": "",
"malwareConfidence": "",
"name": ""
},
"layer7Data": "HTTP Request Method: PROPFIND",
"uniqueAlertId": "2323232323232323232"
}
]
}
}

Human Readable Output#

Alerts list. Showing 2 of 20#

IDNameSeverityState
3333333333333333333HTTP: vulnerabilityHighAcknowledged
5555555555555555555HTTP: IIS 6.0 (CVE-2017-7269)HighAcknowledged

nsm-get-alert-details#


Retrieves the relevant alert details.

Base Command#

nsm-get-alert-details

Input#

Argument NameDescriptionRequired
alert_idAlert ID. In order to get the alert ID, use the command '!nsm-get-alerts' and use the output field “ID”.Required
sensor_idSensor ID. In order to get the sensor ID, use the command '!nsm-get-alerts' and use the output field “SensorID”.Required

Context Output#

PathTypeDescription
NSM.Alerts.IDnumberAlert ID.
NSM.Alerts.NameStringAlert name.
NSM.Alerts.CreatedTimeStringAlert creation time.
NSM.Alerts.uniqueAlertIdStringUnique alert ID.
NSM.Alerts.StateStringThe state of the alert.
NSM.Alerts.AssigneeStringAlert assignee.
NSM.Alerts.Event.applicationStringThe event application.
NSM.Alerts.Event.protocolUnknownThe event protocol.
NSM.Alerts.Event.domainStringThe domain of the event.
NSM.Alerts.Event.managerUnknownThe event manager.
NSM.Alerts.Event.deviceStringThe event device.
NSM.Alerts.Event.deviceIdStringThe ID of the device related to the event.
NSM.Alerts.Event.matchedPolicyStringThe policy that matched the event.
NSM.Alerts.Event.zoneUnknownThe event zone.
NSM.Alerts.Event.vlanStringThe event VLAN.
NSM.Alerts.Event.detectionStringThe event detection.
NSM.Alerts.CreatedTimeDateThe creation time of the event.
NSM.Alerts.EventResultStringThe event result.
NSM.Alerts.Event.attackCountNumberEvent attack count.
NSM.Alerts.Event.relevanceStringThe relevance of the event.
NSM.Alerts.Event.alertIdStringAlert ID.
NSM.Alerts.Attacker.ipAddrsUnknownAttacker IP addresses.
NSM.Alerts.Attacker.portNumberAttacker port.
NSM.Alerts.Attacker.hostNameUnknownAttacker host name.
NSM.Alerts.Attacker.countryUnknownAttacker country.
NSM.Alerts.Attacker.osStringAttacker operating system.
NSM.Alerts.Attacker.vmNameUnknownAttacker VM name.
NSM.Alerts.Attacker.proxyIPUnknownAttacker proxy IP.
NSM.Alerts.Attacker.userStringAttacker user.
NSM.Alerts.Attacker.riskStringAttacker risk.
NSM.Alerts.Attacker.networkObjectStringAttacker network object.
NSM.Alerts.Target.ipAddrsUnknownTarget IP address.
NSM.Alerts.Target.portNumberTarget port.
NSM.Alerts.Target.hostNameUnknownTarget host name.
NSM.Alerts.Target.countryUnknownTarget country.
NSM.Alerts.Target.osStringTarget operating system.
NSM.Alerts.Target.vmNameUnknownTarget VM name.
NSM.Alerts.Target.proxyIPUnknownTarget proxy IP.
NSM.Alerts.Target.userStringTarget user.
NSM.Alerts.Target.riskStringTarget risk.
NSM.Alerts.Target.networkObjectStringTarget network object.
NSM.Alerts.summary.sourceUnknownThe source of the alert.
NSM.Alerts.summary.destinationUnknownThe destination of the alert.
NSM.Alerts.summary.zoombieUnknownAlert zoombie.
NSM.Alerts.summary.cAndcServerUnknownThe command and control server.
NSM.Alerts.summary.fastFluxAgentUnknownFast flux agent.
NSM.Alerts.summary.attackedHIPEndpointUnknownAttacked host intrusion prevention (HIP) endpoint.
NSM.Alerts.summary.compromisedEndpointUnknownCompromised endpoint.
NSM.Alerts.Details.matchedSignatureUnknownMatched signature.
NSM.Alerts.MalwareFileUnknownMalware file.
NSM.Alerts.Details.hostSweepUnknownHost sweep.
NSM.Alerts.Details.portScanUnknownPort scan.
NSM.Alerts.Details.fastFluxUnknownFast flux.
NSM.Alerts.Details.triggeredComponentAttacksUnknownTriggered component attack.
NSM.Alerts.Details.sqlInjectionUnknownSQL injection.
NSM.Alerts.Details.callbackDetectorsUnknownCallback detectors.
NSM.Alerts.Details.exceededThresholdUnknownExceeded threshold.
NSM.Alerts.Details.communicationRuleMatchUnknownCommunication rule match.
NSM.Alerts.DescriptionStringDescription.
NSM.Alerts.Description.btpStringBenign Trigger Probability (BTP).
NSM.Alerts.Description.rfSBStringRecommended For Smart Blocking (RFSB).
NSM.Alerts.Description.protectionCategoryStringProtection category.
NSM.Alerts.Description.targetStringThe target.
NSM.Alerts.Description.httpResponseAttackStringHTTP response attack.
NSM.Alerts.Description.priorityStringPriority.
NSM.Alerts.ProtocolsStringProtocols.
NSM.Alerts.Attack.attackCategoryStringAttack category.
NSM.Alerts.Attack.attackSubCategoryStringAttack sub-category.
NSM.Alerts.Description.snortEngineStringSnort engine.
NSM.Alerts.Description.versionAddedStringThe date the version was added.
NSM.Alerts.Description.versionUpdatedUnknownThe date the version was updated.
NSM.Alerts.Attack.nspIdStringNetwork Security Platform (NSP) ID.
NSM.Alerts.Description.reference.cveIdStringCommon Vulnerabilities and Exposures (CVE) ID.
NSM.Alerts.Description.reference.microsoftIdStringMicrosoft ID.
NSM.Alerts.Description.reference.bugtraqIdStringBugtraq ID.
NSM.Alerts.Description.reference.certIdUnknownCert ID.
NSM.Alerts.Description.reference.arachNidsIdStringArachnics ID.
NSM.Alerts.Description.reference.additionInfoStringAdditional information.
NSM.Alerts.Description.comments.commentsStringComments.
NSM.Alerts.Description.comments.availabeToChildDomainsBooleanWhether the alert is available to child domains.
NSM.Alerts.Description.comments.parentDomainCommentsUnknownParent domain comments.
NSM.Alerts.Event.directionStringThe event direction.
NSM.Alerts.Event.interfaceStringThe event interface.

