Level 7
Message 1 of 4

Pulling Field Info from Event and sending to external script/firewall


I need to pull the data from two fields in a packet (username and IP address) and send the information to a firewall we have for it to create a dynamic rule.

What would be the best way to accomplish this? 

I have considered forwarding the event with the packet to an external script server that would then have to do all of the work of parsing the packet and sending the info to the firewall. 

However, I am wondering if the ESM has the capability to send the information directly to the firewall?

Thanks for any help in advance.

3 Replies

Re: Pulling Field Info from Event and sending to external script/firewall

I don't believe there's a method to send the info you're looking for directly to the firewall.  However, we can send the fields you need to a script of your design, which can then take care of forwarding the info to the firewall as appropriate.  To accomplish this:

  1. Design your script and host it on a system that supports remote SSH authentication.  Script should support passing the parameters you need on the command line (e.g. "send_to_firewall username").
  2. Set up an alarm that triggers based on the conditions under which you'd like your script to be invoked.  This may require building a correlation rule (and triggering the alarm based on the rule firing), depending on how sophisticated you need the conditions to be.
  3. For an action, set the alarm to Execute Remote Command. 
    • Host/Port: IP and SSH port for your scripting host.
    • Username/Password: Credentials ESM should use to authenticate to this host.
    • Command String: "send_to_firewall [$%Source_UserID] [$Destination IP]"

          If you have other fields you'd like to send to your script, you'll find them all in a popup menu underneath the green arrow icon.


Level 9
Message 3 of 4

Re: Pulling Field Info from Event and sending to external script/firewall


Any way to create a log when the command executes? I see in the alarm that the action is logged, but the data is not getting to the ePO server. My example is different from the one above, but this is my command string.  I have tried a pipe to a log file with no luck.

python /lvdata/mcafee/tie/[$%MD5_Hash][$%Filename][$%SHA1_Hash][$%SHA256_Hash]>>addhash.log
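
As an added example (not McAfee's code and not the script of anyone in this thread), here is one way to write the script the Execute Remote Command procedure above hands the event fields to, which also covers the logging question in this post: the script keeps its own log instead of relying on a shell redirection in the command string. The firewall payload schema, the `send` hook, the log path and the placeholder names are assumptions.

```python
#!/usr/bin/env python3
"""send_to_firewall.py: validate the fields an ESM 'Execute Remote Command'
alarm action passes on the command line, build a block-rule request for a
firewall, and record every invocation in a local log.

Added example; not McAfee code. The rule schema and log path are assumptions.
Usage (as the ESM command string would invoke it):
    send_to_firewall.py [$%Source_UserID] [$Destination IP]
"""
import ipaddress
import json
import re
import sys
from datetime import datetime, timezone

# Assumed log location. The ESM runs the script over SSH, so stdout is not a
# reliable place to leave a record; the script appends to its own file.
DEFAULT_LOG = "/var/log/send_to_firewall.log"

# Only characters an account name can legitimately contain. Anything else
# (spaces, quotes, shell metacharacters) is rejected rather than forwarded,
# because the command string is assembled from event fields.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@\\-]{0,63}$")


def validate_username(raw):
    """Return the username if it is well-formed, else raise ValueError."""
    if raw.startswith("[$"):  # placeholder the ESM did not expand (empty field)
        raise ValueError("username placeholder was not expanded: %r" % raw)
    if not USERNAME_RE.match(raw):
        raise ValueError("username contains disallowed characters: %r" % raw)
    return raw


def validate_ip(raw):
    """Return a normalised IP string; refuse anything that is not a single host."""
    if raw.startswith("[$"):
        raise ValueError("ip placeholder was not expanded: %r" % raw)
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        raise ValueError("not an IP address: %r" % raw)
    if addr.is_loopback or addr.is_unspecified:
        raise ValueError("refusing to create a rule for %s" % addr)
    return str(addr)


def build_rule(username, ip, ttl_seconds=3600):
    """Build the request body for the firewall (hypothetical schema)."""
    return {"action": "block", "user": username, "source_ip": ip,
            "ttl": ttl_seconds, "comment": "ESM alarm"}


def record(log_path, entry):
    """Append one JSON line to the log; fall back to stderr if unwritable or None."""
    entry = dict(entry, ts=datetime.now(timezone.utc).isoformat())
    line = json.dumps(entry, sort_keys=True)
    if log_path is not None:
        try:
            with open(log_path, "a", encoding="utf-8") as fh:
                fh.write(line + "\n")
            return
        except OSError as exc:
            line = "log write failed (%s): %s" % (exc, line)
    sys.stderr.write(line + "\n")


def process(args, log_path=DEFAULT_LOG, send=None):
    """Validate args, build the rule, log the outcome and pass the rule to
    `send` (a callable standing in for the firewall client; None = dry run).
    Returns (exit_code, rule_or_None)."""
    if len(args) != 2:
        record(log_path, {"result": "error", "reason": "expected 2 args", "args": args})
        return 2, None
    try:
        user = validate_username(args[0])
        ip = validate_ip(args[1])
    except ValueError as exc:
        record(log_path, {"result": "rejected", "reason": str(exc), "args": args})
        return 1, None
    rule = build_rule(user, ip)
    if send is not None:
        send(rule)
    record(log_path, {"result": "sent" if send else "dry-run", "rule": rule})
    return 0, rule


if __name__ == "__main__":
    sys.exit(process(sys.argv[1:])[0])
```

The validation step matters because the command string is built from event fields and executed on the script host: the script only forwards values that look like an account name and a single host address, and logs (rather than acts on) anything else, including a placeholder the ESM left unexpanded because the field was empty. Writing the log from inside the script also removes the dependency on whether the remote side runs the command string through a shell that honours `>>`.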


Reliable Contributor David1111
Message 4 of 4

Re: Pulling Field Info from Event and sending to external script/firewall


Could someone upload a picture of their API Configuration in the ESM?

(don't forget to blur the IP details etc.)

I can't get it to trigger for some reason.

I created a file on a host that starts to log events when it gets a trigger from the ESM.

I configured the host's details in the ESM, but nothing...


Best Regards👍👍👍
