About the connector
AlienVault Unified Security Management (USM) Anywhere is a cloud-based security management solution that helps you secure all your operations with an effective solution for threat detection, incident response, and compliance management.
This document provides information about the AlienVault USM Anywhere connector, which facilitates automated interactions with the AlienVault USM Anywhere server using FortiSOAR™ playbooks. Add the AlienVault USM Anywhere connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts or events from the AlienVault USM Anywhere server, or adding or deleting alerts or events from the AlienVault USM Anywhere server.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 4.12.0-746
Authored By: Fortinet
Certified: Yes
Installing the connector
All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:
yum install cyops-connector-alienvault-usm-anywhere
For the detailed procedure to install a connector, click here
Prerequisites to configuring the connector
- You must have the server address of the AlienVault USM Anywhere server to which you will connect and perform automated operations and credentials (Client ID and Secret pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the connectors page, select the AlienVault USM Anywhere connector row, and in the Configure tab enter the required configuration details.
| Parameter |
Description |
| Server URL |
Server address of the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
| Client ID |
Client ID to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
| Client Secret |
Client Secret token to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Alarms |
Retrieves a list of all alarms from the AlienVault USM Anywhere server or a list of alarms, based on the input parameters you have specified. |
get_alarms
Investigation |
| Get Alarm Details |
Retrieves details for an alarm from the AlienVault USM Anywhere server, based on the alarm ID(s) you have specified. |
get_alarm_details
Investigation |
| Get Alarm Labels |
Retrieves a list of label IDs for a specific alarm from the AlienVault USM Anywhere server, based on the alarm ID you have specified. |
get_alarm_labels
Investigation |
| Add Alarm Label |
Adds a label to a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. |
add_alarm_label
Investigation |
| Delete Alarm Label |
Deletes a label from a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. |
delete_alarm_label
Investigation |
| Get Events |
Retrieves all events from the AlienVault USM Anywhere server or specific events, based on the input parameters you have specified. |
get_events
Investigation |
| Get Event Details |
Retrieves details for a specific event from the AlienVault USM Anywhere server, based on the event ID (UUID) you have specified. |
get_event_details
Investigation |
operation: Get Alarms
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Page |
Page number (zero-based) from which you want to retrieve results. |
| Size |
Number of results that the operation should include per page. |
| Sort |
Parameter based on which you want the operation to sort results.
For example, Time Created. |
| Sort Order |
Direction based on which you want the operation to sort results.
For example, Ascending or Descending. |
| Status |
Status of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Suppressed |
Select this checkbox, i.e., set it to True, to filter alarms retrieved from the AlienVault USM Anywhere server by the suppressed flag.
By default, this is set as False. |
| Rule Intent |
Intent of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Rule Method |
Method of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Rule Strategy |
Strategy of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Priority Label |
Priority of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| After Time |
Time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred after this specified timestamp.
By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z. |
| Alarm Sensor Sources |
UUID of the sensor based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Before Time |
Time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred before this specified timestamp.
By default, this is set as 24 hours. For example 2018-12-27T04:48:08.702Z. |
Output
The output contains the following populated JSON schema:
{
"page": {
"size": "",
"totalElements": "",
"number": "",
"totalPages": ""
},
"_links": {
"self": {
"href": ""
},
"next": {
"href": ""
},
"last": {
"href": ""
},
"first": {
"href": ""
}
},
"_embedded": {
"alarms": [
{
"alarm_destination_zones": [],
"timestamp_occured": "",
"event_type": "",
"rule_id": "",
"events": [
{
"enriched": "",
"message": {
"source_registered_country": "",
"timestamp_occured": "",
"customheader_10": "",
"customheader_1": "",
"source_instance_id": "",
"needs_enrichment": "",
"rep_device_version": "",
"was_guessed": "",
"destination_hostname": "",