Command example#

!nsm-get-alert-details alert_id=6666666666666666666 sensor_id=1001

Context Example#

{
"NSM": {
"Alerts": {
"ID": "6666666666666666666",
"Name": "Buffer Overflow",
"uniqueAlertId": "3333333333333333333",
"State": "UnAcknowledged",
"CreatedTime": "Apr 23, 2020 22:26:13",
"Assignee": "---",
"Description": "some description",
"EventResult": "Inconclusive",
"Attack": {
"attackCategory": "Exploit",
"attackSubCategory": "Buffer Overflow",
"nspId": "0x00000000"
},
"Protocols": "dns",
"SensorID": "1001",
"Event": {
"application": "Not Available",
"protocol": "telnet",
"domain": "/My Domain",
"manager": null,
"device": "vm600-nsmapi-cc",
"interface": "1-2",
"matchedPolicy": "Default Prevention",
"zone": null,
"vlan": "-10",
"detection": "Application anomaly",
"direction": "Inbound",
"attackCount": 1,
"relevance": "Unknown",
"alertId": "6666666666666666666"
},
"Attacker": {
"ipAddrs": "9.9.9.9",
"port": 11111,
"hostName": null,
"country": null,
"os": "Microsoft Windows Server 2008",
"vmName": null,
"proxyIP": null,
"user": "Unknown",
"risk": "N/A",
"networkObject": "---"
},
"Target": {
"ipAddrs": "1.1.1.1",
"port": 88888,
"hostName": null,
"country": null,
"os": "Microsoft Windows Server 2003 Service Pack 1",
"vmName": null,
"proxyIP": null,
"user": "Unknown",
"risk": "N/A",
"networkObject": "---"
},
"MalwareFile": null,
"summary": {
"source": null,
"destination": null,
"zoombie": null,
"cAndcServer": null,
"fastFluxAgent": null,
"attackedHIPEndpoint": null,
"compromisedEndpoint": null
},
"Details": {
"matchedSignature": {
"signatureName": "overflow-iquery.c",
"signature": {
"name": "Signature#1",
"conditions": [
"condition 1",
"condition 2",
"condition 3",
"condition 4"
]
}
},
"layer7": null,
"hostSweep": null,
"portScan": null,
"fastFlux": null,
"triggeredComponentAttacks": null,
"sqlInjection": null,
"callbackDetectors": null,
"exceededThreshold": null,
"communicationRuleMatch": null
},
"description": {
"btp": "Low",
"rfSB": "Yes",
"protectionCategory": "[Server Protection/Name Servers]",
"target": "Server",
"httpResponseAttack": "No",
"priority": "High",
"reference": {
"cveId": "CVE-1999-0009",
"microsoftId": "",
"bugtraqId": "123",
"certId": null,
"arachNidsId": "",
"additionInfo": "http://www.website.com/"
},
"signatures": [
{
"name": "Signature#1",
"conditions": [
"condition 1",
"condition 2",
"condition 3",
"condition 4"
]
},
{
"name": "Signature#2",
"conditions": [
"condition 1",
"condition 2",
"condition 3",
"condition 4"
]
},
{
"name": "Signature#3",
"conditions": [
"condition 1",
"condition 2",
"condition 3",
"condition 4",
"condition 5"
]
}
],
"componentAttacks": [],
"comments": {
"comments": "",
"availabeToChildDomains": true,
"parentDomainComments": null
}
}
}
}
}

