AlienVault USM Anywhere
Integration version: 25.0
Network access to AT&T Cybersecurity USM Anywhere
API access from Google Security Operations SOAR to AT&T Cybersecurity USM Anywhere: Allow traffic over port 443 (HTTPS).
Configure AlienVault USM Anywhere integration in Google Security Operations SOAR
For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Api Root | String | N/A | Yes | Address of the AT&T Cybersecurity USM Anywhere instance. |
| ClientID | String | N/A | Yes | The ID of the user. |
| Secret | Password | N/A | Yes | The password of the user account. |
| Product Version | String | V2 | Yes | Version of the AT&T Cybersecurity USM Anywhere product. |
| Use SSL | Checkbox | Checked | No | Use this checkbox if your AT&T Cybersecurity USM Anywhere connection requires an SSL verification. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Get Alarm Details
Description
Retrieves details for an alarm by ID.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Alarm ID | String | N/A | Yes | The alarm ID. Can be obtained by running connector. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON result
N/A
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | In case of error: "Failed to get details about AlienVault Anywhere alarm! Error is {}. action should fail." Action pass successfully: "Successfully returned AlienVault Anywhere alarm {} details" When Product version parameter is set to V1: "Action should fail with clear message that is supported in V2." |
General |
| CSV Table | Columns:
|
General |
List Events
Description
Search for AlienVault events.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Alarms Limit | String | N/A | No | Maximum number of alarms to return. |
| Account Name | String | N/A | No | The account name. |
| Event Name | String | N/A | No | The name of the event. |
| Start Time | String | N/A | No | Filtered results will include events that occurred after this timestamp. Format: "%d/%m/%Y" |
| End Time | String | N/A | No | Filtered results will include events that occurred before this timestamp. Format: "%d/%m/%Y" |
| Suppressed | Checkbox | N/A | No | Whether to filter events by the suppressed flag. |
| Source Name | String | N/A | No | The source name. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON result
{
"rep_device_fqdn": "172.30.202.30",
"sorce_name": "172.30.202.30",
"tag": "pdate-esp-kernelmodle.sh",
"timestamp_occred": "1596541223000",
"destination_address": "10.7.0.130",
"rep_dev_canonical": "172.30.202.30",
"destination_name": "10.7.0.130",
"received_from": "Centos7-001",
"timestamp_occred_iso8601": "2020-08-04T11:40:23.000Z",
"id": "f52dd545-ff14-5576-3b70-47f10f528f53",
"needs_enrichment": True,
"rep_device_asset_id": "256fa9b1-a066-c9eb-561a-c2110035978a",
"timestamp_received": "1596541223152",
"sorce_canonical": "256fa9b1-a066-c9eb-561a-c2110035978a",
"destination_fqdn": "10.7.0.130",
"_links": {
"self": {
"href": "https://siemplify.alienvalt.clod/api/2.0/events/f52dd545-ff14-5576-3b70-47f10f528f53"
}
},
"has_alarm": False,
"rep_device_address": "172.30.202.30",
"event_name": "pdate-esp-kernelmodle.sh event",
"sed_hint": False,
"transient": False,
"packet_type": "log",
"was_fzzied": True,
"sppressed": False,
"log": "<13>Ag 4 14:40:23 Centos7-001 pdate-esp-kernelmodle.sh: McAfeeESPFileAccess installed in this system is - 10.7.0.130",
"sorce_asset_id": "256fa9b1-a066-c9eb-561a-c2110035978a",
"timestamp_received_iso8601": "2020-08-04T11:40:23.152Z",
"destination_canonical": "10.7.0.130",
"time_offset": "Z"
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | In case of general error: "Action didn't complete due to error: {error}", result value should be set to false and the action should fail. If the action is completed successfully: "Successfully returned {len(events)} AlienVault Anywhere events" If the action failed to run: "Failed to list Endgame AlienVault Anywhere events!" When Product version parameter is set to V1: "Action should fail with clear message that is supported in V2." |
General |
| CSV Table | Table Title: Events Table Columns:
Values:
|
General |
Ping
Description
Test connectivity.
