About the connector

McAfee ePolicy Orchestrator (McAfee ePO) is an advanced, extensible, and scalable centralized security management software. It unifies security management through an open platform and makes risk and compliance management simpler and more successful for organizations of all sizes.

This document provides information about the McAfee ePO connector, which facilitates automated interactions with a McAfee ePO server using FortiSOAR™ playbooks. Add the McAfee ePO connector as a step in FortiSOAR™ playbooks and perform automated operations, such as running client tasks on specified systems on the McAfee ePO server or searching systems in the McAfee ePO tree.

Version information

Connector Version: 1.0.1

Authored By: Community

Certified: No

Release Notes for version 1.0.1

The following important bug fixes have been made to the McAfee ePO connector in version 1.0.1:

  • Fixed an error where the connector "Health Check" failed and showed "Disconnected", even when a valid URI and other credentials were specified in the connector configuration, if the URI was appended with HTTPS or HTTP. Now, if you enter a valid URI, with or without HTTPS or HTTP, and other valid credentials in the connector configuration, the "Health Check" does not fail and displays "Available".

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-mcafee-epo

Prerequisites to configuring the connector

  • You must have the URL of the McAfee ePO server to which you will connect and perform automated operations, and the credentials (username-password pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the McAfee ePO connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

  • Server URL: URL of the McAfee ePO server to which you will connect and perform the automated operations.
  • Username: Username to access the McAfee ePO server to which you will connect and perform the automated operations.
  • Password: Password to access the McAfee ePO server to which you will connect and perform the automated operations.
  • Port: Port number used for connecting to the McAfee ePO server.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.
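
The release note and the parameters above imply that the Server URL can arrive with or without a scheme and must be combined with the separate Port and Verify SSL fields. The following Python sketch is an added example, not the connector's own code; the function name, the host name `epo.example.internal`, and port 8443 are assumptions chosen for illustration. It normalizes the three fields and flags the settings that weaken transport security.

```python
from urllib.parse import urlsplit


def normalize_epo_endpoint(server_url, port, verify_ssl=True):
    """Turn the Server URL, Port and Verify SSL fields into one checked endpoint."""
    raw = (server_url or "").strip()
    if not raw:
        raise ValueError("Server URL is empty")
    # Accept the value with or without a scheme; default to HTTPS when absent.
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("put credentials in Username/Password, not in the URL")
    if not parts.hostname:
        raise ValueError("Server URL has no host")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    # A port embedded in the URL must agree with the separate Port field.
    if parts.port is not None and parts.port != port:
        raise ValueError(f"URL port {parts.port} conflicts with Port {port}")
    warnings = []
    if parts.scheme == "http":
        warnings.append("cleartext HTTP: the ePO credentials cross the network unencrypted")
    elif not verify_ssl:
        warnings.append("Verify SSL is off: the server certificate is not checked")
    host = parts.hostname
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    return {
        "base_url": f"{parts.scheme}://{host}:{port}",
        "verify": bool(verify_ssl),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample values; the host name and port are placeholders.
    for url in ("epo.example.internal", "https://epo.example.internal/",
                "HTTP://epo.example.internal"):
        print(url, "->", normalize_epo_endpoint(url, 8443))
```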

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

  • Run Client Task (annotation: run_client_task; category: Investigation): Runs a client task on the specified systems on the McAfee ePO server, based on the task ID, system names, and product ID you have specified.
  • Check Task Status (annotation: check_task_status; category: Investigation): Checks the status of a running task on the McAfee ePO server, based on the task name or task ID and other input parameters you have specified.
  • Search Client Task (annotation: search_task; category: Investigation): Searches for a client task on the McAfee ePO server, based on the input search text you have specified.
  • Search Systems (annotation: search_systems; category: Investigation): Searches for systems in the McAfee ePO tree, based on the input search text you have specified.
  • Apply Tag (annotation: apply_tag; category: Containment): Applies or adds a tag to an endpoint on the McAfee ePO tree, based on the tag name and endpoint IP address or hostname you have specified.
  • Clear Tag (annotation: clear_tag; category: Remediation): Clears or removes a tag from an endpoint on the McAfee ePO tree, based on the tag name and endpoint IP address or hostname you have specified.
  • Wakeup Agent (annotation: wakeup_agents; category: Remediation): Wakes up an agent on the specified systems on the McAfee ePO server, based on the list of system names you have specified.

operation: Run Client Task

Input parameters

  • System Names: List of names of systems on the McAfee ePO server on which you want to run a client task.
  • Product ID: ID of the product on the McAfee ePO server on which you want to run a client task. Note: You can use the Search operations such as Search Client Task or Search Systems to find the product ID.
  • Task ID: ID of the task that you want to run on the McAfee ePO server.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Check Task Status

Note: All the input parameters are optional. If you do not specify any parameter, then the status of all the tasks for the previous day (default) is retrieved from the McAfee ePO server.

Input parameters

  • Task Name/Task ID: Name or ID of the task for which you want to retrieve the last running status from the McAfee ePO server.
  • Task Source: Name of the task source for which you want to retrieve the last running status from the McAfee ePO server.
  • Count: Maximum number of results (rows) that this operation should display.
  • Age: Age of historical data that this operation should display. For example, if you specify Age = 1 and Unit = Days, the operation displays historical data for tasks up to 1 day old.
  • Unit: Unit of age. You can choose from the following options: Days, Weeks, Months, or Years. By default, it is set to Days.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "duration": "",
     "endDate": "",
     "userName": "",
     "id": "",
     "startDate": "",
     "status": "",
     "taskSource": ""
}

operation: Search Client Task

Input parameters

  • Search Text: Search text based on which you want to find client tasks on the McAfee ePO server.

Output

The output contains the following populated JSON schema:
{
     "productId": "",
     "typeId": "",
     "objectName": "",
     "productName": "",
     "objectId": "",
     "typeName": ""
}

operation: Search Systems

Input parameters

  • Search Text: Search text based on which you want to find systems on the McAfee ePO server. You can search for systems based on IP address, MAC address, username, agent GUID, or tag.

Output

The output contains the following populated JSON schema:
{
     "EPOComputerProperties.NumOfCPU": "",
     "EPOComputerProperties.LastAgentHandler": "",
     "EPOLeafNode.Tags": "",
     "EPOComputerProperties.SystemDescription": "",
     "EPOLeafNode.AgentVersion": "",
     "EPOComputerProperties.OSServicePackVer": "",
     "EPOComputerProperties.IPXAddress": "",
     "EPOComputerProperties.UserProperty1": "",
     "EPOComputerProperties.SubnetMask": "",
     "EPOComputerProperties.CPUSerialNum": "",
     "EPOComputerProperties.UserProperty2": "",
     "EPOLeafNode.LastUpdate": "",
     "EPOComputerProperties.OSVersion": "",
     "EPOLeafNode.AgentGUID": "",
     "EPOComputerProperties.Description": "",
     "EPOComputerProperties.FreeMemory": "",
     "EPOComputerProperties.OSBuildNum": "",
     "EPOComputerProperties.IPV6": "",
     "EPOComputerProperties.UserProperty3": "",
     "EPOComputerProperties.OSPlatform": "",
     "EPOComputerProperties.IPAddress": "",
     "EPOComputerProperties.FreeDiskSpace": "",
     "EPOComputerProperties.TimeZone": "",
     "EPOComputerProperties.IPV4x": "",
     "EPOBranchNode.AutoID": "",
     "EPOComputerProperties.UserProperty8": "",
     "EPOComputerProperties.OSBitMode": "",
     "EPOComputerProperties.DefaultLangID": "",
     "EPOComputerProperties.ParentID": "",
     "EPOComputerProperties.UserProperty4": "",
     "EPOComputerProperties.UserProperty5": "",
     "EPOComputerProperties.OSOEMID": "",
     "EPOComputerProperties.SysvolTotalSpace": "",
     "EPOComputerProperties.IPHostName": "",
     "EPOComputerProperties.UserProperty6": "",
     "EPOComputerProperties.NetAddress": "",
     "EPOComputerProperties.IPSubnet": "",
     "EPOComputerProperties.DomainName": "",
     "EPOComputerProperties.Vdi": "",
     "EPOComputerProperties.OSType": "",
     "EPOLeafNode.ExcludedTags": "",
     "EPOComputerProperties.CPUSpeed": "",
     "EPOComputerProperties.UserName": "",
     "EPOComputerProperties.SysvolFreeSpace": "",
     "EPOComputerProperties.IPSubnetMask": "",
     "EPOComputerProperties.SubnetAddress": "",
     "EPOComputerProperties.TotalDiskSpace": "",
     "EPOLeafNode.ManagedState": "",
     "EPOComputerProperties.UserProperty7": "",
     "EPOComputerProperties.IsPortable": "",
     "EPOComputerProperties.ComputerName": "",
     "EPOComputerProperties.CPUType": "",
     "EPOComputerProperties.TotalPhysicalMemory": ""
}

operation: Apply Tag

Input parameters

  • Endpoint: IP address or hostname of the endpoint on the McAfee ePO server to which you want to add the specified tag.
  • Tag: Name of the tag that you want to apply to the specified endpoint.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}
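
Search Systems returns the fields that Apply Tag needs as input (an IP address or hostname per endpoint). The following Python sketch is an added example, not part of the connector or its sample playbooks. It turns Search Systems output rows into Apply Tag inputs for a containment step and records why each remaining system was skipped. Assumptions: `EPOLeafNode.Tags` and `EPOLeafNode.ExcludedTags` hold comma-separated tag names, `EPOLeafNode.ManagedState` equal to 1 means the agent is managed, and the function name, the tag name "Quarantine", and the sample rows are constructed.

```python
def _split_tags(value):
    # Assumption: tags arrive as one comma-separated string.
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}


def plan_apply_tag(search_results, tag):
    """Return (Apply Tag inputs, skipped systems with a reason) for one tag."""
    wanted = tag.strip().lower()
    to_tag, skipped, seen = [], [], set()
    for row in search_results:
        name = row.get("EPOComputerProperties.ComputerName") or "<unnamed>"
        # Apply Tag takes an IP address or a hostname as its Endpoint input.
        endpoint = (row.get("EPOComputerProperties.IPAddress")
                    or row.get("EPOComputerProperties.IPHostName")
                    or row.get("EPOComputerProperties.ComputerName"))
        if not endpoint:
            skipped.append((name, "no IP address or hostname"))
        elif endpoint in seen:
            skipped.append((name, "duplicate search result"))
        elif str(row.get("EPOLeafNode.ManagedState")) != "1":
            skipped.append((name, "agent not managed"))
        elif wanted in _split_tags(row.get("EPOLeafNode.ExcludedTags")):
            skipped.append((name, "tag is excluded for this system"))
        elif wanted in _split_tags(row.get("EPOLeafNode.Tags")):
            skipped.append((name, "tag already applied"))
        else:
            to_tag.append({"endpoint": endpoint, "tag": tag})
        if endpoint:
            seen.add(endpoint)
    return to_tag, skipped


def _row(name, ip, managed, tags="", excluded="", host=""):
    # Builds a constructed Search Systems record with only the fields used here.
    return {"EPOComputerProperties.ComputerName": name,
            "EPOComputerProperties.IPAddress": ip,
            "EPOComputerProperties.IPHostName": host,
            "EPOLeafNode.ManagedState": managed,
            "EPOLeafNode.Tags": tags,
            "EPOLeafNode.ExcludedTags": excluded}


# Constructed sample data (documentation address range), not real ePO output.
SAMPLE = [
    _row("ws-101", "192.0.2.10", 1, tags="Workstation"),
    _row("ws-102", "192.0.2.11", 1, tags="Workstation, Quarantine"),
    _row("srv-db1", "192.0.2.20", 1, tags="Server", excluded="Quarantine"),
    _row("lab-7", "", 0, host="lab-7.example.internal"),
    _row("ws-101", "192.0.2.10", 1, tags="Workstation"),
]

if __name__ == "__main__":
    actions, skipped = plan_apply_tag(SAMPLE, "Quarantine")
    print(actions)
    for name, reason in skipped:
        print(f"skip {name}: {reason}")
```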

operation: Clear Tag

Input parameters

  • Endpoint: IP address or hostname of the endpoint on the McAfee ePO server from which you want to remove the specified tag.
  • Tag: Name of the tag that you want to remove from the specified endpoint.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

operation: Wakeup Agent

Input parameters

  • System Names: List of names of systems on the McAfee ePO server on which you want to wake up the agent.

Output

The output contains the following populated JSON schema:
{
     "result": "",
     "status": ""
}

Included playbooks

The Sample - McAfee ePO - 1.0.1 playbook collection comes bundled with the McAfee ePO connector. This playbook collection contains steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the McAfee ePO connector.

  • Apply Tag
  • Check Task Status
  • Clear Tag
  • Run Client Task
  • Search Client Task
  • Search Systems
  • Wakeup Agent

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and deletion.
