McAfee ePO

Overview

---

Use the McAfee EPO integration to manage security threats and responses.

This integration was integrated and tested with McAfee ePO v5.3.2.

Configure McAfee ePO on Demisto

---

1. Navigate to Settings > Integrations > Servers & Services .
2. Search for McAfee ePO.
3. Click Add instance to create and configure a new integration instance.
   • Name : a textual name for the integration instance.
   • https:// :port
   • Username
   • Trust any certificate (not secure) Mark to trust Certificate Authority.
   • Use system proxy settings
4. Click Test to validate the URLs, token, and connection.

Commands

---

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Print help for ePO commands: epo-help
2. Get the latest DAT file: epo-get-latest-dat
3. Check the current DAT file version: epo-get-current-dat
4. Update the DAT file: epo-update-client-dat
5. Update a repository: epo-update-repository
6. Get system tree groups: epo-get-system-tree-group
7. Find systems in the system tree: epo-find-systems
8. epo-command
9. epo-advanced-command
10. Wake up an agent: epo-wakeup-agent
11. Apply a tag: epo-apply-tag
12. Clear a tag: epo-clear-tag
13. Query an ePO table: epo-query-table
14. Get an ePO table: epo-get-table
15. Get the ePO version: epo-get-version
16. Find systems in the system tree: epo-find-system
17. Move a system to a different group: epo-move-system

1. Print help for ePO commands

---

Prints help (information) for ePO commands. If no command argument is specified, returns all ePO commands.

Base Command

epo-help

Input

Argument Name	Description	Required
search	String to search for in help.	Optional
command	Command for which to print help.	Optional

Context Output

There is no context output for this command.

Command Example

!epo-help search="agent"

Human Readable Output

2. Get the latest DAT file

---

Checks for the latest DAT file in the McAfee repository.

Base Command

epo-get-latest-dat

Input

There is no input for this command.

Context Output

Path	Type	Description
McAfee.ePO.latestDAT	Number	Latest McAfee DAT file version.

Command Example

!epo-get-latest-dat

Human Readable Output

3. Check the current DAT file version

---

Checks the existing DAT file version in ePO.

Base Command

epo-get-current-dat

Input

There is no input for this command.

Context Output

Path	Type	Description
McAfee.ePO.epoDAT	number	Current McAfee DAT file in the ePO repository.

Command Example

!epo-get-current-dat

Human Readable Output

4. Update the DAT file

---

Run client task to update the DAT file.

To run this command, you need to create a task on the ePO server with a specific name.

1. Log on to the ePO server.
2. Select System Tree .
3. Select Assigned Client Tasks > Actions > New Client Task Assignment .
4. Configure the Select Task section.
   

   Field	Value
   Product	McAfee Agent
   Task Type	Product Update
   Task Name	DAT Update

5. Select Create New Task .
   

   Field	Value
   Task Name	VSEContentUpdateDemisto
   Package Selection	Selected packages
   Signatures and Engines	DAT

Base Command

epo-update-client-dat

Input

Argument Name	Description	Required
systems	A CSV list of IP addresses or system names.	Required
retryAttempts	Number of times the server will attempt to send the task to the client. Default is 1 retry.	Optional
retryIntervalInSeconds	Retry interval in seconds. Default is 30 seconds.	Optional
abortAfterMinutes	The threshold (in minutes) after which attempts to send the task to the client are aborted. Default is 5.	Optional
stopAfterMinutes	The threshold (in minutes) that the client task is allowed to run. Defaults to 20.	Optional
randomizationInterval	Duration (in minutes) over which to randomly spread task execution. Default is 0 (executes on all clients immediately).	Optional

Context Output

There is no context output for this command.

Command Example

!epo-update-client-dat systems=ADMIN-PC

Human Readable Output

5. Update a repository

---

Triggers a server task in specific ePO servers to retrieve the latest signatures from the update server.

Base Command

epo-update-repository

Input

There is no input for this command.

