Arbor Sightline
Version: 1.1.1
Arbor Sightline provides robust capabilities from network-wide capacity planning, to identifying and managing the mitigation of threats to the network.
Connect Arbor Sightline with LogicHub
- Navigate to Automations > Integrations.
- Search for Arbor Sightline.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- API Key: API key for Arbor Sightline. It should have all the necessary permissions.
- Tenant: Tenant name. Example 'mariner' without quotes.
- Arbor Sightline API: Select the Arbor Sightline API that you are accessing to ensure that the correct configurations are validated. Default is Web Services
- After you've entered all the details, click Connect.
Actions for Arbor Sightline
Fetch Alert
This action allows you to search for and retrieve XML alert information.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| limit | The maximum number of alerts to return that match the filter. | Optional |
| Filter | Jinja-templated text containing keywords by which you want to filter search results. You can enter the same search strings that you can enter in the search box on the alerts pages in the sightline UI. Example: 'host'. | Optional |
Output
JSON containing the following items:
{
"result": [
{
"id": "4",
"type": "DoS Host Alert",
"is_fast_detected": false,
"importance": "low",
"classification": "Possible Attack",
"device_gid": "13",
"device_name": "T-001",
"direction": "Incoming",
"start": "2024-06-19T07:15:45",
"duration": "89",
"ongoing": true,
"resource": {
"cidr": "123.8",
"ipVersion": "4",
"managedObjects": [
{
"name": "SOR",
"id": "56",
"importance": "low"
}
]
},
"threshold": "100000",
"severity_pct": "55",
"unit": "pps",
"misuseTypes": [
"UP"
],
"annotations": [
{
"added": "2024-06-19T07:15:45",
"author": "auto-annotation",
"content": "The \"UP\" misuse type was detected by host detection at router \"S03\". (expected rate: 600.00 Mbps/50.00 Kpps, observed rate: 260.44 Mbps/54.77 Kpps)"
}
],
"max_impact_bps": "260437584",
"max_impact_pps": "54774",
"max_impact_boundary": "S03",
"impact_bps_points": [
"260437590",
"240316767"
],
"impact_pps_points": [
"54774",
"50462"
],
"impact_recorded": [
"1718781345",
"1718781405"
]
}
],
"error": null,
"has_error": false
}
Fetch Mitigations
This action allows you to search for and retrieve XML mitigations information.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| limit | The maximum number of alerts to return that match the filter. | Optional |
| Filter | Jinja-templated text containing keywords by which you want to filter search results. You can enter the same search strings that you can enter in the search box on the mitigations pages in the sightline UI. Example: 'auto-mitigation'. | Optional |
Output
JSON containing the following items:
{
"result": [
{
"id": "1301",
"type": "tms_mitigation",
"name": "DoS Alert 2114050",
"user": "gu",
"ip_version": "4",
"alert_id": "2114050",
"prefix": "20/32",
"is_automitigation": false,
"is_learning": false,
"learning_cancelled": false,
"managed_object_id": "904",
"managed_object_name": "IPv4-P",
"ongoing": true,
"duration": "11379",
"start": "2024-06-19T04:11:40",
"annotations": [
{
"added": "2024-06-19T05:14:00",
"author": "gu",
"content": "authentication countermeasure disabled."
}
]
}
],
"error": null,
"has_error": false
}
Fetch Managed Object
This action allows you to view managed object configuration data.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Filter | Jinja-templated text containing keywords by which you want to filter search results. You can enter the same search strings that you can enter in the Search box on the alerts pages in the sightline UI. Example: 'host'. | Optional |
Output
JSON containing the following items:
{
"result": [],
"error": null,
"has_error": false
}
Fetch REST API Alert
This action returns the alerts in the deployment.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Filter | Jinja-templated text containing filter by which you want to filter search results. Example perPage={{perPage_filter}}&filter=/data/attributes/start_time>{{start_time}} AND /data/attributes/start_time<{{end_time}} AND /data/attributes/importance > {{importance_value}} AND /data/attributes/alert_class={{alert_class}}. | Optional |
Output
JSON containing the following items:
{
"result": {"rest_api_obj"},
"error": null,
"has_error":false,
}
Get REST API Alert's Annotations
This action returns the annotations for the specified alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert Id | Jinja-templated text containing alert ID. | Required |
Output
JSON containing the following items:
{
"result": {"rest_api_alert"},
"error": null,
"has_error":false,
}
Get REST API Alert's Source IP
This action returns the source IP addresses for the specified alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert Id | Jinja-templated text containing alert ID. | Required |
Output
JSON containing the following items:
{
"result": {"rest_api_alert_source"},
"error": null,
"has_error":false,
}
Get REST API Device
This action returns the specified device.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Device Id | Jinja-templated text containing device ID. | Required |
Output
JSON containing the following items:
{
"result": {"rest_api_device"},
"error": null,
"has_error":false,
}
Get REST API Managed Object
This action returns the specified managed object.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Managed Object Id | Jinja-templated text containing managed object ID. | Required |
Output
JSON containing the following items:
{
"result": {"rest_api_managed_obj"},
"error": null,
"has_error":false,
}
Release Notes
v1.1.1- Added support for REST APIs namely :Fetch REST API Alert,Get REST API Alert's Annotations,Get REST API Alert's Source IP,Get REST API DeviceandGet REST API Managed Objectv1.0.0- Initial release.
Updated about 1 month ago