AlienVault USM Appliance
Integration version: 18.0
Configure AlienVault USM Appliance integration in Google Security Operations SOAR
For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Api Root | String | https://<instance>.alienvault.com | Yes | Address of the AT&T Cybersecurity USM Appliance instance. |
| Username | String | N/A | Yes | The email address of the user which should be used to connect to AT&T Cybersecurity USM Appliance. |
| Password | Password | N/A | Yes | The password of the user account. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Enrich Assets
Description
Retrieve AT&T Cybersecurity USM Appliance asset details. Within USM Appliance, an asset operates on the network of the organization as an integrated piece of equipment, which includes an exclusive IP address. An asset can be a PC, printer, firewall, router, server, or multiple devices that are allowed by the network. An asset is supervised by at least one USM Appliance Sensor.
Parameters
N/A
Run on
This action runs on the following entities:
- IP Address
- Hostname
Action results
Entity enrichment
| Enrichment field name | Logic - When to apply |
|---|---|
| model | Returns if it exists in JSON result |
| descr | Returns if it exists in JSON result |
| hostname | Returns if it exists in JSON result |
| asset_type | Returns if it exists in JSON result |
| fqdn | Returns if it exists in JSON result |
| devices | Returns if it exists in JSON result |
| asset_value | Returns if it exists in JSON result |
| ips | Returns if it exists in JSON result |
| id | Returns if it exists in JSON result |
| sensors | Returns if it exists in JSON result |
| os | Returns if it exists in JSON result |
| networks | Returns if it exists in JSON result |
| icon | Returns if it exists in JSON result |
Script result
| Script result name | Value options | Example |
|---|---|---|
| success | True or False | success:False |
JSON result
[
{
"EntityResult": {
"model": null,
"descr": " ",
"hostname": "Lanthanum",
"asset_type": "Internal",
"fqdn": " ",
"devices": [],
"asset_value": "2",
"ips": {
"3.3.3.3": {
"ip": "1.1.1.1",
"mac": "11:DE:B0:DD:54:54"
}},
"id": "123D37D595B800734550B9D9D6A958C6",
"sensors": {
"C221234962EA11E697DE0AF71A09DF3B": {
"ip": "1.1.1.1",
"ctxs": {
"C228355962EA11E697DE0AF71A09DF3B": "AlienVault"
},
"name": "DA"
}},
"os": "Linux",
"networks": {
"7E4B12EEFD06A21F898345C2AB46EB10": {
"ips": "1.1.1.1/16",
"ctx": "C228355962EA11E697DE0AF71A09DF3B",
"name": "Pvt_000"
}},
"icon": " "
},
"Entity": "domain.com"
}
]
Enrich Vulnerabilities
Description
Recover AT&T Cybersecurity USM Appliance vulnerability information. The USM Appliance Sensor has an integrated vulnerability scanner that can be used in critical assets to catch vulnerabilities. Such uncovered vulnerabilities can then be used in cross-correlation rules and enforcement and audit reporting.
Parameters
N/A
Run on
This action runs on the following entities:
- IP Address
- Hostname
Action results
Entity enrichment
| Enrichment field name | Logic - When to apply |
|---|---|
| AlientVault_Severity | Returns if it exists in JSON result |
| AlientVault_Service | Returns if it exists in JSON result |
| AlientVault_Vulnerability | Returns if it exists in JSON result |
| AlientVault_Scan Time | Returns if it exists in JSON result |
| AlientVault_Asset | Returns if it exists in JSON result |
| AlientVault_Id | Returns if it exists in JSON result |
Script result
| Script result name | Value options | Example |
|---|---|---|
| success | True or False | success:False |
JSON result
[
{
"EntityResult": [{
"Severity": "High",
"Service": "general (0/tcp))",
"Vulnerability": "TCP Sequence Number Approximation Reset Denial of Service Vulnerability",
"Scan Time": "2014-02-26 02:08:59",
"Asset": "Lanthanum (1.1.1.1)",
"Id": "123456"
}, {
"Severity": "High",
"Service": "https (443/tcp)",
"Vulnerability": "robot(s).txt exists on the Web Server",
"Scan Time": "2014-02-26 02:08:59",
"Asset": "Lanthanum (1.1.1.1)",
"Id": "123457"
}, {
"Severity": "Medium",
"Service": "general (0/tcp))",
"Vulnerability": "TCP timestamps",
"Scan Time": "2014-02-26 02:08:59",
"Asset": "Lanthanum (1.1.1.1)",
"Id": "123458"
}],
"Entity": "test"
}
]
Fetch Last PCAP Files
Description
Fetch last PCAP files from AlienVault.
