McAfee DAM

Use the McAfee Database Activity Monitoring (DAM) integration to fetch DAM alerts as incidents and to query alerts on demand.

This integration was developed and tested with version 4.6.x of McAfee DAM.

Configure McAfeeDAM on Demisto

Make sure that the XML API interface is enabled on your McAfee DAM server (Settings > Interfaces > XML API), and that the configured user has read permissions to query DAM Alerts and Sensors (XML API).

Important: The user configured in McAfee DAM must have the Use XML API permission as documented here.

Instructions on how to configure and test the XML API for McAfee DAM are available here.

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for McAfeeDAM.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | URL | True |
| credentials | Credentials | True |
| batchSize | Batch size for incident fetch | False |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| secure | Validate certificate | False |
| ruleName | Rule name. If Fetch incidents is checked, this field is mandatory and is used to fetch only DAM alerts triggered by this rule. | False |

  4. Click Test to validate the URL, credentials, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get information for a single alert


Gets a DAM alert from McAfee Database Activity Monitoring by alert ID.

Required Permissions
  • Alerts Read
Base Command

dam-get-alert-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The alert ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AlertId | unknown | DAM alert ID. |
| alertAccessedObjects | unknown | DAM accessed objects. |
| dbUser | unknown | DAM database user. |
| Account.Username | unknown | DAM OS user. |
| database | unknown | DAM database. |
| sensor | unknown | DAM sensor. |
| rules | unknown | DAM rules. |

Get the latest DAM alerts


Gets the latest DAM alerts by rule name.

Required Permissions
  • Alerts Read
Base Command

dam-get-latest-by-rule

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ruleName | Name of the rule that triggered the alert. | Required |
| count | Maximum number of alerts to retrieve. The default is 10. | Optional |
| timeBack | Return only alerts created in the last X minutes. The default is 10 minutes. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AlertId | unknown | DAM alert ID. |
| alertAccessedObjects | unknown | DAM accessed objects. |
| dbUser | unknown | DAM database user. |
| Account.Username | unknown | DAM OS user. |
| database | unknown | DAM database. |
| sensor | unknown | DAM sensor. |
| rules | unknown | DAM rules. |
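The query commands above and the fetch parameters (ruleName, batchSize) share one selection rule: alerts that match a rule name, created inside a trailing time window, capped by a count, and mapped onto the documented context keys. The Python below models that behaviour on constructed alerts and adds the check a practitioner wants once Fetch incidents is enabled: because every fetch cycle re-queries the same trailing window, alerts already imported must be deduplicated, and the batch-size cap must be applied after deduplication so old alerts cannot crowd out new ones. This is an added example written for this page, not the integration's own code; the raw alert field names, the `seen` dedup state and the oldest-first import order are assumptions.

```python
from datetime import datetime, timedelta, timezone

# "Now" is pinned so the example runs deterministically offline.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample alerts, not real DAM data. The raw field names are an
# assumption for this example; the page does not describe the XML layout.
SAMPLE_ALERTS = [
    {"id": 101, "createdAt": NOW - timedelta(minutes=25), "rule": "Privileged Access",
     "accessedObjects": ["HR.SALARIES"], "dbUser": "sa", "osUser": "svc_backup",
     "database": "HRDB", "sensor": "db-prod-01"},
    {"id": 102, "createdAt": NOW - timedelta(minutes=8), "rule": "Privileged Access",
     "accessedObjects": ["HR.EMPLOYEES"], "dbUser": "sa", "osUser": "jdoe",
     "database": "HRDB", "sensor": "db-prod-01"},
    {"id": 103, "createdAt": NOW - timedelta(minutes=5), "rule": "Failed Login",
     "accessedObjects": [], "dbUser": "app_ro", "osUser": "www-data",
     "database": "WEBDB", "sensor": "db-prod-02"},
    {"id": 104, "createdAt": NOW - timedelta(minutes=2), "rule": "Privileged Access",
     "accessedObjects": ["SYS.USER$"], "dbUser": "sys", "osUser": "oracle",
     "database": "FINDB", "sensor": "db-prod-03"},
    {"id": 105, "createdAt": NOW - timedelta(minutes=1), "rule": "Privileged Access",
     "accessedObjects": ["FIN.LEDGER"], "dbUser": "dba1", "osUser": "dba1",
     "database": "FINDB", "sensor": "db-prod-03"},
]


def to_context(alert):
    """Map one raw alert onto the context keys documented for the commands."""
    return {
        "AlertId": alert["id"],
        "alertAccessedObjects": alert["accessedObjects"],
        "dbUser": alert["dbUser"],
        "Account": {"Username": alert["osUser"]},
        "database": alert["database"],
        "sensor": alert["sensor"],
        "rules": [alert["rule"]],
    }


def _select(alerts, rule_name, time_back, now):
    """Alerts for rule_name created within the last time_back minutes, newest first."""
    if not rule_name:
        raise ValueError("ruleName is required")
    cutoff = now - timedelta(minutes=time_back)
    matching = [a for a in alerts
                if a["rule"] == rule_name and a["createdAt"] >= cutoff]
    return sorted(matching, key=lambda a: a["createdAt"], reverse=True)


def get_latest_by_rule(alerts, rule_name, count=10, time_back=10, now=NOW):
    """Model of dam-get-latest-by-rule. The defaults (10 alerts, 10 minutes)
    are the ones documented for the command."""
    return [to_context(a) for a in _select(alerts, rule_name, time_back, now)[:count]]


def fetch_incidents(alerts, rule_name, seen, batch_size=10, time_back=10, now=NOW):
    """One fetch-incidents cycle (assumed logic, not the integration's own).

    `seen` maps already-imported alert IDs to their creation time. Entries
    older than the window are pruned so the state stays bounded. Dedup runs
    before the batch_size cap, and unseen alerts are imported oldest first so
    a backlog drains in order instead of the newest alerts starving older ones.
    Returns (new_incidents, updated_seen)."""
    cutoff = now - timedelta(minutes=time_back)
    seen = {aid: ts for aid, ts in seen.items() if ts >= cutoff}
    unseen = [a for a in _select(alerts, rule_name, time_back, now)
              if a["id"] not in seen]
    batch = sorted(unseen, key=lambda a: a["createdAt"])[:batch_size]
    for a in batch:
        seen[a["id"]] = a["createdAt"]
    return [to_context(a) for a in batch], seen


if __name__ == "__main__":
    state = {}
    for cycle in range(3):
        incidents, state = fetch_incidents(SAMPLE_ALERTS, "Privileged Access", state, batch_size=2)
        print(f"cycle {cycle}: imported {[i['AlertId'] for i in incidents]}")
```

Run stand-alone, the three cycles import alert IDs 102 and 104, then 105, then nothing, which is the behaviour you want from a fetch loop polling a fixed-width window: each alert becomes exactly one incident.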