McAfee ESM v10 and v11 (Deprecated)

Deprecated

We recommend using the McAfee ESM v2 integration instead.

Use the McAfee ESM v10 integration to get actionable intelligence and integrations to prioritize, investigate, and respond to threats.

Configure McAfee ESM-v10 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for McAfee ESM-v10.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Port
    • ESM IP (e.g. 78.125.0.209)
    • Username
    • Fetch incidents
    • Incident type
    • Fetch Types: cases, alarms, both (relevant only for fetch incident mode)
    • Start fetch after Case ID: (relevant only for fetch incident mode)
    • Trust any certificate (not secure)
    • Version: (one of 10.0, 10.1, 10.2, 10.3)
    • ESM time format, e.g., %Y/%m/%d %H:%M:%S. Select “auto-discovery” to extract the format automatically.
    • McAfee ESM Timezone in hours (e.g. if the ESM timezone is +0300, enter 3)
  4. Click Test to validate the URLs, token, and connection.
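The last two settings decide how timestamps coming back from ESM (such as the AlertLastTime and triggeredDate values in the examples below) are turned into UTC. The following is an added example, not code from the integration: it applies a configured ESM time format and timezone offset the way the settings describe, and adds a small format auto-discovery that tries a candidate list. The candidate list and the function names are this example's own assumptions; the integration's own discovery logic is not shown on this page.

```python
from datetime import datetime, timedelta, timezone

# Candidate strptime formats tried during "auto-discovery". This list is an
# assumption made for this example; ESM's format is configurable per deployment.
CANDIDATE_FORMATS = (
    "%Y/%m/%d %H:%M:%S",   # the format quoted in the integration settings
    "%m/%d/%Y %H:%M:%S",   # the format the sample outputs on this page use
    "%d/%m/%Y %H:%M:%S",
    "%Y-%m-%d %H:%M:%S",
)


def discover_format(sample: str) -> str:
    """Return the first candidate format that parses the sample timestamp.

    A value such as 03/11/2019 parses under both %m/%d/%Y and %d/%m/%Y, so
    the candidate order decides; when the ESM time format is known, set it
    explicitly instead of relying on discovery.
    """
    for fmt in CANDIDATE_FORMATS:
        try:
            datetime.strptime(sample, fmt)
            return fmt
        except ValueError:
            continue
    raise ValueError(f"no candidate format matches {sample!r}")


def esm_time_to_utc(ts: str, fmt: str, tz_hours: float) -> datetime:
    """Interpret an ESM timestamp in the ESM's local offset and return it in UTC.

    tz_hours follows the integration setting: an ESM running at +0300 means
    tz_hours=3, so 14:57:38 local becomes 11:57:38 UTC.
    """
    naive = datetime.strptime(ts, fmt)
    local = naive.replace(tzinfo=timezone(timedelta(hours=tz_hours)))
    return local.astimezone(timezone.utc)


def esm_time_to_utc_iso(ts: str, fmt: str, tz_hours: float) -> str:
    """Same conversion, rendered as the ISO-8601 'Z' form used for customStart/customEnd."""
    return esm_time_to_utc(ts, fmt, tz_hours).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    sample = "03/11/2019 14:57:38"            # AlertLastTime from the esm-search example
    fmt = discover_format(sample)
    print(fmt, esm_time_to_utc_iso(sample, fmt, 3))
```

Getting the offset sign wrong shifts every fetched alarm and case by twice the offset, which is the usual cause of "the integration fetches nothing" or "it fetched the same alarms twice" reports, so the ISO rendering is worth checking against one known event before enabling fetch incidents.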

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get list of all fields


Returns a list of all fields (and the field type) that can be used in query filters.

Base Command

esm-fetch-fields

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example
!esm-fetch-fields
Human Readable

This output is truncated.

Result:

| name | types |
| --- | --- |
| AppID | STRING |
| CommandID | STRING |
| DomainID | STRING |
| HostID | STRING |
| ObjectID | STRING |
| UserIDDst | STRING |
| UserIDSrc | STRING |
| URL | SSTRING |
| Database_Name | STRING |
| Message_Text | SSTRING |
| Response_Time | UINT32,UINT32 |
| Application_Protocol | STRING |
| Object_Type | STRING |
| Filename | SSTRING |
| From | SSTRING |
| To | SSTRING |
| Cc | SSTRING |
| Bcc | SSTRING |
| Subject | SSTRING |
| Method | STRING |
| User_Agent | SSTRING |
| Cookie | SSTRING |
| Referer | SSTRING |
| File_Operation | STRING |
| File_Operation_Succeeded | STRING |

2. Perform a search in McAfee ESM


Performs a query against McAfee ESM.

Base Command

esm-search

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| timeRange | The time period for the search | Required |
| filters | Filters on the query results, in the EsmFilter format. Must be a JSON string. | Required |
| queryType | Query type to perform; the default is EVENT (other possible values are FLOW and ASSET) | Optional |
| maxWait | Maximum time to wait (in minutes); the default is 30 | Optional |
| customStart | If timeRange is CUSTOM, the start time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| customEnd | If timeRange is CUSTOM, the end time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| fields | The fields that will be selected when this query is executed. | Optional |
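The filters argument has to be a JSON string in the EsmFilter shape, and customStart/customEnd are only meaningful with timeRange=CUSTOM. The following is an added example, not part of the integration, that builds the filter list in the shape of the command example below, checks field names against a list such as the one esm-fetch-fields returns, and validates the time-range arguments before a search is issued. KNOWN_FIELDS is a constructed subset (SrcIP from the search example, the rest from the fields list above); EQUALS is the only operator the page shows, so other operators are passed through unchecked; the helper names are this example's own.

```python
import json
from datetime import datetime

QUERY_TYPES = ("EVENT", "FLOW", "ASSET")      # values listed for queryType
ISO_Z = "%Y-%m-%dT%H:%M:%S.%fZ"                # shape of 2017-06-01T12:48:16.734Z

# Constructed subset of field names; in practice, populate this from esm-fetch-fields.
KNOWN_FIELDS = {"SrcIP", "AppID", "CommandID", "HostID", "URL", "User_Agent", "Filename"}


def esm_field_filter(field, values, operator="EQUALS", known_fields=KNOWN_FIELDS):
    """Build one EsmFieldFilter entry in the shape of the esm-search command example."""
    if known_fields is not None and field not in known_fields:
        raise ValueError(f"unknown ESM field {field!r}; check esm-fetch-fields")
    if isinstance(values, (str, int)):
        values = [values]
    if not values:
        raise ValueError("a filter needs at least one value")
    return {
        "type": "EsmFieldFilter",
        "field": {"name": field},
        "operator": operator,
        "values": [{"type": "EsmBasicValue", "value": str(v)} for v in values],
    }


def build_filters(*filters):
    """Serialise the filter list as the compact JSON string the filters argument expects."""
    return json.dumps(list(filters), separators=(",", ":"))


def build_search_args(time_range, filters_json, query_type="EVENT", max_wait=30,
                      custom_start=None, custom_end=None):
    """Assemble and validate the arguments of one esm-search call.

    Enforces the rules from the argument table: customStart/customEnd are only
    valid with timeRange=CUSTOM, and both are then required and must be ordered.
    """
    if query_type not in QUERY_TYPES:
        raise ValueError(f"queryType must be one of {QUERY_TYPES}")
    if max_wait <= 0:
        raise ValueError("maxWait must be a positive number of minutes")
    json.loads(filters_json)  # fail early on a malformed filter string
    args = {"timeRange": time_range, "filters": filters_json,
            "queryType": query_type, "maxWait": max_wait}
    if time_range == "CUSTOM":
        if not (custom_start and custom_end):
            raise ValueError("timeRange=CUSTOM requires both customStart and customEnd")
        start, end = datetime.strptime(custom_start, ISO_Z), datetime.strptime(custom_end, ISO_Z)
        if end <= start:
            raise ValueError("customEnd must be later than customStart")
        args["customStart"], args["customEnd"] = custom_start, custom_end
    elif custom_start or custom_end:
        raise ValueError("customStart/customEnd are only valid with timeRange=CUSTOM")
    return args


def to_cli(args):
    """Render the arguments as a Demisto CLI line like the command example below."""
    parts = ["!esm-search"]
    for key, value in args.items():
        value = str(value)
        # backtick-quote the JSON filters (and anything containing spaces), as the example does
        quoted = key == "filters" or " " in value
        parts.append(f"{key}=`{value}`" if quoted else f"{key}={value}")
    return " ".join(parts)


if __name__ == "__main__":
    src_ip = esm_field_filter("SrcIP", "52.15.91.198")
    print(to_cli(build_search_args("LAST_10_MINUTES", build_filters(src_ip))))
```

Validating the field name locally matters because ESM otherwise accepts the query and waits up to maxWait minutes before the search fails, which is an expensive way to discover a typo in a playbook.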

Context Output

There is no context output for this command.

Command Example
!esm-search timeRange=LAST_10_MINUTES filters=`[{"type": "EsmFieldFilter", "field": {"name": "SrcIP"}, "operator": "EQUALS", "values": [{"type": "EsmBasicValue", "value": "52.15.91.198"}]}]`
Context Example
{
    "SearchResults": [
        {
            "AlertIPSIDAlertID": "144115188075855872|10201"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 14:57:38"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10202"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 14:58:37"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10203"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 14:59:35"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10204"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 15:00:36"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10208"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 15:01:37"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10209"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 15:02:38"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10210"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 15:03:36"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10211"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 15:04:36"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10212"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 15:05:37"
        }, 
        {
            "ActionName": "success"
        }, 
        {
            "AlertIPSIDAlertID": "144115188075855872|10213"
        }, 
        {
            "AlertSrcIP": "52.15.91.198"
        }, 
        {
            "AlertSrcPort": "0"
        }, 
        {
            "AlertDstIP": "192.168.1.25"
        }, 
        {
            "AlertDstPort": "0"
        }, 
        {
            "AlertProtocol": "n/a"
        }, 
        {
            "AlertLastTime": "03/11/2019 15:06:38"
        }, 
        {
            "ActionName": "success"
        }
    ]
}
Human Readable Output

results:

| Alert.IPSIDAlertID | Alert.SrcIP | Alert.SrcPort | Alert.DstIP | Alert.DstPort | Alert.Protocol | Alert.LastTime | Action.Name |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 144115188075855872\|10201 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:57:38 | success |
| 144115188075855872\|10202 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:58:37 | success |
| 144115188075855872\|10203 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 14:59:35 | success |
| 144115188075855872\|10204 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:00:36 | success |
| 144115188075855872\|10208 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:01:37 | success |
| 144115188075855872\|10209 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:02:38 | success |
| 144115188075855872\|10210 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:03:36 | success |
| 144115188075855872\|10211 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:04:36 | success |
| 144115188075855872\|10212 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:05:37 | success |
| 144115188075855872\|10213 | 52.15.91.198 | 0 | 192.168.1.25 | 0 | n/a | 03/11/2019 15:06:38 | success |

3. Get a list of triggered alarms


Retrieves a list of triggered alarms.

Base Command

esm-fetch-alarms

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| timeRange | The time period for the fetch. | Required |
| customStart | If timeRange is CUSTOM, the start time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| customEnd | If timeRange is CUSTOM, the end time of the time range (e.g. 2017-06-01T12:48:16.734Z) | Optional |
| assignedUser | The user assigned to handle this triggered alarm. Use 'ME' to use the instance user, or provide an object in the EsmUser format (read more here: https://:/rs/esm/help/types/EsmUser) | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Alarm.ID | number | Alarm ID |
| Alarm.summary | string | Alarm summary |
| Alarm.assignee | string | Alarm assignee |
| Alarm.severity | number | Alarm severity |
| Alarm.triggeredDate | date | Alarm triggered date |
| Alarm.acknowledgedDate | date | Alarm acknowledged date |
| Alarm.acknowledgedUsername | string | Alarm acknowledged username |
| Alarm.alarmName | string | Alarm name |
| Alarm.conditionType | number | Alarm condition type |

Command Example
!esm-fetch-alarms timeRange="LAST_3_DAYS"
Context Example
{
    "Alarm": [
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:48:10", 
            "acknowledgedDate": "03/11/2019 08:16:19", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "NGCP", 
            "ID": 25
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:44:40", 
            "acknowledgedDate": "03/11/2019 08:16:20", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "NGCP", 
            "ID": 24
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:41:10", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 23
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:27:39", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 22
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:24:39", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 21
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:21:39", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 20
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:19:09", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 19
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:14:09", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 18
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:07:09", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 17
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:06:09", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 16
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/11/2019 01:01:39", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 15
        }, 
        {
            "conditionType": 13, 
            "severity": 50, 
            "triggeredDate": "03/10/2019 17:01:30", 
            "acknowledgedDate": "", 
            "summary": "408944640 - Failed Login Attempts - 306-31", 
            "assignee": "NGCP", 
            "alarmName": "Failed Login Attempts", 
            "acknowledgedUsername": "", 
            "ID": 14
        }
    ]
}
Human Readable Output

Result:

| conditionType | severity | triggeredDate | acknowledgedDate | summary | assignee | alarmName | ID | acknowledgedUsername |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 13 | 50 | 03/11/2019 01:48:10 | 03/11/2019 08:16:19 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 25 | NGCP |
| 13 | 50 | 03/11/2019 01:44:40 | 03/11/2019 08:16:20 | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 24 | NGCP |
| 13 | 50 | 03/11/2019 01:41:10 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 23 | |
| 13 | 50 | 03/11/2019 01:27:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 22 | |
| 13 | 50 | 03/11/2019 01:24:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 21 | |
| 13 | 50 | 03/11/2019 01:21:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 20 | |
| 13 | 50 | 03/11/2019 01:19:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 19 | |
| 13 | 50 | 03/11/2019 01:14:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 18 | |
| 13 | 50 | 03/11/2019 01:07:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 17 | |
| 13 | 50 | 03/11/2019 01:06:09 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 16 | |
| 13 | 50 | 03/11/2019 01:01:39 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 15 | |
| 13 | 50 | 03/10/2019 17:01:30 | | 408944640 - Failed Login Attempts - 306-31 | NGCP | Failed Login Attempts | 14 | |
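In the alarm output above, ESM marks an unacknowledged alarm with an empty acknowledgedDate and acknowledgedUsername rather than a null, which is easy to mishandle in a playbook condition. The following is an added example, not part of the integration, that runs a small triage pass over the Alarm context: it lists the alarms nobody has acknowledged yet (oldest first), measures how long acknowledged ones waited, and summarises the fetch. SAMPLE_ALARMS is a constructed subset of four alarms from the context example above, and the function names are this example's own.

```python
from collections import Counter
from datetime import datetime

ESM_TS = "%m/%d/%Y %H:%M:%S"   # format of triggeredDate/acknowledgedDate in the example above

# Constructed sample: four of the alarms from the esm-fetch-alarms context example.
_COMMON = {"alarmName": "Failed Login Attempts", "severity": 50, "conditionType": 13,
           "summary": "408944640 - Failed Login Attempts - 306-31", "assignee": "NGCP"}
SAMPLE_ALARMS = [
    {**_COMMON, "ID": 25, "triggeredDate": "03/11/2019 01:48:10",
     "acknowledgedDate": "03/11/2019 08:16:19", "acknowledgedUsername": "NGCP"},
    {**_COMMON, "ID": 24, "triggeredDate": "03/11/2019 01:44:40",
     "acknowledgedDate": "03/11/2019 08:16:20", "acknowledgedUsername": "NGCP"},
    {**_COMMON, "ID": 23, "triggeredDate": "03/11/2019 01:41:10",
     "acknowledgedDate": "", "acknowledgedUsername": ""},
    {**_COMMON, "ID": 14, "triggeredDate": "03/10/2019 17:01:30",
     "acknowledgedDate": "", "acknowledgedUsername": ""},
]


def parse_ts(value):
    return datetime.strptime(value, ESM_TS)


def is_acknowledged(alarm):
    # ESM returns "" (not null) until someone acknowledges, so test for a non-empty string.
    return bool(alarm.get("acknowledgedDate"))


def unacknowledged(alarms, min_severity=0):
    """IDs of alarms nobody has acknowledged, at or above min_severity, oldest first."""
    pending = [a for a in alarms if not is_acknowledged(a) and a["severity"] >= min_severity]
    pending.sort(key=lambda a: parse_ts(a["triggeredDate"]))
    return [a["ID"] for a in pending]


def ack_latency_seconds(alarms):
    """Seconds between trigger and acknowledgement, per alarm ID, for acknowledged alarms."""
    return {
        a["ID"]: int((parse_ts(a["acknowledgedDate"]) - parse_ts(a["triggeredDate"])).total_seconds())
        for a in alarms if is_acknowledged(a)
    }


def triage_report(alarms, now):
    """Summarise one fetch; `now` is an ESM-format timestamp so the report is reproducible."""
    pending = unacknowledged(alarms)
    by_id = {a["ID"]: a for a in alarms}
    oldest_age = None
    if pending:
        oldest_age = int((parse_ts(now) - parse_ts(by_id[pending[0]]["triggeredDate"])).total_seconds())
    return {
        "total": len(alarms),
        "by_name": dict(Counter(a["alarmName"] for a in alarms)),
        "unacknowledged": pending,
        "oldest_pending_age_seconds": oldest_age,
    }


if __name__ == "__main__":
    print(triage_report(SAMPLE_ALARMS, "03/11/2019 15:00:00"))
```

The oldest-pending age is the number worth alerting on: a repeated "Failed Login Attempts" alarm that has sat unacknowledged for most of a day is a queue problem as much as a security one, and the acknowledgement latency of the ones that were handled tells you what the normal turnaround looks like.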

4. Get a list of cases


Returns a list of cases from the McAfee ESM.

Base Command

esm-get-case-list

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| since | Filter for a case opened before this date. Given in format " | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of the case's events |
| Case.Notes | unknown | List of the case's notes |

Command Example
!esm-get-case-list
Context Example
{
    "Case": [
        {
            "Status": "Open", 
            "Summary": "case to be deleted", 
            "OpenTime": "03/11/2019 08:15:02", 
            "ID": 1, 
            "Severity": 1
        }, 
        {
            "Status": "Open", 
            "Summary": "New Virus Detected", 
            "OpenTime": "03/11/2019 11:39:18", 
            "ID": 2, 
            "Severity": 1
        }, 
        {
            "Status": "Open", 
            "Summary": "408944640 - Failed Login Attempts - 306-31", 
            "OpenTime": "03/11/2019 11:41:02", 
            "ID": 3, 
            "Severity": 1
        }, 
        {
            "Status": "Open", 
            "Summary": "this is the first case", 
            "OpenTime": "03/11/2019 12:54:50", 
            "ID": 4, 
            "Severity": 1
        }, 
        {
            "Status": "Open", 
            "Summary": "this is the first case", 
            "OpenTime": "03/11/2019 13:27:22", 
            "ID": 5, 
            "Severity": 1
        }, 
        {
            "Status": "Open", 
            "Summary": "this is the first case", 
            "OpenTime": "03/11/2019 13:29:47", 
            "ID": 6, 
            "Severity": 1
        }, 
        {
            "Status": "Open", 
            "Summary": "this is the first case", 
            "OpenTime": "03/11/2019 13:33:13", 
            "ID": 7, 
            "Severity": 1
        }
    ]
}
Human Readable Output

All cases:

| ID | Summary | Status | Severity | OpenTime |
| --- | --- | --- | --- | --- |
| 1 | case to be deleted | Open | 1 | 03/11/2019 08:15:02 |
| 2 | New Virus Detected | Open | 1 | 03/11/2019 11:39:18 |
| 3 | 408944640 - Failed Login Attempts - 306-31 | Open | 1 | 03/11/2019 11:41:02 |
| 4 | this is the first case | Open | 1 | 03/11/2019 12:54:50 |
| 5 | this is the first case | Open | 1 | 03/11/2019 13:27:22 |
| 6 | this is the first case | Open | 1 | 03/11/2019 13:29:47 |
| 7 | this is the first case | Open | 1 | 03/11/2019 13:33:13 |

5. Add a case


Adds a case to McAfee ESM.

Base Command

esm-add-case

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| summary | The name of the case | Required |
| status | The status of the case (use esm-get-case-statuses to view all statuses) | Optional |
| assignee | The user the case is assigned to | Optional |
| severity | The severity of the case (1 - 100) | Optional |
| organization | The organization assigned to the case (use esm-get-organization-list to view all organizations) | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of the case's events |
| Case.Notes | unknown | List of the case's notes |

Command Example
!esm-add-case summary="this is the first case"
Context Example
{
    "Case": [
        {
            "Status": "Open", 
            "OpenTime": "03/11/2019 15:07:22", 
            "Severity": 1, 
            "EventList": [], 
            "Notes": [
                {
                    "action": "Open", 
                    "content": "", 
                    "username": "NGCP", 
                    "changes": [], 
                    "timestamp": "03/11/2019 15:07:22(GMT)"
                }
            ], 
            "Summary": "this is the first case", 
            "Assignee": "NGCP", 
            "Organization": "None", 
            "ID": 8
        }
    ]
}
Human Readable Output

New Case:

| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8 | this is the first case | Open | 1 | 03/11/2019 15:07:22 | NGCP | None | [] | [{"action": "Open", "timestamp": "03/11/2019 15:07:22(GMT)", "username": "NGCP", "content": "", "changes": []}] |

6. Edit a case


Modifies an existing case.

Base Command

esm-edit-case

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the case | Required |
| summary | The name of the case | Optional |
| severity | The new severity of the case (1 - 100) | Optional |
| assignee | The user that the case should be assigned to | Optional |
| status | The new status of the case (use the esm-get-case-statuses command to view all statuses) | Optional |
| organization | The organization assigned to the case (use the esm-get-organization-list command to view all organizations) | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of the case's events |
| Case.Notes | unknown | List of the case's notes |

Command Example
!esm-edit-case id="2" summary="editing first case" severity="50" organization="LuthorCorp"
Context Example
{
    "Case": [
        {
            "Status": "Open", 
            "OpenTime": "03/11/2019 11:39:18", 
            "Severity": 50, 
            "EventList": [], 
            "Notes": [
                {
                    "action": "Changes", 
                    "content": "Summary\n    old: New Virus Detected\n    new: editing first case\n\n  Severity\n    old: 1\n    new: 50", 
                    "username": "NGCP", 
                    "changes": [
                        {
                            "changeType": "Summary", 
                            "changes": [
                                "old: New Virus Detected", 
                                "new: editing first case"
                            ]
                        }, 
                        {
                            "changeType": "Severity", 
                            "changes": [
                                "old: 1", 
                                "new: 50"
                            ]
                        }
                    ], 
                    "timestamp": "03/11/2019 15:07:26(GMT)"
                }, 
                {
                    "action": "Changes", 
                    "content": "Summary\n    old: editing first case\n    new: New Virus Detected\n\n  Severity\n    old: 50\n    new: 1", 
                    "username": "NGCP", 
                    "changes": [
                        {
                            "changeType": "Summary", 
                            "changes": [
                                "old: editing first case", 
                                "new: New Virus Detected"
                            ]
                        }, 
                        {
                            "changeType": "Severity", 
                            "changes": [
                                "old: 50", 
                                "new: 1"
                            ]
                        }
                    ], 
                    "timestamp": "03/11/2019 15:01:28(GMT)"
                }, 
                {
                    "action": "Changes", 
                    "content": "Summary\n    old: New Virus Detection\n    new: editing first case\n\n  Severity\n    old: 1\n    new: 50", 
                    "username": "NGCP", 
                    "changes": [
                        {
                            "changeType": "Summary", 
                            "changes": [
                                "old: New Virus Detection", 
                                "new: editing first case"
                            ]
                        }, 
                        {
                            "changeType": "Severity", 
                            "changes": [
                                "old: 1", 
                                "new: 50"
                            ]
                        }
                    ], 
                    "timestamp": "03/11/2019 13:33:16(GMT)"
                }, 
                {
                    "action": "Changes", 
                    "content": "Summary\n    old: editing first New Virus Detection\n    new: New Virus Detection", 
                    "username": "NGCP", 
                    "changes": [
                        {
                            "changeType": "Summary", 
                            "changes": [
                                "old: editing first New Virus Detection", 
                                "new: New Virus Detection"
                            ]
                        }
                    ], 
                    "timestamp": "03/11/2019 13:31:59(GMT)"
                }, 
                {
                    "action": "Changes", 
                    "content": "Summary\n    old: editing first case\n    new: editing first New Virus Detection\n\n  Severity\n    old: 50\n    new: 1", 
                    "username": "NGCP", 
                    "changes": [
                        {
                            "changeType": "Summary", 
                            "changes": [
                                "old: editing first case", 
                                "new: editing first New Virus Detection"
                            ]
                        }, 
                        {
                            "changeType": "Severity", 
                            "changes": [
                                "old: 50", 
                                "new: 1"
                            ]
                        }
                    ], 
                    "timestamp": "03/11/2019 13:31:45(GMT)"
                }, 
                {
                    "action": "Changes", 
                    "content": "Summary\n    old: New Virus Detection\n    new: editing first case\n\n  Severity\n    old: 1\n    new: 50", 
                    "username": "NGCP", 
                    "changes": [
                        {
                            "changeType": "Summary", 
                            "changes": [
                                "old: New Virus Detection", 
                                "new: editing first case"
                            ]
                        }, 
                        {
                            "changeType": "Severity", 
                            "changes": [
                                "old: 1", 
                                "new: 50"
                            ]
                        }
                    ], 
                    "timestamp": "03/11/2019 13:27:25(GMT)"
                }, 
                {
                    "action": "Open", 
                    "content": "", 
                    "username": "NGCP", 
                    "changes": [], 
                    "timestamp": "03/11/2019 11:39:18(GMT)"
                }
            ], 
            "Summary": "editing first case", 
            "Assignee": "NGCP", 
            "Organization": "None", 
            "ID": 2
        }
    ]
}
Human Readable Output

Edited Case:

| ID | Summary | Status | Severity | OpenTime | Assignee | Organization | Event List | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2 | editing first case | Open | 50 | 03/11/2019 11:39:18 | NGCP | None | [] | [{"action": "Changes", "timestamp": "03/11/2019 15:07:26(GMT)", "username": "NGCP", "content": "Summary\n old: New Virus Detected\n new: editing first case\n\n Severity\n old: 1\n new: 50", "changes": [{"changeType": "Summary", "changes": ["old: New Virus Detected", "new: editing first case"]}, {"changeType": "Severity", "changes": ["old: 1", "new: 50"]}]}, {"action": "Changes", "timestamp": "03/11/2019 15:01:28(GMT)", "username": "NGCP", "content": "Summary\n old: editing first case\n new: New Virus Detected\n\n Severity\n old: 50\n new: 1", "changes": [{"changeType": "Summary", "changes": ["old: editing first case", "new: New Virus Detected"]}, {"changeType": "Severity", "changes": ["old: 50", "new: 1"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:33:16(GMT)", "username": "NGCP", "content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50", "changes": [{"changeType": "Summary", "changes": ["old: New Virus Detection", "new: editing first case"]}, {"changeType": "Severity", "changes": ["old: 1", "new: 50"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:31:59(GMT)", "username": "NGCP", "content": "Summary\n old: editing first New Virus Detection\n new: New Virus Detection", "changes": [{"changeType": "Summary", "changes": ["old: editing first New Virus Detection", "new: New Virus Detection"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:31:45(GMT)", "username": "NGCP", "content": "Summary\n old: editing first case\n new: editing first New Virus Detection\n\n Severity\n old: 50\n new: 1", "changes": [{"changeType": "Summary", "changes": ["old: editing first case", "new: editing first New Virus Detection"]}, {"changeType": "Severity", "changes": ["old: 50", "new: 1"]}]}, {"action": "Changes", "timestamp": "03/11/2019 13:27:25(GMT)", "username": "NGCP", "content": "Summary\n old: New Virus Detection\n new: editing first case\n\n Severity\n old: 1\n new: 50", "changes": [{"changeType": "Summary", "changes": ["old: New Virus Detection", "new: editing first case"]}, {"changeType": "Severity", "changes": ["old: 1", "new: 50"]}]}, {"action": "Open", "timestamp": "03/11/2019 11:39:18(GMT)", "username": "NGCP", "content": "", "changes": []}] |

7. Get a list of case statuses


Returns a list of valid case statuses from McAfee ESM.

Base Command

esm-get-case-statuses

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example
!esm-get-case-statuses
Human Readable Output

Result:

| ID | Name | Is Default | Show In Case Pane |
| --- | --- | --- | --- |
| 2 | Closed | false | false |
| 1 | Open | true | true |
| 8 | Pending | false | true |
| 4 | Research | false | false |

8. Edit the status of a case


Modifies a case status.

Base Command

esm-edit-case-status

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| original_name | The name of the case status to edit | Required |
| new_name | The new name for the case status | Required |
| show_in_case_pane | Whether the status will be shown in the case pane | Optional |

Context Output

There is no context output for this command.

Command Example
!esm-edit-case-status original_name=Research new_name=RnD
Human Readable Output

Edit case status with ID: 4

9. Get details of a case


Returns details about an existing case.

Base Command

esm-get-case-detail

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID of the case | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Case.ID | number | The ID of the case |
| Case.Summary | string | The summary of the case |
| Case.Status | string | The status of the case |
| Case.OpenTime | date | The open time of the case |
| Case.Severity | number | The severity of the case |
| Case.Assignee | string | The assignee of the case |
| Case.Organization | string | The organization of the case |
| Case.EventList | unknown | List of the case's events |
| Case.Notes | unknown | List of the case's notes |

Command Example
!esm-get-case-detail id=3
Context Example
{
    "Case": [
        {
            "Status": "Open", 
            "OpenTime": "03/11/2019 11:41:02", 
            "Severity": 1, 
            "EventList": [
                {
                    "message": "Failed User Logon", 
                    "lastTime": "03/11/2019 01:01:13", 
                    "id": {
                        "value": "144115188075855872|8850"
                    }
                }
            ], 
            "Notes": [
                {
                    "action": "Open", 
                    "content": "Events Added: 144115188075855872|8850\n    Events Removed:", 
                    "username": "NGCP", 
                    "changes": [
                        {
                            "changeType": "Events Added", 
                            "changes": [
                                "144115188075855872|8850"
                            ]
                        }, 
                        {
                            "changeType": "Events Removed", 
                            "changes": []
                        }
                    ], 
                    "timestamp": "03/11/2019 11:41:02(GMT)"
                }
            ], 
            "Summary": "408944640 - Failed Login Attempts - 306-31", 
            "Assignee": "NGCP", 
            "Organization": "None", 
            "ID": 3
        }
    ]
}
Human Readable Output

Case 3:

ID Summary Status Severity OpenTime Assignee Organization Event List Notes
3 408944640 - Failed Login Attempts - 306-31 Open 1 03/11/2019 11:41:02 NGCP None [{"message": "Failed User Logon", "lastTime": "03/11/2019 01:01:13", "id": {"value": "144115188075855872|8850"}}] [{"action": "Open", "timestamp": "03/11/2019 11:41:02(GMT)", "username": "NGCP", "content": "Events Added: 144115188075855872|8850\n Events Removed:", "changes": [{"changeType": "Events Added", "changes": ["144115188075855872|8850"]}, {"changeType": "Events Removed", "changes": []}]}]
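The Case context returned by esm-get-case-detail carries two views of the case's events: Case.EventList (what is attached now) and Case.Notes (a change history with "Events Added" and "Events Removed" entries, newest first). The following added example, which is not code from the integration, replays that history to find events that were removed from a case, validates the "IPSID|eventID" shape of each ID, and builds the CSV value for the ids argument of esm-get-case-event-list so an analyst can still pull details for removed events. The sample case is constructed from the page's case 3 plus two hypothetical notes that add and then remove a second event; the note timestamp format (month/day/year with a trailing "(GMT)") is assumed from the page's examples.

```python
"""Post-process esm-get-case-detail output: current events, removed events, and the
ids= argument for esm-get-case-event-list. Added example, not integration code."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# ESM case event IDs have the shape "<IPSID>|<eventID>", e.g. "144115188075855872|8850".
EVENT_ID_RE = re.compile(r"^\d+\|\d+$")

# Assumption: note timestamps look like "03/11/2019 11:41:02(GMT)" as in the page's
# examples. Change NOTE_TS_FORMAT if your ESM time format differs.
NOTE_TS_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample: the page's case 3, with two hypothetical notes (the first two,
# since ESM returns notes newest first) that add and then remove event 9718.
SAMPLE_CASE: Dict = {
    "ID": 3,
    "Summary": "408944640 - Failed Login Attempts - 306-31",
    "Status": "Open",
    "OpenTime": "03/11/2019 11:41:02",
    "Severity": 1,
    "Assignee": "NGCP",
    "Organization": "None",
    "EventList": [
        {"message": "Failed User Logon", "lastTime": "03/11/2019 01:01:13",
         "id": {"value": "144115188075855872|8850"}},
    ],
    "Notes": [
        {"action": "Changes", "timestamp": "03/11/2019 12:05:00(GMT)", "username": "NGCP",
         "content": "Events Added:\n    Events Removed: 144115188075855872|9718",
         "changes": [{"changeType": "Events Added", "changes": []},
                     {"changeType": "Events Removed", "changes": ["144115188075855872|9718"]}]},
        {"action": "Changes", "timestamp": "03/11/2019 11:50:00(GMT)", "username": "NGCP",
         "content": "Events Added: 144115188075855872|9718\n    Events Removed:",
         "changes": [{"changeType": "Events Added", "changes": ["144115188075855872|9718"]},
                     {"changeType": "Events Removed", "changes": []}]},
        {"action": "Open", "timestamp": "03/11/2019 11:41:02(GMT)", "username": "NGCP",
         "content": "Events Added: 144115188075855872|8850\n    Events Removed:",
         "changes": [{"changeType": "Events Added", "changes": ["144115188075855872|8850"]},
                     {"changeType": "Events Removed", "changes": []}]},
    ],
}


def parse_note_timestamp(ts: str) -> datetime:
    """Parse a note timestamp such as '03/11/2019 11:41:02(GMT)' into an aware UTC datetime."""
    cleaned = ts.strip()
    if cleaned.endswith("(GMT)"):
        cleaned = cleaned[: -len("(GMT)")].strip()
    return datetime.strptime(cleaned, NOTE_TS_FORMAT).replace(tzinfo=timezone.utc)


def split_event_ids(ids: List[str]) -> Tuple[List[str], List[str]]:
    """Separate well-formed IPSID|eventID values from anything else (returned for reporting)."""
    good = [i for i in ids if EVENT_ID_RE.match(i)]
    bad = [i for i in ids if not EVENT_ID_RE.match(i)]
    return good, bad


def event_timeline(notes: List[Dict]) -> List[Tuple[datetime, str, str]]:
    """Flatten 'Events Added'/'Events Removed' changes into (time, action, id), oldest first.
    ESM returns notes newest first, so the order is made explicit here."""
    rows: List[Tuple[datetime, str, str]] = []
    for note in notes:
        when = parse_note_timestamp(note["timestamp"])
        for change in note.get("changes", []):
            if change.get("changeType") in ("Events Added", "Events Removed"):
                good, _ = split_event_ids(change.get("changes", []))
                rows.extend((when, change["changeType"], eid) for eid in good)
    return sorted(rows, key=lambda r: r[0])


def current_event_ids(case: Dict) -> List[str]:
    """Events attached to the case right now, taken from Case.EventList."""
    return sorted(e["id"]["value"] for e in case.get("EventList", []))


def removed_event_ids(case: Dict) -> List[str]:
    """Events that appear in an 'Events Removed' note and are no longer attached."""
    removed: Set[str] = {eid for _, action, eid in event_timeline(case.get("Notes", []))
                         if action == "Events Removed"}
    return sorted(removed - set(current_event_ids(case)))


def event_ids_argument(case: Dict, include_removed: bool = True) -> str:
    """CSV value for the ids argument of esm-get-case-event-list."""
    ids = current_event_ids(case)
    if include_removed:
        ids = ids + removed_event_ids(case)
    return ",".join(ids)


if __name__ == "__main__":
    print("current:", current_event_ids(SAMPLE_CASE))
    print("removed:", removed_event_ids(SAMPLE_CASE))
    print("!esm-get-case-event-list ids=" + event_ids_argument(SAMPLE_CASE))
```

Replaying the notes rather than trusting only EventList is the point: an event that someone detached from a case is exactly the kind of thing an investigator wants to look at, and the IDs in the history are still valid input for esm-get-case-event-list.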

10. Get details of a case event


Returns case event details.

Base Command

esm-get-case-event-list

Input
Argument Name Description Required
ids CSV list of event IDs Required

Context Output
Path Type Description
CaseEvents.ID string The ID of the event
CaseEvents.LastTime date The last updated time of the event
CaseEvents.Message string The message of the event

Command Example
!esm-get-case-event-list ids=144115188075855872|8850,144115188075855872|9718
Context Example
{
    "CaseEvents": [
        {
            "Message": "Failed User Logon", 
            "LastTime": "03/11/2019 01:01:13", 
            "ID": "144115188075855872|8850"
        }, 
        {
            "Message": "User Logon", 
            "LastTime": "03/11/2019 11:09:37", 
            "ID": "144115188075855872|9718"
        }
    ]
}
Human Readable Output

Case Events:

ID LastTime Message
144115188075855872|8850 03/11/2019 01:01:13 Failed User Logon
144115188075855872|9718 03/11/2019 11:09:37 User Logon

11. Add a case status


Creates a new case status in ESM that can then be assigned to cases; it does not modify any existing case.

Base Command

esm-add-case-status

Input
Argument Name Description Required
name The name of the case status Required
show_in_case_pane Whether the status will be shown in case pane Optional

Context Output

There is no context output for this command.

Command Example
!esm-add-case-status name=Deprecated
Human Readable Output

Added case status : Deprecated

12. Delete a case status


Deletes a case status from ESM, looked up by name.

Base Command

esm-delete-case-status

Input
Argument Name Description Required
name The name of the case status to delete Required

Context Output

There is no context output for this command.

Command Example
!esm-delete-case-status name=Pending
Human Readable Output

Deleted case status with ID: 8

13. Get a list of case organizations


Returns a list of case organizations.

Base Command

esm-get-organization-list

Input

There are no input arguments for this command.

Context Output
Path Type Description
Organizations.ID number Organization ID
Organizations.Name string Organization Name

Command Example
!esm-get-organization-list
Context Example
{
    "Organizations": [
        {
            "ID": 1, 
            "Name": "None"
        }
    ]
}
Human Readable Output

Organizations:

ID Name
1 None

14. Get a list of all users


Returns a list of all users.

Base Command

esm-get-user-list

Input

There are no input arguments for this command.

Context Output
Path Type Description
EsmUser.ID number The ID of the user
EsmUser.Name string The ESM user name
EsmUser.Email string The email address of the user
EsmUser.SMS string The SMS details of the user
EsmUser.IsMaster boolean Whether the user is a master user
EsmUser.IsAdmin boolean Whether the user is an admin

Command Example
!esm-get-user-list
Context Example
{
    "EsmUser": [
        {
            "IsMaster": true, 
            "Name": "NGCP", 
            "SMS": "", 
            "ID": 1, 
            "IsAdmin": false, 
            "Email": ""
        }, 
        {
            "IsMaster": false, 
            "Name": "POLICY", 
            "SMS": "", 
            "ID": 3, 
            "IsAdmin": false, 
            "Email": ""
        }, 
        {
            "IsMaster": false, 
            "Name": "REPORT", 
            "SMS": "", 
            "ID": 2, 
            "IsAdmin": false, 
            "Email": ""
        }
    ]
}
Human Readable Output

Users:

| ID | Name | Email | SMS | IsMaster | IsAdmin |
| --- | --- | --- | --- | --- | --- |
| 1 | NGCP | | | true | false |
| 3 | POLICY | | | false | false |
| 2 | REPORT | | | false | false |

15. Mark triggered alarms as acknowledged


Marks triggered alarms as acknowledged.

Base Command

esm-acknowledge-alarms

Input
Argument Name Description Required
alarmIds A CSV list of triggered alarm IDs to be marked acknowledged Required

Context Output

There is no context output for this command.

Command Example
!esm-acknowledge-alarms alarmIds=2,5,6
Human Readable Output

Alarms has been Acknowledged.

16. Mark triggered alarms as unacknowledged


Marks triggered alarms as unacknowledged.

Base Command

esm-unacknowledge-alarms

Input
Argument Name Description Required
alarmIds A CSV list of triggered alarm IDs to be marked unacknowledged Required

Context Output

There is no context output for this command.

Command Example
!esm-unacknowledge-alarms alarmIds="1,8,7"
Human Readable Output

Alarms has been Unacknowledged.

17. Delete triggered alarms


Deletes triggered alarms.

Base Command

esm-delete-alarms

Input
Argument Name Description Required
alarmIds A CSV list of triggered alarm IDs to be deleted Required

Context Output

There is no context output for this command.

Command Example
!esm-delete-alarms alarmIds=26
Human Readable Output

Alarms has been Deleted.

18. Get details for a triggered alarm


Returns details for a triggered alarm.

Base Command

esm-get-alarm-event-details

Input
Argument Name Description Required
eventId The event to get the details for. The ID can be retrieved from the esm-list-alarm-events command. Required

Context Output
Path Type Description
EsmAlarmEvent.ID string Event ID
EsmAlarmEvent.SubType string Event type
EsmAlarmEvent.Severity number Event severity
EsmAlarmEvent.Message string Event message
EsmAlarmEvent.LastTime date Event time
EsmAlarmEvent.SrcIP string Source IP of the event
EsmAlarmEvent.DstIP string Destination IP of the event
EsmAlarmEvent.Cases unknown A list of cases related to the event
EsmAlarmEvent.Cases.ID string Case ID
EsmAlarmEvent.Cases.OpenTime date Case creation time
EsmAlarmEvent.Cases.Severity number Case severity
EsmAlarmEvent.Cases.Status string Case status
EsmAlarmEvent.Cases.Summary string Case summary
EsmAlarmEvent.DstMac string Destination MAC of the event
EsmAlarmEvent.SrcMac string Source MAC of the event
EsmAlarmEvent.DstPort string Destination port of the event
EsmAlarmEvent.SrcPort string Source port of the event
EsmAlarmEvent.FirstTime date The first time for the event
EsmAlarmEvent.NormalizedDescription string Normalized description of the event

Command Example
!esm-get-alarm-event-details eventId="144115188075855872|9718"
Context Example
{
    "EsmAlarmEvent": [
        {
            "DstIP": "192.168.1.25", 
            "FirstTime": "03/11/2019 11:09:37", 
            "Severity": 19, 
            "DstPort": "0", 
            "SrcPort": "0", 
            "DstMac": "00:00:00:00:00:00", 
            "SubType": "success", 
            "SrcIP": "52.15.91.198", 
            "Message": "User Logon", 
            "LastTime": "03/11/2019 11:09:37", 
            "ID": "144115188075855872|9718", 
            "NormalizedDescription": "The Login category indicates events related to logging in to hosts or services.  Belongs to Authentication: The authentication category indicates events relating to system access.", 
            "SrcMac": "00:00:00:00:00:00"
        }
    ]
}
Human Readable Output

Alarm Events:

| ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 144115188075855872\|9718 | success | 19 | User Logon | 03/11/2019 11:09:37 | 52.15.91.198 | 0 | 192.168.1.25 | 0 |

19. Get the events related to a triggered alarm


Returns the list of events related to a triggered alarm.

Base Command

esm-list-alarm-events

Input
Argument Name Description Required
alarmId The alarm to get the details for. The ID can be retrieved from the esm-fetch-alarms command. Required

Context Output
Path Type Description
EsmAlarmEvent.ID string Event ID
EsmAlarmEvent.SubType string Event type
EsmAlarmEvent.Severity number Event severity
EsmAlarmEvent.Message string Event message
EsmAlarmEvent.LastTime date Event time
EsmAlarmEvent.SrcIP string Source IP of the event
EsmAlarmEvent.DstIP string Destination IP of the event
EsmAlarmEvent.Cases unknown A list of cases related to the event
EsmAlarmEvent.Cases.ID string Case ID
EsmAlarmEvent.Cases.OpenTime date Case creation time
EsmAlarmEvent.Cases.Severity number Case severity
EsmAlarmEvent.Cases.Status string Case status
EsmAlarmEvent.Cases.Summary string Case summary

Command Example
!esm-list-alarm-events alarmId="24"
Context Example
{
    "EsmAlarmEvent": [
        {
            "DstIP": "192.168.1.25", 
            "Severity": 25, 
            "SubType": "failure", 
            "SrcIP": "186.29.149.40", 
            "Message": "Failed User Logon", 
            "LastTime": "03/11/2019 01:44:27", 
            "ID": "144115188075855872|8919"
        }
    ]
}
Human Readable Output

Alarm Events:

| ID | SubType | Severity | Message | LastTime | SrcIP | SrcPort | DstIP | DstPort |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 144115188075855872\|8919 | failure | 25 | Failed User Logon | 03/11/2019 01:44:27 | 186.29.149.40 | | 192.168.1.25 | |
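Commands 15 to 17 act on a CSV list of alarm IDs, and commands 18 and 19 expose the events behind each alarm. The following added example, which is not code from the integration, shows one way to chain them in a playbook step: take the EsmAlarmEvent records that esm-list-alarm-events returned for each alarm, decide which alarms are safe to acknowledge in bulk and which need an analyst, and format the alarmIds argument for esm-acknowledge-alarms. Alarm 24 carries the page's own example event; alarms 31, 32 and 33, the internal address ranges and the severity threshold are assumptions for the example.

```python
"""Triage the events behind triggered alarms before bulk-acknowledging them.
Added example, not integration code."""
import ipaddress
from typing import Dict, List, Tuple

# Assumption: address ranges treated as internal. Replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: events at or above this ESM severity are never auto-acknowledged.
ESCALATE_SEVERITY = 20

# Constructed sample: alarm ID -> EsmAlarmEvent records from esm-list-alarm-events.
SAMPLE_EVENTS_BY_ALARM: Dict[str, List[Dict]] = {
    "24": [  # the page's esm-list-alarm-events example
        {"ID": "144115188075855872|8919", "SubType": "failure", "Severity": 25,
         "Message": "Failed User Logon", "LastTime": "03/11/2019 01:44:27",
         "SrcIP": "186.29.149.40", "DstIP": "192.168.1.25"},
    ],
    "31": [  # hypothetical alarm carrying the page's esm-get-alarm-event-details event
        {"ID": "144115188075855872|9718", "SubType": "success", "Severity": 19,
         "Message": "User Logon", "LastTime": "03/11/2019 11:09:37",
         "SrcIP": "52.15.91.198", "DstIP": "192.168.1.25"},
    ],
    "32": [  # hypothetical: low-severity failure from an internal address
        {"ID": "144115188075855872|9001", "SubType": "failure", "Severity": 10,
         "Message": "Failed User Logon", "LastTime": "03/11/2019 09:00:00",
         "SrcIP": "10.20.30.40", "DstIP": "192.168.1.25"},
    ],
    "33": [],  # hypothetical: alarm whose events could not be listed
}


def is_internal(ip: str) -> bool:
    """True if ip parses and falls inside INTERNAL_NETS; unparsable input counts as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify_event(event: Dict) -> Tuple[str, str]:
    """Return ('escalate' | 'ack', reason) for one EsmAlarmEvent record."""
    severity = int(event.get("Severity", 0) or 0)
    subtype = str(event.get("SubType", "")).lower()
    src = str(event.get("SrcIP", ""))
    # Any logon outcome from outside the internal ranges goes to an analyst.
    if subtype in ("failure", "success") and not is_internal(src):
        return "escalate", f"{event.get('Message', 'event')} ({subtype}) from external source {src}"
    if severity >= ESCALATE_SEVERITY:
        return "escalate", f"severity {severity} >= {ESCALATE_SEVERITY}"
    return "ack", "internal source below severity threshold"


def triage_alarms(events_by_alarm: Dict[str, List[Dict]]) -> Dict[str, List[str]]:
    """Bucket alarm IDs into 'ack' and 'escalate'. One escalated event escalates the whole
    alarm, and an alarm with no listable events is never auto-acknowledged."""
    buckets: Dict[str, List[str]] = {"ack": [], "escalate": []}
    for alarm_id, events in events_by_alarm.items():
        escalate = not events or any(classify_event(e)[0] == "escalate" for e in events)
        buckets["escalate" if escalate else "ack"].append(alarm_id)
    return buckets


def escalation_reasons(events_by_alarm: Dict[str, List[Dict]]) -> Dict[str, List[str]]:
    """Per escalated alarm, the reasons an analyst should see in the War Room."""
    reasons: Dict[str, List[str]] = {}
    for alarm_id in triage_alarms(events_by_alarm)["escalate"]:
        events = events_by_alarm[alarm_id]
        if not events:
            reasons[alarm_id] = ["no events returned for this alarm"]
        else:
            reasons[alarm_id] = [r for v, r in map(classify_event, events) if v == "escalate"]
    return reasons


def alarm_ids_argument(alarm_ids: List[str]) -> str:
    """CSV value for the alarmIds argument of esm-acknowledge-alarms / esm-delete-alarms."""
    return ",".join(sorted(set(alarm_ids), key=int))


if __name__ == "__main__":
    verdict = triage_alarms(SAMPLE_EVENTS_BY_ALARM)
    print("!esm-acknowledge-alarms alarmIds=" + alarm_ids_argument(verdict["ack"]))
    for alarm_id, why in escalation_reasons(SAMPLE_EVENTS_BY_ALARM).items():
        print(f"alarm {alarm_id}: " + "; ".join(why))
```

The design choice worth copying is the fail-closed default in triage_alarms: an alarm whose events could not be listed is escalated rather than acknowledged, because acknowledging (or deleting, via esm-delete-alarms) removes it from the queue without anyone having looked at it.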