McAfee NSM

Overview


Use the McAfee NSM integration in Demisto to retrieve information about sensors, domains, IPS policies, alerts, and attack definitions in McAfee Network Security Manager (NSM), and to update the state or assignee of alerts.

This integration was integrated and tested with McAfee NSM v9.1.

Configure McAfee NSM on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for McAfee NSM.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • URL of the NSM Manager API (for example: https://192.168.0.1:5000)
    • Username
    • Use system proxy settings
    • Trust any certificate (not secure): skips TLS certificate validation of the NSM Manager. Leave this unchecked outside a lab; have the Demisto server trust the Manager's CA instead.
  4. Click Test to validate the URL, credentials, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get a list of sensors for a domain: nsm-get-sensors
  2. Get all domains: nsm-get-domains
  3. Get alerts: nsm-get-alerts
  4. Update alert information: nsm-update-alerts
  5. Get details for a single alert: nsm-get-alert-details
  6. Get IPS policies in a domain: nsm-get-ips-policies
  7. Get policy details for a single IPS policy: nsm-get-ips-policy-details
  8. Get all attack definitions: nsm-get-attacks

1. Get a list of sensors for a domain


Returns a list of sensors for a specified domain.

Base Command
nsm-get-sensors
Input
  • domainID (Optional): The domain of the sensors. If blank, returns all sensors.
Context Output
  • NSM.Sensors.ID (number): Sensor ID
  • NSM.Sensors.Name (string): Sensor name
  • NSM.Sensors.Description (string): Sensor description
  • NSM.Sensors.DomainID (number): Sensor's domain ID
  • NSM.Sensors.IP Address (string): Sensor IP address
  • NSM.Sensors.IPSPolicyID (number): ID of the IPS policy assigned to the sensor
Command Example
!nsm-get-sensors domainID=0
Context Example
{
    "NSM": {
        "Sensors": {
            "Description": "MCAFEE-NETWORK-SECURITY-PLATFORM",
            "DomainID": 0,
            "ID": 1001,
            "IP Address": "192.168.1.109",
            "IPSPolicyID": 0,
            "Name": "VNSP1"
        }
    }
}
Human Readable Output

image

2. Get all domains


Returns all domains.

Base Command
nsm-get-domains
Input
  • domain (Optional): Domain ID. If blank, returns all domains.
Context Output
  • NSM.Domains.ID (number): Domain ID
  • NSM.Domains.Name (string): Domain name
Command Example
!nsm-get-domains domain=0
Context Example
{
    "NSM": {
        "Domains": {
            "ID": 0,
            "Name": "My Company"
        }
    }
}
Human Readable Output

image

3. Get alerts


Returns alerts according to query parameters.

Base Command
nsm-get-alerts
Input
  • time_period (Optional): Time period to query. Use start_time and end_time for a custom range.
  • start_time (Optional): Start time, in "mm/dd/yyyy HH:MM" format only. Used with a custom time period only.
  • end_time (Optional): End time, in "mm/dd/yyyy HH:MM" format only. Used with a custom time period only.
  • state (Optional): Alert state to filter on.
  • search (Optional): Search string matched against alert details.
  • filter (Optional): Filter alerts by fields. Clauses are separated by ";", a field and its values by ":", and multiple values by ",". Example: "name:hello;direction:Inbound,Outbound;attackcount:>3,<4".
Context Output
  • NSM.Alerts.ID (number): Alert ID
  • NSM.Alerts.Name (string): Alert name
  • NSM.Alerts.State (string): Alert state (Acknowledged or Unacknowledged)
  • NSM.Alerts.CreatedTime (string): Alert creation time
  • NSM.Alerts.Assignee (string): Alert assignee
  • NSM.Alerts.AttackSeverity (string): Alert severity
  • NSM.Alerts.Application (string): The application associated with the alert
  • NSM.Alerts.EventResult (unknown): Event result
  • NSM.Alerts.Event (unknown): The event that triggered the alert
  • NSM.Alerts.Attack (unknown): The attack behind the alert
  • NSM.Alerts.Attacker (unknown): The source of the attack
  • NSM.Alerts.Target (unknown): The target of the attack
  • NSM.Alerts.MalwareFile (unknown): Malware file used in the attack
Command Example
!nsm-get-alerts state=ANY

4. Update alert information


Updates the state or the assignee of every alert matched by the time, state, search, and filter arguments. Because the change applies to the whole matched set, run nsm-get-alerts with the same arguments first and review the result before updating.

Base Command
nsm-update-alerts
Input
  • state (Optional): Current state of the alerts to update.
  • time_period (Optional): Time period to query. Use start_time and end_time for a custom range.
  • start_time (Optional): Start time, in "mm/dd/yyyy HH:MM" format only. Used with a custom time period only.
  • end_time (Optional): End time, in "mm/dd/yyyy HH:MM" format only. Used with a custom time period only.
  • new_state (Optional): State to set on the matched alerts.
  • new_assignee (Optional): Assignee to set on the matched alerts.
  • search (Optional): Search string matched against alert details.
  • filter (Optional): Filter alerts by fields. Clauses are separated by ";", a field and its values by ":", and multiple values by ",". Example: "name:hello;direction:Inbound,Outbound;attackcount:>3,<4".
Context Output
  • NSM.Alerts.ID (number): Alert ID
  • NSM.Alerts.Name (string): Alert name
  • NSM.Alerts.State (string): Alert state (Acknowledged or Unacknowledged)
  • NSM.Alerts.CreatedTime (string): Alert creation time
  • NSM.Alerts.Assignee (string): Alert assignee
  • NSM.Alerts.AttackSeverity (string): Alert severity
  • NSM.Alerts.Application (string): The application associated with the alert
  • NSM.Alerts.EventResult (unknown): Event result
  • NSM.Alerts.Event (unknown): The event that triggered the alert
  • NSM.Alerts.Attack (unknown): The attack behind the alert
  • NSM.Alerts.Attacker (unknown): The source of the attack
  • NSM.Alerts.Target (unknown): The target of the attack
  • NSM.Alerts.MalwareFile (unknown): Malware file used in the attack
Command Example
!nsm-update-alerts start_time="10/10/2018 08:00" state=Acknowledged
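The nsm-get-alerts and nsm-update-alerts commands above share the same time and filter arguments, and nsm-update-alerts changes every alert the filter matches. The following Python helper is an added example, not part of the integration's own code: it converts an ISO-8601 timestamp to the "mm/dd/yyyy HH:MM" form the commands require, builds and parses filter strings in the "field:value,value;field:value" shape shown in the examples, and previews which alerts a filter would select so an analyst can check the set before acknowledging or reassigning it. The sample alert records are constructed for the example, and the match semantics (comma-separated values of one field are alternatives, different fields must all match, ">N" and "<N" are numeric comparisons) are assumptions about the filter syntax that this page does not spell out.

```python
"""Build and sanity-check arguments for nsm-get-alerts / nsm-update-alerts."""
from __future__ import annotations

from datetime import datetime

# The commands accept custom times in "mm/dd/yyyy HH:MM" only.
NSM_TIME_FORMAT = "%m/%d/%Y %H:%M"


def to_nsm_time(iso_timestamp: str) -> str:
    """Convert an ISO-8601 timestamp (the form incident fields usually carry)
    to NSM's custom-time format. Seconds are dropped because the format has none."""
    return datetime.fromisoformat(iso_timestamp).strftime(NSM_TIME_FORMAT)


def parse_filter(filter_string: str) -> dict[str, list[str]]:
    """Split 'name:hello;direction:Inbound,Outbound;attackcount:>3,<4' into
    {'name': ['hello'], 'direction': ['Inbound', 'Outbound'], 'attackcount': ['>3', '<4']}.
    ';' separates clauses, the first ':' separates field from values, ',' separates values."""
    clauses: dict[str, list[str]] = {}
    for part in filter(None, filter_string.split(";")):
        if ":" not in part:
            raise ValueError(f"filter clause {part!r} has no ':' separator")
        field, raw_values = part.split(":", 1)
        values = [v.strip() for v in raw_values.split(",") if v.strip()]
        if not field.strip() or not values:
            raise ValueError(f"filter clause {part!r} is missing a field or value")
        clauses[field.strip().lower()] = values
    return clauses


def build_filter(clauses: dict[str, list[str]]) -> str:
    """Inverse of parse_filter. Refuses values containing the structural characters,
    so a user-supplied string cannot silently add or split clauses."""
    parts = []
    for field, values in clauses.items():
        for value in values:
            if ";" in value or "," in value:
                raise ValueError(f"value {value!r} for {field} contains a filter separator")
        parts.append(f"{field}:{','.join(values)}")
    return ";".join(parts)


def _value_matches(actual, wanted: str) -> bool:
    # Assumption: '>N' / '<N' are numeric comparisons; anything else is a
    # case-insensitive equality test.
    if wanted[:1] in ("<", ">"):
        bound = float(wanted[1:])
        actual_num = float(actual)
        return actual_num > bound if wanted[0] == ">" else actual_num < bound
    return str(actual).lower() == wanted.lower()


def alert_matches(alert: dict, clauses: dict[str, list[str]]) -> bool:
    """Assumption (not documented on this page): values of one field are alternatives
    (OR) and different fields must all match (AND). Field lookup is case-insensitive
    so the filter field 'name' matches the alert key 'Name'."""
    lowered = {key.lower(): value for key, value in alert.items()}
    for field, values in clauses.items():
        if field not in lowered:
            return False
        if not any(_value_matches(lowered[field], v) for v in values):
            return False
    return True


def preview_update(alerts: list[dict], filter_string: str) -> list[int]:
    """Return the IDs an nsm-update-alerts call with this filter would touch,
    so the set can be reviewed before changing state or assignee."""
    clauses = parse_filter(filter_string)
    return [alert["ID"] for alert in alerts if alert_matches(alert, clauses)]


# Constructed sample alerts (not real NSM output), keyed like the context paths above.
SAMPLE_ALERTS = [
    {"ID": 1, "Name": "hello", "Direction": "Inbound", "AttackCount": 5, "State": "Unacknowledged"},
    {"ID": 2, "Name": "hello", "Direction": "Outbound", "AttackCount": 1, "State": "Unacknowledged"},
    {"ID": 3, "Name": "other", "Direction": "Inbound", "AttackCount": 9, "State": "Acknowledged"},
    {"ID": 4, "Name": "hello", "Direction": "Internal", "AttackCount": 7, "State": "Acknowledged"},
]

if __name__ == "__main__":
    args = {
        "start_time": to_nsm_time("2018-10-10T08:00:00"),
        "state": "Unacknowledged",
        "filter": build_filter({"name": ["hello"], "direction": ["Inbound", "Outbound"]}),
    }
    print("!nsm-update-alerts " + " ".join(f'{k}="{v}"' for k, v in args.items()))
    print("would touch alert IDs:", preview_update(SAMPLE_ALERTS, args["filter"]))
```

Run the same filter through nsm-get-alerts first; if preview_update and the command disagree on which alerts are selected, the assumed match semantics are wrong for your NSM version and the filter should be narrowed before any nsm-update-alerts call.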

5. Get details for a single alert


Returns details for a single, specified alert.

Base Command
nsm-get-alert-details
Input
  • alert_id (Required): Alert ID
  • sensor_id (Required): ID of the sensor that raised the alert
Context Output
  • NSM.Alerts.ID (string): Alert ID
  • NSM.Alerts.Name (string): Alert name
  • NSM.Alerts.State (string): Alert state (Acknowledged or Unacknowledged)
  • NSM.Alerts.CreatedTime (date): Alert creation time
  • NSM.Alerts.Assignee (string): Alert assignee
  • NSM.Alerts.Description (string): Alert description
  • NSM.Alerts.EventResult (string): Event result
  • NSM.Alerts.Event (unknown): The event that triggered the alert
  • NSM.Alerts.Attack (unknown): The attack behind the alert
  • NSM.Alerts.Attacker (unknown): The source of the attack
  • NSM.Alerts.Target (unknown): The target of the attack
  • NSM.Alerts.MalwareFile (string): Malware file used in the attack
  • NSM.Alerts.Details (unknown): Extra details
Command Example
!nsm-get-alert-details alert_id=0 sensor_id=1001

6. Get IPS policies in a domain


Returns the IPS policies in a domain.

Base Command
nsm-get-ips-policies
Input
  • domain_id (Required): Domain ID
Context Output
  • NSM.IPSPolicies.ID (number): IPS policy ID
  • NSM.IPSPolicies.Name (string): IPS policy name
  • NSM.IPSPolicies.DomainID (number): IPS policy domain ID
  • NSM.IPSPolicies.IsEditable (boolean): Whether you can edit the IPS policy
  • NSM.IPSPolicies.VisibleToChildren (boolean): Whether the IPS policy is visible to the domain's child domains
Command Example
!nsm-get-ips-policies domain_id=0
Context Example
{
    "NSM": {
        "IPSPolicies": [
            {
                "DomainID": 0,
                "ID": -1,
                "IsEditable": true,
                "Name": "Master Attack Repository",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 0,
                "IsEditable": true,
                "Name": "Default Detection",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 16,
                "IsEditable": true,
                "Name": "Default Exclude Informational",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 17,
                "IsEditable": true,
                "Name": "Default Testing",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 18,
                "IsEditable": true,
                "Name": "Default DoS and Reconnaissance Only",
                "VisibleToChildren": true
            },
            {
                "DomainID": 0,
                "ID": 19,
                "IsEditable": true,
                "Name": "Default Prevention",
                "VisibleToChildren": true
            }
        ]
    }
}
Human Readable Output

image

7. Get policy details for a single IPS policy


Returns policy details for the specified IPS policy.

Base Command
nsm-get-ips-policy-details
Input
  • policy_id (Required): IPS policy ID
Context Output
  • NSM.IPSPolicies.ID (number): IPS policy ID
  • NSM.IPSPolicies.Name (string): IPS policy name
  • NSM.IPSPolicies.Description (string): IPS policy description
  • NSM.IPSPolicies.CreatedTime (string): Policy creation time
  • NSM.IPSPolicies.IsEditable (boolean): Whether you can edit the IPS policy
  • NSM.IPSPolicies.VisibleToChildren (boolean): Whether the IPS policy is visible to the domain's child domains
  • NSM.IPSPolicies.Version (number): IPS policy version
  • NSM.IPSPolicies.InboundRuleSet (unknown): Inbound rule set
  • NSM.IPSPolicies.OutboundRuleSet (unknown): Outbound rule set
  • NSM.IPSPolicies.ExploitAttacks (unknown): A list of exploit attacks covered by the IPS policy
Command Example
!nsm-get-ips-policy-details policy_id=0
Human Readable Output

image

8. Get all attack definitions


Returns all available attack definitions in McAfee NSM.

Base Command
nsm-get-attacks
Input
  • attack_id (Optional): ID of a specific attack definition. If blank, returns all attack definitions.
Context Output
  • NSM.Attacks.ID (string): Attack ID
  • NSM.Attacks.Name (string): Attack name
  • NSM.Attacks.Severity (number): Attack severity
  • NSM.Attacks.Direction (string): Attack direction
  • NSM.Attacks.Category (string): Attack category
Command Example
!nsm-get-attacks attack_id="0x00000100"
Context Example
{
    "NSM": {
        "Attacks": {
            "Category": "EXPLOIT",
            "Direction": null,
            "ID": "0x00000100",
            "Name": "IP: IP Fragment too Large",
            "Severity": 5
        }
    }
}
Human Readable Output

image

Troubleshooting


If you receive a 401 Unauthorized error, the user credentials may be incorrect. If the Test fails with a TLS or certificate error, the NSM Manager is presenting a certificate the Demisto server does not trust; add the Manager's CA to the server's trust store rather than enabling Trust any certificate outside a lab.