McAfee NSM (Deprecated)

This Integration is part of the McAfee NSM Pack.#

Deprecated

Use McAfee NSM v2 integration instead.

Overview

Use the McAfee NSM integration in Cortex XSOAR to retrieve information about sensors, domains, policies, alerts, and attacks in McAfee NSM.

This integration was integrated and tested with McAfee v9.1.

Configure McAfee NSM on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services .
Search for McAfee NSM.
Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- URL (for example: https://192.168.0.1:5000 )
- Username
- Use system proxy settings
- Trust any certificate (not secure)
Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get a list of sensors for a domain: nsm-get-sensors
Get all domains: nsm-get-domains
Get alerts: nsm-get-alerts
Update alert information: nsm-update-alerts
Get details for a single alert: nsm-get-alert-details
Get IPS policies in a domain: nsm-get-ips-policies
Get policy details for a single IPS policy: nsm-get-ips-policy-details
Get all attack definitions: nsm-get-attacks

1. Get a list of sensors for a domain

Returns a list of sensors for a specified domain.

Base Command

nsm-get-sensors

Input

Argument Name	Description	Required
domainID	The domain of the sensors. If blank, returns all sensors.	Optional

Context Output

Path	Type	Description
NSM.Sensors.ID	string	Sensor ID
NSM.Sensors.Description	string	Sensor description
NSM.Sensors.DomainID	string	Sensor's domain ID

Command Example

!nsm-get-sensors domainID=0

Context Example

{
    "NSM": {
        "Sensors": {
            "Description": "MCAFEE-NETWORK-SECURITY-PLATFORM",
            "DomainID": 0,
            "ID": 1001,
            "IP Address": "192.168.1.109",
            "IPSPolicyID": 0,
            "Name": "VNSP1"
        }
    }
}

Human Readable Output

2. Get all domains

Returns all domains.

Base Command

nsm-get-domains

Input

Argument Name	Description	Required
domain	Specific domain details. If blank, returns all domains.	Optional

Context Output

Path	Type	Description
NSM.Domains.ID	number	Domain ID
NSM.Domains.Name	string	Domain name

Command Example

!nsm-get-domains domain=0

Context Example

{
    "NSM": {
        "Domains": {
            "ID": 0,
            "Name": "My Company"
        }
    }
}

Human Readable Output

3. Get alerts

Returns alerts according to query parameters.

Base Command

nsm-get-alerts

Input

Argument Name	Description	Required
time_period	Time period	Optional
start_time	Start time in "mm/dd/yyyy HH:MM" format only. Used for custom time only.	Optional
end_time	End time in "mm/dd/yyyy HH:MM" format only. used for custom time only	Optional
state	Alert state	Optional
search	Search string in alert details	Optional
filter	Filter alert by fields. Example: "name:hello;direction:Inbound,Outbound;attackcount:>3,<4".	Optional

Context Output

Path	Type	Description
NSM.Alerts.ID	number	Alert ID
NSM.Alerts.Name	string	Alert name
NSM.Alerts.State	string	Alert state ( Acknowledged , Unacknowledged )
NSM.Alerts.CreatedTime	string	Alert creation time
NSM.Alerts.Assignee	string	Alert assignee
NSM.Alerts.AttackSeverity	string	Alert severity
NSM.Alerts.Application	string	The application associated with the alert
NSM.Alerts.EventResult	unknown	Event result
NSM.Alerts.Event	unknown	The event that triggered the alert
NSM.Alerts.Attack	unknown	Alert's attack
NSM.Alerts.Attacker	unknown	The attacker who committed the attack
NSM.Alerts.Target	unknown	The attack's target
NSM.Alerts.MalwareFile	unknown	Malware file used in the attack

Command Example

!nsm-get-alerts state=ANY

4. Update alert information

Update the state or the assignee of specified alerts.

Base Command

nsm-update-alerts

Input

Argument Name	Description	Required
state	Alert state	Optional
time_period	Time period	Optional
start_time	Start time in "mm/dd/yyyy HH:MM" format only. Used for custom time only	Optional
end_time	End time in "mm/dd/yyyy HH:MM" format only. Used for custom time only	Optional
new_state	The new alert state	Optional
new_assignee	The new assignee	Optional
search	Search string in alert details	Optional
filter	Filter alert by fields. Example: "name:hello;direction:Inbound,Outbound;attackcount:>3,<4"	Optional

Context Output

Path	Type	Description
NSM.Alerts.ID	number	Alert ID
NSM.Alerts.Name	string	Alert name
NSM.Alerts.State	string	Alert state ( Acknowledged , Unacknowledged )
NSM.Alerts.CreatedTime	string	Alert creation time
NSM.Alerts.Assignee	string	Alert assignee
NSM.Alerts.AttackSeverity	string	Alert severity
NSM.Alerts.Application	string	The application associated with the alert
NSM.Alerts.EventResult	unknown	Event result
NSM.Alerts.Event	unknown	The event that triggered the alert
NSM.Alerts.Attack	unknown	Alert's attack
NSM.Alerts.Attacker	unknown	The attacker who committed the attack
NSM.Alerts.Target	unknown	The attack's Target
NSM.Alerts.MalwareFile	unknown	Malware file used in the attack

Command Example

!nsm-update-alerts start_time="10/10/2018 08:00" state=Acknowledged

5. Get details for a single alert

Returns details for a single, specified alert.

