McAfee SIEM API Versioning Guide

Sounds like a good title for a document someone should create, right? Well, hopefully someone finds some time to work on it and do just that...

In the meantime, here is a list of all of the API calls along with the supported versions in case someone is looking to maintain code compatibility across versions.

See the documentation for your version, with parameter details for each call, at:

  • 9.x - https://<ESM-IP>/rs/esm/help/commands
  • 10.x v1 - https://<ESM-IP>/rs/esm/help
  • 10.x v2 - https://<ESM-IP>/rs/esm/v2/help

McAfee ESM v10.2.0

API Call - Description
ipsDnsLookup - Get DNSLookup object with IP address and hostName information
miscATILookup - Gets ATILookup details
sysAddEditRemoteCommand - Add or edit a remote command
sysDeleteRemoteCommand - Delete remote commands from the given ID list

McAfee ESM v10.1.2 / v10.1.3 / v10.1.4

API Call - Description
getAssociatedReceiver - Returns the Receiver IPSID associated with a device
grpGetDeviceProperties - Gets details of a device

McAfee ESM v10.1.0 / v10.1.1

API Call - Description
assetDeleteAssetSources - Not implemented yet
assetEnableOrDisableAssetRisk - Not implemented yet
assetEnableOrDisableThreatRisk - Not implemented yet
assetExportAssetList - Not implemented yet
assetGetAllAssetSourceLists - Not implemented yet
assetGetAssetDetails - Not implemented yet
assetGetAssetSourceData - Not implemented yet
assetGetAssetSourceList - Not implemented yet
assetGetAssetSourceTypes - Not implemented yet
assetGetOldAssetDays - Not implemented yet
assetGetOSList - Not implemented yet
assetGetThreatCountermeasures - Not implemented yet
assetGetThreatDetails - Not implemented yet
assetImportAssetList - Not implemented yet
assetResetAssetTagExceptions - Not implemented yet
assetSetAllAssetThirdPartyConfig - Not implemented yet
assetSetOldAssetDays - Not implemented yet
assetGetAssetDetailsObject - Gets asset details
assetGetAssetThreats - Gets asset threats
addEditBenchmarkGroup - Adds or edits a benchmark group
deleteBenchmarkGroup - Deletes a benchmark group
getAssetGroups - Gets asset groups
getAssetsByGroup - Gets assets by group
getBenchmarkGroupList - Gets the list of benchmarks
getBenchmarkGroups - Gets benchmark groups
getBenchmarkList - Gets the overall scorecard score
getBenchmarksByGroup - Gets benchmarks by group
getOverallScore - Gets the overall scorecard score
getRulesByBenchmark - Gets rules by benchmark
getScorecardSettings - Gets scorecard settings
getUserBenchmarkSettings - Gets user benchmark settings
setScorecardSettings - Sets scorecard settings
setUserBenchmarkSettings - Sets user benchmark settings

McAfee ESM v10.0.2 / v10.0.3

API Call - Description
alarmGetTriggeredAlarmsWithStatus - Retrieves a list of all alarms that have been triggered; if no user is specified, the current user is used
elasticSearchSearchArchive - Search for an archived item on an ELS
ipsGetAlertsNow - Get a job ID for alerts
ipsGetFlowsNow - Get a job ID for flows
miscJobsDetails - Gets job details
miscJobsSummary - Gets a jobs summary

McAfee ESM v10.0.0MR1 / v10.0.1

API Call - Description
elmDeviceHasELM - Returns the ELM configuration for a device
grpFindDeviceInTree - Gets the parent for the specified device
grpSearchDeviceNamesInTree - Searches the device tree for devices/groups/clients that match the name specified
sysGetUCFTree - Returns the UCF list

McAfee ESM v10.0.0

API Call - Description
alarmGetTriggeredAlarms - Retrieves a list of all alarms that have been triggered
blAddEditNSMBlacklistEntry - Adds or edits a blacklist entry
blDeleteNSMBlacklistEntries - Deletes a list of blacklist entries
blEnableGlobalBlacklistingForSensor - Sets the enabled state for global blacklisting on the specified sensor
blGetAllUseGlobalBlacklist - Gets the list of blacklists
blGetBlacklist - Gets the global blacklist entries
blGetSensorBlacklistEntries - Gets the entries for the blacklist sensor
blSetUseGlobalBlacklist - Updates the blacklists to use global blacklisting
blSubmitGlobalBlacklist - Updates the entries for the global blacklist
caseAddCaseStatus - Add a case status
caseAddOrganization - Add a case organization
caseDeleteCaseStatus - Delete a case status
caseGetCaseEventsDetail - Get case event details
caseGetCaseUsers - Get case users
caseGetOrganizationList - Get case organizations
createView - Create a new View/Widget
deleteView - Delete existing Views/Widgets
devGetDeviceListRaw - Get a list of all devices defined in the system
dsGetDataSourceXml - Get the data source list as XML
dsGetEpoList - Get a list of valid ePO servers for the given target IPs
elasticSearchDeleateSearchHistory - If a search is in progress, stop it and delete the search
elasticSearchGetSearchHistory - Get search history
elasticSearchGetSearchResults - Get search results
elasticSearchPerformSearch - Search the ELS
elmDownloadLogFileForEvent - Gets the download information for an ELM archive
elmGetElmList - Get a list of ELM/ELS devices
essmgtDeleteFile - Deletes the file
essmgtGetBuildStamp - Gets the ESM build stamp
essmgtGetPCapPacket - Gets the packet token
getActionList - Get actions
getAllFlashViews - Gets a list of existing Flash views
getFlashViewInfo - Get view info
getUserLocale - Get the user session locale
getUsersInGroups - List of users that items can be shared with
getUserViewDefaults - Get view defaults for the user
getView - Get an existing View/Widget
grpGetDisplayList - Gets all of the displays for the ESM
grpGetDSAgents - Gets the data source agents for a data source
grpGetSystemTree - Returns the system tree as an array of root nodes
ipsAddAlertNote - Sets the note for the event
ipsGetAFValues - Gets the alert/flow values
ipsGetAlertData - Gets alert data
ipsGetAlertPacket - Gets the packet for the event
ipsGetCorrRawEvents - Get the raw events behind a correlated event
ipsGetFlowData - Gets the flow data values
ipsGetIpsNames - Get the names for the IPSIDs entered
ipsIsEventCorrelation - Get a list of all event correlations
ipsWhoIs - Gets the WHOIS details for the call
miscCancelJob - Cancel a job
miscGetFilenameFromToken - Gets the filename for a given token (no path)
miscGetRemedyEventEmailData - Gets the data to send to Remedy
miscJobStatus - Gets the job status
miscKeepAlive - Keeps the session alive
miscMaskIPAddress - Masks a given IP address using the mask specified
miscSendRemedyEmail - Sends the event to Remedy
miscSendTestEmail - Send a test email with the email server settings
miscSetRemedyCaseID - Sets the Remedy case ID for the specified alert
miscSubmitJob - Submits a new job
notifyAddAddress - Add a notification recipient address
notifyAddCaseIDToTrigAlarm - Adds a case to a triggered alarm
notifyAddGroup - Add a notification email group
notifyDeleteAddress - Remove notification recipient address(es)
notifyDeleteGroup - Delete a group of email recipients
notifyEditAddress - Edit a notification recipient address
notifyEditGroup - Edit a group of email recipients
notifyGetAddressList - Get the list of recipient addresses by type
notifyGetEmailGroupList - Get the list of email groups
notifyGetNotificationSettings - Get the email server settings
notifyGetTriggeredNotification - Get the triggered notification
notifyGetTriggeredNotificationDetail - Gets the details for the triggered alarm
notifyGetVisualTriggeredAlarms - Gets the list of triggered visual alarms
notifySetNotificationSettings - Set the email server settings
notifySetTriggeredAlarmAssignee - Assigns a user to a triggered alarm
plcyGetAssetGroupsList - Get all asset groups defined in the system
plcyGetAssetList - Get all assets defined in the system
plcyGetNormalizedRules - Get all normalized rules based on the display options given
plcyGetTagList - Get tags
qryAllEsmTableFields - Returns a list of all available ESM fields; takes no parameters
qryDeleteAlertFlowData - Deletes one or more events or flows
qryExecute - Execute a query against the database
qryGetFilterSet - Returns a filter set by ID
qryGetFilterSetList - Returns the full folder structure of a filter set
qryGetIocData - Gets all relevant data about a specific IOC
qryGetTrendTimeSlice - Get a trend time slice
qryGetWmiTypes - Get a list of WMI types
qryMarkAsReviewed - Mark event(s) as reviewed
qrySaveFilterSet - Save a new filter set or update an existing one
rskGetCorrelationTriggerInfo - Return ESM correlation trigger info
secAuthorizeDownload - Authorize the user for a download based on session ID
secAuthorizeUpload - Authorize the user for an upload based on session ID
setUserViewDefaults - Set view defaults for the user
sysCanEditItems - Gets the items that can or cannot be edited
sysDeleteFolder - Delete an existing folder
sysExecuteRemoteCommand - Execute a remote system command
sysGetActiveDirectoryGroups - Get Active Directory groups
sysGetADGroupName - Return the Active Directory group name
sysGetAllChanges - Returns all changes since the last check
sysGetAllFoldersAndViews - Get a tree of all folders and all their views
sysGetCustomSettings - Get the details for the custom settings screen
sysGetEventForwardingList - Gets the event forwarding list
sysGetFilterFieldsList - Returns the user filter list
sysGetFolder - Get an existing folder
sysGetItemRightsForShare - Get item rights
sysGetItemRightsForUG - Gets an array list of folders and an array list of items
sysGetMaxDays - Get the number of days that events and flows are stored and the time frame in which new events and flows may be added to the database
sysGetMaxRecs - Returns the database allocation information for index and data drives
sysGetMinutesLeft - Minutes left on the logout timer
sysGetRemoteCommandDetails - The command details for the requested item
sysGetRemoteCommandList - List of remote commands
sysGetSelectProfileList - Returns the selected profile type list
sysGetSysInfo - Returns all the overview system information
sysSaveFolder - Create a new folder
sysSetCustomSettings - Sets the custom settings details
sysSetItemRightsForShare - Set item rights
sysSetMaxDays - Sets the time frames for saving and inserting events and flows into the database
sysSetMaxRecs - Sets the database allocation partitions to the requested format
updateView - Update an existing View/Widget
userAuthorizeDownload - Authorize the user to download the file based upon the fileToken provided
userAuthorizeUpload - Authorize the user for an upload based on session ID
userGetUserTimeFrame - Get the user time frame
userModifyUser - Changes the user password
userSetAutoGetPacket - Sets the new state of Auto-Get Packet for the current user
userSetExtendedLoginInfo - Send new extended login info (JWT and CSRF data) to the middleware
zoneGetTopLevelZones - Gets the top level zones

McAfee ESM v9.x

API Call - Description
alarmAcknowledgeTriggeredAlarm - Mark a triggered alarm as acknowledged
alarmDeleteTriggeredAlarm - Delete a triggered alarm
alarmGetTriggeredAlarms - Retrieves a list of all alarms that have been triggered
alarmGetTriggeredAlarmsPaged - Retrieves a paged list of alarms that have been triggered
alarmGetUnacknowledgedTriggeredAlarms - Retrieves a list of alarms that have been triggered and have not been acknowledged
alarmUnacknowledgeTriggeredAlarm - Mark a triggered alarm as unacknowledged
caseAddCase - Add a case to the system
caseEditCase - Edit an existing case
caseGetCaseDetail - Get detail on an existing case
caseGetCaseList - Get a list of cases from the system
caseGetCaseStatusList - Get a list of valid case statuses from the system
devGetDeviceList - Get a list of all devices defined in the system
dsAddDataSource - Add a data source
dsAddDataSourceList - Add a list of data sources
dsDeleteDataSource - Delete a data source
dsEditDataSource - Edit a data source's properties
dsGetDataSourceDetail - Get the details for a specific data source
dsGetDataSourceList - Get a list of defined data sources
dsGetDataSourceTypes - Get all data source types
dsGetUserDefinedDataSources - Get user-defined data sources
dsSetUserDefinedDataSources - Set user-defined data sources
essmgtESSReboot - Reboots the ESM device
essmgtESSRestart - Restarts the services on the ESM device
essmgtGetESSTime - Get the system time of the ESM device
geoGetGeoLocRegionList - Get the top level geo locations
geoGetGeoLocs - Get geo locations within the given location
getActiveResponseCollectors - Get a list of Active Response collectors
getVersion - Get the version information for this ESM
grpGetDeviceTree - Gets the basic device tree structure with only basic properties loaded
grpGetDeviceTreeEx - Returns more detail per device than getDeviceList, wrapped in an esmDeviceList object
plcyGetPolicyList - Get the list of all policies defined in the ESM
plcyGetVariableList - Get all variables defined in the system
qryClose - Closes the query results; must be called after a query's results have been processed
qryExecuteDetail - Execute a standard detail (non-grouped) query
qryExecuteGrouped - Execute a grouped query on a field
qryGetCorrEventDataForID - Get the source events and flows for a given correlated event ID
qryGetFilterFields - Get all fields that can be used in query filters, with type information for each field
qryGetResults - Get the results for a query
(call name missing on the page) - Get the fields available for selecting in queries
qryGetStatus - Get the status for a query that has been executed
runActiveResponseSearch - Execute an Active Response search and return the results
sysAddWatchlist - Add a watchlist to the system
sysAddWatchlistValues - Add values to a watchlist
sysEditWatchlist - Edit properties of a watchlist (the watchlist type will not be modified)
sysGetWatchlistDetails - Get detailed information about a watchlist
sysGetWatchlistFields - Get watchlist fields/types
sysGetWatchlists - Return basic information on all watchlists in the system
(call name missing on the page) - Read the content of a watchlist value file
sysRemoveWatchlist - Remove a watchlist from the system
sysRemoveWatchlistValues - Remove values from a watchlist
userAddAccessGroup - Add an access group
userAddUser - Add a user to the system
userDeleteAccessGroup - Delete an access group
userDeleteUser - Delete a user from the system
userEditAccessGroup - Edit properties of an access group
userEditUser - Used by the master user to update information about another user
userGetAccessGroupDetail - Get extended information about an access group
userGetAccessGroupList - Get all user access groups defined in the system
userGetRightsList - Get all rights defined in the system
userGetTimeZones - Get a list of time zones this system recognizes
userGetUserList - Get a list of all users
userGetUserRights - Get all rights defined for the current user
userLogin - Log into the SIEM with the given username and password
userLogout - Log the user out of their SIEM session
zoneAddSubZone - Add a new sub zone under a zone
zoneAddZone - Create a new zone
zoneDeleteSubZone - Delete the sub zone
zoneDeleteZone - Delete the zone
zoneEditSubZone - Edit the given sub zone
zoneEditZone - Edit the given zone
zoneGetSubZone - Get detailed information on a sub zone
zoneGetZone - Get extended detail on a zone
zoneGetZoneTree - Get the full tree of zones defined in the ESM
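To show how the lists above get used in practice, here is an added example (not code from the original post, nor from mfe_saw or esmcheckds2) of a small version-aware client in Python. It transcribes a handful of the calls above into a call-to-release table, picks the API base path for the release (9.x has only /rs/esm/, 10.x adds /rs/esm/v2/), builds the matching help URL, and refuses a call the target release cannot serve before any request goes out. The login format (base64-encoded username and password in a JSON body, an Xsrf-Token reply header echoed back as X-Xsrf-Token) and the cookie handling are assumptions drawn from how community wrappers talk to the appliance, so confirm them against the help page for your release; the REMOVED_IN entry encodes the support statement quoted later in this thread about ipsGetAlertPacket.

```python
"""Version-aware helper for the McAfee ESM REST API (added example).

ASSUMPTIONS, labelled as such (none of this is from the original post):
  * INTRODUCED_IN is transcribed from the per-release lists on this page and
    only covers a sample of calls; extend it with the ones you depend on.
  * Login is POST <base>login with base64-encoded username/password in a JSON
    body, and the reply carries an Xsrf-Token header that later requests echo
    back as X-Xsrf-Token. Confirm against https://<ESM-IP>/rs/esm/v2/help.
"""
import base64
import json
import re
import ssl
import urllib.request
from typing import Any, Dict, Optional, Tuple

Version = Tuple[int, ...]

# ESM release in which a call first appears. "10.0.0MR1" is encoded as
# (10, 0, 0, 1) so that it sorts between 10.0.0 and 10.0.1.
INTRODUCED_IN: Dict[str, Version] = {
    "userLogin": (9,),
    "getVersion": (9,),
    "devGetDeviceList": (9,),
    "sysGetWatchlists": (9,),
    "qryExecuteDetail": (9,),
    "alarmGetTriggeredAlarms": (10, 0, 0),
    "ipsGetAlertPacket": (10, 0, 0),
    "devGetDeviceListRaw": (10, 0, 0),
    "grpFindDeviceInTree": (10, 0, 0, 1),
    "alarmGetTriggeredAlarmsWithStatus": (10, 0, 2),
    "assetGetAssetThreats": (10, 1, 0),
    "getAssociatedReceiver": (10, 1, 2),
    "ipsDnsLookup": (10, 2, 0),
}
# Calls withdrawn from the external API. The thread below relays McAfee
# support's statement that ipsGetAlertPacket is gone "as of 10.2.0 or earlier";
# 10.2.0 is the upper bound, so treat 10.1.x as unverified.
REMOVED_IN: Dict[str, Version] = {"ipsGetAlertPacket": (10, 2, 0)}


def parse_version(text: str) -> Version:
    """'10.1.3' -> (10, 1, 3); '10.0.0MR1' -> (10, 0, 0, 1)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(?:MR(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised ESM version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (int(m.group(2)),) if m.group(2) else parts


def api_base(version: Version, want_v2: bool = True) -> str:
    """Path prefix for the REST API: 9.x has only /rs/esm/, 10.x adds /rs/esm/v2/."""
    if version < (10,):
        return "/rs/esm/"
    return "/rs/esm/v2/" if want_v2 else "/rs/esm/"


def supports(call: str, version: Version) -> Optional[bool]:
    """True/False when the table knows the call, None when it does not."""
    introduced = INTRODUCED_IN.get(call)
    if introduced is None:
        return None
    if version < introduced:
        return False
    removed = REMOVED_IN.get(call)
    return removed is None or version < removed


def login_body(username: str, password: str) -> Dict[str, str]:
    """JSON body for <base>login (assumed format, see module docstring)."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return {"username": b64(username), "password": b64(password),
            "locale": "en_US", "os": "Win32"}


class EsmClient:
    """Refuses calls the target release cannot serve instead of letting an HTTP
    error surface mid-script. TLS is verified against the CA file you pass in;
    do not switch verification off for a box that hands out session tokens."""

    def __init__(self, host: str, version: str, cafile: Optional[str] = None,
                 want_v2: bool = True) -> None:
        self.host = host
        self.version = parse_version(version)
        self.base = api_base(self.version, want_v2)
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.headers: Dict[str, str] = {"Content-Type": "application/json"}

    def help_url(self) -> str:
        # The three documentation URLs listed at the top of this page.
        suffix = "help/commands" if self.version < (10,) else "help"
        return f"https://{self.host}{self.base}{suffix}"

    def _post(self, path: str, body: Dict[str, Any]) -> Any:
        req = urllib.request.Request(f"https://{self.host}{self.base}{path}",
                                     data=json.dumps(body).encode("utf-8"),
                                     headers=self.headers, method="POST")
        return urllib.request.urlopen(req, context=self.ctx, timeout=30)

    def login(self, username: str, password: str) -> None:
        resp = self._post("login", login_body(username, password))
        # Session cookie and CSRF token both travel with every later call.
        self.headers["Cookie"] = resp.headers["Set-Cookie"].split(";")[0]
        self.headers["X-Xsrf-Token"] = resp.headers["Xsrf-Token"]

    def call(self, name: str, **params: Any) -> Any:
        ok = supports(name, self.version)
        if ok is False:
            raise RuntimeError(f"{name} is not available on ESM {self.version}")
        if ok is None:
            print(f"warning: {name} is not in the version table; trying it anyway")
        with self._post(name, params) as resp:
            return json.load(resp)
```

Usage is `c = EsmClient("esm.example.net", "10.2.0", cafile="esm-ca.pem"); c.login("user", "pass"); c.call("alarmGetTriggeredAlarms")`; the same script against a 9.x box switches to /rs/esm/ automatically, and a call such as ipsGetAlertPacket fails fast with a readable error on 10.2.0 instead of an opaque HTTP status.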
Hi Andy,

I really appreciate your work.

I've got two questions regarding APIs:

1. Is there any difference between V1(/rs/esm/help) and V2(/rs/esm/v2/help) APIs?

2. Where can I find some information/documentation about the /ess private API? Or can I "debug" it somehow from logs to see which endpoints were used live?

I would like to contribute to GitHub - andywalden/mfe_saw: McAfee SIEM API Wrapper (MFE_SAW) for ESM 10.x.

But I need this information to cover all possible ways to gather information.

andy777



Good question. The v2 API has a simpler syntax.

No documentation exists that I'm aware of for the private API, including for myself. There's no guarantee that anything using the private API will persevere through code releases, and there isn't any support for it.

I use something like Burp Suite or Fiddler to debug.

andy777



mfe_saw is still incubating. I will merge in the device tree from esmcheckds2 once the bugs have been worked out.

esmcheckds2 is the best example for how I use both APIs right now. There is a layer of abstraction in mfe_saw that obscures the queries that is not used in esmcheckds2 so it offers a more straightforward example.

Which functionality are you interested in (data sources, watchlists, queries, etc)?

Hi Andy,

Thanks for your help and introduction to the ESM API. I'm having problems trying to read the full values of a watchlist with the "sysGetWatchlistValues" API call.

The documentation says "The size of the data returned may be less than count, depending on the amount of file data available".

Do you know if there is a solution for this restriction?


Just a heads up I was advised by McAfee support that ipsGetAlertPacket has been removed as of 10.2.0 or earlier. Specifically:


That particular get is not meant to be used in the external API. It should only be used from the interface, and has been removed since the version of the ESM you are on. If you want to use that externally then you need to submit it as a PER.



Hi Andy,


Just to bump this quickly: are there any significant differences for the v11* API?

Many thanks