Context Output

There is no context output for this command.

Command Example

!epo-update-repository

Human Readable Output

6. Get system tree groups

---

Returns system tree groups.

Base Command

epo-get-system-tree-group

Input

Argument Name	Description	Required
search	String to search for in the system tree group.	Optional

Context Output

Path	Type	Description
McAfee.ePO.SystemTreeGroups.groupId	number	System tree group ID.
McAfee.ePO.SystemTreeGroups.groupPath	string	System tree group path.

Human Readable Output

7. Find systems in the system tree

---

Find systems in the System Tree - by group ID or by search

Base Command

epo-find-systems

Input

Argument Name	Description	Required
groupId	System tree group ID.	Required
verbose	Whether to return all system data.	Optional

Context Output

Path	Type	Description
Endpoint.Name	string	Endpoint name.
Endpoint.Domain	string	Endpoint domain.
Endpoint.Hostname	string	Endpoint hostname.
Endpoint.IPAddress	string	Endpoint IP address.
Endpoint.OS	string	Endpoint OS.
Endpoint.OSVersion	string	Endpoint OS version.
Endpoint.Processor	string	Processor model.
Endpoint.Processors	number	Number of processors.
Endpoint.Memory	number	Endpoint memory.
McAfee.ePO.Endpoint.Name	string	Endpoint name.
McAfee.ePO.Endpoint.Domain	string	Endpoint domain.
McAfee.ePO.Endpoint.Hostname	string	Endpoint hostname.
McAfee.ePO.Endpoint.IPAddress	string	Endpoint IP address.
McAfee.ePO.Endpoint.OS	string	Endpoint OS.
McAfee.ePO.Endpoint.OSVersion	string	Endpoint OS version.
McAfee.ePO.Endpoint.Processor	string	Processor model.
McAfee.ePO.Endpoint.Processors	number	Number of processors
McAfee.ePO.Endpoint.Memory	number	Endpoint memory.

8. epo-command

---

Executes the ePO command. Receives the mandatory ''command'' argument, and other optional arguments.

To get a list of available commands, run the ''epo-help'' command to get a list of available commands. You can also specify the ''headers'' argument to filter table headers. Example/:/ !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName

Base Command

epo-command

Command Example

!epo-command command=system.find searchText=10.0.0.1

!epo-command command=agentmgmt.listAgentHandlers

9. epo-advanced-command

---

Executes the ePO command.

To get a list of available commands, run the ''epo-help'' command. For example/:/ !epo-advanced-command command=clienttask.find commandArgs=searchText:On-demand. You can also specify the ''headers'' argument to filter table headers, for example/:/ !epo-command command=system.find searchText=10.0.0.1 headers=EPOBranchNode.AutoID,EPOComputerProperties.ComputerName.

Base Command

epo-advanced-command

Input

Argument Name	Description	Required
command	The command to execute. Run either the core.help command or the !epo-help to get all available commands.	Required
commandArgs	CSV list of key value pairs as additional arguments to pass, for example, "argName1:argValue1,argName2:argValue2".	Required

Context Output

There is no context output for this command.

Command Example

!epo-advanced-command command="clienttask.find" commandArgs="searchText:On-demand"

10. Wake up an agent

---

Wakes up an agent.

Input

Argument Name	Description	Required
names	Agent hostname.	Required

11. Apply a tag

---

Applies a tag to hostnames.

Input

Argument Name	Description	Required
names	Hostnames on which to apply tags.	Required
tagName	Tag name.	Required

Command Example

!epo-apply-tag names="ADMIN-PC" tagName="Compromised"

12. Clear a tag

---

Clears a tag from hostnames.

Input

Argument Name	Description	Required
names	Hostnames from which to clear tags.	Required
tagName	Tag name.	Required

Command Example

!epo-clear-tag names="ADMIN-PC" tagName="Compromised"

13. Query an ePO table

---

Queries an ePO table.