Human Readable Output#

Alerts list. Showing 2 of 20#

IDNameEvent TimeStateDirectionResultAttack CountAttacker IPTarget IP
6666666666666666666Buffer OverflowApr 23, 2020 22:26:13UnAcknowledgedInboundInconclusive19.9.9.91.1.1.1

nsm-get-attacks#


If an attack is given, the command returns the details for the specific attack. Otherwise, gets all available attack definitions in the Manager UI. This command can take a few minutes. If you get a timeout error, increase the timeout by using the parameter "execution-timeout".

Base Command#

nsm-get-attacks

Input#

Argument NameDescriptionRequired
attack_idThe ID of the attack. To get the attack_id, use the !nsm-get-attacks command, without an attack ID.Optional

Context Output#

PathTypeDescription
InfoFile.NamestringFile name.
InfoFile.EntryIDstringThe entry ID of the report.
InfoFile.SizenumberFile size.
InfoFile.TypestringFile type, e.g., "PE".
InfoFile.InfostringBasic information about the file.
NSM.Attacks.DirectionUnknownAttack direction.
NSM.Attacks.SeverityNumberAttack severity.
NSM.Attacks.IDStringAttack ID.
NSM.Attacks.NameStringAttack name.
NSM.Attacks.CategoryStringAttack category.
NSM.Attacks.description.definitionStringAttack Definition
NSM.Attacks.description.btpStringBenign Trigger Probability (BTP).
NSM.Attacks.description.rfSBStringRecommended For Smart Blocking (RFSB).
NSM.Attacks.description.protectionCategoryStringProtection category.
NSM.Attacks.description.targetStringAttack target.
NSM.Attacks.description.httpResponseAttackStringHTTP Response Attack.
NSM.Attacks.description.priorityStringAttack priority.
NSM.Attacks.description.protocolsStringAttack protocols.
NSM.Attacks.description.attackCategoryStringAttack category.
NSM.Attacks.description.attackSubCategoryStringAttack sub-category.
NSM.Attacks.description.snortEngineStringAttack snort engine.
NSM.Attacks.description.versionAddedStringThe date the attack version was added.
NSM.Attacks.description.versionUpdatedStringThe date the attack version was updated.
NSM.Attacks.description.reference.nspIdStringAttack Network Security Platform (NSP) ID.
NSM.Attacks.description.reference.cveIdStringAttack Common Vulnerabilities and Exposures (CVE) ID.
NSM.Attacks.description.reference.microsoftIdStringAttack Microsoft ID.
NSM.Attacks.description.reference.bugtraqIdStringAttack bugtraq ID.
NSM.Attacks.description.reference.certIdStringAttack cert ID.
NSM.Attacks.description.reference.arachNidsIdStringArachnids ID.
NSM.Attacks.description.reference.additionInfoUnknownAdditional information.
NSM.Attacks.description.comments.commentsStringComments.
NSM.Attacks.description.comments.availabeToChildDomainsBooleanWhether the attack is available to child domains.
NSM.Attacks.description.comments.parentDomainCommentsUnknownParent domain comments.

Command example#

!nsm-get-attacks attack_id=0x00000100

Context Example#

{
"NSM": {
"Attacks": {
"Category": null,
"Direction": null,
"ID": "0x00000100",
"Name": "IP: too Large",
"Severity": 5,
"UiCategory": "EXPLOIT"
}
}
}

Human Readable Output#

Attack no.0x00000100#

IDNameSeverity
0x00000100IP: too Large5

nsm-get-domains#


If a domain ID is given, the command returns the details of the specific domain. Otherwise, gets all available domains.

