McAfee ePO
Integration version: 31.0
Configure McAfee ePO integration in Google Security Operations SOAR
Configure McAfee ePO integration with a CA certificate
If your ePO server presents a certificate issued by a private CA, you can supply that CA certificate so the integration can verify the TLS connection.
Before you start, ensure you have the following:
- The CA certificate file
- The latest McAfee ePO integration version
To configure the integration with a CA certificate, complete the following steps:
- Encode your CA certificate file as a Base64 string.
- Open the integration configuration parameters page.
- Paste the string into the CA Certificate File field.
- To test that the integration is successfully configured, select the Verify SSL checkbox and click Test.
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
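The Base64 step above is easy to get wrong: a PEM file already contains Base64 text between its BEGIN/END markers, but the field expects the whole file encoded once more. The following helper is an added example (not code from the integration or from Google SecOps) that produces the field value from a PEM bundle, recovers the PEM from a field value, and shows how a client pins trust to that bundle when "Verify SSL" is on. Function names and the placeholder certificate body are this example's own.

```python
"""Added example (not the integration's or Google SecOps' own code): prepare
the "CA Certificate File" value for the McAfee ePO integration and connector.

The field expects the whole certificate file Base64-encoded, even though a PEM
file already holds Base64 text between its BEGIN/END markers, so the PEM is
encoded a second time.  encode_ca_file() produces that string, decode_ca_field()
recovers the PEM, and build_verifying_context() shows how a client would pin
trust to that bundle (an illustration of 'Verify SSL', not the integration's
internals).  Function names are this example's own."""
import base64
import ssl
import sys

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed placeholder standing in for a real CA file; its body is not a
# certificate, so it is only good for the encode/decode round trip below.
SAMPLE_PEM = PEM_BEGIN + b"\nUExBQ0VIT0xERVI=\n" + PEM_END + b"\n"


def encode_ca_file(pem_bytes: bytes) -> str:
    """Return the Base64 string to paste into the CA Certificate File field."""
    if PEM_BEGIN not in pem_bytes or PEM_END not in pem_bytes:
        raise ValueError("not a PEM certificate file (no BEGIN/END CERTIFICATE markers)")
    # Encode the raw file bytes without line wrapping so it pastes as one string.
    return base64.b64encode(pem_bytes).decode("ascii")


def decode_ca_field(field_value: str) -> bytes:
    """Reverse of encode_ca_file(): recover the PEM bytes from the field value."""
    try:
        # validate=True rejects stray characters instead of silently dropping them;
        # binascii.Error is a ValueError subclass, so one except clause covers both.
        pem = base64.b64decode(field_value.strip(), validate=True)
    except ValueError as exc:
        raise ValueError("CA Certificate File is not valid Base64") from exc
    if PEM_BEGIN not in pem or PEM_END not in pem:
        raise ValueError("decoded value is not a PEM certificate file")
    return pem


def count_certificates(pem_bytes: bytes) -> int:
    """Number of certificates in the bundle; a chain file carries more than one."""
    return pem_bytes.count(PEM_BEGIN)


def build_verifying_context(pem_bytes: bytes) -> ssl.SSLContext:
    """TLS context trusting only the decoded bundle, with hostname checking on.
    Needs a real certificate; SAMPLE_PEM would be rejected here."""
    ctx = ssl.create_default_context(cadata=pem_bytes.decode("ascii"))
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Usage: python encode_ca.py ca.pem  (falls back to the placeholder bundle)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(encode_ca_file(data))
```

Run it against the real CA file (or the full chain file, if the server certificate is issued by an intermediate) and paste the single-line output into the field; the marker check catches the common mistake of encoding a DER file or the server's own certificate export instead of the CA bundle.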
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the instance. |
Server address | String | https://<ServerAddress>:8443/remote/ | Yes | Server Address of the Trellix ePO. Example: https://127.0.0.1:8443/remote/ |
Username | String | N/A | Yes | The user name for server authentication. |
Password | Password | N/A | Yes | The password for server authentication. |
Group Name | String | N/A | No | Name of the group. |
CA Certificate File - parsed into Base64 String | String | N/A | No | Base64-encoded CA certificate file used to verify the ePO server's TLS certificate when Verify SSL is enabled. |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Add Tag
Description
Add a tag to an endpoint in Trellix ePO. Note: you can only apply tags that exist in the system. Supported entities: Hostname, IP.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Tag Name | String | N/A | Yes | Specify the name of the tag that needs to be added to the endpoints. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If success for one (is_success=true): Successfully added tag "{tag name}" to the following endpoints in Trellix ePO: {entity.identifier} If tag is already a part of the endpoint (is_success=true): Tag "{tag}" was already a part of the following endpoints in Trellix ePO: {entity.identifier} If not success for one (is_success=true): Action wasn't able to add tag "{tag name}" to the following endpoints in Trellix ePO: {entity.identifier} If not success for all (is_success=false): Tag "{tag}" wasn't added to the provided endpoints. If critical error (fail): Error executing action "Add Tag". Reason: {traceback} If invalid tag (fail): Error executing action "Add Tag". Reason: tag "{tag name}" wasn't found in Trellix ePO. |
General |
Compare Server and Agent DAT
Description
Retrieve server and agent DAT information from the endpoints in Trellix ePO. Supported entities: Hostname, IP.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Alert.DstPort | Returns if it exists in JSON result |
Rule.msg | Returns if it exists in JSON result |
Alert.IPSIDAlertID | Returns if it exists in JSON result |
Alert.SrcIP | Returns if it exists in JSON result |
Alert.LastTime | Returns if it exists in JSON result |
Alert.Protocol | Returns if it exists in JSON result |
Alert.SrcPort | Returns if it exists in JSON result |
Alert.DstIP | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
null | N/A | N/A |
JSON Result
{
"server_version": {server_version}
"dat_version": {dat_version}
"equal": true → if server_version == dat_version, else false
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | if success for one Successfully retrieved server and agent DAT information from the following endpoints in Trellix ePO: {entity.identifier} if not success for one Action wasn't able to retrieve server and agent DAT information from the following endpoints in Trellix ePO: {entity.identifier} if not success for all No information about server and agent DAT was found on the provided endpoints. if critical error (fail): Error executing action "Compare Server and Agent DAT". Reason: {traceback} |
General |
Get Agent Information
Description
Retrieve information about endpoint's agents from Trellix ePO. Supported entities: Hostname, IP.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
EPO_LastUpdate | Returns if it exists in JSON result |
EPO_ManagedState | Returns if it exists in JSON result |
EPO_Tags | Returns if it exists in JSON result |
EPO_ExcludedTags | Returns if it exists in JSON result |
EPO_AgentVersion | Returns if it exists in JSON result |
EPO_AgentGUID | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult":
{
"LastUpdate": "2019-01-22T13:04:49+02:00",
"ManagedState": "1",
"Tags": "Server, Workstation",
"ExcludedTags": "",
"AgentVersion": "1.1.1.1",
"AgentGUID": "F673D1DF-786C-41E5-A84D-1676A39F7AE8"
},
"Entity": "1.1.1.1"
}
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If success for one (is_success=true): Successfully retrieved agent information about the following endpoints in Trellix ePO: {entity.identifier} If not success for one (is_success=true): Action wasn't able to retrieve agent information about the following endpoints in Trellix ePO: {entity.identifier} If not success for all (is_success=false): No agent information was found for the provided hosts. If critical error (fail): Error executing action "Get Agent Information". Reason: {traceback} |
General |
Get Dat Version
Description
Retrieve DAT information from the endpoints in Trellix ePO. Supported entities: Hostname, IP.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Dat Version | N/A | N/A |
JSON Result
{
"DAT_version": {DAT version}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | if success for one Successfully retrieved DAT information from the following endpoints in Trellix ePO: {entity.identifier} if not success for one Action wasn't able to retrieve DAT information from the following endpoints in Trellix ePO: {entity.identifier} if not success for all No information about DAT was found on the provided endpoints. if critical error (fail): Error executing action "Get Dat Version". Reason: {traceback} |
General |
Get Events for Hash
Description
Retrieve information about events related to hashes. Note: only MD5 hashes are supported.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Fetch Events From EPExtendedEvent Table | Checkbox | Unchecked | No | If enabled, the action also queries the "EPExtendedEvent" table for information about the hashes. |
Mark As Suspicious | Checkbox | Checked | No | If enabled, the action marks every hash for which events were found as suspicious. |
Create Insight | Checkbox | Unchecked | No | If enabled, the action creates an insight listing which hashes have events associated with them. |
Fields To Return | CSV | EPOEvents.ThreatName, | No | Specify what fields to return. If nothing is specified, the action returns all available fields. |
Sort Field | String | N/A | No | Specify the field used to order the results. |
Sort Order | DDL | ASC. Possible values: ASC, DESC | No | Specify the sort order applied to the query. |
Time Frame | DDL | Last Hour. Possible values: Last Hour, Last 6 Hours, Last 24 Hours, Last Week, Last Month, Custom | No | Specify a time frame for the events. If "Custom" is selected, you also need to provide "Start Time". |
Start Time | String | N/A | No | Specify the start time for the events. This parameter is mandatory if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601. |
End Time | String | N/A | No | Specify the end time for the events. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, the current time is used. |
Max Events To Return | Integer | 50 | No | Specify how many events to return. Default: 50. |
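The two rules that most often trip up a playbook here are the MD5-only restriction and the "Custom" time frame that fails without a Start Time. The following is an added example (not the integration's own code) that applies those rules exactly as the table describes them: it separates MD5 entities from other hash types, maps each fixed Time Frame value onto a window, and reproduces the page's error message when "Custom" is selected without a Start Time. The function names and the 30-day reading of "Last Month" are this example's assumptions.

```python
"""Added example (not the integration's own code): the input rules of the
"Get Events for Hash" action as this page states them.

- Only MD5 hashes are supported, so other hash types are separated out first.
- "Time Frame" is one of the fixed windows or "Custom".  For "Custom", "Start
  Time" (ISO 8601) is mandatory and "End Time" defaults to the current time;
  the error text below is the page's own message for a missing Start Time.
Function names and the 30-day reading of "Last Month" are this example's
assumptions."""
from datetime import datetime, timedelta, timezone
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Fixed windows offered by the "Time Frame" drop-down, measured back from now.
TIME_FRAMES = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),  # assumption: one month is taken as 30 days
}


def is_md5(value: str) -> bool:
    return bool(MD5_RE.match(value))


def split_hashes(entities):
    """Return (supported MD5 hashes, skipped entities) for a list of Filehash entities."""
    md5s = [e for e in entities if is_md5(e)]
    skipped = [e for e in entities if not is_md5(e)]
    return md5s, skipped


def parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' and naive values are read as UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def resolve_time_frame(time_frame, start_time=None, end_time=None, now=None):
    """Turn the Time Frame / Start Time / End Time parameters into (start, end)."""
    now = now or datetime.now(timezone.utc)
    if time_frame == "Custom":
        if not start_time:
            raise ValueError('"Start Time" should be provided, when "Custom" is '
                             'selected in "Time Frame" parameter.')
        start = parse_iso8601(start_time)
        end = parse_iso8601(end_time) if end_time else now
    elif time_frame in TIME_FRAMES:
        start, end = now - TIME_FRAMES[time_frame], now
    else:
        raise ValueError(f"unknown Time Frame {time_frame!r}")
    if start > end:
        raise ValueError("Start Time must not be later than End Time")
    return start, end


def plan_query(entities, time_frame="Last Hour", start_time=None, end_time=None, now=None):
    """Validate every input up front and return what the event query would run with."""
    md5s, skipped = split_hashes(entities)
    if not md5s:
        raise ValueError("no MD5 hashes among the provided entities; only MD5 is supported")
    start, end = resolve_time_frame(time_frame, start_time, end_time, now)
    # Lower-case to match the form ePO uses in VSECustomEvent.MD5 (e.g. the EICAR hash on this page).
    return {"hashes": [h.lower() for h in md5s], "skipped": skipped, "start": start, "end": end}


if __name__ == "__main__":
    # Constructed sample: the EICAR MD5 from the page plus a SHA-1 that must be skipped.
    sample = ["44d88612fea8a8f36de82e1278abb02f", "3395856ce81f2b7382dee72602f798b642f14140"]
    print(plan_query(sample, "Last 24 Hours"))
```

Running the validation before the action (for example in a playbook condition) means a SHA-256 entity produces a clear "skipped" list instead of the generic "No events were found" outcome, and a Custom window is rejected locally rather than after a round trip to ePO.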
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
EPOEvents.ThreatCategory | Returns if it exists in JSON result |
EPOEvents.TargetUserName | Returns if it exists in JSON result |
EPOEvents.TargetPort | Returns if it exists in JSON result |
EPOEvents.TargetFileName | Returns if it exists in JSON result |
EPOEvents.TargetIPV4 | Returns if it exists in JSON result |
EPO_AgentGUID | Returns if it exists in JSON result |
Insights
When Create Insight is enabled, an insight is created for each hash for which events are found in Trellix ePO.
JSON Result
[
{
"EntityResult":
[
{
"EPOEvents.ThreatCategory": "av.detect",
"EPOEvents.TargetUserName": "VM-EPOAGENTTEST\\Admin",
"EPOEvents.TargetPort": "None",
"EPOEvents.TargetFileName": "C:\\Users\\Admin\\Desktop\\eicar.txt",
"EPOEvents.TargetIPV4": -1979711347,
"EPOEvents.ThreatName": "EICAR test file",
"EPOEvents.SourceUserName": "None",
"EPOEvents.TargetProcessName": "None",
"EPOEvents.SourceProcessName": "None",
"EPOEvents.ThreatType": "test",
"EPOEvents.SourceIPV4": -1979711347,
"EPOEvents.TargetProtocol": "None",
"VSECustomEvent.MD5": "44d88612fea8a8f36de82e1278abb02f",
"EPOEvents.SourceURL": "None",
"EPOEvents.ThreatActionTaken": "deleted",
"EPOEvents.TargetHostName": "VM-EPOAGENTTEST",
"EPOEvents.ThreatHandled": "True",
"EPOEvents.SourceHostName": "_"
}, {
"EPOEvents.ThreatCategory": "av.detect",
"EPOEvents.TargetUserName": "VM-EPOAGENTTEST\\Admin",
"EPOEvents.TargetPort": "None",
"EPOEvents.TargetFileName": "C:\\Users\\Admin\\Desktop\\eicar.txt",
"EPOEvents.TargetIPV4": -1979711347,
"EPOEvents.ThreatName": "EICAR test file",
"EPOEvents.SourceUserName": "None",
"EPOEvents.TargetProcessName": "None",
"EPOEvents.SourceProcessName": "None",
"EPOEvents.ThreatType": "test",
"EPOEvents.SourceIPV4": -1979711347,
"EPOEvents.TargetProtocol": "None",
"VSECustomEvent.MD5": "44d88612fea8a8f36de82e1278abb02f",
"EPOEvents.SourceURL": "None",
"EPOEvents.ThreatActionTaken": "deleted",
"EPOEvents.TargetHostName": "VM-EPOAGENTTEST",
"EPOEvents.ThreatHandled": "True",
"EPOEvents.SourceHostName": "_"
}],
"Entity": "44d88612fea8a8f36de82e1278abb02f"
}
]
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If successful and results are available (is_success=true): Successfully returned available events for the following hashes in Trellix ePO: {entity.identifier} If not successful for one (is_success=true): Action wasn't able to find events for the following hashes in Trellix ePO: {entity.identifier} If not successful for all (is_success=false): No events were found for the provided hashes in Trellix ePO. If fatal error, such as wrong credentials or no connection to the server (fail): Error executing action "Get Events for Hash". Reason: {traceback} If the response contains an error (fail): Error executing action "Get Events for Hash". Reason: {response text} If Start Time is empty when "Time Frame" is "Custom" (fail): Error executing action "Get Events for Hash". Reason: "Start Time" should be provided, when "Custom" is selected in "Time Frame" parameter. |
General |
Get Host IPS Status
Description
Retrieve IPS information from the endpoints in Trellix ePO. Supported entities: Hostname, IP.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_status_received | True/False | is_status_received:False |
JSON Result
{
"IPS_status": {IPS_status}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | if success for one Successfully retrieved IPS information from the following endpoints in Trellix ePO: {entity.identifier} if not success for one Action wasn't able to retrieve IPS information from the following endpoints in Trellix ePO: {entity.identifier} if not success for all No information about IPS was found on the provided endpoints. if critical error (fail): Error executing action "Get Host IPS Status". Reason: {traceback} |
General |
Get Host Network IPS Status
Description
Retrieve Network IPS information from the endpoints in Trellix ePO. Supported entities: Hostname, IP.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_status_received | True/False | is_status_received:False |
JSON Result
{
"Network_IPS_status": {Network_IPS_status}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | if success for one Successfully retrieved Network IPS information from the following endpoints in Trellix ePO: {entity.identifier} if not success for one Action wasn't able to retrieve Network IPS information from the following endpoints in Trellix ePO: {entity.identifier} if not success for all No information about Network IPS was found on the provided endpoints. if critical error (fail): Error executing action "Get Host Network IPS Status". Reason: {traceback} |
General |
Get Last Communication Time
Description
Retrieve information about the last communication time from the endpoints in Trellix ePO. Supported entities: Hostname, IP.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
isSuccess | True/False | isSuccess:False |
JSON Result
{
"last_communication_time": {last_communication_time}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | if success for one Successfully retrieved last communication time information from the following endpoints in Trellix ePO: {entity.identifier} if not success for one Action wasn't able to retrieve last communication time information from the following endpoints in Trellix ePO: {entity.identifier} if not success for all No information about last communication time was found on the provided endpoints. if critical error (fail): Error executing action "Get Last Communication Time". Reason: {traceback} |
General |
Get McAfee Epo Agent Version
Description
Retrieve information about agent version from the endpoints in Trellix ePO. Supported entities: Hostname, IP.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
McAfee Agent Version | N/A | N/A |
JSON Result
{
"ePO_agent_version": {ePO_agent_version}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If success for one: Successfully retrieved agent version information from the following endpoints in Trellix ePO: {entity.identifier} If not success for one: Action wasn't able to retrieve agent version information from the following endpoints in Trellix ePO: {entity.identifier} If not success for all: No information about agent version was found on the provided endpoints. If critical error (fail): Error executing action "Get McAfee Epo Agent Version". Reason: {traceback} |
General |
Get System Information
Description
Return system information about the endpoints from Trellix ePO. Supported entities: Hostname, IP.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight containing information about the endpoint. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
FreeDiskSpace | Returns if it exists in JSON result |
UserName | Returns if it exists in JSON result |
DomainName | Returns if it exists in JSON result |
LastAgentHandler | Returns if it exists in JSON result |
IPV4x | Returns if it exists in JSON result |
OSBitMode | Returns if it exists in JSON result |
IPV6 | Returns if it exists in JSON result |
OSType | Returns if it exists in JSON result |
SysvolFreeSpace | Returns if it exists in JSON result |
IPHostName | Returns if it exists in JSON result |
CPUSerialNum | Returns if it exists in JSON result |
IPSubnetMask | Returns if it exists in JSON result |
SysvolTotalSpace | Returns if it exists in JSON result |
IPSubnet | Returns if it exists in JSON result |
Description | Returns if it exists in JSON result |
FreeMemory | Returns if it exists in JSON result |
CPUSpeed | Returns if it exists in JSON result |
SubnetMask | Returns if it exists in JSON result |
IPAddress | Returns if it exists in JSON result |
DefaultLangID | Returns if it exists in JSON result |
OSPlatform | Returns if it exists in JSON result |
NetAddress | Returns if it exists in JSON result |
TotalDiskSpace | Returns if it exists in JSON result |
SubnetAddress | Returns if it exists in JSON result |
NumOfCPU | Returns if it exists in JSON result |
TimeZone | Returns if it exists in JSON result |
SystemDescription | Returns if it exists in JSON result |
Vdi | Returns if it exists in JSON result |
OSBuildNum | Returns if it exists in JSON result |
OSVersion | Returns if it exists in JSON result |
IsPortable | Returns if it exists in JSON result |
TotalPhysicalMemory | Returns if it exists in JSON result |
IPXAddress | Returns if it exists in JSON result |
UserProperty7 | Returns if it exists in JSON result |
ParentID | Returns if it exists in JSON result |
CPUType | Returns if it exists in JSON result |
Insights
When Create Insight is enabled, an insight containing the endpoint's system information is created.
JSON Result
[
{
"EntityResult":
{
"FreeDiskSpace": "444316",
"UserName": "Admin",
"OSServicePackVer": " ",
"DomainName": "WORKGROUP",
"LastAgentHandler": "1",
"IPV4x": "-1979711239",
"OSBitMode": "1",
"IPV6": "0:0:0:0:0:FFFF:A00:F9",
"OSType": "Windows Server 2012 R2",
"SysvolFreeSpace": "94782",
"IPHostName": "McAfee-ePO",
"CPUSerialNum": "N/A",
"IPSubnetMask": "0:0:0:0:0:FFFF:FFFF:FE00",
"SysvolTotalSpace": "161647",
"IPSubnet": "0:0:0:0:0:FFFF:A00:0",
"Description": "None",
"FreeMemory": "1626767360",
"CPUSpeed": "2400",
"SubnetMask": " ",
"IPAddress": "1.1.1.1",
"DefaultLangID": "0409",
"OSPlatform": "Server",
"ComputerName": "MCAFEE-EPO",
"OSOEMID": "00252-00112-26656-AA653",
"NetAddress": "005056A56847",
"TotalDiskSpace": "511646",
"SubnetAddress": " ",
"NumOfCPU": "4",
"TimeZone": "Jerusalem Standard Time",
"SystemDescription": "N/A",
"Vdi": "0",
"OSBuildNum": "9600",
"OSVersion": "6.3",
"IsPortable": "0",
"TotalPhysicalMemory": "6441984000",
"IPXAddress": "N/A",
"UserProperty7": " ",
"UserProperty6": " ",
"UserProperty5": " ",
"UserProperty4": " ",
"UserProperty3": " ",
"UserProperty2": " ",
"UserProperty1": " ",
"ParentID": "8",
"CPUType": "Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz",
"UserProperty8": " "
},
"Entity": "1.1.1.1"
}
]
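The sample above shows IPV4x as -1979711239 next to an IPV6 value of 0:0:0:0:0:FFFF:A00:F9, and the Get Events for Hash sample carries EPOEvents.SourceIPV4 / TargetIPV4 as -1979711347: ePO returns IPv4 addresses as a signed 32-bit integer with the most significant bit inverted, so the raw number is useless for matching against other alert data until it is decoded. The following is an added example (not the integration's own code) that decodes and re-encodes these fields; the page's own values cross-check the scheme, since -1979711239 decodes to 10.0.0.249, the IPv4-mapped address in the IPV6 field. Function names and the ".decoded" key suffix are this example's own.

```python
"""Added example (not the integration's own code): decoding the integer IPv4
fields in Trellix ePO results shown on this page (IPV4x in system information,
EPOEvents.SourceIPV4 / EPOEvents.TargetIPV4 in events).

ePO stores an IPv4 address as a signed 32-bit integer with the most significant
bit inverted.  The page's own sample confirms it: IPV4x -1979711239 decodes to
10.0.0.249, the address carried in the IPV6 field 0:0:0:0:0:FFFF:A00:F9
(IPv4-mapped form).  Function names are this example's own."""
import ipaddress

_MSB = 0x80000000


def epo_int_to_ipv4(value) -> str:
    """-1979711239 -> '10.0.0.249'.  Accepts an int or the string form ePO returns."""
    v = int(value)
    if not -2**31 <= v < 2**31:
        raise ValueError(f"{value!r} is not a signed 32-bit integer")
    unsigned = v & 0xFFFFFFFF            # two's complement -> unsigned
    return str(ipaddress.IPv4Address(unsigned ^ _MSB))


def ipv4_to_epo_int(address: str) -> int:
    """Inverse transform, e.g. for building a query filter on IPV4x."""
    unsigned = int(ipaddress.IPv4Address(address)) ^ _MSB
    return unsigned - 2**32 if unsigned >= 2**31 else unsigned


def ipv6_field_to_ipv4(value: str):
    """Recover the IPv4 address from an IPv4-mapped IPV6 field, else None."""
    mapped = ipaddress.IPv6Address(value).ipv4_mapped
    return str(mapped) if mapped else None


ADDRESS_FIELDS = ("EPOEvents.SourceIPV4", "EPOEvents.TargetIPV4", "IPV4x")


def decode_addresses(record: dict) -> dict:
    """Copy of an ePO event or system record with each integer address field
    decoded into '<field>.decoded' (the suffix is this example's choice).
    ePO uses the string 'None' for absent values, so those are skipped."""
    out = dict(record)
    for field in ADDRESS_FIELDS:
        if field in record and record[field] not in (None, "None", ""):
            out[field + ".decoded"] = epo_int_to_ipv4(record[field])
    return out


# Constructed record using the values from the page's sample output.
SAMPLE_EVENT = {
    "EPOEvents.ThreatName": "EICAR test file",
    "EPOEvents.SourceIPV4": -1979711347,
    "EPOEvents.TargetIPV4": -1979711347,
    "EPOEvents.TargetHostName": "VM-EPOAGENTTEST",
}

if __name__ == "__main__":
    print(epo_int_to_ipv4(-1979711239), ipv6_field_to_ipv4("0:0:0:0:0:FFFF:A00:F9"))
    print(decode_addresses(SAMPLE_EVENT))
```

Run the decoder over the JSON result before correlating against firewall or EDR data, and use the inverse when an ePO query has to filter on IPV4x; the IPV6 field is a convenient second source for the same address on endpoints that report it.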
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If successful for one (is_success=true): Successfully retrieved system information about the following endpoints from Trellix ePO: {entity.identifier} If not successful for one (is_success=true): Action wasn't able to retrieve system information about the following endpoints from Trellix ePO: {entity.identifier} If not successful for all (is_success=false) No system information was found about the provided endpoints. If critical error: Error executing action "Get System Information". Reason: {error.traceback} |
General |
Get Virus Engine Agent Version
Description
Retrieve Virus Engine agent version information from the endpoints in McAfee ePO. Supported entities: Hostname, IP.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Virus Engine Agent Version | N/A | N/A |
JSON Result
{
"Virus_Engine_Agent_version": {Virus_engine_agent_version}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | if success for one Successfully retrieved Virus Engine agent version information from the following endpoints in Trellix ePO: {entity.identifier} if not success for one Action wasn't able to retrieve Virus Engine agent version information from the following endpoints in Trellix ePO: {entity.identifier} if not success for all No information about Virus Engine agent version was found on the provided endpoints. if critical error (fail): Error executing action "Get Virus Engine Agent Version". Reason: {traceback} |
General |
Ping
Description
Test connectivity to Trellix ePO with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
null | N/A | N/A |
JSON Result
N/A
Remove Tag
Description
Remove a tag from an endpoint in Trellix ePO. Supported entities: Hostname, IP.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Tag Name | String | N/A | Yes | Specify the name of the tag that needs to be removed from the endpoints. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If success for one (is_success=true): Successfully removed tag "{tag name}" from the following endpoints in Trellix ePO: {entity.identifier} If tag is not a part of the endpoint (is_success=true): Tag "{tag}" wasn't a part of the following endpoints in Trellix ePO: {entity.identifier} If not success for one (is_success=true): Action wasn't able to remove tag "{tag name}" from the following endpoints in Trellix ePO: {entity.identifier} If not success for all (is_success=false): Tag "{tag}" wasn't removed from the provided endpoints. If critical error (fail): Error executing action "Remove Tag". Reason: {traceback} If invalid tag (fail): Error executing action "Remove Tag". Reason: tag "{tag name}" wasn't found in Trellix ePO. |
General |
Run Full Scan
Description
Run full scan on the provided endpoints in Trellix ePO. Supported entities: Hostname, IP.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Task Name | String | On-Demand Scan - Full Scan | Yes | Specify what task should be executed in order to get a full scan. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
RunTask_Status | N/A | N/A |
JSON Result
{
"status": "success" or "failure"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If success for one: Successfully ran full scan based on the task "{task name}" on the following endpoints in Trellix ePO: {entity.identifier} If not success for one: Action wasn't able to run full scan based on the task "{task name}" on the following endpoints in Trellix ePO: {entity.identifier} If not success for all: Full scan wasn't executed on the provided endpoints. if critical error (fail): Error executing action "Run Full Scan". Reason: {error traceback} if task is not found (fail): Error executing action "Run Full Scan". Reason: Task "{task name}" wasn't found in Trellix ePO. Please check the spelling. |
General |
Update McAfee Agent
Description
Update McAfee Agent on the provided endpoints in Trellix ePO. Task for Windows: DAT_Update_Windows_CWS. Task for Linux: DAT_Update_Linux_CWS. Supported entities: Hostname, IP.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Task Name | String | DAT_Update_Windows_CWS | Yes | Specify what task should be executed in order to update the McAfee Agent. Default for Windows is DAT_Update_Windows_CWS. For Linux it's DAT_Update_Linux_CWS |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
Update_Status | N/A | N/A |
JSON Result
{
"status": "success" or "failure"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | If success for one: Successfully updated agents based on the task "{task name}" on the following endpoints in Trellix ePO: {entity.identifier} If not success for one: Action wasn't able to update agent based on the task "{task name}" on the following endpoints in Trellix ePO: {entity.identifier} If not success for all: None of the agents were updated. if critical error (fail): Error executing action "Update McAfee Agent". Reason: {error traceback} if task is not found (fail): Error executing action "Update McAfee Agent". Reason: Task "{task name}" wasn't found in Trellix ePO. Please check the spelling. |
General |
Connector
McAfee EPO - Threats Connector
Description
Pull events from the EPOEvents table into Google Security Operations SOAR. The whitelist filters on Analyzer names.
Configure McAfee EPO - Threats Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | EPOEvents_ThreatType | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
API Root | String | https://x.x.x.x:8443/remote/ | Yes | API root of the Trellix ePO instance. The ePO remote API is served over TLS on port 8443, so use an https URL. |
Username | String | N/A | Yes | Username of the Trellix ePO instance. |
Password | Password | N/A | Yes | Password of the Trellix ePO instance. |
Group Name | String | N/A | No | If provided, the connector only fetches threats from endpoints that are a part of that group. |
Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch events. |
Max Events To Fetch | Integer | 10 | No | How many events to process per one connector iteration. Default: 10. |
Lowest Severity To Fetch | String | Medium | No | Lowest severity of the events to fetch. If no value is provided, the connector ingests events of all severities. Possible values: Info, Low, Medium, High, Critical. |
Use whitelist as a blacklist | Checkbox | Checked | Yes | If enabled, whitelist will be used as a blacklist. |
Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify the SSL certificate for the connection to the Trellix ePO server is valid. |
CA Certificate File | String | N/A | No | Base64-encoded CA certificate file. |
Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
Proxy Username | String | N/A | No | The proxy username to authenticate with. |
Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports connecting through a proxy server, configured with the Proxy Server Address, Proxy Username and Proxy Password parameters.