Base Command

epo-query-table

Input

Argument Name	Description	Required
target	Table name.	Required
select	The columns to select, in SQUID syntax. Example: "(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)".	Optional
where	Filter results, in SQUID syntax. Example: "(where ( eq ( OrionTaskLogTask .UserName "ga" )))".	Optional
order	Order in which to return the results, in SQUID syntax. Example: "(order (asc OrionTaskLogTask.StartDate) )").	Optional
group	Group the results, in SQUID Syntax. Example: "(group EPOBranchNode.NodeName)".	Optional
joinTables	Perform join, in SQUID syntax.	Optional
query_name	Name for the query to appear in the context.	Optional

Context Output

Path	Description
McAfee.ePO.Query	Query result.

Human Readable Output

!epo-query-table target=EPOLeafNode select="(select EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)" where="(hasTag EPOLeafNode.AppliedTags 4)"

!epo-query-table target=EPOLeafNode select="(select (top 3) EPOLeafNode.NodeName EPOLeafNode.Tags EPOBranchNode.NodeName)"

!epo-query-table target="EPOEvents" select="(select EPOEvents.AutoID EPOEvents.DetectedUTC EPOEvents.ReceivedUTC)" order="(order(desc EPOEvents.DetectedUTC))"

!epo-query-table target="EPExtendedEvent" select="(select (top 250) EPOEvents.ThreatName EPOEvents.AutoID EPExtendedEvent.EventAutoID EPExtendedEvent.TargetHash EPExtendedEvent.TargetPath EPOEvents.SourceHostName)" order="(order(desc EPExtendedEvent.TargetHash))" joinTables="EPOEvents"where="(where(eq EPOEvents.ThreatName "real Protect-LS!d5435f1fea5e"))"

14. Get an ePO table

---

Returns an ePO table.

Base Command

epo-get-tables

Input

Argument Name	Description	Required
table	Name of the table to return.	Optional

Context Output

There is no context output for this command.

Command Example

!epo-get-tables

Human Readable Output

15. Get the ePO version

---

Gets the ePO version. This command requires global admin permissions.

Base Command

epo-get-version

Context Output

Path	Type	Description
McAfee.ePO.Version	string	ePO version.

Human Readable Output

!epo-get-version

16. Find systems in the system tree

---

Finds systems in the system tree.

Base Command

epo-find-system

Input

Argument Name	Description	Required
searchText	Hostname to search.	Optional
verbose	Print all system data	Optional

Context Output

Path	Type	Description
Endpoint.Name	string	Endpoint name.
Endpoint.Domain	string	Endpoint domain.
Endpoint.Hostname	string	Endpoint hostname.
Endpoint.IPAddress	string	Endpoint IP address.
Endpoint.OS	string	Endpoint OS.
Endpoint.OSVersion	string	Endpoint OS version.
Endpoint.Processor	string	Processor model.
Endpoint.Processors	number	Number of processors.
Endpoint.Memory	number	Endpoint memory.
McAfee.ePO.Endpoint.Name	string	Endpoint name.
McAfee.ePO.Endpoint.Domain	string	Endpoint domain.
McAfee.ePO.Endpoint.Hostname	string	Endpoint hostname.
McAfee.ePO.Endpoint.IPAddress	string	Endpoint IP address.
McAfee.ePO.Endpoint.OS	string	Endpoint OS.
McAfee.ePO.Endpoint.OSVersion	string	Endpoint OS version.
McAfee.ePO.Endpoint.Processor	string	Processor model.
McAfee.ePO.Endpoint.Processors	number	Number of processors.
McAfee.ePO.Endpoint.Memory	number	Endpoint memory.

Human Readable Output

!epo-find-system searchText=mar

17. Move a system to a different group

---

Moves a system to a different group.

Base Command

epo-move-system

Input

Argument Name	Description	Required
names	Asset name.	Required
parentGroupId	Group ID.	Required

Context Output

There is no context output for this command.

Command Example

!epo-move-system names=tie parentGroupId=3

Human Readable Output