Base Command#

nsm-get-domains

Input#

Argument NameDescriptionRequired
domain_idSpecific domain ID. Leave blank for all domains. To get the domain_id use !nsm-get-domains command and leave the parameter blank.Optional
limitThe maximum number of projects to return. Default is 50.0.Optional
pageThe specific result page to display.Optional
page_sizeThe number of records in a page.Optional

Context Output#

PathTypeDescription
NSM.Domains.IDNumberDomain ID.
NSM.Domains.NameStringDomain name.
NSM.Domains.childdomainsUnknownThe children of the domain.

Command example#

!nsm-get-domains

Context Example#

{
"NSM": {
"Domains": {
"ID": 0,
"Name": "My Company",
"childdomains": []
}
}
}

Human Readable Output#

List of Domains#

IDName
0My Company

nsm-get-sensors#


Gets the list of sensors available in the specified domain. If the domain is not specified, details of all the sensors in all ADs will be provided.

Base Command#

nsm-get-sensors

Input#

Argument NameDescriptionRequired
domain_idSpecific domain ID. Leave blank for all domains. To get the domain_id use !nsm-get-domains command and leave the parameter blank.Optional
limitThe maximum number of projects to return. Default is 50.Optional
pageThe specific result page to display.Optional
page_sizeThe number of records in a page.Optional

Context Output#

PathTypeDescription
NSM.Sensors.IDNumberSensor ID.
NSM.Sensors.NameStringName of the sensor.
NSM.Sensors.modelStringSensor model.
NSM.Sensors.DescriptionStringSensor description.
NSM.Sensors.DomainIDNumberID of the domain to which this sensor belongs.
NSM.Sensors.isFailOverBooleanWhether the sensor is failover.
NSM.Sensors.isNTBABooleanWhether there is Network Threat Behavior Analysis (NTBA).
NSM.Sensors.isLoadBalancerBooleanWhether the sensor is a load balancer.
NSM.Sensors.SerialNumberUnknownThe sensor serial number.
NSM.Sensors.SigsetVersionStringSignature set version number applied to the sensor.
NSM.Sensors.DATVersionStringDAT version of the sensor.
NSM.Sensors.SoftwareVersionStringSensor software version.
NSM.Sensors.LastSignatureUpdateTsDateLast configuration download timestamp.
NSM.Sensors.IPSPolicyIDNumberIntrusion prevent system (IPS) policy ID applied to the sensor.
NSM.Sensors.ReconPolicyIDNumberRecon policy ID applied to the sensor.
NSM.Sensors.LastModTsUnknownLast modified timestamp.
NSM.Sensors.IP AddressStringSensor IP address.
NSM.Sensors.nsmVersionStringNetwork Security Manager (NSM) version.
NSM.Sensors.MemberSensorsUnknownSensors members.

Command example#

!nsm-get-sensors

Context Example#

{
"NSM": {
"Sensors": {
"DATVersion": null,
"Description": "MCAFEE-NETWORK-SECURITY-PLATFORM",
"DomainID": 0,
"ID": 1111,
"IP Address": "1.1.1.1",
"IPSPolicyID": 0,
"LastModTs": null,
"LastSignatureUpdateTs": "2022-12-04 02:07:45",
"MemberSensors": [],
"Name": "VVVV1",
"ReconPolicyID": 0,
"SigsetVersion": null,
"SoftwareVersion": "9.9.9.9",
"isFailOver": false,
"isLoadBalancer": false,
"model": "IPS-VM100",
"nsmVersion": "9.1"
}
}
}

Human Readable Output#

Sensors List#

IDNameDescriptionDomainIDIPSPolicyIDIP Address
1111VVVV1MCAFEE-NETWORK-SECURITY-PLATFORM001.1.1.1

nsm-get-ips-policies#


Gets all the IPS policies defined in the specific domain.

Base Command#

nsm-get-ips-policies

Input#

Argument NameDescriptionRequired
domain_idSpecific domain ID. To get the domain_id use !nsm-get-domains command and leave the parameter blank.Required
limitThe maximum number of projects to return. Default is 50.Optional
pageThe specific result page to display.Optional
page_sizeThe number of records in a page.Optional

Context Output#

PathTypeDescription
NSM.IPSPolicies.IsEditableBooleanWhether the IPS policy is editable.
NSM.IPSPolicies.DomainIDNumberID of the domain to which this policy belongs.
NSM.IPSPolicies.VisibleToChildrenBooleanPolicy visible to child domain.
NSM.IPSPolicies.IDNumberIPS policy ID.
NSM.IPSPolicies.NameStringIPS policy name.

Command example#

!nsm-get-ips-policies domain_id=0 limit=2

Context Example#

{
"NSM": {
"IPSPolicies": [
{
"DomainID": 0,
"ID": -1,
"IsEditable": true,
"Name": "Master",
"VisibleToChildren": true
},
{
"DomainID": 0,
"ID": 0,
"IsEditable": true,
"Name": "Default",
"VisibleToChildren": true
}
]
}
}

Human Readable Output#

IPS Policies List of Domain no.0#

IDNameDomainIDIsEditableVisibleToChildren
-1Master0truetrue
0Default0truetrue

nsm-get-ips-policy-details#


Gets all the IPS policies defined in the specific domain.

