McAfee ESM Event Query activity

The McAfee ESM Event Query workflow activity searches the McAfee ESM event logs for malicious indicators.

The McAfee ESM Event Query activity can be used with any workflow to search the HPE Security ArcSight Logger event logs.

Results

Possible results for this activity are:

Table 1. Results

| Result | Description |
| --- | --- |
| Success | Query succeeded. |
| Failure | An error occurred while attempting to verify the query. More error information is available in the activity output error. |

Input variables

Input variables determine the initial behavior of the activity.

| Variable | Description |
| --- | --- |
| user | User name for the McAfee ESM system. |
| password | Password for the McAfee ESM system. |
| observables | Search syntax. $(observable) is the default. |
| base_url | Base URL of the third-party integration API. |
| link_base_url | Link to a McAfee web interface, when available. |
| observables | The list of observables from Trusted Security Circles or the security incident task to search for. Returned in JSON format. |
| query | Search syntax. $(observable) is the default. |
| max_rows | Maximum rows to return from the query. The limit depends on the third-party integration. |
| days_to_search | Days to search from the current day backwards. Default is 7. |
| source | Source of the request to run the workflow. Supported inputs are: Trusted Security Circles or security incident task. |

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables

| Variable | Description |
| --- | --- |
| output | Output of the query in JSON format. |

Capability Execution Tracking - Failure activity

The Capability Execution Tracking - Failure workflow activity records a failure to the audit record.