"highlight_fields": [],
"destination_zone": "",
"rep_device_rule_id": "",
"source_country": "",
"plugin": "",
"used_hint": "",
"event_type": "",
"source_region": "",
"event_name": "",
"authentication_mode": "",
"error_message": "",
"suppressed": "",
"destination_canonical": "",
"timestamp_occured_iso8601": "",
"sensor_uuid": "",
"timestamp_received_iso8601": "",
"source_username": "",
"customfield_10": "",
"source_infrastructure_name": "",
"packet_type": "",
"source_userid": "",
"customfield_1": "",
"was_fuzzied": "",
"plugin_version": "",
"authentication_type": "",
"destination_infrastructure_name": "",
"source_latitude": "",
"account_name": "",
"error_code": "",
"source_asset_id": "",
"destination_name": "",
"source_city": "",
"app_name": "",
"has_alarm": "",
"source_name": "",
"destination_infrastructure_type": "",
"plugin_device": "",
"plugin_device_type": "",
"source_service_name": "",
"received_from": "",
"access_key_id": "",
"source_canonical": "",
"account_id": "",
"source_address": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"source_infrastructure_type": "",
"request_user_agent": "",
"log": "",
"destination_userid": "",
"transient": "",
"source_organisation": "",
"source_longitude": "",
"app_type": "",
"app_id": ""
},
"timeStamp": "",
"_links": {
"self": {
"href": "",
"templated": ""
}
}
}
],
"needs_enrichment": "",
"rule_name": "",
"priority": "",
"highlight_fields": [],
"alarm_source_asset_ids": [],
"timestamp_received_iso8601": "",
"alarm_source_cities": [],
"destination_name": "",
"status": "",
"rule_intent": "",
"suppressed": "",
"source_asset_id": "",
"timestamp_occured_iso8601": "",
"alarm_destinations": [],
"sensor_uuid": "",
"alarm_source_countries": [],
"transient": "",
"packet_type": "",
"source_organisation": "",
"account_name": "",
"alarm_events_count": "",
"alarm_source_longitudes": [],
"alarm_destination_names": [],
"account_id": "",
"has_alarm": "",
"source_name": "",
"alarm_source_names": [],
"_links": {
"self": {
"href": ""
}
},
"alarm_sources": [],
"rule_strategy": "",
"access_key_id": "",
"alarm_source_latitudes": [],
"source_canonical": "",
"packet_data": [],
"app_name": "",
"alarm_sensor_sources": [],
"priority_label": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"alarm_source_organisations": [],
"rule_method": "",
"app_type": "",
"app_id": ""
}
]
}
}
operation: Get Alarm Details
Input parameters
| Parameter |
Description |
| Alarm IDs |
IDs of the alarm whose details you want to retrieve from the AlienVault USM Anywhere server.
You can specify multiple IDs using both a comma-seperator or in the list format.
For example, 1708bd82-30f3-1a24-d395-4cf5ca213a97, 1708bd82-30f3-1a24-d395-4cf5ca213a98
or
['1708bd82-30f3-1a24-d395-4cf5ca213a97', '1708bd82-30f3-1a24-d395-4cf5ca213a98'] |
Output
The output contains the following populated JSON schema:
{
"security_group_id": "",
"rule_id": "",
"status": "",
"source_name": "",
"event_name": "",
"timestamp_received_iso8601": "",
"rule_strategy": "",
"authentication_type": "",
"rule_method": "",
"priority_label": "",
"destination_name": "",
"uuid": "",
"suppressed": "",
"sensor_uuid": "",
"timestamp_received": "",
"has_alarm": "",
"timestamp_occured": "",
"app_type": "",
"request_user_agent": "",
"source_username": "",
"events": [
{
"uuid": ""
}
],
"event_type": "",
"rule_intent": "",
"priority": "",
"needs_enrichment": "",
"app_id": "",
"timestamp_occured_iso8601": "",
"transient": "",
"packet_type": "",
"_links": {
"self": {
"templated": "",
"href": ""
}
}
}
operation: Get Alarm Labels
Input parameters
| Parameter |
Description |
| Alarm ID |
ID of the alarm whose list of alarm labels you want to retrieve from the AlienVault USM Anywhere server. |
Output
The output contains the following populated JSON schema:
[{
"data": {
"alarm_labels": [],
"_links": {
"self": {
"href": ""
}
}
},
"operation": "",
"status": "",
"message": ""
}]
operation: Add Alarm Label
Input parameters
| Parameter |
Description |
| Alarm ID |
ID of the alarm to which you want to add the specified label on the AlienVault USM Anywhere server. |
| Label ID |
ID of the label that you want to add to the specified alarm on the AlienVault USM Anywhere server. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
operation: Delete Alarm Label
Input parameters
| Parameter |
Description |
| Alarm ID |
ID of the alarm whose label you want to delete from the AlienVault USM Anywhere server. |
| Label ID |
ID of the label that you want to delete from the specified alarm on the AlienVault USM Anywhere server. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
operation: Get Events
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Account Name |
Account name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Page |
Page number (zero-based) from which you want to retrieve results. |
| Size |
Number of results that the operation should include per page. |
| Sort |
Parameter based on which you want the operation to sort results.
