McAfee ePO
Use the McAfee EPO integration to manage security threats and responses.
This integration was integrated and tested with McAfee ePO v5.3.2.
Configure McAfee ePO on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for McAfee ePO.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Url: for example:
https://****:port - Username
- Password
- Trust any certificate (not secure) Mark to trust Certificate Authority.
- Use system proxy settings
- Click Test to validate the URLs, credentials, and connection.
Permissions
McAfee ePO has a highly flexible and powerful permissions system. The permissions required for the user that uses this integration depend on which operations they need to perform. The API user should have the same permissions a regular user would have in order to access the data via the UI. It is possible to view the exact permissions needed for a specific command by running the !epo-help command. The !epo-help command's output will include help information for the specific command including required permissions.
More info about McAfee ePO's permissions model is available here.
Example !epo-help outputs with permission information:
!epo-help command="repository.findPackages":
!epo-help command="repository.deletePackage":
Playbooks
- McAfee ePO Endpoint Connectivity Diagnostics - Perform a check on ePO endpoints to see if any endpoints are unmanaged or lost connectivity with ePO and take steps to return to valid state.
- McAfee ePO Endpoint Compliance - Discover endpoints that are not using the latest McAfee AV Signatures
- McAfee ePO Repository Compliance - Ensures that ePO servers are updated to the latest McAfee published AV signatures (DAT file version).
- Endpoint Enrichment - Generic v2: uses
epo-find-systemsto enrich an endpoint by hostname.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Print help for ePO commands: epo-help
- Get the latest DAT file: epo-get-latest-dat
- Check the current DAT file version: epo-get-current-dat
- Update the DAT file: epo-update-client-dat
- Update a repository: epo-update-repository
- Get system tree groups: epo-get-system-tree-group
- Find systems in the system tree: epo-find-systems
- epo-command
- epo-advanced-command
- Wake up an agent: epo-wakeup-agent
- Apply a tag: epo-apply-tag
- Clear a tag: epo-clear-tag
- Query an ePO table: epo-query-table
- Get an ePO table: epo-get-table
- Get the ePO version: epo-get-version
- Find systems in the system tree: epo-find-system
- Move a system to a different group: epo-move-system
1. Print help for ePO commands
Prints help (information) for ePO commands. If no command argument is specified, returns all ePO commands.
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| search | String to search for in help. | Optional |
| command | Command for which to print help. | Optional |
Context Output
There is no context output for this command.
Command Example
!epo-help search="agent"
Human Readable Output
2. Get the latest DAT file
Checks for the latest DAT file in the McAfee repository.
Base Command
Input
There is no input for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| McAfee.ePO.latestDAT | Number | Latest McAfee DAT file version. |
Command Example
!epo-get-latest-dat
Human Readable Output
3. Check the current DAT file version
Checks the existing DAT file version in ePO.
Base Command
Input
There is no input for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| McAfee.ePO.epoDAT | number | Current McAfee DAT file in the ePO repository. |
Command Example
!epo-get-current-dat
Human Readable Output
4. Update the DAT file
Run client task to update the DAT file.
To run this command, you need to create a task on the ePO server with a specific name.
- Log on to the ePO server.
- Select System Tree.
- Select Assigned Client Tasks > Actions > New Client Task Assignment.
- Configure the Select Task section.
| Field | Value |
|---|---|
| Product | McAfee Agent |
| Task Type | Product Update |
| Task Name | DAT Update |
- Select Create New Task.
| Field | Value |
|---|---|
| Task Name | VSEContentUpdateDemisto |
| Package Selection | Selected packages |
| Signatures and Engines | DAT |
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| systems | A CSV list of IP addresses or system names. | Required |
| retryAttempts | Number of times the server will attempt to send the task to the client. Default is 1 retry. | Optional |
| retryIntervalInSeconds | Retry interval in seconds. Default is 30 seconds. | Optional |
| abortAfterMinutes | The threshold (in minutes) after which attempts to send the task to the client are aborted. Default is 5. | Optional |
| stopAfterMinutes | The threshold (in minutes) that the client task is allowed to run. Defaults to 20. | Optional |
| randomizationInterval | Duration (in minutes) over which to randomly spread task execution. Default is 0 (executes on all clients immediately). | Optional |
Context Output
There is no context output for this command.
