AlienVault USM
Version: 2.0.0
AlienVault USM is a SaaS security monitoring platform designed to centralize threat detection, incident response and compliance management of cloud, hybrid cloud, and on-premises environments from a cloud-based console.
Connect AlienVault USM with LogicHub
- Navigate to Automations > Integrations.
- Search for AlienVault USM.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select whether to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- URL: URL to your AlienVault USM instance. Example: https://subdomain.alienvault.cloud.
- Client ID: Client ID for AlienVault USM.
- Secret Key: Secret key for AlienVault USM.
- After you've entered all the details, click Connect.
Actions for AlienVault USM
Search Alarms
Retrieves alarms from AlienVault (optionally filtered on various fields).
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter: Suppressed | Select True to show only those alarms that have the suppressed flag set. | Optional |
Filter: Rule Intent | Enter the jinja-templated intent of the rule that triggered the alarm. Example: Environmental Awareness or {{rule_intent_column}}. | Optional |
Filter: Rule Method | Enter the jinja-templated method of the rule that triggered the alarm. Example: AWS EC2 Security Group Modified or {{rule_method_column}}. | Optional |
Filter: Rule Strategy | Enter the jinja-templated strategy of the rule that triggered the alarm. Example: Network Access Control Modification or {{rule_strategy_column}}. | Optional |
Filter: Sensor | Select the column that contains the UUID of the sensor to filter results for. | Optional |
Filter: Start Time | Enter a timestamp (in epoch millis) to include only alarms that occurred after it. Enter flow-start-time to use the start time of the flow's time range. Leaving it empty does not apply the filter. | Optional |
Filter: End Time | Enter a timestamp (in epoch millis) to include only alarms that occurred before it. Enter flow-end-time to use the end time of the flow's time range. Leaving it empty does not apply the filter. | Optional |
Maximum Number Of Results To Return | The maximum number of results to return per call (default is 100,000). | Optional |
Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
- other keys containing information of Alarms
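As an added example (not LogicHub's or AT&T Cybersecurity's own code), the Python below resolves the Search Alarms time inputs (epoch millis, the flow-start-time/flow-end-time sentinels, empty meaning no filter) into a query and wraps the reply in the has_error/error rows described under Output. The query parameter names (timestamp_occured_gte, sensor_uuid and so on) and the HAL-style response shape are assumptions modelled on the USM Anywhere v2 API, and the reply is a constructed sample so the code runs offline.

```python
# Added example, not LogicHub's or AT&T Cybersecurity's code: turn Search Alarms inputs into a
# query and wrap the reply in has_error/error rows. Parameter names and HAL shape are assumed.
from typing import Any, Callable, Dict, List, Optional

FLOW_START, FLOW_END = "flow-start-time", "flow-end-time"
FIELD_TO_PARAM = {"suppressed": "suppressed", "rule_intent": "rule_intent",
                  "rule_method": "rule_method", "rule_strategy": "rule_strategy",
                  "sensor": "sensor_uuid"}

def resolve_time(value: Optional[str], flow_start_ms: int, flow_end_ms: int) -> Optional[int]:
    """Start/End Time input -> epoch millis; None means 'do not filter'."""
    v = (value or "").strip()
    if not v:
        return None
    if v == FLOW_START:
        return flow_start_ms
    if v == FLOW_END:
        return flow_end_ms
    ms = int(v)
    if ms < 10**12:  # heuristic: a value this small is epoch seconds, not millis
        raise ValueError(f"Start/End Time must be epoch millis, got {v}")
    return ms

def build_query(inputs: Dict[str, str], flow_start_ms: int, flow_end_ms: int) -> Dict[str, Any]:
    """Map the non-empty filter inputs to query parameters; reject an empty window."""
    params: Dict[str, Any] = {"size": 100_000}  # the action's default page size
    for field, param in FIELD_TO_PARAM.items():
        if inputs.get(field):
            params[param] = inputs[field]
    start = resolve_time(inputs.get("start_time"), flow_start_ms, flow_end_ms)
    end = resolve_time(inputs.get("end_time"), flow_start_ms, flow_end_ms)
    if start is not None and end is not None and start >= end:
        raise ValueError("empty window: Start Time is not before End Time")
    if start is not None:
        params["timestamp_occured_gte"] = start
    if end is not None:
        params["timestamp_occured_lt"] = end
    return params

def search_alarms(inputs: Dict[str, str], flow_start_ms: int, flow_end_ms: int,
                  fetch: Callable[[Dict[str, Any]], Dict[str, Any]]) -> List[Dict[str, Any]]:
    try:  # every returned row carries has_error/error so failures are explicit to the playbook
        body = fetch(build_query(inputs, flow_start_ms, flow_end_ms))
        alarms = body.get("_embedded", {}).get("alarms", [])  # HAL response shape assumed
        return [{"has_error": False, "error": None, **a} for a in alarms]
    except Exception as exc:  # auth, HTTP and validation failures all become one error row
        return [{"has_error": True, "error": str(exc)}]

SAMPLE_REPLY = {"_embedded": {"alarms": [  # constructed reply; stands in for the HTTP call
    {"uuid": "alarm-1", "rule_intent": "Environmental Awareness", "suppressed": False}]}}
```

A playbook should branch on has_error before reading the other keys; the same envelope applies to the Search Events, Get Alarm and Get Events by Alarm outputs.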
Search Alarms V2
Retrieves alarms from AlienVault (optionally filtered on various fields).
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter: Suppressed | Select True to show only those alarms that have the suppressed flag set. | Optional |
Filter: Rule Intent | Enter the jinja-templated intent of the rule that triggered the alarm. Example: Environmental Awareness or {{rule_intent_column}}. | Optional |
Filter: Rule Method | Enter the jinja-templated method of the rule that triggered the alarm. Example: AWS EC2 Security Group Modified or {{rule_method_column}}. | Optional |
Filter: Rule Strategy | Enter the jinja-templated strategy of the rule that triggered the alarm. Example: Network Access Control Modification or {{rule_strategy_column}}. | Optional |
Filter: Sensor | Select the column that contains the UUID of the sensor to filter results for. | Optional |
Filter: Start Time | Jinja-templated timestamp (in epoch millis) to include only alarms that occurred after it. Example: {{start_time}} (the default is the flow start time). | Optional |
Filter: End Time | Jinja-templated timestamp (in epoch millis) to include only alarms that occurred before it. Example: {{end_time}} (the default is the flow end time). | Optional |
Maximum Number Of Results To Return | The maximum number of results to return per call (default is 100,000). | Optional |
Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
- other keys containing information of Alarms
Get Alarm
Retrieve details for an alarm.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Alarm ID | Select the column that contains the ID of the alarm whose details to fetch. | Required |
Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
- other keys containing Alarm Details
Get Events by Alarm
Retrieve events associated with an alarm.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Alarm ID | Select the column that contains the ID of the alarm whose associated events to fetch. | Required |
Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
- other keys containing Event Details
Search Events
Retrieves events from AlienVault (optionally filtered on various fields).
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter: Account Name | Enter the jinja-templated name of the account to filter on. Example: account or {{account_column}}. | Optional |
Filter: Suppressed | Select True to show only those alarms that have the suppressed flag set. | Optional |
Filter: Plugin | Enter the jinja-templated name of the plugin to filter events on. Example: plugin or {{plugin_column}}. | Optional |
Filter: Event Name | Enter the jinja-templated name of the event to filter events on. Example: name or {{name_column}}. | Optional |
Filter: Source Name | Enter the jinja-templated name of the source to filter events on. Example: name or {{name_column}}. | Optional |
Filter: Source Username | Enter the jinja-templated name of the user that triggered the event to filter events on. Example: [email protected] or {{userid_column}}@email.com. | Optional |
Filter: Sensor | Select the column that contains the UUID of the sensor to filter results for. | Optional |
Filter: Start Time | Enter a timestamp (in epoch millis) to include only alarms that occurred after it. Enter flow-start-time to use the start time of the flow's time range. Leaving it empty does not apply the filter. | Optional |
Filter: End Time | Enter a timestamp (in epoch millis) to include only alarms that occurred before it. Enter flow-end-time to use the end time of the flow's time range. Leaving it empty does not apply the filter. | Optional |
Page | Enter the page number (0-based) of results to return. | Optional |
Size | Enter the number of results to return on each page. | Optional |
Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
- other keys containing Event Details
Add Label To Alarm
Add a label to an alarm in AlienVault.
To get the Label ID, update the label without making any changes while watching the browser's inspect element/network tab. The following image is shown for reference.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Alarm ID | Jinja-templated text containing the id of the alarm. Example: {{alarm_id_column}}. | Required |
Label ID | Jinja-templated text containing the id of the label. Example: {{label_id_column}} | Required |
Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
v1.3.3
- Updated search alarms action input of start and end time to jinja.