For example, Time Created. |
| Sort Order |
Direction based on which you want the operation to sort results. |
| Suppressed |
Select this checkbox, i.e., set it to True, to filter events retrieved from the AlienVault USM Anywhere server by the suppressed flag.
By default, this is set as False. |
| Plugin |
Name of the plugin based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Event Name |
Name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Source Name |
Name of the source based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Sensor UUID |
UUID of the sensor based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Source Username |
Username of the person who triggered the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| After Time |
Time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred after this specified timestamp.
By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z. |
| Before Time |
Time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred before this specified timestamp.
By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z. |
Output
The output contains the following populated JSON schema:
{
"page": {
"size": "",
"totalElements": "",
"number": "",
"totalPages": ""
},
"_links": {
"self": {
"href": ""
},
"next": {
"href": ""
},
"last": {
"href": ""
},
"first": {
"href": ""
}
},
"_embedded": {
"eventResourceList": [
{
"source_latitude": "",
"source_registered_country": "",
"timestamp_occured": "",
"customfield_10": "",
"customheader_10": "",
"authentication_mode": "",
"needs_enrichment": "",
"rep_device_version": "",
"rep_device_rule_id": "",
"destination_hostname": "",
"highlight_fields": [],
"source_instance_id": "",
"was_guessed": "",
"source_country": "",
"plugin": "",
"used_hint": "",
"event_type": "",
"source_region": "",
"event_name": "",
"customheader_1": "",
"suppressed": "",
"destination_canonical": "",
"timestamp_occured_iso8601": "",
"sensor_uuid": "",
"timestamp_received_iso8601": "",
"source_username": "",
"transient": "",
"source_infrastructure_type": "",
"packet_type": "",
"source_userid": "",
"source_infrastructure_name": "",
"was_fuzzied": "",
"plugin_version": "",
"log": "",
"authentication_type": "",
"destination_infrastructure_name": "",
"event_action": "",
"account_name": "",
"source_asset_id": "",
"destination_name": "",
"source_city": "",
"account_id": "",
"has_alarm": "",
"source_name": "",
"_links": {
"self": {
"href": ""
}
},
"plugin_device": "",
"plugin_device_type": "",
"source_service_name": "",
"received_from": "",
"access_key_id": "",
"source_canonical": "",
"customfield_1": "",
"app_name": "",
"source_address": "",
"destination_infrastructure_type": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"destination_zone": "",
"request_user_agent": "",
"event_description_url": "",
"destination_userid": "",
"source_organisation": "",
"source_longitude": "",
"app_type": "",
"app_id": ""
}
]
}
}
operation: Get Event Details
Input parameters
| Parameter |
Description |
| Event ID |
ID (UUID) of the event whose details you want to retrieve from the AlienVault USM Anywhere server. |
Output
The output contains the following populated JSON schema:
{
"access_control_outcome": "",
"destination_infrastructure_name": "",
"has_alarm": "",
"event_name": "",
"timestamp_received_iso8601": "",
"packet_type": "",
"source_infrastructure_type": "",
"source_service_name": "",
"destination_hostname": "",
"source_canonical": "",
"plugin_version": "",
"uuid": "",
"plugin": "",
"plugin_device": "",
"_links": {
"self": {
"templated": "",
"href": ""
}
},
"needs_enrichment": "",
"app_name": "",
"event_description": "",
"timestamp_received": "",
"destination_canonical": "",
"timestamp_occured": "",
"app_type": "",
"request_user_agent": "",
"event_action": "",
"app_id": "",
"event_type": "",
"plugin_family": "",
"destination_userid": "",
"timestamp_occured_iso8601": "",
"destination_name": "",
"suppressed": "",
"plugin_device_type": "",
"destination_zone": "",
"authentication_type": "",
"source_infrastructure_name": "",
"source_hostname": "",
"source_name": "",
"destination_infrastructure_type": "",
"received_from": "",
"account_name": ""
}
Included playbooks
The Sample - AlienVault USM Anywhere - 1.0.0 playbook collection comes bundled with the AlienVault USM Anywhere connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AlienVault USM Anywhere connector.
- Alarm: Add Alarm Label
- Alarm: Delete Alarm Label
- Alarm: Get Alarm Details
- Alarm: Get Alarm Labels
- Alarm: Get Alarms
- Event: Get Event Details
- Event: Get Events
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