Command Example
!epo-update-client-dat systems=ADMIN-PC
Human Readable Output
5. Update a repository
Triggers a server task in specific ePO servers to retrieve the latest signatures from the update server.
Base Command
Input
There is no input for this command.
Context Output
There is no context output for this command.
Command Example
!epo-update-repository
Human Readable Output
6. Get system tree groups
Returns system tree groups.
Base Command
epo-get-system-tree-group
Input
| Argument Name | Description | Required |
|---|---|---|
| search | String to search for in the system tree group. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| McAfee.ePO.SystemTreeGroups.groupId | number | System tree group ID. |
| McAfee.ePO.SystemTreeGroups.groupPath | string | System tree group path. |
Human Readable Output
7. Find systems in the system tree
Find systems in the System Tree - by group ID or by search
Base Command
epo-find-systems
Input
| Argument Name | Description | Required |
|---|---|---|
| groupId | System tree group ID. | Required |
| verbose | Whether to return all system data. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Endpoint.Name | string | Endpoint name. |
| Endpoint.Domain | string | Endpoint domain. |
| Endpoint.Hostname | string | Endpoint hostname. |
| Endpoint.IPAddress | string | Endpoint IP address. |
| Endpoint.OS | string | Endpoint OS. |
| Endpoint.OSVersion | string | Endpoint OS version. |
| Endpoint.Processor | string | Processor model. |
| Endpoint.Processors | number | Number of processors. |
| Endpoint.Memory | number | Endpoint memory. |
| McAfee.ePO.Endpoint.Name | string | Endpoint name. |
| McAfee.ePO.Endpoint.Domain | string | Endpoint domain. |
| McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname. |
| McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address. |
| McAfee.ePO.Endpoint.OS | string | Endpoint OS. |
| McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version. |
| McAfee.ePO.Endpoint.Processor | string | Processor model. |
| McAfee.ePO.Endpoint.Processors | number | Number of processors |
| McAfee.ePO.Endpoint.Memory | number | Endpoint memory. |
8. epo-command
Executes the ePO command. Receives the mandatory ''command'' argument, and other optional arguments.
To get a list of available commands, run the ''epo-help'' command to get a list of available commands. You can also specify the ''headers'' argument to filter table headers. Example/:/ !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName
Base Command
epo-command
Command Example
!epo-command command=system.find searchText=10.0.0.1
!epo-command command=agentmgmt.listAgentHandlers
9. epo-advanced-command
Executes the ePO command.
To get a list of available commands, run the ''epo-help'' command. For example/:/ !epo-advanced-command command=clienttask.find commandArgs=searchText:On-demand. You can also specify the ''headers'' argument to filter table headers, for example/:/ !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName.
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| command | The command to execute. Run either the core.help command or the !epo-help to get all available commands. | Required |
| commandArgs | CSV list of key value pairs as additional arguments to pass, for example, "argName1:argValue1,argName2:argValue2". | Required |
Context Output
There is no context output for this command.
Command Example
!epo-advanced-command command="clienttask.find" commandArgs="searchText:On-demand"
10. Wake up an agent
Wakes up an agent.
Input
| Argument Name | Description | Required |
|---|---|---|
| names | Agent hostname. | Required |
11. Apply a tag
Applies a tag to hostnames.
Input
| Argument Name | Description | Required |
|---|---|---|
| names | Hostnames on which to apply tags. | Required |
| tagName | Tag name. | Required |
Command Example
!epo-apply-tag names="ADMIN-PC" tagName="Compromised"
12. Clear a tag
Clears a tag from hostnames.
