AlienVault USM Anywhere

Integration version: 29.0

Network access to AT&T Cybersecurity USM Anywhere

API access from Google Security Operations SOAR to AT&T Cybersecurity USM Anywhere: Allow traffic over port 443 (HTTPS).

Configure AlienVault USM Anywhere integration in Google Security Operations SOAR

For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Api Root String N/A Yes Address of the AT&T Cybersecurity USM Anywhere instance.
ClientID String N/A Yes The ID of the user.
Secret Password N/A Yes The password of the user account.
Product Version String V2 Yes Version of the AT&T Cybersecurity USM Anywhere product.
Use SSL Checkbox Checked No Select this checkbox to verify the SSL/TLS certificate of the AT&T Cybersecurity USM Anywhere server when connecting.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Get Alarm Details

Description

Retrieves details for an alarm by ID.

Parameters

Parameter name Type Default value Is mandatory Description
Alarm ID String N/A Yes The alarm ID. Can be obtained by running connector.

Run on

This action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
N/A
Case wall
Result type Description Type
Output message*

In case of error: "Failed to get details about AlienVault Anywhere alarm! Error is {}". The action should fail.

Action pass successfully: "Successfully returned AlienVault Anywhere alarm {} details"

When the Product Version parameter is set to V1: the action should fail with a clear message that it is supported only in V2.

General
CSV Table

Columns:

  • ID
  • Priority
  • Occurred Time
  • Received Time
  • Source
  • Source Organization
  • Source Country
  • Destination
  • Rule Attack ID
  • Rule Strategy
  • Rule ID
  • Rule Attack Tactic
  • Rule Attack Technique
  • Rule Intent
General

List Events

Description

Search for AlienVault events.

Parameters

Parameter name Type Default value Is mandatory Description
Alarms Limit String N/A No Maximum number of events to return.
Account Name String N/A No The account name.
Event Name String N/A No The name of the event.
Start Time String N/A No

Filtered results will include events that occurred after this timestamp.

Format: "%d/%m/%Y"

End Time String N/A No

Filtered results will include events that occurred before this timestamp.

Format: "%d/%m/%Y"

Suppressed Checkbox N/A No Whether to filter events by the suppressed flag.
Source Name String N/A No The source name.

Run on

This action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
{
    "rep_device_fqdn": "172.30.202.30",
    "source_name": "172.30.202.30",
    "tag": "update-esp-kernelmodule.sh",
    "timestamp_occurred": "1596541223000",
    "destination_address": "10.7.0.130",
    "rep_dev_canonical": "172.30.202.30",
    "destination_name": "10.7.0.130",
    "received_from": "Centos7-001",
    "timestamp_occurred_iso8601": "2020-08-04T11:40:23.000Z",
    "id": "f52dd545-ff14-5576-3b70-47f10f528f53",
    "needs_enrichment": true,
    "rep_device_asset_id": "256fa9b1-a066-c9eb-561a-c2110035978a",
    "timestamp_received": "1596541223152",
    "source_canonical": "256fa9b1-a066-c9eb-561a-c2110035978a",
    "destination_fqdn": "10.7.0.130",
    "_links": {
        "self": {
            "href": "https://siemplify.alienvault.cloud/api/2.0/events/f52dd545-ff14-5576-3b70-47f10f528f53"
        }
    },
    "has_alarm": false,
    "rep_device_address": "172.30.202.30",
    "event_name": "update-esp-kernelmodule.sh event",
    "used_hint": false,
    "transient": false,
    "packet_type": "log",
    "was_fuzzied": true,
    "suppressed": false,
    "log": "<13>Aug  4 14:40:23 Centos7-001 update-esp-kernelmodule.sh: McAfeeESPFileAccess installed in this system is - 10.7.0.130",
    "source_asset_id": "256fa9b1-a066-c9eb-561a-c2110035978a",
    "timestamp_received_iso8601": "2020-08-04T11:40:23.152Z",
    "destination_canonical": "10.7.0.130",
    "time_offset": "Z"
}
Case wall
Result type Description Type
Output message*

In case of general error: "Action didn't complete due to error: {error}", result value should be set to false and the action should fail.

If the action is completed successfully: "Successfully returned {len(events)} AlienVault Anywhere events"

If the action failed to run: "Failed to list Endgame AlienVault Anywhere events!"

When the Product Version parameter is set to V1: the action should fail with a clear message that it is supported only in V2.

General
CSV Table

Table Title: Events

Table Columns:

  • ID
  • Name
  • Occurred Time
  • Received Time
  • Suppressed
  • Severity
  • Category
  • Sub Category
  • Access Control Outcome
  • Destination
  • Destination Port
  • Source
  • Source Port

Values:

  1. id= uuid
  2. name = event_name
  3. Occurred Time=timestamp_occurred_iso8601
  4. Received Time=timestamp_received_iso8601
  5. Suppressed =suppressed
  6. Severity = event_severity
  7. Category = event_category
  8. Sub Category = event_subcategory
  9. Access Control Outcome = access_control_outcome
  10. Destination = destination_name
  11. Destination Port = destination_port
  12. Source = source_name
  13. Source Port= source_port
General
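As an added example (not code from the integration or from AlienVault), the following Python models the List Events filtering and table building described above. It takes the event from the JSON result (trimmed to the fields the table needs) plus a second, constructed suppressed event, applies the Start Time / End Time ("%d/%m/%Y"), Suppressed and limit parameters, and builds rows from the Values mapping listed above. Assumptions made here: a date with no time part is taken as 00:00 UTC, the Suppressed checkbox keeps only events whose suppressed flag matches it, fields absent from an event render as "N/A", and "uuid" falls back to "id" because the sample JSON carries the latter.

```python
from datetime import datetime, timezone

# Column title -> event field, taken from the Values list above.
COLUMNS = [
    ("ID", "uuid"),
    ("Name", "event_name"),
    ("Occurred Time", "timestamp_occurred_iso8601"),
    ("Received Time", "timestamp_received_iso8601"),
    ("Suppressed", "suppressed"),
    ("Severity", "event_severity"),
    ("Category", "event_category"),
    ("Sub Category", "event_subcategory"),
    ("Access Control Outcome", "access_control_outcome"),
    ("Destination", "destination_name"),
    ("Destination Port", "destination_port"),
    ("Source", "source_name"),
    ("Source Port", "source_port"),
]

# Constructed sample input: the first event is trimmed from the JSON result
# above; the second is invented (suppressed, one day later) to exercise filters.
SAMPLE_EVENTS = [
    {
        "id": "f52dd545-ff14-5576-3b70-47f10f528f53",
        "event_name": "update-esp-kernelmodule.sh event",
        "timestamp_occurred": "1596541223000",
        "timestamp_occurred_iso8601": "2020-08-04T11:40:23.000Z",
        "timestamp_received_iso8601": "2020-08-04T11:40:23.152Z",
        "suppressed": False,
        "destination_name": "10.7.0.130",
        "source_name": "172.30.202.30",
    },
    {
        "id": "00000000-0000-0000-0000-000000000001",
        "event_name": "constructed suppressed event",
        "timestamp_occurred": "1596627623000",
        "timestamp_occurred_iso8601": "2020-08-05T11:40:23.000Z",
        "timestamp_received_iso8601": "2020-08-05T11:40:23.100Z",
        "suppressed": True,
        "event_severity": "high",
        "destination_name": "10.7.0.131",
        "destination_port": 22,
        "source_name": "172.30.202.31",
        "source_port": 51000,
    },
]


def parse_action_date(value):
    """Parse a Start/End Time value ("%d/%m/%Y") to epoch ms at 00:00 UTC (assumption); empty = no bound."""
    if not value:
        return None
    day = datetime.strptime(value, "%d/%m/%Y").replace(tzinfo=timezone.utc)
    return int(day.timestamp()) * 1000


def filter_events(events, start_time=None, end_time=None, suppressed=None, limit=None):
    """Apply the List Events parameters; timestamp_occurred is compared as epoch ms.

    suppressed=None leaves the flag unfiltered; True/False keep only matching events (assumption).
    """
    start_ms = parse_action_date(start_time)
    end_ms = parse_action_date(end_time)
    selected = []
    for event in events:
        occurred_ms = int(event["timestamp_occurred"])
        if start_ms is not None and occurred_ms < start_ms:
            continue
        if end_ms is not None and occurred_ms > end_ms:
            continue
        if suppressed is not None and bool(event.get("suppressed")) != suppressed:
            continue
        selected.append(event)
        if limit is not None and len(selected) >= limit:
            break
    return selected


def to_table_row(event):
    """Build one Events CSV table row; "uuid" falls back to "id", missing fields render as "N/A" (assumption)."""
    row = {}
    for title, field in COLUMNS:
        if field == "uuid":
            value = event.get("uuid", event.get("id"))
        else:
            value = event.get(field)
        row[title] = "N/A" if value is None else value
    return row


if __name__ == "__main__":
    for event in filter_events(SAMPLE_EVENTS, start_time="04/08/2020", end_time="05/08/2020"):
        print(to_table_row(event))
```

One practical consequence of the day-granularity format: an End Time of 04/08/2020 parses to midnight at the start of that day and therefore excludes events that occurred later on 04/08/2020; pass the following day to include them. The page does not state whether the integration treats the bounds inclusively or which timezone it assumes, so check a known event against your own instance before relying on a narrow window.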

Ping

Description

Test connectivity.

Parameters

N/A

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
success True or False success:False

Connectors

AlienVault USM Anywhere Connector

Description

This topic illustrates the mechanism and configuration by which Google Security Operations SOAR connects and integrates with AlienVault Anywhere along with supported working flows and actions taken within the platform.

AT&T Cybersecurity USM Anywhere case forwarding to Google Security Operations SOAR

Google Security Operations SOAR fetches alarms from AT&T Cybersecurity USM Anywhere in near real-time and forwards them as "alerts" for cases.

Configure AlienVault USM Anywhere Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter name Type Default value Is mandatory Description
Environment DDL N/A Yes

Select the required environment. For example, "Customer One".

If the alert's Environment field is empty, the alert is injected into this environment.

Run Every Integer 0:0:0:10 No How often the connector runs.
Product Field Name String device_product Yes The field name used to determine the device product.
Event Field Name String event_name Yes The field name used to determine the event name (sub-type).
Max Days Backwards Integer 1 Yes Used only in the connector's first run cycle to determine the start time: alarms are fetched from this many days before the current time. Example: 3.
Max Alerts Per Cycle Integer 10 Yes

The maximum number of alerts to fetch in each connector's cycle.

Limits the number of alerts in every cycle.

Verify SSL Checkbox Unchecked No Indicates whether to verify the SSL certificates of the AT&T Cybersecurity USM Anywhere server.
Product Version String V2 Yes AlienVault Anywhere version - V1, V2.
Secret Password N/A Yes The password of the according user.
ClientID String N/A Yes ID of the user.
Api Root String N/A Yes Example: https://<instance>.alienvault.com
Script Timeout (Seconds) String 60 Yes The timeout limit (in seconds) for the python process running current script.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.
Proxy Server Address String N/A No The address of the proxy server to use.
Rule Method String N/A No Filter alarms by rule method. The method would provide additional detail on the target of the attack and the particular vulnerability. Example: Firefox - CVE-2008-4064
Rule Strategy String N/A No Filter alarms by the strategy of the rule that triggered the alarm. For example, Client-Side Attack - Known Vulnerability, when the attacker is trying to exploit a known vulnerability in a web browser.
Rule Intent String N/A No Filter alarms by the purpose of the alarm. The intent describes the context of the behavior that is being observed. These are the threat categories: System Compromise, Exploitation & Installation, Delivery & Attack, Reconnaissance & Probing, Environmental Awareness.
Priority String N/A No Filter by alarm priority, comma-separated. Valid value: high/medium/low
Use Suppressed Filter Checkbox Unchecked No This parameter will be used to determine whether to filter the incoming alerts using the Show Suppressed filter or not.
Show Suppressed Checkbox Checked No Whether to include suppressed alarms in the search.
Padding Period Integer 0 No Padding period in hours for the connector execution.

The Google Security Operations SOAR - AlienVault integration connector has two parameters, allowing smart filtering of the alerts being ingested into Google Security Operations SOAR, regarding the "Suppressed" attribute that those alerts have:

  • Use Suppressed Filter: This parameter determines whether to filter the incoming alerts using the "Show Suppressed" filter or not.
  • Show Suppressed: This parameter determines whether to include suppressed alarms in the search or not. It is only consulted when "Use Suppressed Filter" is checked. The two checkboxes give three options:

    1. Bring in all AV alarms, suppressed and not suppressed - uncheck both boxes. This is what the parameter defaults listed above (Use Suppressed Filter unchecked) produce, because Show Suppressed is ignored when the filter is off.
    2. Bring in only the non-suppressed alarms from AV - check the "Use Suppressed Filter" box and uncheck the "Show Suppressed" box.
    3. Bring in only the suppressed alarms from AV and nothing else - check both the "Use Suppressed Filter" and "Show Suppressed" boxes.

For more information on alarm suppression in AlienVault, see Creating Suppression Rules from the Alarms Page.
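As an added example (not part of the integration code), the following Python assembles the alarm filter for one connector cycle from the parameters listed above. It validates the comma-separated Priority value against high/medium/low, maps the two Suppressed checkboxes to the three documented outcomes, and derives the fetch start time from Max Days Backwards on the first cycle or from the previous run minus Padding Period on later cycles. The dictionary keys are this page's parameter names, not USM Anywhere API query parameters, and treating Padding Period as hours subtracted from the last run time is an assumption; the timestamps and parameter values at the bottom are constructed.

```python
from datetime import datetime, timedelta, timezone

VALID_PRIORITIES = {"high", "medium", "low"}

# Constructed timestamps for the example run at the bottom.
EXAMPLE_NOW = datetime(2020, 8, 5, 12, 0, tzinfo=timezone.utc)
EXAMPLE_LAST_RUN = datetime(2020, 8, 5, 11, 0, tzinfo=timezone.utc)


def parse_priorities(value):
    """Parse the comma-separated Priority parameter into a set of high/medium/low.

    Anything else is rejected up front so that a typo does not silently turn
    into an unfiltered fetch.
    """
    if value is None or not value.strip():
        return set()
    priorities = {item.strip().lower() for item in value.split(",") if item.strip()}
    invalid = priorities - VALID_PRIORITIES
    if invalid:
        raise ValueError(
            f"invalid priority value(s) {sorted(invalid)}; valid values: high/medium/low"
        )
    return priorities


def suppressed_mode(use_suppressed_filter, show_suppressed):
    """Map the two checkboxes to the three documented outcomes.

    Show Suppressed is only consulted when Use Suppressed Filter is checked.
    """
    if not use_suppressed_filter:
        return "all"
    return "suppressed_only" if show_suppressed else "non_suppressed_only"


def compute_start_time(now, last_run_time, max_days_backwards, padding_hours):
    """Start of the fetch window.

    First cycle: Max Days Backwards before now. Later cycles: the previous run
    time minus Padding Period (assumption: that is how the padding is applied).
    """
    if last_run_time is None:
        return now - timedelta(days=max_days_backwards)
    return last_run_time - timedelta(hours=padding_hours)


def build_alarm_filter(params, now, last_run_time=None):
    """Assemble the filter for one cycle; keys are the page's parameter names, not API fields."""
    return {
        "start_time": compute_start_time(
            now,
            last_run_time,
            int(params.get("Max Days Backwards", 1)),
            int(params.get("Padding Period", 0)),
        ),
        "priorities": sorted(parse_priorities(params.get("Priority"))),
        "rule_method": params.get("Rule Method") or None,
        "rule_strategy": params.get("Rule Strategy") or None,
        "rule_intent": params.get("Rule Intent") or None,
        "suppressed": suppressed_mode(
            bool(params.get("Use Suppressed Filter", False)),
            bool(params.get("Show Suppressed", True)),
        ),
        "limit": int(params.get("Max Alerts Per Cycle", 10)),
    }


def example_filter():
    """Constructed parameter set: second cycle, 2h padding, high/medium, non-suppressed only."""
    params = {
        "Max Days Backwards": 3,
        "Padding Period": 2,
        "Priority": "high, Medium",
        "Rule Intent": "System Compromise",
        "Use Suppressed Filter": True,
        "Show Suppressed": False,
        "Max Alerts Per Cycle": 10,
    }
    return build_alarm_filter(params, EXAMPLE_NOW, EXAMPLE_LAST_RUN)


if __name__ == "__main__":
    for key, value in example_filter().items():
        print(f"{key}: {value}")
```

Rejecting an unknown priority value instead of ignoring it is deliberate: a connector that silently drops a malformed filter fetches every alarm, and the resulting noise is easy to mistake for a healthy integration.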

Connector rules

Proxy support

The connector supports Proxy.