McAfee ePO API

McAfee ePolicy Orchestrator (ePO) REST API for centralized security management, including system management, policy assignment, task scheduling, query execution, and threat event retrieval across managed endpoints.

OpenAPI Specification

# OpenAPI 3.1 description of the ePO remote command interface: document
# metadata, the server URL template, the tag list and the global security
# requirement.
openapi: 3.1.0
info:
  title: McAfee ePO API
  description: >-
    McAfee ePolicy Orchestrator (ePO) REST API for centralized security
    management, including system management, policy assignment, task scheduling,
    query execution, and threat event retrieval across managed endpoints.
  # Quoted so the value stays the string '5.10' rather than the float 5.1.
  version: '5.10'
  contact:
    name: McAfee Support
    url: https://www.mcafee.com/enterprise/en-us/support.html
  termsOfService: https://www.mcafee.com/enterprise/en-us/about/legal/terms-of-use.html
externalDocs:
  description: McAfee ePO Web API Reference Guide
  url: https://docs.mcafee.com/bundle/epolicy-orchestrator-web-api-reference-guide
servers:
  # HTTPS on port 8443 under /remote. Basic credentials accompany every call
  # (see `security` below), so clients should validate this host's TLS
  # certificate; the specification itself cannot enforce that.
  - url: https://{epo-server}:8443/remote
    description: McAfee ePO Server
    variables:
      epo-server:
        # Placeholder only; it must be replaced with the real host.
        default: your-epo-server
        description: Hostname or IP of the ePO server
# Tags group the operations under `paths`; they carry no access-control meaning.
tags:
  - name: Core
    description: Core server operations and authentication
  - name: Policies
    description: Manage and assign security policies
  - name: Queries
    description: Execute ePO queries and retrieve results
  - name: Software
    description: Manage software repositories and packages
  - name: System Groups
    description: Manage the ePO System Tree groups
  - name: Systems
    description: Manage endpoints and systems registered in ePO
  - name: Tasks
    description: Manage client tasks and server tasks
  - name: Threat Events
    description: Retrieve threat event data from managed endpoints
# Global requirement: any operation that does not declare its own `security`
# uses the basicAuth scheme defined under components.securitySchemes.
security:
  - basicAuth: []
paths:
  # core.help: read-only (GET) listing of the remote commands the server
  # exposes, returned as an array of ApiCommand objects.
  # Useful for checking which commands a given server actually offers before
  # relying on the other paths in this document.
  /core.help:
    get:
      operationId: coreHelp
      summary: McAfee List available API commands
      description: >-
        Returns a list of all available remote API commands on the ePO server
        with their descriptions and parameters.
      tags:
        - Core
      parameters:
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of available API commands
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ApiCommand'
        # Only failed authentication is modelled as an error.
        '401':
          description: Authentication failed
  # system.find: read-only (GET) search of managed systems by free text.
  # Results use the System schema, which includes host names, IP addresses and
  # logged-in user names, so responses should be handled as sensitive
  # inventory data.
  /system.find:
    get:
      operationId: systemFind
      summary: McAfee Search for systems
      description: >-
        Search for managed systems in the ePO System Tree matching specified
        criteria such as name, IP address, tags, or custom properties.
      tags:
        - Systems
      parameters:
        # Required free-text filter; no length or pattern limit is declared.
        - name: searchText
          in: query
          required: true
          description: Search string to match against system names, IP addresses, or other properties
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of matching systems
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/System'
        '401':
          description: Authentication failed
  # system.findTag: read-only (GET) lookup of the systems carrying one tag.
  # Returns the same System objects as system.find, so the same data-handling
  # care applies to the response.
  /system.findTag:
    get:
      operationId: systemFindTag
      summary: McAfee Find systems by tag
      description: >-
        Retrieve a list of systems that have a specific tag applied.
      tags:
        - Systems
      parameters:
        # Required tag name to look up.
        - name: tagName
          in: query
          required: true
          description: Name of the tag to search for
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of systems with the specified tag
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/System'
        '401':
          description: Authentication failed
  # system.applyTag: state-changing (POST) - adds a tag to the named systems.
  # All arguments travel in the query string, so target names and the tag
  # appear in the request URL and may be recorded in proxy or access logs.
  # NOTE(review): if a deployment uses tags to drive policy or task
  # assignment, this is a privileged change - log and review these calls.
  /system.applyTag:
    post:
      operationId: systemApplyTag
      summary: McAfee Apply a tag to systems
      description: >-
        Apply a tag to one or more systems identified by name or ID.
      tags:
        - Systems
      parameters:
        # One string holding several targets, separated by commas.
        - name: names
          in: query
          required: true
          description: Comma-separated list of system names or IDs
          schema:
            type: string
        - name: tagName
          in: query
          required: true
          description: Name of the tag to apply
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Tag applied successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResult'
        # No response is declared for an authenticated caller that lacks
        # permission or for invalid arguments - confirm how the server reports
        # those cases.
        '401':
          description: Authentication failed
  # system.clearTag: state-changing (POST) - removes a tag from the named
  # systems. Mirror image of system.applyTag, with the same parameters.
  # NOTE(review): if tags select which policies or tasks a system receives in
  # a deployment, removing one can change that system's protection - audit it.
  /system.clearTag:
    post:
      operationId: systemClearTag
      summary: McAfee Remove a tag from systems
      description: >-
        Remove a tag from one or more systems identified by name or ID.
      tags:
        - Systems
      parameters:
        # One string holding several targets, separated by commas.
        - name: names
          in: query
          required: true
          description: Comma-separated list of system names or IDs
          schema:
            type: string
        - name: tagName
          in: query
          required: true
          description: Name of the tag to remove
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Tag removed successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResult'
        '401':
          description: Authentication failed
  # epogroup.find: read-only (GET) search of System Tree groups.
  # The groupId values it returns are the identifiers that
  # epogroup.moveSystem and policy.assignToGroup take as input.
  /epogroup.find:
    get:
      operationId: epogroupFind
      summary: McAfee Find system tree groups
      description: >-
        Search for groups in the ePO System Tree by name or other criteria.
      tags:
        - System Groups
      parameters:
        # Optional filter; behaviour when omitted is not stated in this file.
        - name: searchText
          in: query
          required: false
          description: Search string to match against group names
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of matching groups
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/SystemGroup'
        '401':
          description: Authentication failed
  # epogroup.moveSystem: state-changing (POST) - relocates systems to another
  # System Tree group.
  # Group policy is inherited by child systems (see policy.assignToGroup), so
  # a move can change which policy a system receives; treat it as a
  # privileged change and keep an audit trail of who called it.
  /epogroup.moveSystem:
    post:
      operationId: epogroupMoveSystem
      summary: McAfee Move a system to a different group
      description: >-
        Move one or more systems from their current location in the System Tree
        to a specified target group.
      tags:
        - System Groups
      parameters:
        # One string holding several system names, separated by commas.
        - name: names
          in: query
          required: true
          description: Comma-separated list of system names to move
          schema:
            type: string
        # Destination group, as an integer ID.
        - name: parentGroupId
          in: query
          required: true
          description: ID of the target parent group
          schema:
            type: integer
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Systems moved successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResult'
        '401':
          description: Authentication failed
  # policy.find: read-only (GET) search of the policies configured in ePO.
  # The productId, typeId and objectId of a returned Policy are the values the
  # policy.assign* operations require.
  /policy.find:
    get:
      operationId: policyFind
      summary: McAfee Search for policies
      description: >-
        Search for security policies configured in ePO, optionally filtered by
        product or policy type.
      tags:
        - Policies
      parameters:
        # Optional free-text filter on policy names.
        - name: searchText
          in: query
          required: false
          description: Search string to match against policy names
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of matching policies
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Policy'
        '401':
          description: Authentication failed
  # policy.assignToSystem: state-changing (POST) - pins a policy to individual
  # systems, overriding what they inherit from their group.
  # This alters endpoint protection settings, so the calling account should
  # be tightly scoped and every call should be attributable in audit logs.
  /policy.assignToSystem:
    post:
      operationId: policyAssignToSystem
      summary: McAfee Assign a policy to a system
      description: >-
        Assign a specific policy to one or more systems, overriding the
        inherited group policy.
      tags:
        - Policies
      parameters:
        # One string holding several system names, separated by commas.
        - name: names
          in: query
          required: true
          description: Comma-separated list of system names
          schema:
            type: string
        # productId, typeId and objectId together identify the policy.
        - name: productId
          in: query
          required: true
          description: Product ID for the policy
          schema:
            type: string
        - name: typeId
          in: query
          required: true
          description: Policy type ID
          schema:
            type: string
        - name: objectId
          in: query
          required: true
          description: Policy object ID
          schema:
            type: integer
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Policy assigned successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResult'
        # No response is declared for an authenticated caller without the
        # right to assign policies - confirm how the server reports it.
        '401':
          description: Authentication failed
  # policy.assignToGroup: state-changing (POST) - assigns a policy to a
  # System Tree group.
  # Wide blast radius: per the description, the policy is inherited by all
  # child systems and sub-groups, so one call can change protection settings
  # on many endpoints. Restrict and audit the accounts allowed to call it.
  /policy.assignToGroup:
    post:
      operationId: policyAssignToGroup
      summary: McAfee Assign a policy to a group
      description: >-
        Assign a specific policy to a System Tree group, which is then inherited
        by all child systems and sub-groups.
      tags:
        - Policies
      parameters:
        # Target group, as an integer ID.
        - name: groupId
          in: query
          required: true
          description: Target group ID
          schema:
            type: integer
        # productId, typeId and objectId together identify the policy.
        - name: productId
          in: query
          required: true
          description: Product ID for the policy
          schema:
            type: string
        - name: typeId
          in: query
          required: true
          description: Policy type ID
          schema:
            type: string
        - name: objectId
          in: query
          required: true
          description: Policy object ID
          schema:
            type: integer
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Policy assigned to group successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResult'
        '401':
          description: Authentication failed
  # clienttask.find: read-only (GET) search of the client tasks that can be
  # deployed to managed systems. The productId and objectId it returns feed
  # clienttask.run.
  /clienttask.find:
    get:
      operationId: clienttaskFind
      summary: McAfee Search for client tasks
      description: >-
        Search for client tasks that can be deployed to managed systems.
      tags:
        - Tasks
      parameters:
        # Optional free-text filter on task names.
        - name: searchText
          in: query
          required: false
          description: Search string to match against task names
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of matching client tasks
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClientTask'
        '401':
          description: Authentication failed
  # clienttask.run: state-changing (POST) - starts a client task immediately
  # on the named systems.
  # It triggers activity on endpoints, so it is among the most sensitive
  # operations here: limit which accounts may call it and alert on unexpected
  # use. The 200 response means "initiated", not "completed".
  /clienttask.run:
    post:
      operationId: clienttaskRun
      summary: McAfee Run a client task on systems
      description: >-
        Execute a client task immediately on one or more specified systems.
      tags:
        - Tasks
      parameters:
        # One string holding several system names, separated by commas.
        - name: names
          in: query
          required: true
          description: Comma-separated list of system names
          schema:
            type: string
        - name: productId
          in: query
          required: true
          description: Product ID for the task
          schema:
            type: string
        # Integer ID of the task to start.
        - name: taskId
          in: query
          required: true
          description: Client task ID to execute
          schema:
            type: integer
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Task execution initiated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResult'
        '401':
          description: Authentication failed
  # core.executeQuery: GET - runs a saved query selected by integer ID and
  # returns its rows.
  # Rows are free-form objects (additionalProperties: true), so consumers
  # cannot rely on a fixed set of fields and should validate what they read.
  # What a query exposes depends on how it was saved; review which saved
  # queries an API account can reach.
  /core.executeQuery:
    get:
      operationId: coreExecuteQuery
      summary: McAfee Execute a saved query
      description: >-
        Execute a previously saved ePO query by ID and return the results. Queries
        can retrieve data about systems, events, policies, and other ePO objects.
      tags:
        - Queries
      parameters:
        # Only an ID is accepted; this document offers no way to pass query text.
        - name: queryId
          in: query
          required: true
          description: ID of the saved query to execute
          schema:
            type: integer
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Query results
          content:
            application/json:
              schema:
                type: array
                items:
                  type: object
                  additionalProperties: true
        '401':
          description: Authentication failed
        # The only operation in this document that declares a not-found response.
        '404':
          description: Query not found
  # core.listQueries: read-only (GET) listing of the saved queries on the
  # server. Each SavedQuery carries the ID core.executeQuery expects, and a
  # createdBy user name.
  /core.listQueries:
    get:
      operationId: coreListQueries
      summary: McAfee List saved queries
      description: >-
        Retrieve a list of all saved queries available on the ePO server.
      tags:
        - Queries
      parameters:
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of saved queries
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/SavedQuery'
        '401':
          description: Authentication failed
  # detectedsystem.find: read-only (GET), documented here as a threat-event
  # search returning ThreatEvent objects.
  # NOTE(review): the command name suggests a search for detected systems
  # (in ePO the detectedsystem.* commands are, as far as this reviewer
  # knows, associated with Rogue System Detection), while the summary, tag
  # and response schema describe threat events. Verify against the server's
  # core.help output before relying on this operation for event retrieval.
  /detectedsystem.find:
    get:
      operationId: detectedsystemFind
      summary: McAfee Find threat events
      description: >-
        Search for detected threat events across managed systems, returning
        details about malware detections, intrusion attempts, and other security events.
      tags:
        - Threat Events
      parameters:
        # Optional free-text filter; no time-range or paging parameter is declared.
        - name: searchText
          in: query
          required: false
          description: Search text to filter threat events
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of threat events
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ThreatEvent'
        '401':
          description: Authentication failed
  # repository.findPackages: read-only (GET) search of the packages held in
  # the master repository (DAT files, engine updates, product packages).
  # The returned version strings can support checks that content is current.
  /repository.findPackages:
    get:
      operationId: repositoryFindPackages
      summary: McAfee Find software packages
      description: >-
        Search for software packages in the ePO master repository, including
        DAT files, engine updates, and product packages.
      tags:
        - Software
      parameters:
        # Optional free-text filter.
        - name: searchText
          in: query
          required: false
          description: Search string to filter packages
          schema:
            type: string
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of matching packages
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/SoftwarePackage'
        '401':
          description: Authentication failed
  # scheduler.listServerTasks: read-only (GET) listing of configured server
  # tasks. The id of a returned ServerTask is what scheduler.runServerTask
  # takes as taskId.
  /scheduler.listServerTasks:
    get:
      operationId: schedulerListServerTasks
      summary: McAfee List server tasks
      description: >-
        Retrieve a list of all configured server tasks in ePO, including
        pull tasks, replication tasks, and custom automation tasks.
      tags:
        - Tasks
      parameters:
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: List of server tasks
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ServerTask'
        '401':
          description: Authentication failed
  # scheduler.runServerTask: state-changing (POST) - starts a server task
  # immediately, selected by integer ID.
  # Server tasks include pull, replication and custom automation tasks (see
  # scheduler.listServerTasks), so this runs work on the management server
  # itself; restrict and audit its use. 200 means "initiated", not "finished".
  /scheduler.runServerTask:
    post:
      operationId: schedulerRunServerTask
      summary: McAfee Run a server task
      description: >-
        Execute a server task immediately by its ID.
      tags:
        - Tasks
      parameters:
        - name: taskId
          in: query
          required: true
          description: ID of the server task to execute
          schema:
            type: integer
        - $ref: '#/components/parameters/outputType'
      responses:
        '200':
          description: Server task execution initiated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResult'
        # No response is declared for an unknown taskId or a caller without
        # permission - confirm how the server reports those cases.
        '401':
          description: Authentication failed
components:
  securitySchemes:
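    # HTTP Basic, sent with every request to the HTTPS server URL declared in
    # `servers`. The description now states that Base64 gives no
    # confidentiality, which the original wording left implicit.
    # NOTE(review): the description speaks of administrator credentials;
    # prefer a dedicated API account limited to the commands an integration
    # needs - confirm what the ePO permission model allows.
    basicAuth:
      type: http
      scheme: basic
      description: >-
        HTTP Basic authentication using ePO administrator credentials.
        Credentials are transmitted as a Base64-encoded username:password pair.
        Base64 is an encoding, not encryption, so the credentials are protected
        in transit only by the HTTPS connection to the server.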
  parameters:
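    # Shared optional query parameter referenced by the operations in this
    # document; it selects the response format.
    # The name is quoted because a plain scalar that starts with ':' is an
    # edge case some YAML loaders treat differently (Ruby's Psych, for
    # example, resolves it to a Symbol); quoting keeps it the string ':output'.
    # Every 200 response in this file is declared as application/json only, so
    # xml, terse and verbose results are not modelled.
    outputType:
      name: ':output'
      in: query
      required: false
      description: >-
        Output format for the response. Defaults to JSON when not specified.
      schema:
        type: string
        enum:
          - json
          - xml
          - terse
          - verbose
        # NOTE(review): this default is the document's claim; confirm the
        # server-side default in the vendor reference, and have clients that
        # parse JSON send :output=json explicitly.
        default: json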
  schemas:
    # System: one managed endpoint as returned by system.find and
    # system.findTag.
    # Property names contain a literal dot (e.g. "EPOComputerProperties.IPAddress");
    # they are flat keys, not nested objects.
    # Host name, IP address, domain and logged-in user make this record
    # sensitive inventory data - limit where responses are stored or logged.
    System:
      type: object
      properties:
        EPOComputerProperties.ParentID:
          type: integer
          description: Parent group ID in the System Tree
        EPOComputerProperties.ComputerName:
          type: string
          description: NetBIOS computer name
        EPOComputerProperties.IPAddress:
          type: string
          description: IP address of the system
        EPOComputerProperties.OSType:
          type: string
          description: Operating system type
        EPOComputerProperties.OSVersion:
          type: string
          description: Operating system version
        EPOComputerProperties.DomainName:
          type: string
          description: Domain or workgroup name
        EPOComputerProperties.UserName:
          type: string
          description: Logged-in user name
        # A single comma-separated string, not an array.
        EPOComputerProperties.Tags:
          type: string
          description: Comma-separated list of applied tags
        EPOLeafNode.AgentGUID:
          type: string
          description: Unique McAfee Agent GUID
        EPOLeafNode.AgentVersion:
          type: string
          description: Installed McAfee Agent version
        # A stale value here can indicate an agent that has stopped reporting.
        EPOLeafNode.LastUpdate:
          type: string
          format: date-time
          description: Last agent-server communication time
        EPOLeafNode.ManagedState:
          type: string
          description: Management state of the system
    # SystemGroup: one System Tree group as returned by epogroup.find.
    # groupId is the integer that epogroup.moveSystem (parentGroupId) and
    # policy.assignToGroup (groupId) accept.
    SystemGroup:
      type: object
      properties:
        groupId:
          type: integer
          description: Unique group ID
        groupPath:
          type: string
          description: Full path in the System Tree
        groupName:
          type: string
          description: Name of the group
    # Policy: one policy as returned by policy.find.
    # objectId, productId and typeId are the three identifiers the
    # policy.assign* operations require; no property is marked required here.
    Policy:
      type: object
      properties:
        objectId:
          type: integer
          description: Policy object ID
        objectName:
          type: string
          description: Policy name
        productId:
          type: string
          description: Product ID the policy belongs to
        typeId:
          type: string
          description: Policy type identifier
        productName:
          type: string
          description: Display name of the product
    # ClientTask: one deployable client task as returned by clienttask.find.
    # Same field layout as Policy; objectId and productId identify the task.
    # NOTE(review): clienttask.run takes a taskId - presumably this objectId;
    # verify against the vendor reference.
    ClientTask:
      type: object
      properties:
        objectId:
          type: integer
          description: Task object ID
        objectName:
          type: string
          description: Task name
        productId:
          type: string
          description: Product ID the task belongs to
        typeId:
          type: string
          description: Task type identifier
        productName:
          type: string
          description: Display name of the product
    # ServerTask: one configured server task as returned by
    # scheduler.listServerTasks.
    ServerTask:
      type: object
      properties:
        id:
          type: integer
          description: Server task ID
        name:
          type: string
          description: Server task name
        description:
          type: string
          description: Server task description
        # NOTE(review): this document does not say whether
        # scheduler.runServerTask honours the enabled flag - confirm.
        enabled:
          type: boolean
          description: Whether the task is enabled
        nextRunTime:
          type: string
          format: date-time
          description: Next scheduled run time
    # SavedQuery: one saved query as returned by core.listQueries.
    # id is the value core.executeQuery takes as queryId.
    SavedQuery:
      type: object
      properties:
        id:
          type: integer
          description: Query ID
        name:
          type: string
          description: Query name
        description:
          type: string
          description: Query description
        # Exposes an ePO user name to anyone who can list queries.
        createdBy:
          type: string
          description: User who created the query
        groupName:
          type: string
          description: Query group name
    # ThreatEvent: one detection record.
    # String fields such as ThreatName, SourceHostName and TargetFileName
    # presumably originate on the reporting endpoint; treat them as untrusted
    # text and escape them before showing them in dashboards, tickets or
    # e-mail.
    ThreatEvent:
      type: object
      properties:
        AutoID:
          type: integer
          description: Auto-incremented event ID
        # Two timestamps: when the detection happened and when ePO received it.
        # A large gap between them delays anything that polls this data.
        DetectedUTC:
          type: string
          format: date-time
          description: Detection time in UTC
        ReceivedUTC:
          type: string
          format: date-time
          description: Time the event was received by ePO
        ThreatName:
          type: string
          description: Name of the detected threat
        ThreatType:
          type: string
          description: Type of threat (e.g., virus, trojan, PUP)
        # Integer scale; its range and direction are not defined in this file.
        ThreatSeverity:
          type: integer
          description: Severity level of the threat
        ThreatActionTaken:
          type: string
          description: Action taken on the threat (e.g., cleaned, deleted, quarantined)
        SourceHostName:
          type: string
          description: Hostname of the system where the threat was detected
        SourceIPV4:
          type: string
          description: IPv4 address of the source system
        # File paths can embed user names and project names.
        TargetFileName:
          type: string
          description: File path of the affected file
        AnalyzerName:
          type: string
          description: Name of the product that detected the threat
        AnalyzerVersion:
          type: string
          description: Version of the detecting product
    # SoftwarePackage: one master-repository package as returned by
    # repository.findPackages. All four fields are plain strings; no integrity
    # value (hash or signature) is part of this schema.
    SoftwarePackage:
      type: object
      properties:
        productId:
          type: string
          description: Package product ID
        packageType:
          type: string
          description: Package type (e.g., DAT, Engine, Product)
        packageVersion:
          type: string
          description: Package version string
        packageName:
          type: string
          description: Display name of the package
    # CommandResult: the body every state-changing (POST) operation in this
    # document returns on 200.
    # It is a single free-text message with no status code or per-target
    # detail, so callers cannot tell from the schema alone whether every
    # named system was affected.
    CommandResult:
      type: object
      properties:
        result:
          type: string
          description: Result status message
    # ApiCommand: one entry of the core.help listing - a command name, its
    # description and its parameters.
    ApiCommand:
      type: object
      properties:
        command:
          type: string
          description: Command name
        description:
          type: string
          description: Command description
        # Each parameter is an inline object: name, required flag, description.
        parameters:
          type: array
          items:
            type: object
            properties:
              name:
                type: string
              required:
                type: boolean
              description:
                type: string