McAfee MVISION EDR Integration

Overview

This integration allows you to connect to McAfee MVISION EDR to perform endpoint remediation actions like quarantining/unquarantining, killing processes, removing files, dismissing threats, enriching endpoint information, and testing connectivity.

Configuration

The configuration for this integration (API endpoint, credentials, etc.) is managed within the SOAR platform’s Marketplace tab. The actions utilize these pre-configured settings.

Actions

Quarantine Endpoint

Create quarantine endpoint task on the McAfee MVISION EDR server based on the Siemplify IP or Host Siemplify entities.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on. Supports IP and Host entities.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the action execution.

Enrich Endpoint

Fetch endpoint’s system information by its hostname or IP address.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on. Supports IP and Host entities.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the action execution, including endpoint system information.

Ping

Test Connectivity to McAfee MVISION EDR.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the ping action.

Kill Process

Stop a running process and remove its file. If the process is not running, then its file is just removed from the managed endpoint.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • process_identifier_type (List[str], required): Specify which process identifier type to use.

  • process_identifier (string, required): Specify the value for the process identifier.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on. Supports IP and Host entities.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the action execution.

Stop And Remove Content

Stop interpreter process by PID (Ex. Python, Bash, etc.) and remove the associated script by full path on the McAfee Mvision Endpoint.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • pid (string, required): Specify the PID of the interpreter.

  • full_file_path (string, required): Specify the full path to the file that you want to remove.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on. Supports IP and Host entities.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the action execution.

Unquarantine Endpoint

Create unquarantine endpoint task on the McAfee MVISION EDR server based on the Siemplify IP or Host Siemplify entities.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on. Supports IP and Host entities.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the action execution.

Remove File

Remove file from the endpoint.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • full_file_path (string, required): Specify the full path to the file that you want to remove.

  • safe_removal (bool, required): If enabled, will ignore files that may be critical or trusted.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on. Supports IP and Host entities.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the action execution.

Dismiss Threat

Dismiss Threat in McAfee MVISION EDR.

Arguments:

  • case_id (string, required): The ID of the case.

  • alert_group_identifiers (List[string], required): Identifiers for the alert groups.

  • threat_id (string, required): Specify the ID of the threat that you want to dismiss.

  • target_entities (List[TargetEntity], optional): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (string, optional): Defines the scope for the action. Defaults to “All entities”.

Returns:

  • dict: A dictionary containing the result of the action execution.

Notes

  • Ensure the McAfee MVISION EDR integration is properly configured in the SOAR Marketplace tab.

  • Most actions operate on Hostname or IP address entities within the specified scope.