AlienVault USM

AlienVault USM is a SaaS security monitoring platform designed to centralize threat detection, incident response and compliance management of cloud, hybrid cloud, and on-premises environments from a cloud-based console.

Integration with LogicHub

Connecting with AlienVault USM

To connect to AlienVault USM, the following details are required:

Actions with AlienVault USM

Search Alarms

Retrieves alarms from AlienVault (optionally filtered on various fields)

Inputs to this action:

  • Connection: Choose a connection that you have created.
  • Filter: Suppressed (Optional): Select True to return only alarms that have the suppressed flag set
  • Filter: Rule Intent (Optional): Enter the jinja-templated intent of the rule that triggered the alarm. Eg: Environmental Awareness or {{rule_intent_column}}
  • Filter: Rule Method (Optional): Enter the jinja-templated method of the rule that triggered the alarm. Eg: AWS EC2 Security Group Modified or {{rule_method_column}}
  • Filter: Rule Strategy (Optional): Enter the jinja-templated strategy of the rule that triggered the alarm. Eg: Network Access Control Modification or {{rule_strategy_column}}
  • Filter: Sensor (Optional): Select the column that contains the UUID of the sensor to restrict results to
  • Filter: Start Time (Optional): Enter a timestamp (in epoch milliseconds) to include only alarms that occurred after it. Enter flow-start-time to use the start of the flow's time range. Leaving it empty applies no lower bound.
  • Filter: End Time (Optional): Enter a timestamp (in epoch milliseconds) to include only alarms that occurred before it. Enter flow-end-time to use the end of the flow's time range. Leaving it empty applies no upper bound.
  • Maximum Number Of Results To Return (Optional): The maximum number of results to return per call (default is 100,000). Prefer bounding the query with the Start Time and End Time filters rather than relying on this cap.

Output of action:
Multiple rows of result JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing information of Alarms

Get Alarm

Retrieve details for an alarm

Inputs to this action:

  • Connection: Choose a connection that you have created.
  • Alarm ID: Select column that contains a value for an alarm id to fetch details

Output of action:
Correlated rows of result JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing Alarm Details

Get Events by Alarm

Retrieve events associated with an alarm

Inputs to this action:

  • Connection: Choose a connection that you have created.
  • Alarm ID: Select column that contains a value for an alarm id to fetch associated events

Output of action:
Correlated rows of result JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing Event Details

Search Events

Retrieves events from AlienVault (optionally filtered on various fields)

Inputs to this action:

  • Connection: Choose a connection that you have created.
  • Filter: Account Name (Optional): Enter the jinja-templated name of the account to filter on. Eg: account or {{account_column}}
  • Filter: Suppressed (Optional): Select True to return only events that have the suppressed flag set
  • Filter: Plugin (Optional): Enter the jinja-templated name of the plugin to filter events on. Eg: plugin or {{plugin_column}}
  • Filter: Event Name (Optional): Enter the jinja-templated name of the event to filter events on. Eg: name or {{name_column}}
  • Filter: Source Name (Optional): Enter the jinja-templated name of the source to filter events on. Eg: name or {{name_column}}
  • Filter: Source Username (Optional): Enter the jinja-templated name of the user that triggered the event to filter events on. Eg: a full email address such as user@email.com, or {{userid_column}}@email.com
  • Filter: Sensor (Optional): Select the column that contains the UUID of the sensor to restrict results to
  • Filter: Start Time (Optional): Enter a timestamp (in epoch milliseconds) to include only events that occurred after it. Enter flow-start-time to use the start of the flow's time range. Leaving it empty applies no lower bound.
  • Filter: End Time (Optional): Enter a timestamp (in epoch milliseconds) to include only events that occurred before it. Enter flow-end-time to use the end of the flow's time range. Leaving it empty applies no upper bound.
  • Page (Optional): Enter the page number of results to return. Pages are 0-based, so the first page is 0.
  • Size (Optional): Enter the number of results to return on each page

Output of action:
Correlated rows of result JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing Event Details
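The Search Alarms and Search Events actions share two conventions worth getting right in a playbook: time filters are epoch milliseconds (after Start Time, before End Time), Search Events pages are 0-based, and every returned row carries has_error/error alongside the result keys. The script below is an added example, not LogicHub or AlienVault code. The action itself is replaced by a constructed stub (search_events_stub) that only imitates that output contract, the sample events and their key names (event_id, event_name, occurred_ms) are invented for the example, and the error case the stub produces (a negative page number) is an assumption used to exercise the error path, not documented behaviour.

```python
from datetime import datetime, timezone


def to_epoch_millis(dt: datetime) -> int:
    """Start/End Time filters take epoch milliseconds; a naive datetime is treated as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


# Constructed sample events. The key names are assumptions made for this example,
# not a statement of what AlienVault USM actually returns.
SAMPLE_EVENTS = [
    {"event_id": "evt-1", "event_name": "Login Success",  "occurred_ms": 1_700_000_000_000},
    {"event_id": "evt-2", "event_name": "Login Failure",  "occurred_ms": 1_700_000_060_000},
    {"event_id": "evt-3", "event_name": "Login Failure",  "occurred_ms": 1_700_000_120_000},
    {"event_id": "evt-4", "event_name": "Login Failure",  "occurred_ms": 1_700_000_180_000},
    {"event_id": "evt-5", "event_name": "Config Changed", "occurred_ms": 1_700_000_240_000},
]


def search_events_stub(page: int, size: int, start_ms=None, end_ms=None) -> list:
    """Stand-in for the Search Events action. Every row carries has_error/error, as the
    page describes; the error condition (negative page) is invented for this example."""
    if page < 0:
        return [{"has_error": True, "error": "page must be >= 0 (pages are 0-based)"}]
    # Start Time is exclusive on the left, End Time exclusive on the right (after/before).
    matching = [
        e for e in SAMPLE_EVENTS
        if (start_ms is None or e["occurred_ms"] > start_ms)
        and (end_ms is None or e["occurred_ms"] < end_ms)
    ]
    chunk = matching[page * size:(page + 1) * size]
    return [{"has_error": False, "error": None, **e} for e in chunk]


def collect_events(action, start_ms=None, end_ms=None, size=2, max_pages=100):
    """Page through an events action starting at page 0 and stop at the first short page.
    Rows with has_error set are collected separately instead of being treated as events."""
    events, errors = [], []
    for page in range(max_pages):
        rows = action(page=page, size=size, start_ms=start_ms, end_ms=end_ms)
        for row in rows:
            if row.get("has_error"):
                errors.append(row.get("error"))
            else:
                events.append({k: v for k, v in row.items() if k not in ("has_error", "error")})
        if len(rows) < size:
            break
    return events, errors


def count_by_name(events) -> dict:
    """Summarise a window of events by event_name, e.g. to spot a burst of failed logins."""
    counts = {}
    for e in events:
        counts[e["event_name"]] = counts.get(e["event_name"], 0) + 1
    return counts


if __name__ == "__main__":
    start = to_epoch_millis(datetime(2023, 11, 14, 22, 13, 20, tzinfo=timezone.utc))
    end = start + 240_000  # four minutes later, in milliseconds
    events, errors = collect_events(search_events_stub, start_ms=start, end_ms=end, size=2)
    print(len(events), "events,", len(errors), "errors:", count_by_name(events))
```

Because the stop condition is "a page shorter than size", a result set that is an exact multiple of the page size costs one extra empty call; that is the price of not knowing the total up front. Keep the time window narrow on Search Alarms as well, where the per-call cap defaults to 100,000 rows.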

Add Label To Alarm

Add a label to an alarm in AlienVault

📘

Note

To find a "Label ID", open the browser's developer tools on the AlienVault console (Inspect Element, Network tab) and save the label without making any changes; the request that is sent contains the label's ID. The following image is shown for reference.

Inputs to this action:

  • Connection: Choose a connection that you have created.
  • Jinja Template Alarm ID: Jinja-templated text containing the id of the alarm. Example: {{alarm_id_column}}.
  • Jinja Template Label ID: Jinja-templated text containing the id of the label. Example: {{label_id_column}}

Output of action:
Correlated rows of result JSON containing the following items:

  • has_error: True/False
  • error: message/null