Base Command

nsm-get-alert-details

Input

Argument Name	Description	Required
alert_id	Alert ID	Required
sensor_id	Sensor ID	Required

Context Output

Path	Type	Description
NSM.Alerts.ID	string	Alert ID
NSM.Alerts.Name	string	Alert name
NSM.Alerts.State	string	Alert state ( Acknowledged , Unacknowledged )
NSM.Alerts.CreatedTime	date	Alert creation time
NSM.Alerts.Assignee	string	Alert assignee
NSM.Alerts.Description	string	Alert description
NSM.Alerts.EventResult	string	Event result
NSM.Alerts.Event	unknown	Alert event
NSM.Alerts.Attack	unknown	Alert's attack
NSM.Alerts.Attacker	unknown	The attacker who committed the attack
NSM.Alerts.Target	unknown	The attack's target
NSM.Alerts.MalwareFile	string	Malware file used in the attack
NSM.Alerts.Details	unknown	Extra details

Command Example

!nsm-get-alert-details alert_id=0

6. Get IPS policies in a domain

Returns the IPS policies in a domain.

Base Command

nsm-get-ips-policies

Input

Argument Name	Description	Required
domain_id	Domain ID	Required

Context Output

Path	Type	Description
NSM.IPSPolicies.ID	number	IPS policy ID
NSM.IPSPolicies.Name	string	IPS policy name
NSM.IPSPolicies.DomainID	number	IPS policy domain ID
NSM.IPSPolicies.IsEditable	boolean	Whether you can edit the IPS policy
NSM.IPSPolicies.VisibleToChildren	boolean	Whether the IPS Policy is visible to domain's children

Command Example

!nsm-get-ips-policies domain_id=0

Context Example

{
    "NSM": {
        "IPSPolicies": [
            {
                "DomainID": 0,
                "ID": -1,
                "IsEditable": true,
                "Name": "Master Attack Repository",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 0,
                "IsEditable": true,
                "Name": "Default Detection",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 16,
                "IsEditable": true,
                "Name": "Default Exclude Informational",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 17,
                "IsEditable": true,
                "Name": "Default Testing",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 18,
                "IsEditable": true,
                "Name": "Default DoS and Reconnaissance Only",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 19,
                "IsEditable": true,
                "Name": "Default Prevention",
                "VisibleToChildren": true
            }
        ]
    }
}

Human Readable Output

7. Get policy details for a single IPS policy

Returns policy details for the specified IPS policy.

Base Command

nsm-get-ips-policy-details

Input

Argument Name	Description	Required
policy_id	IPS Policy ID	Required

Context Output

Path	Type	Description
NSM.IPSPolicies.ID	number	IPS policy ID
NSM.IPSPolicies.Name	string	IPS policy Name
NSM.IPSPolicies.Description	string	IPS policy information
NSM.IPSPolicies.CreatedTime	string	Policy creation time
NSM.IPSPolicies.IsEditable	boolean	Whether you can edit the IPS policy
NSM.IPSPolicies.VisibleToChildren	boolean	Whether the IPS Policy is visible to domain's children
NSM.IPSPolicies.Version	number	IPS policy version
NSM.IPSPolicies.InboundRuleSet	unknown	Inbound rule set
NSM.IPSPolicies.OutboundRuleSet	unknown	Outbound rule set
NSM.IPSPolicies.ExploitAttacks	unknown	A list of exploit attacks related to the IPS Policy

Command Example

!nsm-get-ips-policy-details policy_id=0

Human Readable Output

8. Get all attack definitions

Returns all available attack definitions in McAfee NSM.

Base Command

nsm-get-attacks

Input

Argument Name	Description	Required
attack_id	Particular attack ID	Optional

Context Output

Path	Type	Description
NSM.Attacks.ID	string	Attack ID
NSM.Attacks.Name	string	Attack name
NSM.Attacks.Severity	number	Attack severity
NSM.Attacks.Direction	string	Attack direction
NSM.Attacks.Category	string	Attack category

Command Example

!nsm-get-attacks attack_id="0x00000100"

Context Example

{
    "NSM": {
        "Attacks": {
            "Category": "EXPLOIT",
            "Direction": null,
            "ID": "0x00000100",
            "Name": "IP: IP Fragment too Large",
            "Severity": 5
        }
    }
}

Human Readable Output

Troubleshooting

If you receive an 401 Unauthorized error, the user credentials may be incorrect.