AlienVault USM

Version: 1.3.3

AlienVault USM is a SaaS security monitoring platform designed to centralize threat detection, incident response and compliance management of cloud, hybrid cloud, and on-premises environments from a cloud-based console.

Connect AlienVault USM with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for AlienVault USM.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • URL: URL to your AlienVault USM instance. Example: https://subdomain.alienvault.cloud.
    • Client ID: Client id for AlienVault USM.
    • Secret Key: Secret key for AlienVault USM.
  4. After you've entered all the details, click Connect.

Actions for AlienVault USM

Search Alarms

Retrieves alarms from AlienVault (optionally filtered on various fields).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Filter: Suppressed

Select True to show only those alarms that have suppressed flag set.

Optional

Filter: Rule Intent

Enter jinja-templated intent of the rule that triggered the alarm. Eg: Environmental Awareness or {{rule_intent_column}}.

Optional

Filter: Rule Method

Enter jinja-templated method of the rule that triggered the alarm. Eg: AWS EC2 Security Group Modified or {{rule_method_column}}.

Optional

Filter: Rule Strategy

Enter jinja-templated strategy of the rule that triggered the alarm. Eg: Network Access Control Modification or {{rule_strategy_column}}.

Optional

Filter: Sensor

Select column that contains uuid of the sensor to filter results for.

Optional

Filter: Start Time

Enter timestamp (in epoch millis) to only include alarms that occurred after this timestamp. Enter flow-start-time to use start-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Filter: End Time

Enter timestamp (in epoch millis) to only include alarms that occurred before this timestamp. Enter flow-end-time to use end-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Maximum Number Of Results To Return

The maximum number of results to return per call (Default is 100,000).

Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing information of Alarms

Search Alarms V2

Retrieves alarms from AlienVault (optionally filtered on various fields).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Filter: Suppressed

Select True to show only those alarms that have suppressed flag set.

Optional

Filter: Rule Intent

Enter jinja-templated intent of the rule that triggered the alarm. Eg: Environmental Awareness or {{rule_intent_column}}.

Optional

Filter: Rule Method

Enter jinja-templated method of the rule that triggered the alarm. Eg: AWS EC2 Security Group Modified or {{rule_method_column}}.

Optional

Filter: Rule Strategy

Enter jinja-templated strategy of the rule that triggered the alarm. Eg: Network Access Control Modification or {{rule_strategy_column}}.

Optional

Filter: Sensor

Select column that contains uuid of the sensor to filter results for.

Optional

Filter: Start Time

Jinja-templated timestamp (in epoch millis) to only include alarms that occurred after this timestamp. Example {{start_time}} (Default value will be flow start time)

Optional

Filter: End Time

Jinja-templated timestamp (in epoch millis) to only include alarms that occurred before this timestamp. Example {{end_time}} (Default value will be flow end time)

Optional

Maximum Number Of Results To Return

The maximum number of results to return per call (Default is 100,000).

Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing information of Alarms

Get Alarm

Retrieve details for an alarm

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Alarm ID

Select column that contains a value for an alarm id to fetch details.

Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing Alarm Details

Get Events by Alarm

Retrieve events associated with an alarm

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Alarm ID

Select column that contains a value for an alarm id to fetch associated events.

Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing Event Details

Search Events

Retrieves events from AlienVault (optionally filtered on various fields)

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Filter: Account Name

Enter jinja-templated name of the account to filter on.
Example: account or {{account_column}}.

Optional

Filter: Suppressed

Select True to show only those alarms that have suppressed flag set.

Optional

Filter: Plugin

Enter jinja-templated name of the plugin to filter events on.
Example: plugin or {{plugin_column}}.

Optional

Filter: Event Name

Enter jinja-templated name of the event to filter events on.
Example: name or {{name_column}}.

Optional

Filter: Source Name

Enter jinja-templated name of the source to filter events on.
Example: name or {{name_column}}.

Optional

Filter: Source Username

Enter jinja-templated name of the user that triggered the event to filter events on.
Example: [email protected] or {{userid_column}}@email.com.

Optional

Filter: Sensor

Select column that contains uuid of the sensor to filter results for.

Optional

Filter: Start Time

Enter timestamp (in epoch millis) to only include alarms that occurred after this timestamp. Enter flow-start-time to use start-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Filter: End Time

Enter timestamp (in epoch millis) to only include alarms that occurred before this timestamp. Enter flow-end-time to use end-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Page

Enter page number (0 based) of results to return.

Optional

Size

Enter number of results to return on each page.

Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing Event Details

Add Label To Alarm

Add a label to an alarm in AlienVault

📘

To get "Label ID", update the label without made any changes using inspect element/network tab. The following image is shown for reference.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Alarm ID

Jinja-templated text containing the id of the alarm. Example: {{alarm_id_column}}.

Required

Label ID

Jinja-templated text containing the id of the label. Example: {{label_id_column}}

Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null

Release Notes

  • v1.3.3 - Updated search alarms action input of start and end time to jinja.

Did this page help you?