Parameters
| Parameter name | Type | Default value | Description |
|---|---|---|---|
| Number Of Files To Fetch | String | N/A | Example: 10 |
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON result
[
{
"scan_name": "pcap_file_1545041396_10_1.1.1.1.pcap",
"creation_time": "2018-12-17 10:09:56",
"user": null,
"download_link": "https://www.alienvault.com/ossim/pcap/download.php?scan_name=0000000_10_1.1.1.1.pcap&sensor_ip=1.1.1.1",
"sensor_ip": "1.1.1.1",
"duration": "10"
}, {
"scan_name": "pcap_file_1545041397_10_1.1.1.1.pcap",
"creation_time": "2018-12-17 10:09:56",
"user": null,
"download_link": "https://www.alienvault.com/ossim/pcap/download.php?scan_name=0000000_10_1.1.1.1.pcap&sensor_ip=1.1.1.1",
"sensor_ip": "1.1.1.1",
"duration": "10"
}, {
"scan_name": "pcap_file_1545041398_10_1.1.1.1.pcap",
"creation_time": "2018-12-17 10:09:56",
"user": null,
"download_link": "https://www.alienvault.com/ossim/pcap/download.php?scan_name=0000000_10_1.1.1.1.pcap&sensor_ip=1.1.1.1",
"sensor_ip": "1.1.1.1",
"duration": "10"
}
]
Get PCAP Files for Events
Description
Get PCAP files for events in an alert.
Parameters
N/A
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON result
{
"#0-1B09DN3B0D2011E985730AS799BFE5BC": "obLD1AACAAQAAAAAAAAAAAAABdwAAAABV+kUZQAHyFMAAAXqAAAF6gr3GgnfOwobLz7Y6wgARQAF3Dd3QABnBvvXVduqw6wfLg8MmgG7xmc2dMr3EdxQEAD+OgAAABcDAwdVAAAAAAAAAASEw70Ys0kQbz8wdaj1lsHAAA=="
}
Get Vulnerability Reports
Description
Get environment vulnerability report files.
Parameters
| Parameter name | Type | Default value | Description |
|---|---|---|---|
| Number of Files to Fetch | string | N/A | Example: 10 |
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True or False | is_success:False |
JSON result
[
{
"creation_time": "2014-02-26 02:08:59",
"download_link": "https://www.alienvault.com/ossim/vulnmeter/lr_rescsv.php?treport=latest&ipl=1.1.1.1&ctx=C22835597DE0AF71A09DF3B&scantype=M",
"Address": "Helium (1.1.1.1)"
}, {
"creation_time": "2014-02-26 02:08:59",
"download_link":
"https://www.alienvault.com/ossim/vulnmeter/lr_rescsv.php?treport=latest&ipl=1.1.1.1&ctx=C228351E697DE071A09DF3B&scantype=M",
"Address": "Holmium (1.1.1.1)"
}, {
"creation_time": "2014-02-26 02:08:59",
"download_link": "https://www.alienvault.com/ossim/vulnmeter/lr_rescsv.php?treport=latest&ipl=1.1.1.1&ctx=C22835597DE0AF71A09DF3B&scantype=M",
"Address": "Indium (1.1.1.1)"
}
]
Ping
Description
Test Connectivity.
Parameters
N/A
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| success | True or False | success:False |
Connectors
AlienVault USM Appliance Connector
Configure AlienVault USM Appliance Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Environment | DDL | N/A | Yes | Select the required environment. For example, "Customer One". In case that the alert's Environment field is empty, this alert will be injected to this environment. |
| Run Every | Integer | 0:0:0:10 | No | Select the time to run the connection. |
| Product Field Name | String | device_product | Yes | The field name used to determine the device product. |
| Event Field Name | String | event_name | Yes | The field name used to determine the event name (sub-type). |
| Script Timeout (Seconds) | String | 60 | Yes | The timeout limit (in seconds) for the python process running current script. |
| Api Root | String | N/A | Yes | Address of the AT&T Cybersecurity USM Appliance instance. Example: https://<instance>.alienvault.com |
| Username | String | N/A | Yes | Email of the user. |
| Password | Password | N/A | Yes | The password of the according user. |
| Max Events Per Alert | Integer | 10 | Yes | Limits the number of events per alert. |
| Max Days Backwards | Integer | 1 | Yes | This field is used in the connector's first running cycle and determines the start time. Example: 3. Fetches emails from X days backward each cycle. |
| Max Alerts Per Cycle | Integer | 10 | Yes | The maximum number of alerts to fetch in each connector's cycle. Limits the number of alerts in every cycle. |
| Server Timezone | String | UTC | Yes | The timezone configured in the AlienVault instance. Example: UTC, Asia/Jerusalem |
| Environment Field Name | String | N/A | No | The name of the environment's field. Example: AlienVault Sensor |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
Connector rules
Proxy support
The connector supports Proxy.