Base Command#

nsm-get-ips-policy-details

Input#

Argument NameDescriptionRequired
policy_idSpecific IPS policy ID. To get the policy_id use !nsm-get-ips-policies command.Required

Context Output#

PathTypeDescription
NSM.IPSPolicies.IDnumberIPS policy ID.
NSM.IPSPolicies.NamestringIPS policy name.
NSM.IPSPolicies.DescriptionstringIPS policy information.
NSM.IPSPolicies.CreatedTimestringPolicy creation time.
NSM.IPSPolicies.IsEditablebooleanWhether the IPS policy is editable.
NSM.IPSPolicies.VisibleToChildrenbooleanWhether the IPS Policy is visible to the domain's children.
NSM.IPSPolicies.VersionnumberIPS policy version.
NSM.IPSPolicies.InboundRuleSetstringInbound rule set.
NSM.IPSPolicies.OutboundRuleSetstringOutbound rule set.
NSM.IPSPolicies.ExploitAttacksUnknownA list of exploit attacks related to the IPS policy.

Command example#

!nsm-get-ips-policy-details policy_id=17

Context Example#

{
"NSM": {
"IPSPolicies": {
"ID": 17,
"Name": "IpsPolicy",
"Description": "To test the IPS policy",
"VisibleToChildren": true,
"InboundRuleSet": "TestIPS",
"OutboundRuleSet": "Null",
"ExpolitAttack":
[
{
"attackName": "FTP: VMware",
"nspId": "0x00000000",
"severity": 7,
"isSeverityCustomized": false,
"isEnabled": true,
"isAlertCustomized": false,
"isRecommendedForSmartBlocking": false,
"AttackResponse":
{
"TCPReset": "DISABLED",
"isTcpResetCustomized": false,
"isICMPSend": false,
"isICMPSendCustomized": false,
"mcAfeeNACNotification": "DISABLED",
"isMcAfeeNACNotificationEnabled": false,
"isQuarantineCustomized": false,
"isRemediateEnabled": false,
"blockingOption": "DISABLE",
"isBlockingOptionCustomized": false,
"isCapturedPrior": true,
"isCapturedPriorCustomized": false,
"action": "SEND_ALERT_ONLY",
"isLogCustomized": false,
"isFlowCustomized": false,
"isNbytesCustomized": false,
"numberOfBytesInEachPacket":
{
"LogEntirePacket":
{
}
}
},
"notification":
{
"isEmail": false,
"isPager": false,
"isScript": false,
"isAutoAck": false,
"isSnmp": false,
"isSyslog": false,
"isEmailCustomized": false,
"isPagerCustomized": false,
"isScriptCustomized": false,
"isAutoAckCustomized": false,
"isSnmpCustomized": false,
"isSyslogCustomized": false
},
"protocolList":
[
"ftp"
],
"benignTriggerProbability": "1 (Low)",
"blockingType": "attack-packet",
"subCategory": "code-execution",
"direction": "INBOUND",
"isAttackCustomized": false
}
],
"AttackCategory":
{
},
"OutboundAttackCategory":
{
},
"DosPolicy":
{
"LearningAttack":
[
{
"attackName": "TCP Control Segment Anomaly",
"nspId": "0x00000000",
"isSeverityCustomized": false,
"severity": 7,
"isBlockingSettingCustomized": false,
"isDropPacket": false,
"IsAlertCustomized": false,
"isSendAlertToManager": true,
"direction": "BOTH",
"notification":
{
"isEmail": false,
"isPager": false,
"isScript": false,
"isAutoAck": false,
"isSnmp": false,
"isSyslog": false,
"isEmailCustomized": false,
"isPagerCustomized": false,
"isScriptCustomized": false,
"isAutoAckCustomized": false,
"isSnmpCustomized": false,
"isSyslogCustomized": false
},
"isAttackCustomized": false
}
],
"ThresholdAttack":
[
{
"attackName": "Too Many Inbound TCP SYNs",
"nspId": "0x00000000",
"isSeverityCustomized": false,
"severity": 6,
"isThresholdValueCustomized": false,
"isThresholdDurationCustomized": false,
"ThresholdValue": 2000,
"ThresholdDuration": 5,
"isAlertCustomized": false,
"isSendAlertToManager": false,
"Notification":
{
"isEmail": false,
"isPager": false,
"isScript": false,
"isAutoAck": false,
"isSnmp": false,
"isSyslog": false,
"isEmailCustomized": false,
"isPagerCustomized": false,
"isScriptCustomized": false,
"isAutoAckCustomized": false,
"isSnmpCustomized": false,
"isSyslogCustomized": false
},
"direction": "INBOUND",
"isAttackCustomized": false
}
],
"TimeStamp": "2012-06-20 18:44:55.000"
},
"DosResponseSensitivityLevel": 0,
"IsEditable": false,
"CreatedTime": "2012-06-20 18:44:55.000",
"Version": 1,
"IsLightWeightPolicy": false
}
}
}

