
Script to query McAfee ESM via the API for inactive data sources. Requires Python 3.

1.0 - Script to query ESM 9.x

2.0 - Script to query ESM 10.x

2.01 - Added verbose error message for known ESM bug


Hi Andy,

This is very interesting.

From a philosophical (?!) point of view there are a number of ways to define a dead data source:

(1) Nothing appears in the ESM - which I think is the use case the script handles.

(2) Nothing is being added to the ELM - this catches events that are not parsed or events being filtered before parsing (I think) so is a superset of (1).

(3) Nothing in the SIEMiverse is seeing anything from the device in addition to (1) and/or (2) - the Norwegian Blue of dead data sources - the source IP address is no more.

Can you think of any way of differentiating between these three scenarios in order to differentiate between 'just sleeping' and 'ex data source'?



Thanks Andrew,

The Receiver communicates with the ELM directly and doesn't traverse the ESM. The logs are sent over from the Receiver when they are either 5 meg in size or 4 hours old. There could potentially be a separate check of the data on the ELM to satisfy #2.

How might you manually conclude that #3 was the case? Try to ping it or something else?


For #3 I've been looking at no other data source recording anything with the source address of the data source of interest. For example, activity might be seen on a firewall - rules firing or flows being reported - while nothing is actually being logged by the data source. I tried to build a correlation rule for this but gave up; I don't think it's possible to have a match-anything condition followed by a match-anything condition. The first condition will always be matched.

It might also be possible to look for events with the data source address as the destination. Success status in these events would imply it's alive whereas failure status would suggest it's dead.

If you could get an event out of the ESM for #1 then you could look for something in #3 in a correlation rule. My experiments have so far failed to see anything in the ESM when a device gets flagged as inactive.
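One way to put the three scenarios from this thread side by side in code, as an added example that is neither the esmcheckds2 script nor a call into the McAfee API: it takes already-fetched records as input. The DataSource and Event structures, the "reporter" field, the status values and all sample events and ELM write times are constructed for illustration; the 4 hour ELM allowance follows the Receiver batching (5 MB or 4 hours) described in the reply above. A source with no parsed events is only called dead when nothing else in the SIEM has seen its address either; success against it, or traffic from it, makes it "just sleeping".

```python
"""Classify SIEM data sources into the three 'dead' scenarios from the thread.

Added example; it is not part of the esmcheckds2 script and does not call the
ESM API. Event records and ELM write times below are constructed test data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The Receiver forwards raw logs to the ELM when a batch reaches 5 MB or 4 hours,
# so an ELM-side gap shorter than the batch window does not prove silence.
ELM_BATCH_WINDOW = timedelta(hours=4)


@dataclass(frozen=True)
class DataSource:
    name: str
    ip: str


@dataclass(frozen=True)
class Event:
    time: datetime
    reporter: str     # data source that logged the event (hypothetical field name)
    src_ip: str
    dst_ip: str
    status: str = ""  # "success" / "failure" for connection-style events


def last_seen(events, predicate):
    """Newest event time matching predicate, or None."""
    return max((e.time for e in events if predicate(e)), default=None)


def classify(ds, esm_events, elm_last_write, now, threshold):
    """Return 'active', 'elm-only', 'sleeping' or 'dead' for one data source.

    active   - (1) parsed events from ds reached the ESM within the threshold
    elm-only - (2) raw logs still land on the ELM but nothing is parsed: a
               parser or pre-parse filter problem rather than a dead host
    sleeping - (3) other sources still see traffic from, or successful
               connections to, ds.ip: the host is up but not logging
    dead     - no trace of ds.ip anywhere inside the window
    """
    cutoff = now - threshold
    own = last_seen(esm_events, lambda e: e.reporter == ds.name)
    if own is not None and own >= cutoff:
        return "active"
    # Allow for a batch that the Receiver has not shipped to the ELM yet.
    if elm_last_write is not None and elm_last_write >= cutoff - ELM_BATCH_WINDOW:
        return "elm-only"
    seen_as_src = last_seen(
        esm_events, lambda e: e.reporter != ds.name and e.src_ip == ds.ip)
    seen_as_dst_ok = last_seen(
        esm_events, lambda e: e.dst_ip == ds.ip and e.status == "success")
    for t in (seen_as_src, seen_as_dst_ok):
        if t is not None and t >= cutoff:
            return "sleeping"
    return "dead"  # only failures, or nothing at all, against ds.ip


def report(sources, esm_events, elm_last_writes, now, threshold=timedelta(hours=1)):
    """Map each data source name to its classification."""
    return {ds.name: classify(ds, esm_events, elm_last_writes.get(ds.name), now, threshold)
            for ds in sources}


# ---- constructed sample data (not from a real ESM) ----
NOW = datetime(2016, 9, 6, 12, 0)
SOURCES = [
    DataSource("fw01", "10.0.0.1"),    # healthy firewall, still logging
    DataSource("web01", "10.0.0.20"),  # silent, but fw01 sees its traffic
    DataSource("db01", "10.0.0.30"),   # raw logs on the ELM, nothing parsed
    DataSource("old01", "10.0.0.40"),  # decommissioned host
]
EVENTS = [
    Event(datetime(2016, 9, 6, 11, 50), "fw01", "192.0.2.7", "10.0.0.1", "success"),
    Event(datetime(2016, 9, 6, 11, 55), "fw01", "10.0.0.20", "198.51.100.9", "success"),
    Event(datetime(2016, 9, 6, 11, 58), "fw01", "10.0.0.50", "10.0.0.40", "failure"),
]
ELM_LAST_WRITE = {
    "fw01": datetime(2016, 9, 6, 11, 30),
    "db01": datetime(2016, 9, 6, 9, 0),  # inside the 4 h batch allowance
    "old01": datetime(2016, 9, 1, 8, 0),
}

if __name__ == "__main__":
    for name, state in report(SOURCES, EVENTS, ELM_LAST_WRITE, NOW).items():
        print(f"{name:6} {state}")
```

The check order matters: a source that is still writing raw logs to the ELM is reported as a parsing problem before any liveness inference is attempted, and only a source that fails both (1) and (2) is tested against what the rest of the SIEM saw in the window.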



I downloaded your esmcheckds2 script for querying and fetching data sources from the SIEM. While going through its source code, I saw that you use a URL of the form `'https://{}/ess'.format(hostname)` for a few methods which are not in the command list provided by the API documentation for `'https://{}/rs/esm/v2'.format(hostname)`. When I try to open the `ESS` URL in my browser, it does not load.

My question is: how can I access that extended list of queries/commands from my browser? Secondly, a lot of commands in the `ESM` documentation require parameters before they can be executed. How can I fetch the whole list rather than a single element from that list?

Version history: revision 1 of 1, last updated 09-06-2016 12:29 PM