McAfee NSM

Integration version: 6.0

Overview

Configure McAfee NSM integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Type Default Value Is Mandatory Description
API Root String https://x.x.x.x/sdkapi/ True
Username String N/A True
Password Password N/A True
Domain ID String N/A True
Siemplify Policy Name String N/A True
Sensors Names List Comma Separated String sensor_name1,sensor_name2,sensor_name3 True

Actions

Block IP

Description

Block IP address.

Parameters

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Get Alert Info Data

Description

Get alert data by ID.

Parameters

Parameter Type Default Value Is Mandatory Description
Alert ID String https://x.x.x.x/sdkapi/ True N/A
Sensor Name String N/A True N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
alert_json N/A N/A
JSON Result
{
    "name": "MALWARE: Blacklisted File Detected",
    "assignTo": "---",
    "description": {
        "definition": "A McAfee-maintained blacklist that is dynamically updated with Callback Detectors updates.",
        "signatures": [{
            "conditions": "null"
        }],
        "componentAttacks": "null",
        "target": "ServerOrClient",
        "reference": {
            "cveId": "[]",
            "certId": "null",
            "bugtraqId": "[]",
            "nspId": "0x4840c300",
            "microsoftId": "[]",
            "additionInfo": "null",
            "arachNidsId": "[]"
        },
        "protocals": "[smtp, ftp, http]",
        "comments": {
            "availableToChildDomains": "true",
            "parentDomainComments": "null",
            "comments": " "
        },
        "rfSB": "No",
        "attackCategory": "Malware",
        "attackSubCategory": "---",
        "protectionCategory": "[Malware/Bot]",
        "httpResponseAttack": "No",
        "btf": "Medium"
    },
    "summary": {
        "destination": "null",
        "zoombie": "null",
        "target": {
            "ipAddrs": "1.1.1.1",
            "risk": "N/A",
            "country": "India",
            "networkObject": "---",
            "hostName": "null",
            "vmName": "null",
            "proxyIP": "1.1.1.1",
            "user": "Unknown",
            "os": "---",
            "port": 41128
        },
        "attacker": {
            "ipAddrs": "1.1.1.1",
            "risk": "N/A",
            "country": "India",
            "networkObject": "---",
            "hostName": "null",
            "vmName": "null",
            "proxyIP": "1.1.1.1",
            "user": "Unknown",
            "os": "---",
            "port": 80
        },
        "cAndcServer": "null",
        "source": "null",
        "compromisedEndpoint": "null",
        "attackedHIPEndpoint": {
            "ipAddrs": "1.1.1.1",
            "risk": "N/A",
            "country": "India",
            "networkObject": "---",
            "hostName": "null",
            "vmName": "null",
            "proxyIP": "1.1.1.1",
            "user": "Unknown",
            "os": "---",
            "port": 41128
        },
        "fastFluxAgent": "null",
        "event": {
            "domain": "My Company",
            "protocol": "http",
            "zone": "null",
            "alertId": "2246015847757997493",
            "attackCount": 1,
            "vlan": "-11",
            "direction": "Inbound",
            "detection": "Signature",
            "application": "HTTP",
            "device": "NS9100-50",
            "result": "Inconclusive",
            "time": "Jan 04, 2016 09:50:39",
            "relevance": "Unknown",
            "matchedPolicy": "CustomFP_Engine_With_AlertOnly",
            "interface": "G3/1-G3/2"
        }},
    "details": {
        "malwareFile": {
            "engine": "Manager Blacklist",
            "fileHash": "3f3f7c3b9722912ddeddf006cff9d9d0",
            "malwareConfidence": "Very High",
            "malwareName": "null",
            "fileName": "/Firewall.cpl",
            "size": "6144 bytes"
        },
        "exceededThreshold": "null",
        "callbackDetectors": "null",
        "layer7": {
            "httpReturnCode": 200,
            "httpURI": "/Firewall.cpl",
            "httpRequestMethod": "GET",
            "httpServerType": "Apache/2.2.13 (Fedora) Last - Modified: Wed, 10 Oct 2012 05: 19: 15 GMT",
            "httpHostHeader": "null",
            "httpUserAgent": "Wget/1.11.4 (Red Hat modified)"
        },
        "portScan": "null",
        "sqlInjection": "null",
        "triggeredComponentAttacks": "null",
        "hostSweep": "null",
        "matchedSignature": "null",
        "communicationRuleMatch": "null",
        "fastFlux": "null"
    },
    "alertState": "UnAcknowledged",
    "uniqueAlertId": "6245941293374080682"
}

Is IP Blocked

Description

Check if an IP address is blocked.

Parameters

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Quarantine IP

Description

Quarantine a particular IP address.

Parameters

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A

Unblock IP

Description

Unblock a particular IP address.

Parameters

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[{
   "EntityResult":
     [{
        "EPOEvents.ThreatCategory": "av.detect",
        "EPOEvents.TargetUserName": "VM-EPOAGENTTEST\\\\\\\\Admin",
        "EPOEvents.TargetPort": "None",
        "EPOEvents.TargetFileName": "C:\\\\\\\\Users\\\\\\\\Admin\\\\\\\\Desktop\\\\\\\\eicar.txt",
        "EPOEvents.TargetIPV4": -1979711347,
        "EPOEvents.ThreatName": "EICAR test file",
        "EPOEvents.SourceUserName": "None",
        "EPOEvents.TargetProcessName": "None",
        "EPOEvents.SourceProcessName": "None",
        "EPOEvents.ThreatType": "test",
        "EPOEvents.SourceIPV4": -1979711347,
        "EPOEvents.TargetProtocol": "None",
        "VSECustomEvent.MD5": "44d88612fea8a8f36de82e1278abb02f",
        "EPOEvents.SourceURL": "None",
        "EPOEvents.ThreatActionTaken": "deleted",
        "EPOEvents.TargetHostName": "VM-EPOAGENTTEST",
        "EPOEvents.ThreatHandled": "True",
        "EPOEvents.SourceHostName": "_"
      }, {
        "EPOEvents.ThreatCategory": "av.detect",
        "EPOEvents.TargetUserName": "VM-EPOAGENTTEST\\\\\\\\Admin",
        "EPOEvents.TargetPort": "None",
        "EPOEvents.TargetFileName": "C:\\\\\\\\Users\\\\\\\\Admin\\\\\\\\Desktop\\\\\\\\eicar.txt",
        "EPOEvents.TargetIPV4": -1979711347,
        "EPOEvents.ThreatName": "EICAR test file",
        "EPOEvents.SourceUserName": "None",
        "EPOEvents.TargetProcessName": "None",
        "EPOEvents.SourceProcessName": "None",
        "EPOEvents.ThreatType": "test",
        "EPOEvents.SourceIPV4": -1979711347,
        "EPOEvents.TargetProtocol": "None",
        "VSECustomEvent.MD5": "44d88612fea8a8f36de82e1278abb02f",
        "EPOEvents.SourceURL": "None",
        "EPOEvents.ThreatActionTaken": "deleted",
        "EPOEvents.TargetHostName": "VM-EPOAGENTTEST",
        "EPOEvents.ThreatHandled": "True",
        "EPOEvents.SourceHostName": "_"
      }],
  "Entity": "44d88612fea8a8f36de82e1278abb02f"
}]