Human Readable Output#

IPS Policy no.17 Details#

IDNameDescriptionCreatedTimeIsEditableVisibleToChildrenVersionInboundRuleSetOutboundRuleSet
17IpsPolicyTo test the IPS policyTo test the IPS policyfalsetrue1To test the IPS policyNull

nsm-update-alerts#


Update state or assignee of alerts. It is required to provide at least one of them. If none of the alerts match the time_period they won't be updated.

Base Command#

nsm-update-alerts

Input#

Argument NameDescriptionRequired
stateAlert state. Possible values are: ANY, Acknowledged, Unacknowledged. Default is ANY.Optional
time_periodTime period. Possible values are: LAST_5_MINUTES, LAST_1_HOUR, LAST_6_HOURS, LAST_12_HOURS, LAST_24_HOURS, LAST_7_DAYS, LAST_14_DAYS, CUSTOM. Default is LAST_7_DAYS.Optional
start_timeStart time in "mm/dd/yyyy HH:MM" format. Used for custom time only.Optional
end_timeEnd time in "mm/dd/yyyy HH:MM" format. Used for custom time only.Optional
new_stateThe new alert state. Possible values are: Acknowledged, Unacknowledged.Optional
new_assigneeThe new assignee.Optional
searchSearch string in alert details.Optional
filterFilter alert by fields. example: "name:hello;direction:Inbound,Outbound;attackcount:>3,<4". To use the "name" field in the filter, enter only one name in each command run. Filter on the following columns is allowed - name, assignTo, application, layer7Data, result, attackCount, relevance, alertId, direction, device, domain, interface, attackSeverity, nspId, btp, attackCategory, malwarefileName, malwarefileHash, malwareName, malwareConfidence, malwareEngine ,executableName, executableHash, executableConfidenceName, attackerIPAddress, attackerPort, attackerRisk, attackerProxyIP, attackerHostname, targetIPAddress, targetPort, targetRisk, targetProxyIP, targetHostname, botnetFamily.Optional

