AlienVault USM

Version: 2.0.0

AlienVault USM is a SaaS security monitoring platform designed to centralize threat detection, incident response and compliance management of cloud, hybrid cloud, and on-premises environments from a cloud-based console.

Connect AlienVault USM with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for AlienVault USM.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • URL: URL of your AlienVault USM instance. Example: https://subdomain.alienvault.cloud.
    • Client ID: Client ID for AlienVault USM.
    • Secret Key: Secret key for AlienVault USM.
  4. After you've entered all the details, click Connect.

Actions for AlienVault USM

Search Alarms

Retrieves alarms from AlienVault (optionally filtered on various fields).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Filter: Suppressed | Select True to show only those alarms that have the suppressed flag set. | Optional
Filter: Rule Intent | Enter the jinja-templated intent of the rule that triggered the alarm, e.g. Environmental Awareness or {{rule_intent_column}}. | Optional
Filter: Rule Method | Enter the jinja-templated method of the rule that triggered the alarm, e.g. AWS EC2 Security Group Modified or {{rule_method_column}}. | Optional
Filter: Rule Strategy | Enter the jinja-templated strategy of the rule that triggered the alarm, e.g. Network Access Control Modification or {{rule_strategy_column}}. | Optional
Filter: Sensor | Select the column that contains the UUID of the sensor to filter results for. | Optional
Filter: Start Time | Enter a timestamp (in epoch millis) to include only alarms that occurred after it. Enter flow-start-time to use the start of the flow's time range. Leaving it empty does not apply the filter. | Optional
Filter: End Time | Enter a timestamp (in epoch millis) to include only alarms that occurred before it. Enter flow-end-time to use the end of the flow's time range. Leaving it empty does not apply the filter. | Optional
Maximum Number Of Results To Return | The maximum number of results to return per call (default is 100,000). | Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing information of Alarms

Search Alarms V2

Retrieves alarms from AlienVault (optionally filtered on various fields).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Filter: Suppressed | Select True to show only those alarms that have the suppressed flag set. | Optional
Filter: Rule Intent | Enter the jinja-templated intent of the rule that triggered the alarm, e.g. Environmental Awareness or {{rule_intent_column}}. | Optional
Filter: Rule Method | Enter the jinja-templated method of the rule that triggered the alarm, e.g. AWS EC2 Security Group Modified or {{rule_method_column}}. | Optional
Filter: Rule Strategy | Enter the jinja-templated strategy of the rule that triggered the alarm, e.g. Network Access Control Modification or {{rule_strategy_column}}. | Optional
Filter: Sensor | Select the column that contains the UUID of the sensor to filter results for. | Optional
Filter: Start Time | Jinja-templated timestamp (in epoch millis) to include only alarms that occurred after it. Example: {{start_time}} (default is the flow start time). | Optional
Filter: End Time | Jinja-templated timestamp (in epoch millis) to include only alarms that occurred before it. Example: {{end_time}} (default is the flow end time). | Optional
Maximum Number Of Results To Return | The maximum number of results to return per call (default is 100,000). | Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing information of Alarms

Get Alarm

Retrieves details for an alarm.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Alarm ID | Select the column that contains the ID of the alarm whose details to fetch. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing Alarm Details

Get Events by Alarm

Retrieves the events associated with an alarm.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Alarm ID | Select the column that contains the ID of the alarm whose associated events to fetch. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing Event Details

Search Events

Retrieves events from AlienVault (optionally filtered on various fields).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Filter: Account Name | Enter the jinja-templated name of the account to filter on. Example: account or {{account_column}}. | Optional
Filter: Suppressed | Select True to show only those alarms that have the suppressed flag set. | Optional
Filter: Plugin | Enter the jinja-templated name of the plugin to filter events on. Example: plugin or {{plugin_column}}. | Optional
Filter: Event Name | Enter the jinja-templated name of the event to filter events on. Example: name or {{name_column}}. | Optional
Filter: Source Name | Enter the jinja-templated name of the source to filter events on. Example: name or {{name_column}}. | Optional
Filter: Source Username | Enter the jinja-templated name of the user that triggered the event to filter events on. Example: [email protected] or {{userid_column}}@email.com. | Optional
Filter: Sensor | Select the column that contains the UUID of the sensor to filter results for. | Optional
Filter: Start Time | Enter a timestamp (in epoch millis) to include only alarms that occurred after it. Enter flow-start-time to use the start of the flow's time range. Leaving it empty does not apply the filter. | Optional
Filter: End Time | Enter a timestamp (in epoch millis) to include only alarms that occurred before it. Enter flow-end-time to use the end of the flow's time range. Leaving it empty does not apply the filter. | Optional
Page | Enter the page number (0-based) of results to return. | Optional
Size | Enter the number of results to return on each page. | Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing Event Details
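The Search Alarms (both versions) and Search Events actions above share the same input conventions: jinja-templated column references, epoch-millis time bounds with the flow-start-time and flow-end-time sentinels, an empty input meaning the filter is not applied, and a has_error/error pair in every output. The following Python is an added example, not LogicHub's or AlienVault's code; it models how a playbook step can normalise those inputs and check the output before trusting the returned rows, and the input key names, column names and time values are assumptions for illustration.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample data (an assumption for illustration, not from the page): one flow row
# and the flow's time range in epoch millis.
FLOW_RANGE_MS = {"flow-start-time": 1_700_000_000_000, "flow-end-time": 1_700_003_600_000}
SAMPLE_ROW = {"rule_intent_column": "Environmental Awareness", "sensor_uuid": "11111111-2222-3333-4444-555555555555"}
_JINJA_VAR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render_template(text: str, row: Dict[str, Any]) -> str:
    """Stand-in for the jinja rendering LogicHub applies to '{{column}}' inputs."""
    def substitute(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template references unknown column: {name}")
        return str(row[name])
    return _JINJA_VAR.sub(substitute, text)


def resolve_time(value: Optional[str], flow_range: Dict[str, int]) -> Optional[int]:
    """Time input -> epoch millis; flow-* sentinels use the flow range, empty means no filter."""
    value = (value or "").strip()
    if not value:
        return None
    if value in flow_range:
        return flow_range[value]
    if not value.isdigit():
        raise ValueError(f"expected epoch millis or a flow-* sentinel, got {value!r}")
    return int(value)


def build_filters(inputs: Dict[str, Any], row: Dict[str, Any], flow_range: Dict[str, int]) -> Dict[str, Any]:
    """Collect the non-empty filter inputs of a search action into one dict."""
    filters: Dict[str, Any] = {}
    for key in ("rule_intent", "rule_method", "rule_strategy", "sensor"):
        if inputs.get(key):  # empty or missing input: filter not applied
            filters[key] = render_template(inputs[key], row)
    if inputs.get("suppressed") is True:
        filters["suppressed"] = True
    for key in ("start_time", "end_time"):
        ts = resolve_time(inputs.get(key), flow_range)
        if ts is not None:
            filters[key] = ts
    if "start_time" in filters and "end_time" in filters and filters["start_time"] > filters["end_time"]:
        raise ValueError("start time is after end time")
    return filters


def unwrap_output(result: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the has_error/error contract of every action's output before using rows."""
    if result.get("has_error"):
        raise RuntimeError(f"AlienVault USM action failed: {result.get('error')}")
    return {k: v for k, v in result.items() if k not in ("has_error", "error")}
```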

Add Label To Alarm

Adds a label to an alarm in AlienVault.

Note: To get the Label ID, update the label without making any changes while your browser's inspect element/network tab is open, and read the ID from the request it shows. The following image is shown for reference.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Alarm ID | Jinja-templated text containing the ID of the alarm. Example: {{alarm_id_column}}. | Required
Label ID | Jinja-templated text containing the ID of the label. Example: {{label_id_column}}. | Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem
  • v1.3.3 - Updated search alarms action input of start and end time to jinja.

© 2017-2021 LogicHub®. All Rights Reserved.