McAfee MVISION ePO
Integration version: 6.0
Product Use Cases
Malware Attack on an endpoint
- Malware attacks a computer in your McAfee ePO managed network.
- McAfee product software, for example, McAfee Endpoint Security cleans or deletes the malware file.
- McAfee Agent notifies McAfee ePO of the attack.
- McAfee ePO stores the attack information.
Configure McAfee MVISION ePO integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Integration Parameters
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://api.mvision.mcafee.com | Yes | McAfee MVISION ePO API Root. |
| Client ID | String | N/A | Yes | Client ID of the McAfee MVISION ePO account. |
| Client Secret | Password | N/A | Yes | Client Secret of the McAfee MVISION ePO account. |
| Scopes | Comma-separated values | epo.device.r, epo.device.w,epo.grps.r, epo.grps.w, epo.sftw.r, epo.tags.r, epo.tags.w | Yes | Scopes of the McAfee MVISION ePO account. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the McAfee MVISION ePO public cloud server is valid. |
| Group Name | String | N/A | No | Group name that will be used to search for endpoints. If nothing is specified. All of the groups will be used. |
Actions
Ping
Description
Test connectivity to McAfee MVISION ePO with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Playbook Use Cases Examples
The action is used to test connectivity at the integration configuration page in the Google Security Operations Marketplace tab, and it can be executed as a manual action, not used in playbooks.
Run On
The action doesn't run on entities, nor has mandatory input parameters.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Enrich Endpoint
Description
Fetch endpoint's system information by its hostname or IP address.
Parameters
N/A
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
| Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
|---|---|---|
| MMV_EPO_id | id | When available in JSON |
| MMV_EPO_uuid | uuid | When available in JSON |
| MMV_EPO_lastcommunicated | lastcommunicated | When available in JSON |
| MMV_EPO_managedState | managedState | When available in JSON |
| MMV_EPO_ipaddress | properties/ipaddress | When available in JSON |
| MMV_EPO_osplatform | properties/osplatform | When available in JSON |
| MMV_EPO_operatingsystem | properties/operatingsystem | When available in JSON |
| MMV_EPO_hostname | properties/hostname | When available in JSON |
| MMV_EPO_windowsdomain | properties/windowsdomain | When available in JSON |
| MMV_EPO_dnsname | properties/dnsname | When available in JSON |
| MMV_EPO_datversion | properties/datversion | When available in JSON |
| MMV_EPO_username | properties/username | When available in JSON |
| MMV_EPO_groups | space separated list of group/name | When available in JSON |
| MMV_EPO_tags | space separated list of tags/tagName | When available in JSON |
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
"totalItems": 8,
"startIndex": 1,
"currentItemCount": 1,
"items": [
{
"id": 227568,
"uuid": "fef3d9aa-e58e-ea11-87c6-005056a2196c",
"lastcommunicated": "2020-05-31T12:34:13.500+0000",
"managedState": "managed",
"properties": {
"cpuspeed": 2299,
"ipaddress": "172.30.202.30",
"osplatform": "Workstation",
"operatingsystem": "Linux",
"cputype": "Intel(R) Xeon(R) CPU E5-2698 v3 @ 2.30GHz",
"type": "non-portable",
"numofcpu": 2,
"hostname": "Centos7-001",
"windowsdomain": "(none)",
"dnsname": "Centos7-001",
"totalphysicalmemory": 2096254976,
"macaddress": "005056A2196C",
"datversion": "4253.0",
"amcorecontentdate": "2020-05-30 00:00:00.0",
"username": "root"
},
"group": {
"groupId": 372690,
"name": "Linux",
"path": "My Organization\\Linux",
"link": {
"rel": "group",
"href": "../groups/372690"
}
},
"tags": [
{
"tagId": 24751,
"tagName": "Workstation",
"link": {
"rel": "tag",
"href": "../tags/24751"
}
}
],
"productsInstalled": [
{
"product": "Agent",
"version": "5.6.5.165"
},
{
"product": "MVISION EDR",
"version": "3.1.0.482"
},
{
"product": "Endpoint Security Platform",
"version": "10.7.0.130"
},
{
"product": "McAfee DXL Client",
"version": "6.0.0.218"
},
{
"product": "Endpoint Security Threat Prevention",
"version": "10.7.0.351"
}
]
}
]
}
}
Add Tag
Description
Add tag to the endpoint in McAfee MVISION ePO.
