McAfee NSM
Integration version: 5.0
Overview
Configure McAfee NSM integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://x.x.x.x/sdkapi/ | True | |
| Username | String | N/A | True | |
| Password | Password | N/A | True | |
| Domain ID | String | N/A | True | |
| Siemplify Policy Name | String | N/A | True | |
| Sensors Names List Comma Separated | String | sensor_name1,sensor_name2,sensor_name3 | True |
Actions
Block IP
Description
Block IP address.
Parameters
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Get Alert Info Data
Description
Get alert data by ID.
Parameters
| Parameter | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | String | https://x.x.x.x/sdkapi/ | True | N/A |
| Sensor Name | String | N/A | True | N/A |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| alert_json | N/A | N/A |
JSON Result
{
"name": "MALWARE: Blacklisted File Detected",
"assignTo": "---",
"description": {
"definition": "A McAfee-maintained blacklist that is dynamically updated with Callback Detectors updates.",
"signatures": [{
"conditions": "null"
}],
"componentAttacks": "null",
"target": "ServerOrClient",
"reference": {
"cveId": "[]",
"certId": "null",
"bugtraqId": "[]",
"nspId": "0x4840c300",
"microsoftId": "[]",
"additionInfo": "null",
"arachNidsId": "[]"
},
"protocals": "[smtp, ftp, http]",
"comments": {
"availableToChildDomains": "true",
"parentDomainComments": "null",
"comments": " "
},
"rfSB": "No",
"attackCategory": "Malware",
"attackSubCategory": "---",
"protectionCategory": "[Malware/Bot]",
"httpResponseAttack": "No",
"btf": "Medium"
},
"summary": {
"destination": "null",
"zoombie": "null",
"target": {
"ipAddrs": "1.1.1.1",
"risk": "N/A",
"country": "India",
"networkObject": "---",
"hostName": "null",
"vmName": "null",
"proxyIP": "1.1.1.1",
"user": "Unknown",
"os": "---",
"port": 41128
},
"attacker": {
"ipAddrs": "1.1.1.1",
"risk": "N/A",
"country": "India",
"networkObject": "---",
"hostName": "null",
"vmName": "null",
"proxyIP": "1.1.1.1",
"user": "Unknown",
"os": "---",
"port": 80
},
"cAndcServer": "null",
"source": "null",
"compromisedEndpoint": "null",
"attackedHIPEndpoint": {
"ipAddrs": "1.1.1.1",
"risk": "N/A",
"country": "India",
"networkObject": "---",
"hostName": "null",
"vmName": "null",
"proxyIP": "1.1.1.1",
"user": "Unknown",
"os": "---",
"port": 41128
},
"fastFluxAgent": "null",
"event": {
"domain": "My Company",
"protocol": "http",
"zone": "null",
"alertId": "2246015847757997493",
"attackCount": 1,
"vlan": "-11",
"direction": "Inbound",
"detection": "Signature",
"application": "HTTP",
"device": "NS9100-50",
"result": "Inconclusive",
"time": "Jan 04, 2016 09:50:39",
"relevance": "Unknown",
"matchedPolicy": "CustomFP_Engine_With_AlertOnly",
"interface": "G3/1-G3/2"
}},
"details": {
"malwareFile": {
"engine": "Manager Blacklist",
"fileHash": "3f3f7c3b9722912ddeddf006cff9d9d0",
"malwareConfidence": "Very High",
"malwareName": "null",
"fileName": "/Firewall.cpl",
"size": "6144 bytes"
},
"exceededThreshold": "null",
"callbackDetectors": "null",
"layer7": {
"httpReturnCode": 200,
"httpURI": "/Firewall.cpl",
"httpRequestMethod": "GET",
"httpServerType": "Apache/2.2.13 (Fedora) Last - Modified: Wed, 10 Oct 2012 05: 19: 15 GMT",
"httpHostHeader": "null",
"httpUserAgent": "Wget/1.11.4 (Red Hat modified)"
},
"portScan": "null",
"sqlInjection": "null",
"triggeredComponentAttacks": "null",
"hostSweep": "null",
"matchedSignature": "null",
"communicationRuleMatch": "null",
"fastFlux": "null"
},
"alertState": "UnAcknowledged",
"uniqueAlertId": "6245941293374080682"
}
Is IP Blocked
Description
Check if an IP address is blocked.
Parameters
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Ping
Description
Test Connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Quarantine IP
Description
Quarantine a particular IP address.
Parameters
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Unblock IP
Description
Unblock a particular IP address.
Parameters
N/A
Run On
This action runs on the IP Address entity.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[{
"EntityResult":
[{
"EPOEvents.ThreatCategory": "av.detect",
"EPOEvents.TargetUserName": "VM-EPOAGENTTEST\\\\\\\\Admin",
"EPOEvents.TargetPort": "None",
"EPOEvents.TargetFileName": "C:\\\\\\\\Users\\\\\\\\Admin\\\\\\\\Desktop\\\\\\\\eicar.txt",
"EPOEvents.TargetIPV4": -1979711347,
"EPOEvents.ThreatName": "EICAR test file",
"EPOEvents.SourceUserName": "None",
"EPOEvents.TargetProcessName": "None",
"EPOEvents.SourceProcessName": "None",
"EPOEvents.ThreatType": "test",
"EPOEvents.SourceIPV4": -1979711347,
"EPOEvents.TargetProtocol": "None",
"VSECustomEvent.MD5": "44d88612fea8a8f36de82e1278abb02f",
"EPOEvents.SourceURL": "None",
"EPOEvents.ThreatActionTaken": "deleted",
"EPOEvents.TargetHostName": "VM-EPOAGENTTEST",
"EPOEvents.ThreatHandled": "True",
"EPOEvents.SourceHostName": "_"
}, {
"EPOEvents.ThreatCategory": "av.detect",
"EPOEvents.TargetUserName": "VM-EPOAGENTTEST\\\\\\\\Admin",
"EPOEvents.TargetPort": "None",
"EPOEvents.TargetFileName": "C:\\\\\\\\Users\\\\\\\\Admin\\\\\\\\Desktop\\\\\\\\eicar.txt",
"EPOEvents.TargetIPV4": -1979711347,
"EPOEvents.ThreatName": "EICAR test file",
"EPOEvents.SourceUserName": "None",
"EPOEvents.TargetProcessName": "None",
"EPOEvents.SourceProcessName": "None",
"EPOEvents.ThreatType": "test",
"EPOEvents.SourceIPV4": -1979711347,
"EPOEvents.TargetProtocol": "None",
"VSECustomEvent.MD5": "44d88612fea8a8f36de82e1278abb02f",
"EPOEvents.SourceURL": "None",
"EPOEvents.ThreatActionTaken": "deleted",
"EPOEvents.TargetHostName": "VM-EPOAGENTTEST",
"EPOEvents.ThreatHandled": "True",
"EPOEvents.SourceHostName": "_"
}],
"Entity": "44d88612fea8a8f36de82e1278abb02f"
}]