Input
| Argument Name | Description | Required |
|---|---|---|
| names | Hostnames from which to clear tags. | Required |
| tagName | Tag name. | Required |
Command Example
!epo-clear-tag names="ADMIN-PC" tagName="Compromised"
13. Query an ePO table
Queries an ePO table.
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| target | Table name. | Required |
| select | The columns to select, in SQUID syntax. Example: "(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)". | Optional |
| where | Filter results, in SQUID syntax. Example: "(where ( eq ( OrionTaskLogTask .UserName "ga" )))". | Optional |
| order | Order in which to return the results, in SQUID syntax. Example: "(order (asc OrionTaskLogTask.StartDate) )"). | Optional |
| group | Group the results, in SQUID Syntax. Example: "(group EPOBranchNode.NodeName)". | Optional |
| joinTables | Perform join, in SQUID syntax. | Optional |
| query_name | Name for the query to appear in the context. | Optional |
Context Output
| Path | Description |
|---|---|
| McAfee.ePO.Query | Query result. |
Human Readable Output
!epo-query-table target=EPOLeafNode select="(select EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)" where="(hasTag EPOLeafNode.AppliedTags 4)"
!epo-query-table target=EPOLeafNode select="(select (top 3) EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)"
!epo-query-table target="EPOEvents" select="(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)" order="(order(desc EPOEvents.DetectedUTC))"
!epo-query-table target="EPExtendedEvent" select="(select (top 250) EPOEvents.ThreatName EPOEvents.AutoID EPExtendedEvent.EventAutoID EPExtendedEvent.TargetHash EPExtendedEvent.TargetPath EPOEvents.SourceHostName)" order="(order(desc EPExtendedEvent.TargetHash))" joinTables="EPOEvents"where="(where(eq EPOEvents.ThreatName "real Protect-LS!d5435f1fea5e"))"
14. Get an ePO table
Returns an ePO table.
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| table | Name of the table to return. | Optional |
Context Output
There is no context output for this command.
Command Example
!epo-get-tables
Human Readable Output
15. Get the ePO version
Gets the ePO version. This command requires global admin permissions.
Base Command
Context Output
| Path | Type | Description |
|---|---|---|
| McAfee.ePO.Version | string | ePO version. |
Human Readable Output
!epo-get-version
16. Find systems in the system tree
Finds systems in the system tree.
Base Command
Input
| Argument Name | Description | Required |
|---|---|---|
| searchText | Hostname to search. | Optional |
| verbose | Print all system data | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Endpoint.Name | string | Endpoint name. |
| Endpoint.Domain | string | Endpoint domain. |
| Endpoint.Hostname | string | Endpoint hostname. |
| Endpoint.IPAddress | string | Endpoint IP address. |
| Endpoint.OS | string | Endpoint OS. |
| Endpoint.OSVersion | string | Endpoint OS version. |
| Endpoint.Processor | string | Processor model. |
| Endpoint.Processors | number | Number of processors. |
| Endpoint.Memory | number | Endpoint memory. |
| McAfee.ePO.Endpoint.Name | string | Endpoint name. |
| McAfee.ePO.Endpoint.Domain | string | Endpoint domain. |
| McAfee.ePO.Endpoint.Hostname | string | Endpoint hostname. |
| McAfee.ePO.Endpoint.IPAddress | string | Endpoint IP address. |
| McAfee.ePO.Endpoint.OS | string | Endpoint OS. |
| McAfee.ePO.Endpoint.OSVersion | string | Endpoint OS version. |
| McAfee.ePO.Endpoint.Processor | string | Processor model. |
| McAfee.ePO.Endpoint.Processors | number | Number of processors. |
| McAfee.ePO.Endpoint.Memory | number | Endpoint memory. |
Human Readable Output
!epo-find-system searchText=mar
17. Move a system to a different group
Moves a system to a different group.
Base Command
epo-move-system
Input
| Argument Name | Description | Required |
|---|---|---|
| names | Asset name. | Required |
| parentGroupId | Group ID. | Required |
Context Output
There is no context output for this command.
Command Example
!epo-move-system names=tie parentGroupId=3
Human Readable Output
