This module aims to provide a simple API wrapper around the McAfee SIEM API principal components. Code design is accessible and pythonic via list-like and dict-like objects interfaces.

• ESM operations: monitor, show statuses
• DataSource operations, via DevTree: add, edit, delete - including client datasources, retreive from ID
• Alarm operations and querying, via AlarmManager: filter, load pages, acknowledge, unacknowledge, delete, get triggering event, retreive from ID
• Event operations and querying, via EventManager and GroupedEventManager: group queries, filter, add fields, set event's note, retreive from ID
• Watchlist operations, via WatchlistManager: list, add/remove watchlists, add/remove values, get values, retreive from ID
• Make direct API calls, via NitroSession

(Links are directing to the latest documentation version)

• msiem CLI : CLI tools for ESM
• esm_healthmon : Monitors ESM operations
• track-host: Rapidly request event logs to track a workstation
• See samples folder or the tests. for other implementation examples and scripts !

pip install -U msiempy

Read the latest documentation.

Or navigate the Index.

The module offers a single point of authentication against your SIEM, so you don't have to worry about authentication when writting your scripts. This means that you need to preconfigure the authentication using the configuration file.

The configuration file is located (by default) securely in your user directory since it contains credentials.

• For Windows: %APPDATA%\.msiem\conf.ini
• For Mac : $HOME/.msiem/conf.ini
• For Linux : $XDG_CONFIG_HOME/.msiem/conf.ini or $HOME/.msiem/conf.ini

Exemple:

[esm]
# Your ESM credentials
host = HOST
user = USER
passwd = PASSWORD's BASE64
[general]
# Verbosity
verbose = no
quiet = no
# Path to a logfile, the logfile output will always be verbose
logfile = 
# Misc 
timeout = 60
ssl_verify = no

To set the password, you can use the msiempy_setup.py script. You can also directly paste the password's base64 in the config file by doing:

>>> import base64 
>>> passwd = 'P@assW0rd'
>>> print(base64.b64encode(passwd.encode('utf-8')).decode()) 
UEBhc3NXMHJk

Please refer to the releases github page.

Pull requests are welcome!

Please read the contributing file.

This is an UNOFFICIAL project and is NOT sponsored or supported by McAfee, Inc. If you accidentally delete all of your datasources, don't call support (or us). Product access will always be in respect to McAfee's intellectual property.