Parameters
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| Tag Name | String | N/A | True | Specify what tag you want to add to endpoint. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Remove Tag
Description
Remove tag from the endpoint in McAfee MVISION ePO.
Parameters
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| Tag Name | String | N/A | True | Specify what tag you want to remove from endpoint. |
Run On
This action runs on the following entities:
- IP Address
- Hostname
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
List Tags
Description
List tags that are available in McAfee MVISION ePO.
Parameters
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| Max Tags to Return | Integer | 100 | False | Specify how many tags to return. |
Run On
This action doesn't run on entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
"totalItems": 4,
"startIndex": 0,
"currentItemCount": 4,
"items": [
{
"id": 24752,
"name": "Escalated",
"description": "Protection Workspace tag for escalated systems",
"links": [
{
"rel": "self",
"href": "24752"
}
]
},
{
"id": 24753,
"name": "Excluded from Compliance Check",
"description": "Protection Workspace tag for systems to be excluded from the compliance check",
"links": [
{
"rel": "self",
"href": "24753"
}
]
},
{
"id": 24750,
"name": "Server",
"description": "Default tag for systems identified as a Server",
"links": [
{
"rel": "self",
"href": "24750"
}
]
},
{
"id": 24751,
"name": "Workstation",
"description": "Default tag for systems identified as a Workstation",
"links": [
{
"rel": "self",
"href": "24751"
}
]
}
]
}
}
List Groups
Description
List groups that are available in McAfee MVISION ePO.
Parameters
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| Max Groups to Return | Integer | 100 | False | Specify how many groups to return. |
Run On
This action doesn't run on entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
"totalItems": 12,
"startIndex": 0,
"currentItemCount": 1,
"items": [
{
"id": 1,
"name": "GlobalRoot",
"userFriendlyName": "Global Root",
"type": 7,
"parentId": 0,
"description": "",
"textPath": "GlobalRoot",
"links": [
{
"rel": "self",
"href": "1"
},
{
"rel": "parent",
"href": "0"
}
]
}
]
}
}
List Endpoints In Group
Description
List endpoints that are in the same group in McAfee MVISION ePO.
Parameters
| Parameter Display Name | Type | Default Value | Is mandatory | Description |
|---|---|---|---|---|
| Group Name | String | N/A | True | Specify in which groups to search for endpoints |
| Max Endpoints to Return | Integer | 100 | False | Specify how many endpoints to return. |
Run On
The action doesn't run on entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
"totalItems": 1,
"startIndex": 0,
"currentItemCount": 1,
"items": [
{
"id": 227568,
"uuid": "fef3d9aa-e58e-ea11-87c6-005056a2196c",
"lastcommunicated": "2020-05-31T13:34:13.327+0000",
"managedState": "managed",
"properties": {
"cpuspeed": 2299,
"ipaddress": "172.30.202.30",
"osplatform": "Workstation",
"operatingsystem": "Linux",
"cputype": "Intel(R) Xeon(R) CPU E5-2698 v3 @ 2.30GHz",
"type": "non-portable",
"numofcpu": 2,
"hostname": "Centos7-001",
"windows domain": "(none)",
"dnsname": "Centos7-001",
"totalphysicalmemory": 2096254976,
"macaddress": "005056A2196C",
"datversion": "4253.0",
"amcorecontentdate": "2020-05-30 00:00:00.0",
"username": "root"
},
"group": {
"groupId": 372690,
"name": "Linux",
"path": "My Organization\\Linux",
"link": {
"rel": "group",
"href": "../groups/372690"
}
},
"tags": [
{
"tagId": 24751,
"tagName": "Workstation",
"link": {
"rel": "tag",
"href": "../tags/24751"
}
}
],
"productsInstalled": [
{
"product": "Agent",
"version": "5.6.5.165"
},
{
"product": "MVISION EDR",
"version": "3.1.0.482"
},
{
"product": "Endpoint Security Platform",
"version": "10.7.0.130"
},
{
"product": "McAfee DXL Client",
"version": "6.0.0.218"
},
{
"product": "Endpoint Security Threat Prevention",
"version": "10.7.0.351"
}
]
}
]
}
}