Context Output#

PathTypeDescription
NSM.Alerts.IDnumberAlert ID.
NSM.Alerts.NameStringAlert name.
NSM.Alerts.uniqueAlertIdStringUnique alert ID.
NSM.Alerts.StateStringAlert state (Acknowledged,Unacknowledged).
NSM.Alerts.AssigneeStringAlert assignee.
NSM.Alerts.CreatedTimeStringAlert creation time.
NSM.Alerts.AttackSeverityStringAlert severity.
NSM.Alerts.Event.timeDateThe creation time of the event that triggered the alert.
NSM.Alerts.Event.directionStringThe direction of the event (Outbound, Inbound).
NSM.Alerts.Event.resultStringThe result of the event.
NSM.Alerts.Event.attackCountNumberAttack count.
NSM.Alerts.Event.relevanceStringThe event relevance.
NSM.Alerts.Event.alertIdStringAlert ID.
NSM.Alerts.Event.domainStringThe domain.
NSM.Alerts.Event.interfaceStringThe event's interface.
NSM.Alerts.Event.deviceStringThe relevant device.
NSM.Alerts.Attack.nspIdStringNetwork Security Platform (NSP) ID.
NSM.Alerts.Attack.btpStringBenign Trigger Probability (BTP).
NSM.Alerts.Attack.attackCategoryStringThe attack category.
NSM.Alerts.Attacker.ipAddrsStringThe attacker IP address.
NSM.Alerts.Attacker.portNumberThe port.
NSM.Alerts.Attacker.hostNameStringThe attacker host name.
NSM.Alerts.Attacker.countryStringThe attacker country.
NSM.Alerts.Attacker.osUnknownThe attacker operating system.
NSM.Alerts.Attacker.vmNameUnknownThe attacker VM name.
NSM.Alerts.Attacker.proxyIPStringThe attacker proxy IP.
NSM.Alerts.Attacker.userUnknownThe user.
NSM.Alerts.Attacker.riskStringAttacker risk.
NSM.Alerts.Attacker.networkObjectUnknownThe attacker network object.
NSM.Alerts.Target.ipAddrsStringThe target IP address.
NSM.Alerts.Target.portNumberThe target port.
NSM.Alerts.Target.hostNameStringThe target host name.
NSM.Alerts.Target.countryStringThe target country.
NSM.Alerts.Target.osUnknownThe target operating system.
NSM.Alerts.Target.vmNameUnknownThe target VM name.
NSM.Alerts.Target.proxyIPStringThe target proxy IP.
NSM.Alerts.Target.userUnknownThe target user.
NSM.Alerts.Target.riskStringThe target risk.
NSM.Alerts.Target.networkObjectUnknownThe target network object.
NSM.Alerts.MalwareFile.fileNameStringThe name of the malware file.
NSM.Alerts.MalwareFile.fileHashStringThe file hash of the malware file.
NSM.Alerts.MalwareFile.fileSHA1HashStringThe malware file SHA1 hash.
NSM.Alerts.MalwareFile.fileSHA256HashUnknownThe file SHA256 hash of the malware file.
NSM.Alerts.MalwareFile.malwareNameStringThe name of the malware.
NSM.Alerts.MalwareFile.malwareConfidenceStringMalware confidence.
NSM.Alerts.MalwareFile.engineStringMalware file engine.
NSM.Alerts.MalwareFile.engineIdNumberMalware file engine ID.
NSM.Alerts.MalwareFile.sizeUnknownThe Malware file size.
NSM.Alerts.MalwareFile.descriptionUnknownMalware file description.
NSM.Alerts.MalwareFile.additionalReferenceUnknownMalware file additional reference.
NSM.Alerts.MalwareFile.cveIdUnknownMalware File CVE ID.
NSM.Alerts.endpointExcutable.nameStringEndpoint executable name.
NSM.Alerts.endpointExcutable.hashStringEndpoint executable hash.
NSM.Alerts.endpointExcutable.malwareConfidenceStringEndpoint executable malware confidence.
NSM.Alerts.detection.managerIdNumberManager ID.
NSM.Alerts.detection.managerUnknownThe detection manager.
NSM.Alerts.detection.domainStringDetection domain.
NSM.Alerts.detection.deviceStringDetection device.
NSM.Alerts.detection.deviceIdStringDetection device ID.
NSM.Alerts.detection.interfaceStringDetection interface.
NSM.Alerts.ApplicationStringThe application associated with the alert.
NSM.Alerts.layer7DataStringLayer 7 information.
NSM.Alerts.EventResultStringEvent result.
NSM.Alerts.SensorIDStringSensor ID.

Command example#

!nsm-update-alerts state=Unacknowledged new_state=Acknowledged 'time_period': 'CUSTOM', 'start_time': '12/17/2000 14:14:22', 'end_time': '12/28/2022 00:26:45'

Context Example#

{
"NSM": {
"Alerts": [
{
"Application": "HTTP",
"Assignee": "",
"Attack": {
"attackCategory": "Exploit",
"btp": "Medium",
"nspId": "0x00000000"
},
"Attacker": {
"country": null,
"hostName": "",
"ipAddrs": "1.1.1.1",
"networkObject": null,
"os": null,
"port": 22222,
"proxyIP": "",
"risk": "Disabled",
"user": null,
"vmName": null
},
"CreatedTime": "Dec 17, 2018 21:06:21",
"Event": {
"alertId": "3333333333333333333",
"attackCount": 1,
"device": "VVVV1",
"direction": "Outbound",
"domain": "/My Domain",
"interface": "1-2",
"relevance": "Unknown",
"result": "Inconclusive",
"time": "Dec 17, 2018 21:06:21"
},
"EventResult": "Inconclusive",
"ID": "3333333333333333333",
"MalwareFile": {
"additionalReference": null,
"cveId": null,
"description": null,
"engine": "",
"engineId": 0,
"fileHash": "",
"fileName": "",
"malwareConfidence": "",
"malwareName": "",
"size": null
},
"Name": "HTTP: vulnerability",
"SensorID": "4444",
"Target": {
"country": null,
"hostName": "",
"ipAddrs": "2.2.2.2",
"networkObject": null,
"os": null,
"port": 80,
"proxyIP": "",
"risk": "Disabled",
"user": null,
"vmName": null
},
"State": "Acknowledged",
"attackSeverity": "High",
"detection": {
"device": "VVVV1",
"deviceId": "4444",
"domain": "/My Domain",
"interface": "1-2",
"manager": null,
"managerId": 0
},
"endpointExcutable": {
"hash": "",
"malwareConfidence": "",
"name": ""
},
"layer7Data": "HTTP Request Method: GET",
"uniqueAlertId": "1212121212121212121"
},
{
"Application": "WebDAV",
"Assignee": "",
"Attack": {
"attackCategory": "Exploit",
"btp": "Low",
"nspId": "0x00000000"
},
"Attacker": {
"country": null,
"hostName": "",
"ipAddrs": "1.1.1.1",
"networkObject": null,
"os": null,
"port": 11111,
"proxyIP": "",
"risk": "---",
"user": null,
"vmName": null
},
"CreatedTime": "Dec 17, 2018 21:04:21",
"Event": {
"alertId": "5555555555555555555",
"attackCount": 1,
"device": "VVVV1",
"direction": "Inbound",
"domain": "/My Dmain",
"interface": "1-2",
"relevance": "Unknown",
"result": "Inconclusive",
"time": "Dec 17, 2018 21:04:21"
},
"EventResult": "Inconclusive",
"ID": "5555555555555555555",
"MalwareFile": {
"additionalReference": null,
"cveId": null,
"description": null,
"engine": "",
"engineId": 0,
"fileHash": "",
"fileName": "",
"malwareConfidence": "",
"malwareName": "",
"size": null
},
"Name": "HTTP: IIS 6.0 (CVE-2017-7269)",
"SensorID": "4444",
"Target": {
"country": null,
"hostName": "",
"ipAddrs": "2.2.2.2",
"networkObject": null,
"os": null,
"port": 80,
"proxyIP": "",
"risk": "---",
"user": null,
"vmName": null
},
"alertState": "Acknowledged",
"attackSeverity": "High",
"detection": {
"device": "VVVV1",
"deviceId": "4444",
"domain": "/My Domain",
"interface": "1-2",
"manager": null,
"managerId": 0
},
"endpointExcutable": {
"hash": "",
"malwareConfidence": "",
"name": ""
},
"layer7Data": "HTTP Request Method: PROPFIND",
"uniqueAlertId": "2323232323232323232"
}
]
}
}