Parameters
N/A
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| success | True or False | success:False |
Connectors
AlienVault USM Anywhere Connector
Description
This topic illustrates the mechanism and configuration by which Google Security Operations SOAR connects and integrates with AlienVault Anywhere along with supported working flows and actions taken within the platform.
AT&T Cybersecurity USM Anywhere case forwarding to Google Security Operations SOAR
Google Security Operations SOAR fetches alarms from AT&T Cybersecurity USM Anywhere in near real-time and forwards them as "alerts" for cases.
Configure AlienVault USM Anywhere Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Environment | DDL | N/A | Yes | Select the required environment. For example, "Customer One". In case that the alert's Environment field is empty, this alert will be injected to this environment. |
| Run Every | Integer | 0:0:0:10 | No | Select the time to run the connection. |
| Product Field Name | String | device_product | Yes | The field name used to determine the device product. |
| Event Field Name | String | event_name | Yes | The field name used to determine the event name (sub-type). |
| Max Days Backwards | Integer | 1 | Yes | This field is used in the connector's first running cycle and determines the start time. Example: 3. Fetches emails from X days backward each cycle. |
| Max Alerts Per Cycle | Integer | 10 | Yes | The maximum number of alerts to fetch in each connector's cycle. Limits the number of alerts in every cycle. |
| Verify SSL | Checkbox | Unchecked | No | Indicates whether to verify the SSL certificates of the AT&T Cybersecurity USM Anywhere server. |
| Product Version | String | V2 | Yes | AlienVault Anywhere version - V1, V2. |
| Secret | Password | N/A | Yes | The password of the according user. |
| ClientID | String | N/A | Yes | ID of the user. |
| Api Root | String | N/A | Yes | Example: https://<instance>.alienvault.com |
| Script Timeout (Seconds) | String | 60 | Yes | The timeout limit (in seconds) for the python process running current script. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Rule Method | String | N/A | No | Filter alarms by rule method. The method would provide additional detail on the target of the attack and the particular vulnerability. Example: Firefox - CVE-2008-4064 |
| Rule Strategy | String | N/A | No | The strategy of the rule that triggered the alarm. For example, use Client-Side Attack - Known Vulnerability when trying to exploit a known vulnerability in a web browser the attacker. |
| Rule Intent | String | N/A | No | Filter alarms by the purpose of the alarm. The intent describes the context of the behavior that is being observed. These are the threat categories: System Compromise, Exploitation & Installation, Delivery & Attack, Reconnaissance & Probing, Environmental Awareness. |
| Priority | String | N/A | No | Filter by alarm priority, comma-separated. Valid value: high/medium/low |
| Use Suppressed Filter | Checkbox | Unchecked | No | This parameter will be used to determine whether to filter the incoming alerts using the Show Suppressed filter or not. |
| Show Suppressed | Checkbox | Checked | No | Whether to include suppressed alarms in the search. |
| Padding Period | Integer | 0 | No | Padding period in hours for the connector execution. |
The Google Security Operations SOAR - AlienVault integration connector has two parameters, allowing smart filtering of the alerts being ingested into Google Security Operations SOAR, regarding the "Suppressed" attribute that those alerts have:
- Use Suppressed Filter: This parameter determines whether to filter the incoming alerts using the "Show Suppressed" filter or not.
Show Suppressed: This parameter determines whether to include suppressed alarms in the search or not. There are three options in this connector:
- Bring all the AV alerts in, suppressed and not suppressed - uncheck both boxes.
- Bring only the non-suppressed alarms from AV - check the "Use Suppressed Filter" box and uncheck the "Show Suppressed" box.
- Bring only the suppressed alarms from AV but nothing else - Check both the "Use Suppressed Filter" and "Show Suppressed" boxes. It's a default option.
For more information on alarm suppression in AlienVault, see Creating Suppression Rules from the Alarms Page.
Connector rules
Proxy support
The connector supports Proxy.