Arbor Sightline

Version: 1.1.1

Arbor Sightline provides robust capabilities ranging from network-wide capacity planning to identifying threats to the network and managing their mitigation.

Connect Arbor Sightline with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Arbor Sightline.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • API Key: API key for Arbor Sightline. It should have all the necessary permissions.
    • Tenant: Tenant name. Example: 'mariner' (without quotes).
    • Arbor Sightline API: Select the Arbor Sightline API that you are accessing to ensure that the correct configurations are validated. Default is Web Services.
  4. After you've entered all the details, click Connect.

Actions for Arbor Sightline

Fetch Alert

This action allows you to search for and retrieve XML alert information.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
limit | The maximum number of alerts to return that match the filter. | Optional
Filter | Jinja-templated text containing keywords by which you want to filter search results. You can enter the same search strings that you can enter in the search box on the alerts pages in the Sightline UI. Example: 'host'. | Optional

Output

JSON containing the following items:

{
  "result": [
    {
      "id": "4",
      "type": "DoS Host Alert",
      "is_fast_detected": false,
      "importance": "low",
      "classification": "Possible Attack",
      "device_gid": "13",
      "device_name": "T-001",
      "direction": "Incoming",
      "start": "2024-06-19T07:15:45",
      "duration": "89",
      "ongoing": true,
      "resource": {
        "cidr": "123.8",
        "ipVersion": "4",
        "managedObjects": [
          {
            "name": "SOR",
            "id": "56",
            "importance": "low"
          }
        ]
      },
      "threshold": "100000",
      "severity_pct": "55",
      "unit": "pps",
      "misuseTypes": [
        "UP"
      ],
      "annotations": [
        {
          "added": "2024-06-19T07:15:45",
          "author": "auto-annotation",
          "content": "The \"UP\" misuse type was detected by host detection at router \"S03\". (expected rate: 600.00 Mbps/50.00 Kpps, observed rate: 260.44 Mbps/54.77 Kpps)"
        }
      ],
      "max_impact_bps": "260437584",
      "max_impact_pps": "54774",
      "max_impact_boundary": "S03",
      "impact_bps_points": [
        "260437590",
        "240316767"
      ],
      "impact_pps_points": [
        "54774",
        "50462"
      ],
      "impact_recorded": [
        "1718781345",
        "1718781405"
      ]
    }
  ],
  "error": null,
  "has_error": false
}

Fetch Mitigations

This action allows you to search for and retrieve XML mitigations information.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
limit | The maximum number of alerts to return that match the filter. | Optional
Filter | Jinja-templated text containing keywords by which you want to filter search results. You can enter the same search strings that you can enter in the search box on the mitigations pages in the Sightline UI. Example: 'auto-mitigation'. | Optional

Output

JSON containing the following items:

{
  "result": [
    {
      "id": "1301",
      "type": "tms_mitigation",
      "name": "DoS Alert 2114050",
      "user": "gu",
      "ip_version": "4",
      "alert_id": "2114050",
      "prefix": "20/32",
      "is_automitigation": false,
      "is_learning": false,
      "learning_cancelled": false,
      "managed_object_id": "904",
      "managed_object_name": "IPv4-P",
      "ongoing": true,
      "duration": "11379",
      "start": "2024-06-19T04:11:40",
      "annotations": [
        {
          "added": "2024-06-19T05:14:00",
          "author": "gu",
          "content": "authentication countermeasure disabled."
        }
      ]
    }
  ],
  "error": null,
  "has_error": false
}
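The Fetch Alert and Fetch Mitigations outputs above are designed to be consumed by a playbook step. The following Python is an added example, not code from the integration or from Devo/LogicHub: it normalises the string-typed numeric fields of a Fetch Alert record, pairs the parallel impact arrays into a time series, and then joins alerts against mitigations on alert_id to list ongoing alerts above a severity threshold that have no ongoing mitigation. The sample payloads are constructed to match the documented shapes (the first alert and the mitigation are copied from the page; the second alert is made up so that one alert is covered by the mitigation), and the helper names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the Fetch Alert output documented above.
# Alert "4" is copied from the page; alert "2114050" is invented so that its id
# matches the alert_id of the sample mitigation below.
FETCH_ALERT_OUTPUT = {
    "result": [
        {
            "id": "4", "type": "DoS Host Alert", "importance": "low",
            "classification": "Possible Attack", "direction": "Incoming",
            "start": "2024-06-19T07:15:45", "duration": "89", "ongoing": True,
            "threshold": "100000", "severity_pct": "55", "unit": "pps",
            "misuseTypes": ["UP"],
            "max_impact_bps": "260437584", "max_impact_pps": "54774",
            "impact_bps_points": ["260437590", "240316767"],
            "impact_pps_points": ["54774", "50462"],
            "impact_recorded": ["1718781345", "1718781405"],
        },
        {
            "id": "2114050", "type": "DoS Host Alert", "importance": "high",
            "classification": "Possible Attack", "direction": "Incoming",
            "start": "2024-06-19T04:11:40", "duration": "11379", "ongoing": True,
            "threshold": "100000", "severity_pct": "80", "unit": "pps",
            "misuseTypes": ["UP"],
            "max_impact_bps": "900000000", "max_impact_pps": "150000",
            "impact_bps_points": ["900000000"], "impact_pps_points": ["150000"],
            "impact_recorded": ["1718770300"],
        },
    ],
    "error": None,
    "has_error": False,
}

# Constructed sample shaped like the Fetch Mitigations output above.
FETCH_MITIGATIONS_OUTPUT = {
    "result": [
        {"id": "1301", "type": "tms_mitigation", "name": "DoS Alert 2114050",
         "alert_id": "2114050", "ongoing": True, "is_automitigation": False},
    ],
    "error": None,
    "has_error": False,
}


def _results(output):
    """Both actions report failures in-band via has_error/error. Refuse to
    treat a failed call as 'no alerts', which would silently hide an attack."""
    if output.get("has_error"):
        raise RuntimeError(f"action failed: {output.get('error')}")
    return output["result"]


def parse_alert(raw):
    """Normalise one Fetch Alert record (assumed helper): numeric fields
    arrive as strings, and the impact samples arrive as three parallel
    arrays (epoch seconds, bps, pps) that are zipped into one series."""
    series = [
        (datetime.fromtimestamp(int(ts), tz=timezone.utc), int(bps), int(pps))
        for ts, bps, pps in zip(raw["impact_recorded"],
                                raw["impact_bps_points"],
                                raw["impact_pps_points"])
    ]
    return {
        "id": raw["id"],
        "type": raw["type"],
        "ongoing": bool(raw["ongoing"]),
        "severity_pct": int(raw["severity_pct"]),
        "threshold": int(raw["threshold"]),
        "unit": raw["unit"],
        "max_impact_bps": int(raw["max_impact_bps"]),
        "max_impact_pps": int(raw["max_impact_pps"]),
        "impact_series": series,
    }


def unmitigated_ongoing_alerts(alert_output, mitigation_output, min_severity_pct=50):
    """Return parsed alerts that are ongoing, at or above min_severity_pct,
    and not covered by an ongoing mitigation (joined on alert_id)."""
    mitigated = {m["alert_id"] for m in _results(mitigation_output) if m.get("ongoing")}
    hits = []
    for raw in _results(alert_output):
        alert = parse_alert(raw)
        if (alert["ongoing"]
                and alert["severity_pct"] >= min_severity_pct
                and alert["id"] not in mitigated):
            hits.append(alert)
    return hits


if __name__ == "__main__":
    for a in unmitigated_ongoing_alerts(FETCH_ALERT_OUTPUT, FETCH_MITIGATIONS_OUTPUT):
        peak_t, peak_bps, peak_pps = max(a["impact_series"], key=lambda s: s[1])
        print(f"alert {a['id']} ({a['type']}): {a['severity_pct']}% of "
              f"{a['threshold']} {a['unit']}, peak {peak_bps} bps / {peak_pps} pps "
              f"at {peak_t.isoformat()}, no ongoing mitigation")
```

The epoch values in impact_recorded are UTC: converting the first sample of the page's alert gives 2024-06-19T07:15:45, which matches the alert's start field, so the series can be aligned directly with the start/duration fields without a timezone guess. In a playbook, the filter strings fed to each action would normally select the same time window for both calls so that the join does not miss mitigations that were created for alerts outside the alert query's window.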

Fetch Managed Object

This action allows you to view managed object configuration data.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Filter | Jinja-templated text containing keywords by which you want to filter search results. You can enter the same search strings that you can enter in the Search box on the alerts pages in the Sightline UI. Example: 'host'. | Optional

Output

JSON containing the following items:

{
  "result": [],
  "error": null,
  "has_error": false
}

Fetch REST API Alert

This action returns the alerts in the deployment.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Filter | Jinja-templated text containing the filter by which you want to filter search results. Example: perPage={{perPage_filter}}&filter=/data/attributes/start_time>{{start_time}} AND /data/attributes/start_time<{{end_time}} AND /data/attributes/importance > {{importance_value}} AND /data/attributes/alert_class={{alert_class}} | Optional

Output

JSON containing the following items:

{
  "result": "<rest_api_obj>",
  "error": null,
  "has_error": false
}

Get REST API Alert's Annotations

This action returns the annotations for the specified alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Alert Id | Jinja-templated text containing the alert ID. | Required

Output

JSON containing the following items:

{
  "result": "<rest_api_alert>",
  "error": null,
  "has_error": false
}

Get REST API Alert's Source IP

This action returns the source IP addresses for the specified alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Alert Id | Jinja-templated text containing the alert ID. | Required

Output

JSON containing the following items:

{
  "result": "<rest_api_alert_source>",
  "error": null,
  "has_error": false
}

Get REST API Device

This action returns the specified device.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Device Id | Jinja-templated text containing the device ID. | Required

Output

JSON containing the following items:

{
  "result": "<rest_api_device>",
  "error": null,
  "has_error": false
}

Get REST API Managed Object

This action returns the specified managed object.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Managed Object Id | Jinja-templated text containing the managed object ID. | Required

Output

JSON containing the following items:

{
  "result": "<rest_api_managed_obj>",
  "error": null,
  "has_error": false
}

Release Notes

  • v1.1.1 - Added support for REST APIs, namely: Fetch REST API Alert, Get REST API Alert's Annotations, Get REST API Alert's Source IP, Get REST API Device and Get REST API Managed Object.
  • v1.0.0 - Initial release.

© Devo Technology Inc. All Rights Reserved.