Human Readable Output#

Updated Alerts list. Showing 2 of 20#

IDNameSeverityState
3333333333333333333HTTP: vulnerabilityHighAcknowledged
5555555555555555555HTTP: IIS 6.0 (CVE-2017-7269)HighAcknowledged

nsm-list-pcap-file#


Retrieves the list of captured PCAP files.

Base Command#

nsm-list-pcap-file

Input#

Argument NameDescriptionRequired
sensor_idThe ID of the sensor. To get the sensor_id, use the !nsm-get-sensors command.Required
limitThe maximum number of projects to return. Default is 50.Optional
pageThe specific result page to display. The default is 1.Optional
page_sizeThe number of records in a page.Optional

Context Output#

PathTypeDescription
NSM.PcapFilestringPCAP file name.

Command example#

!nsm-update-alerts state=Unacknowledged new_state=Acknowledged 'time_period': 'CUSTOM', 'start_time': '12/17/2000 14:14:22', 'end_time': '12/28/2022 00:26:45'

Context Example#

{
"NSM": {
"PcapFile": [
{
"files":["capture_Mon_Aug_18_16_12_49_IST_2014.pcap", "capture_Mon_Aug_18_16_12_55_IST_2014.pcap"]
}
]
}
}

Human Readable Output#

PCAP files List#

FileName
capture_Mon_Aug_18_16_12_49_IST_2014.pcap
capture_Mon_Aug_18_16_12_55_IST_2014.pcap

nsm-export-pcap-file#


Exports the captured PCAP file.

Base Command#

nsm-export-pcap-file

Input#

Argument NameDescriptionRequired
sensor_idThe ID of the sensor. To get the sensor_id, use the command !nsm-get-sensors.Required
file_nameThe name of the wanted file. To get the file_name, use the command !nsm-list-pcap-file.Required

Context Output#

PathTypeDescription
InfoFile.NamestringFile name.
InfoFile.EntryIDstringThe entry ID of the report.
InfoFile.SizenumberFile size.
InfoFile.TypestringFile type, e.g., "PE".
InfoFile.InfostringBasic information about the file.

Command example#

!nsm-export-pcap-file sensor_id=1003 file_name=Virtual_NSP_01-PacketCapture-2022-12-21_16-25-52.pcap

Human Readable Output#

There isn't a human readable.

Breaking changes from the previous version of this integration - McAfee NSM v2#

The following sections list the changes in this version.

Arguments#

The following arguments were removed in this version:#

In the nsm-get-sensors command:

  • domainID - this argument was replaced by domain_id.

In the nsm-get-domains command:

  • domain - this argument was replaced by domain_id.

The behavior of the following arguments was changed:#

In the nsm-get-alerts command:

  • time_period - The default value changed to 'LAST_7_DAYS'.
  • domain_id - The default value changed to 0.

In the nsm-get-alert-details command:

  • sensor_id - Is now required.