AlienVault Unified Security Management (USM) Anywhere is a cloud-based security management solution that helps you secure all your operations with an effective solution for threat detection, incident response, and compliance management.
This document provides information about the AlienVault USM Anywhere connector, which facilitates automated interactions with the AlienVault USM Anywhere server using FortiSOAR™ playbooks. Add the AlienVault USM Anywhere connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts or events from the AlienVault USM Anywhere server, or adding or deleting alerts or events from the AlienVault USM Anywhere server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from AlienVault USM Anywhere. For more information, see the Data Ingestion Support section.
Connector Version: 1.1.0
Authored By: Community
Certified: No
The following changes have been made to the AlienVault USM Anywhere Connector in version 1.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-alienvault-usm-anywhere
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the AlienVault USM Anywhere connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Server address of the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
Client ID | Client ID to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
Client Secret | Client Secret token to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Alarms | Retrieves a list of all alarms from the AlienVault USM Anywhere server, or a filtered list of alarms based on the input parameters you have specified. | get_alarms Investigation |
Get Alarm Details | Retrieves details for an alarm from the AlienVault USM Anywhere server, based on the alarm ID(s) you have specified. | get_alarm_details Investigation |
Get Alarm Labels | Retrieves a list of label IDs for a specific alarm from the AlienVault USM Anywhere server, based on the alarm ID you have specified. | get_alarm_labels Investigation |
Add Alarm Label | Adds a label to a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. | add_alarm_label Investigation |
Delete Alarm Label | Deletes a label from a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. | delete_alarm_label Investigation |
Get Events | Retrieves all events from the AlienVault USM Anywhere server or specific events, based on the input parameters you have specified. | get_events Investigation |
Get Event Details | Retrieves details for a specific event from the AlienVault USM Anywhere server, based on the event ID (UUID) you have specified. | get_event_details Investigation |
Operation: Get Alarms
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Page | Page number (zero-based) from which you want to retrieve results. |
Size | Number of results that the operation should include per page. |
Sort | Parameter based on which you want the operation to sort results. For example, Time Created. |
Sort Order | Direction based on which you want the operation to sort results. For example, Ascending or Descending. |
Status | Status of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Suppressed | Select this checkbox, i.e., set it to True, to filter alarms retrieved from the AlienVault USM Anywhere server by the suppressed flag. By default, this is set to False. |
Rule Intent | Intent of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Rule Method | Method of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Rule Strategy | Strategy of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Priority Label | Priority of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Alarm Sensor Sources | UUID of the sensor based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
After Time | Time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred after this specified timestamp. By default, this is set to 24 hours. For example, 2018-12-27T04:48:08.702Z. |
Before Time | Time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred before this specified timestamp. By default, this is set to 24 hours. For example, 2018-12-27T04:48:08.702Z. |
The output contains the following populated JSON schema:
{
"page": {
"size": "",
"totalElements": "",
"number": "",
"totalPages": ""
},
"_links": {
"self": {
"href": ""
},
"next": {
"href": ""
},
"last": {
"href": ""
},
"first": {
"href": ""
}
},
"_embedded": {
"alarms": [
{
"alarm_destination_zones": [],
"timestamp_occured": "",
"event_type": "",
"rule_id": "",
"events": [
{
"enriched": "",
"message": {
"source_registered_country": "",
"timestamp_occured": "",
"customheader_10": "",
"customheader_1": "",
"source_instance_id": "",
"needs_enrichment": "",
"rep_device_version": "",
"was_guessed": "",
"destination_hostname": "",
"highlight_fields": [],
"destination_zone": "",
"rep_device_rule_id": "",
"source_country": "",
"plugin": "",
"used_hint": "",
"event_type": "",
"source_region": "",
"event_name": "",
"authentication_mode": "",
"error_message": "",
"suppressed": "",
"destination_canonical": "",
"timestamp_occured_iso8601": "",
"sensor_uuid": "",
"timestamp_received_iso8601": "",
"source_username": "",
"customfield_10": "",
"source_infrastructure_name": "",
"packet_type": "",
"source_userid": "",
"customfield_1": "",
"was_fuzzied": "",
"plugin_version": "",
"authentication_type": "",
"destination_infrastructure_name": "",
"source_latitude": "",
"account_name": "",
"error_code": "",
"source_asset_id": "",
"destination_name": "",
"source_city": "",
"app_name": "",
"has_alarm": "",
"source_name": "",
"destination_infrastructure_type": "",
"plugin_device": "",
"plugin_device_type": "",
"source_service_name": "",
"received_from": "",
"access_key_id": "",
"source_canonical": "",
"account_id": "",
"source_address": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"source_infrastructure_type": "",
"request_user_agent": "",
"log": "",
"destination_userid": "",
"transient": "",
"source_organisation": "",
"source_longitude": "",
"app_type": "",
"app_id": ""
},
"timeStamp": "",
"_links": {
"self": {
"href": "",
"templated": ""
}
}
}
],
"needs_enrichment": "",
"rule_name": "",
"priority": "",
"highlight_fields": [],
"alarm_source_asset_ids": [],
"timestamp_received_iso8601": "",
"alarm_source_cities": [],
"destination_name": "",
"status": "",
"rule_intent": "",
"suppressed": "",
"source_asset_id": "",
"timestamp_occured_iso8601": "",
"alarm_destinations": [],
"sensor_uuid": "",
"alarm_source_countries": [],
"transient": "",
"packet_type": "",
"source_organisation": "",
"account_name": "",
"alarm_events_count": "",
"alarm_source_longitudes": [],
"alarm_destination_names": [],
"account_id": "",
"has_alarm": "",
"source_name": "",
"alarm_source_names": [],
"_links": {
"self": {
"href": ""
}
},
"alarm_sources": [],
"rule_strategy": "",
"access_key_id": "",
"alarm_source_latitudes": [],
"source_canonical": "",
"packet_data": [],
"app_name": "",
"alarm_sensor_sources": [],
"priority_label": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"alarm_source_organisations": [],
"rule_method": "",
"app_type": "",
"app_id": ""
}
]
}
}
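As an added example (not the connector's own code, and not AlienVault's), the following Python builds the Get Alarms query from the parameters tabulated above and walks the paged HAL-style output shown in the schema, handling an empty page that omits `_embedded` and a `next` link that never terminates. The query parameter names (`timestamp_occured_gte`/`_lte`, `sort=field,dir`) and the reading of the 24-hour default are assumptions; token handling and HTTP transport are out of scope, so constructed responses stand in for the server.

```python
"""Added example, not code from the FortiSOAR connector or from AlienVault.
Builds the Get Alarms query and pages through the HAL-style alarm list.
Assumed server details: timestamp_occured_gte/_lte filters, sort=field,dir,
Spring-style omission of _embedded on an empty page."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse

WINDOW = timedelta(hours=24)   # the "24 hours" default from the parameter table
MAX_PAGES = 1000               # hard stop so a bad 'next' link cannot loop forever
_ORDER = {"asc": "asc", "ascending": "asc", "desc": "desc", "descending": "desc"}
SAMPLE_NOW = datetime(2018, 12, 28, 4, 48, 8, 702000, tzinfo=timezone.utc)


def parse_iso_z(value):
    """Accept an aware datetime or the page's format, e.g. 2018-12-27T04:48:08.702Z."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def to_iso_z(dt):
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def build_alarm_params(now, page=0, size=20, sort=None, sort_order="Descending",
                       status=None, suppressed=False, rule_intent=None,
                       rule_method=None, rule_strategy=None, priority_label=None,
                       alarm_sensor_sources=None, after_time=None, before_time=None):
    """Map the Get Alarms inputs to a query dict. Unset inputs apply no filter;
    the time window defaults to the 24 hours ending at `now` (must be tz-aware)."""
    before = parse_iso_z(before_time) if before_time else now.astimezone(timezone.utc)
    after = parse_iso_z(after_time) if after_time else before - WINDOW
    if after > before:
        raise ValueError("after_time must not be later than before_time")
    params = {"page": int(page), "size": int(size),
              "timestamp_occured_gte": to_iso_z(after),
              "timestamp_occured_lte": to_iso_z(before)}
    if sort:
        params["sort"] = "%s,%s" % (sort, _ORDER[sort_order.lower()])
    if suppressed:                 # checkbox: sent only when selected
        params["suppressed"] = "true"
    for key, val in (("status", status), ("rule_intent", rule_intent),
                     ("rule_method", rule_method), ("rule_strategy", rule_strategy),
                     ("priority_label", priority_label),
                     ("alarm_sensor_sources", alarm_sensor_sources)):
        if val:
            params[key] = val
    return params


def build_alarm_query(now, **kwargs):
    return urlencode(sorted(build_alarm_params(now, **kwargs).items()))


def parse_alarm_page(body):
    """Return (alarms, next_query). An empty page may omit `_embedded` entirely,
    so every level is read defensively instead of indexing straight in."""
    doc = json.loads(body)
    alarms = doc.get("_embedded", {}).get("alarms", [])
    next_href = doc.get("_links", {}).get("next", {}).get("href")
    return alarms, (urlparse(next_href).query if next_href else None)


def fetch_all_alarms(fetch, query):
    """fetch(query_string) -> response body. Follows _links.next until it is
    absent, refusing to revisit a page or to exceed MAX_PAGES."""
    seen, alarms = set(), []
    while query is not None:
        if query in seen or len(seen) >= MAX_PAGES:
            raise RuntimeError("pagination did not terminate at %r" % query)
        seen.add(query)
        page_alarms, query = parse_alarm_page(fetch(query))
        alarms.extend(page_alarms)
    return alarms


# Constructed sample responses keyed by query string; shape follows the schema above.
_BASE = "https://usm.example.invalid/api/2.0/alarms?"
SAMPLE_PAGES = {
    "page=0&size=2": json.dumps({
        "page": {"size": 2, "totalElements": 3, "number": 0, "totalPages": 2},
        "_links": {"self": {"href": _BASE + "page=0&size=2"},
                   "next": {"href": _BASE + "page=1&size=2"}},
        "_embedded": {"alarms": [
            {"uuid": "00000000-0000-4000-8000-000000000001", "status": "open",
             "priority_label": "high"},
            {"uuid": "00000000-0000-4000-8000-000000000002", "status": "open",
             "priority_label": "low"}]}}),
    "page=1&size=2": json.dumps({
        "page": {"size": 2, "totalElements": 3, "number": 1, "totalPages": 2},
        "_links": {"self": {"href": _BASE + "page=1&size=2"}},
        "_embedded": {"alarms": [
            {"uuid": "00000000-0000-4000-8000-000000000003", "status": "closed",
             "priority_label": "medium"}]}}),
    "page=0&size=50": json.dumps({   # no results: server sends no _embedded key
        "page": {"size": 50, "totalElements": 0, "number": 0, "totalPages": 0},
        "_links": {"self": {"href": _BASE + "page=0&size=50"}}}),
}


def demo():
    """Walk the constructed pages and return (count, uuids of open alarms)."""
    alarms = fetch_all_alarms(SAMPLE_PAGES.__getitem__, "page=0&size=2")
    return len(alarms), [a["uuid"] for a in alarms if a.get("status") == "open"]
```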
Operation: Get Alarm Details
Parameter | Description |
---|---|
Alarm IDs | IDs of the alarms whose details you want to retrieve from the AlienVault USM Anywhere server. You can specify multiple IDs either as a comma-separated string or as a list. For example, 1708bd82-30f3-1a24-d395-4cf5ca213a97, 1708bd82-30f3-1a24-d395-4cf5ca213a98 or ['1708bd82-30f3-1a24-d395-4cf5ca213a97', '1708bd82-30f3-1a24-d395-4cf5ca213a98'] |
The output contains the following populated JSON schema:
{
"security_group_id": "",
"rule_id": "",
"status": "",
"source_name": "",
"event_name": "",
"timestamp_received_iso8601": "",
"rule_strategy": "",
"authentication_type": "",
"rule_method": "",
"priority_label": "",
"destination_name": "",
"uuid": "",
"suppressed": "",
"sensor_uuid": "",
"timestamp_received": "",
"has_alarm": "",
"timestamp_occured": "",
"app_type": "",
"request_user_agent": "",
"source_username": "",
"events": [
{
"uuid": ""
}
],
"event_type": "",
"rule_intent": "",
"priority": "",
"needs_enrichment": "",
"app_id": "",
"timestamp_occured_iso8601": "",
"transient": "",
"packet_type": "",
"_links": {
"self": {
"templated": "",
"href": ""
}
}
}
Operation: Get Alarm Labels
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose list of alarm labels you want to retrieve from the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
[{
"data": {
"alarm_labels": [],
"_links": {
"self": {
"href": ""
}
}
},
"operation": "",
"status": "",
"message": ""
}]
Operation: Add Alarm Label
Parameter | Description |
---|---|
Alarm ID | ID of the alarm to which you want to add the specified label on the AlienVault USM Anywhere server. |
Label ID | ID of the label that you want to add to the specified alarm on the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Operation: Delete Alarm Label
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose label you want to delete from the AlienVault USM Anywhere server. |
Label ID | ID of the label that you want to delete from the specified alarm on the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Operation: Get Events
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Account Name | Account name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Page | Page number (zero-based) from which you want to retrieve results. |
Size | Number of results that the operation should include per page. |
Sort | Parameter based on which you want the operation to sort results. For example, Time Created. |
Sort Order | Direction based on which you want the operation to sort results. |
Suppressed | Select this checkbox, i.e., set it to True, to filter events retrieved from the AlienVault USM Anywhere server by the suppressed flag. By default, this is set to False. |
Plugin | Name of the plugin based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Event Name | Name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Source Name | Name of the source based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Sensor UUID | UUID of the sensor based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Source Username | Username of the person who triggered the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
After Time | Time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred after this specified timestamp. By default, this is set to 24 hours. For example, 2018-12-27T04:48:08.702Z. |
Before Time | Time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred before this specified timestamp. By default, this is set to 24 hours. For example, 2018-12-27T04:48:08.702Z. |
The output contains the following populated JSON schema:
{
"page": {
"size": "",
"totalElements": "",
"number": "",
"totalPages": ""
},
"_links": {
"self": {
"href": ""
},
"next": {
"href": ""
},
"last": {
"href": ""
},
"first": {
"href": ""
}
},
"_embedded": {
"eventResourceList": [
{
"source_latitude": "",
"source_registered_country": "",
"timestamp_occured": "",
"customfield_10": "",
"customheader_10": "",
"authentication_mode": "",
"needs_enrichment": "",
"rep_device_version": "",
"rep_device_rule_id": "",
"destination_hostname": "",
"highlight_fields": [],
"source_instance_id": "",
"was_guessed": "",
"source_country": "",
"plugin": "",
"used_hint": "",
"event_type": "",
"source_region": "",
"event_name": "",
"customheader_1": "",
"suppressed": "",
"destination_canonical": "",
"timestamp_occured_iso8601": "",
"sensor_uuid": "",
"timestamp_received_iso8601": "",
"source_username": "",
"transient": "",
"source_infrastructure_type": "",
"packet_type": "",
"source_userid": "",
"source_infrastructure_name": "",
"was_fuzzied": "",
"plugin_version": "",
"log": "",
"authentication_type": "",
"destination_infrastructure_name": "",
"event_action": "",
"account_name": "",
"source_asset_id": "",
"destination_name": "",
"source_city": "",
"account_id": "",
"has_alarm": "",
"source_name": "",
"_links": {
"self": {
"href": ""
}
},
"plugin_device": "",
"plugin_device_type": "",
"source_service_name": "",
"received_from": "",
"access_key_id": "",
"source_canonical": "",
"customfield_1": "",
"app_name": "",
"source_address": "",
"destination_infrastructure_type": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"destination_zone": "",
"request_user_agent": "",
"event_description_url": "",
"destination_userid": "",
"source_organisation": "",
"source_longitude": "",
"app_type": "",
"app_id": ""
}
]
}
}
Operation: Get Event Details
Parameter | Description |
---|---|
Event ID | ID (UUID) of the event whose details you want to retrieve from the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
{
"access_control_outcome": "",
"destination_infrastructure_name": "",
"has_alarm": "",
"event_name": "",
"timestamp_received_iso8601": "",
"packet_type": "",
"source_infrastructure_type": "",
"source_service_name": "",
"destination_hostname": "",
"source_canonical": "",
"plugin_version": "",
"uuid": "",
"plugin": "",
"plugin_device": "",
"_links": {
"self": {
"templated": "",
"href": ""
}
},
"needs_enrichment": "",
"app_name": "",
"event_description": "",
"timestamp_received": "",
"destination_canonical": "",
"timestamp_occured": "",
"app_type": "",
"request_user_agent": "",
"event_action": "",
"app_id": "",
"event_type": "",
"plugin_family": "",
"destination_userid": "",
"timestamp_occured_iso8601": "",
"destination_name": "",
"suppressed": "",
"plugin_device_type": "",
"destination_zone": "",
"authentication_type": "",
"source_infrastructure_name": "",
"source_hostname": "",
"source_name": "",
"destination_infrastructure_type": "",
"received_from": "",
"account_name": ""
}
The Sample - AlienVault USM Anywhere - 1.1.0 playbook collection comes bundled with the AlienVault USM Anywhere connector. These playbooks contain steps that perform every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AlienVault USM Anywhere connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from AlienVault USM Anywhere. Currently, "alarms" in AlienVault USM Anywhere are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming AlienVault USM Anywhere "alarms" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from AlienVault USM Anywhere into FortiSOAR™. It also lets you pull some sample data from AlienVault USM Anywhere using which you can define the mapping of data between AlienVault USM Anywhere and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the AlienVault USM Anywhere alarm.
On the Field Mapping screen, map the fields of an AlienVault USM Anywhere alarm to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the alarmName parameter of an AlienVault USM Anywhere alarm to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the alarmName field to populate its keys.
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to AlienVault USM Anywhere, so that the content gets pulled from the AlienVault USM Anywhere integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the "Configure Schedule Settings" section, specify the Cron expression for the schedule. For example, if you want to pull data from AlienVault USM Anywhere every morning at 5 am, click Daily, enter 5 in the hour box, and enter 0 in the minute box.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
AlienVault Unified Security Management (USM) Anywhere is a cloud-based security management solution that helps you secure all your operations with an effective solution for threat detection, incident response, and compliance management.
This document provides information about the AlienVault USM Anywhere connector, which facilitates automated interactions with the AlienVault USM Anywhere server using FortiSOAR™ playbooks. Add the AlienVault USM Anywhere connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts or events from the AlienVault USM Anywhere server, or adding or deleting alerts or events from the AlienVault USM Anywhere server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from AlienVault USM Anywhere. For more information, see the Data Ingestion Support section.
Connector Version: 1.1.0
Authored By: Community
Certified: No
Following changes have been made to the AlienVault USM Anywhere Connector in version 1.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root
user to install connectors from an SSH session:
yum install cyops-connector-alienvault-usm-anywhere
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the AlienVault USM Anywhere connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Server address of the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
Client ID | Client ID to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
Client Secret | Client Secret token to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Alarms | Retrieves a list of all alarms from the AlienVault USM Anywhere server or a list of alarms, based on the input parameters you have specified. | get_alarms Investigation |
Get Alarm Details | Retrieves details for an alarm from the AlienVault USM Anywhere server, based on the alarm ID(s) you have specified. | get_alarm_details Investigation |
Get Alarm Labels | Retrieves a list of label IDs for a specific alarm from the AlienVault USM Anywhere server, based on the alarm ID you have specified. | get_alarm_labels Investigation |
Add Alarm Label | Adds a label to a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. | add_alarm_label Investigation |
Delete Alarm Label | Deletes a label from a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. | delete_alarm_label Investigation |
Get Events | Retrieves all events from the AlienVault USM Anywhere server or specific events, based on the input parameters you have specified. | get_events Investigation |
Get Event Details | Retrieves details for a specific event from the AlienVault USM Anywhere server, based on the event ID (UUID) you have specified. | get_event_details Investigation |
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Page | Page number (zero-based) from which you want to retrieve results. |
Size | Number of results that the operation should include per page. |
Sort | Parameter based on which you want the operation to sort results. For example, Time Created. |
Sort Order | Direction based on which you want the operation to sort results. For example, Ascending or Descending. |
Status | Status of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Suppressed | Select this checkbox, i.e., set it to True , to filter alarms retrieved from the AlienVault USM Anywhere server by the suppressed flag.By default, this is set as False . |
Rule Intent | Intent of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Rule Method | Method of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Rule Strategy | Strategy of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Priority Label | Priority of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
Alarm Sensor Sources | UUID of the sensor based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
After Time | Time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred after this specified timestamp. By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z . |
Before Time | Time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred before this specified timestamp. By default, this is set as 24 hours. For example 2018-12-27T04:48:08.702Z . |
The output contains the following populated JSON schema:
{
"page": {
"size": "",
"totalElements": "",
"number": "",
"totalPages": ""
},
"_links": {
"self": {
"href": ""
},
"next": {
"href": ""
},
"last": {
"href": ""
},
"first": {
"href": ""
}
},
"_embedded": {
"alarms": [
{
"alarm_destination_zones": [],
"timestamp_occured": "",
"event_type": "",
"rule_id": "",
"events": [
{
"enriched": "",
"message": {
"source_registered_country": "",
"timestamp_occured": "",
"customheader_10": "",
"customheader_1": "",
"source_instance_id": "",
"needs_enrichment": "",
"rep_device_version": "",
"was_guessed": "",
"destination_hostname": "",
"highlight_fields": [],
"destination_zone": "",
"rep_device_rule_id": "",
"source_country": "",
"plugin": "",
"used_hint": "",
"event_type": "",
"source_region": "",
"event_name": "",
"authentication_mode": "",
"error_message": "",
"suppressed": "",
"destination_canonical": "",
"timestamp_occured_iso8601": "",
"sensor_uuid": "",
"timestamp_received_iso8601": "",
"source_username": "",
"customfield_10": "",
"source_infrastructure_name": "",
"packet_type": "",
"source_userid": "",
"customfield_1": "",
"was_fuzzied": "",
"plugin_version": "",
"authentication_type": "",
"destination_infrastructure_name": "",
"source_latitude": "",
"account_name": "",
"error_code": "",
"source_asset_id": "",
"destination_name": "",
"source_city": "",
"app_name": "",
"has_alarm": "",
"source_name": "",
"destination_infrastructure_type": "",
"plugin_device": "",
"plugin_device_type": "",
"source_service_name": "",
"received_from": "",
"access_key_id": "",
"source_canonical": "",
"account_id": "",
"source_address": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"source_infrastructure_type": "",
"request_user_agent": "",
"log": "",
"destination_userid": "",
"transient": "",
"source_organisation": "",
"source_longitude": "",
"app_type": "",
"app_id": ""
},
"timeStamp": "",
"_links": {
"self": {
"href": "",
"templated": ""
}
}
}
],
"needs_enrichment": "",
"rule_name": "",
"priority": "",
"highlight_fields": [],
"alarm_source_asset_ids": [],
"timestamp_received_iso8601": "",
"alarm_source_cities": [],
"destination_name": "",
"status": "",
"rule_intent": "",
"suppressed": "",
"source_asset_id": "",
"timestamp_occured_iso8601": "",
"alarm_destinations": [],
"sensor_uuid": "",
"alarm_source_countries": [],
"transient": "",
"packet_type": "",
"source_organisation": "",
"account_name": "",
"alarm_events_count": "",
"alarm_source_longitudes": [],
"alarm_destination_names": [],
"account_id": "",
"has_alarm": "",
"source_name": "",
"alarm_source_names": [],
"_links": {
"self": {
"href": ""
}
},
"alarm_sources": [],
"rule_strategy": "",
"access_key_id": "",
"alarm_source_latitudes": [],
"source_canonical": "",
"packet_data": [],
"app_name": "",
"alarm_sensor_sources": [],
"priority_label": "",
"uuid": "",
"timestamp_received": "",
"access_control_outcome": "",
"alarm_source_organisations": [],
"rule_method": "",
"app_type": "",
"app_id": ""
}
]
}
}
Parameter | Description |
---|---|
Alarm IDs | IDs of the alarm whose details you want to retrieve from the AlienVault USM Anywhere server. You can specify multiple IDs using both a comma-separator or in the list format. For example, 1708bd82-30f3-1a24-d395-4cf5ca213a97, 1708bd82-30f3-1a24-d395-4cf5ca213a98 or ['1708bd82-30f3-1a24-d395-4cf5ca213a97', '1708bd82-30f3-1a24-d395-4cf5ca213a98'] |
The output contains the following populated JSON schema:
{
"security_group_id": "",
"rule_id": "",
"status": "",
"source_name": "",
"event_name": "",
"timestamp_received_iso8601": "",
"rule_strategy": "",
"authentication_type": "",
"rule_method": "",
"priority_label": "",
"destination_name": "",
"uuid": "",
"suppressed": "",
"sensor_uuid": "",
"timestamp_received": "",
"has_alarm": "",
"timestamp_occured": "",
"app_type": "",
"request_user_agent": "",
"source_username": "",
"events": [
{
"uuid": ""
}
],
"event_type": "",
"rule_intent": "",
"priority": "",
"needs_enrichment": "",
"app_id": "",
"timestamp_occured_iso8601": "",
"transient": "",
"packet_type": "",
"_links": {
"self": {
"templated": "",
"href": ""
}
}
}
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose list of alarm labels you want to retrieve from the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
[{
"data": {
"alarm_labels": [],
"_links": {
"self": {
"href": ""
}
}
},
"operation": "",
"status": "",
"message": ""
}]
Parameter | Description |
---|---|
Alarm ID | ID of the alarm to which you want to add the specified label on the AlienVault USM Anywhere server. |
Label ID | ID of the label that you want to add to the specified alarm on the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Parameter | Description |
---|---|
Alarm ID | ID of the alarm whose label you want to delete from the AlienVault USM Anywhere server. |
Label ID | ID of the label that you want to delete from the specified alarm on the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Account Name | Account name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Page | Page number (zero-based) from which you want to retrieve results. |
Size | Number of results that the operation should include per page. |
Sort | Parameter based on which you want the operation to sort results. For example, Time Created. |
Sort Order | Direction based on which you want the operation to sort results. |
Suppressed | Select this checkbox, i.e., set it to True , to filter events retrieved from the AlienVault USM Anywhere server by the suppressed flag.By default, this is set as False . |
Plugin | Name of the plugin based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Event Name | Name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Source Name | Name of the source based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Sensor UUID | UUID of the sensor based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
Source Username | Username of the person who triggered the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
After Time | Time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred after this specified timestamp. By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z . |
Before Time | Time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred before this specified timestamp. By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z . |
The output contains the following populated JSON schema:
```json
{
  "page": {
    "size": "",
    "totalElements": "",
    "number": "",
    "totalPages": ""
  },
  "_links": {
    "self": { "href": "" },
    "next": { "href": "" },
    "last": { "href": "" },
    "first": { "href": "" }
  },
  "_embedded": {
    "eventResourceList": [
      {
        "source_latitude": "",
        "source_registered_country": "",
        "timestamp_occured": "",
        "customfield_10": "",
        "customheader_10": "",
        "authentication_mode": "",
        "needs_enrichment": "",
        "rep_device_version": "",
        "rep_device_rule_id": "",
        "destination_hostname": "",
        "highlight_fields": [],
        "source_instance_id": "",
        "was_guessed": "",
        "source_country": "",
        "plugin": "",
        "used_hint": "",
        "event_type": "",
        "source_region": "",
        "event_name": "",
        "customheader_1": "",
        "suppressed": "",
        "destination_canonical": "",
        "timestamp_occured_iso8601": "",
        "sensor_uuid": "",
        "timestamp_received_iso8601": "",
        "source_username": "",
        "transient": "",
        "source_infrastructure_type": "",
        "packet_type": "",
        "source_userid": "",
        "source_infrastructure_name": "",
        "was_fuzzied": "",
        "plugin_version": "",
        "log": "",
        "authentication_type": "",
        "destination_infrastructure_name": "",
        "event_action": "",
        "account_name": "",
        "source_asset_id": "",
        "destination_name": "",
        "source_city": "",
        "account_id": "",
        "has_alarm": "",
        "source_name": "",
        "_links": {
          "self": { "href": "" }
        },
        "plugin_device": "",
        "plugin_device_type": "",
        "source_service_name": "",
        "received_from": "",
        "access_key_id": "",
        "source_canonical": "",
        "customfield_1": "",
        "app_name": "",
        "source_address": "",
        "destination_infrastructure_type": "",
        "uuid": "",
        "timestamp_received": "",
        "access_control_outcome": "",
        "destination_zone": "",
        "request_user_agent": "",
        "event_description_url": "",
        "destination_userid": "",
        "source_organisation": "",
        "source_longitude": "",
        "app_type": "",
        "app_id": ""
      }
    ]
  }
}
```
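The following is an added example, not code from the connector or from AlienVault: it maps the Get Events inputs listed in the parameter table above to a query dictionary (dropping empty filters and defaulting the time window to the last 24 hours) and then walks the paginated response schema just shown, following `_links.next.href` until it is absent. The query-parameter names `timestamp_occured_gte`/`timestamp_occured_lte`, the `field,direction` sort syntax and the sample responses are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
# Constructed reference time so the example is deterministic (an assumption).
SAMPLE_NOW = datetime(2018, 12, 28, 4, 48, 8, 702000, tzinfo=timezone.utc)

def iso8601(ts):
    """Format a UTC datetime like the page's example, 2018-12-27T04:48:08.702Z."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"

def build_event_params(page=0, size=50, sort="timestamp_occured", sort_order="desc",
                       suppressed=False, after_time=None, before_time=None,
                       now=None, **filters):
    """Map connector inputs to a query dict. Empty filters are dropped, so no
    inputs means an unfiltered list, as the note above says. The window defaults
    to the last 24 hours. Parameter names below are assumptions, not from the page."""
    now = now or datetime.now(timezone.utc)
    params = {
        "page": page, "size": size, "sort": f"{sort},{sort_order}",
        "suppressed": "true" if suppressed else "false",
        "timestamp_occured_gte": iso8601(after_time or now - timedelta(hours=24)),
        "timestamp_occured_lte": iso8601(before_time or now),
    }
    # account_name, plugin, event_name, source_name, sensor_uuid, source_username
    params.update({k: v for k, v in filters.items() if v})
    return params

def walk_events(pages, start="page0"):
    """Follow the schema: events live in _embedded.eventResourceList and the next
    page in _links.next.href; `pages` maps href -> body and stands in for HTTP."""
    events, href = [], start
    while href:
        body = pages[href]
        events.extend(body.get("_embedded", {}).get("eventResourceList", []))
        href = body.get("_links", {}).get("next", {}).get("href")
    return events

def alarm_event_ids(events):
    """Triage helper: UUIDs of events that raised an alarm (has_alarm is set)."""
    return [e["uuid"] for e in events if e.get("has_alarm")]

# Constructed two-page response shaped like the schema above.
SAMPLE_PAGES = {
    "page0": {"page": {"size": 2, "totalElements": 3, "number": 0, "totalPages": 2},
              "_links": {"self": {"href": "page0"}, "next": {"href": "page1"}},
              "_embedded": {"eventResourceList": [
                  {"uuid": "e1", "has_alarm": True, "event_name": "Failed Login"},
                  {"uuid": "e2", "has_alarm": False, "event_name": "DNS Query"}]}},
    "page1": {"page": {"size": 2, "totalElements": 3, "number": 1, "totalPages": 2},
              "_links": {"self": {"href": "page1"}},
              "_embedded": {"eventResourceList": [
                  {"uuid": "e3", "has_alarm": True, "event_name": "Brute Force"}]}},
}
```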
Parameter | Description |
---|---|
Event ID | ID (UUID) of the event whose details you want to retrieve from the AlienVault USM Anywhere server. |
The output contains the following populated JSON schema:
```json
{
  "access_control_outcome": "",
  "destination_infrastructure_name": "",
  "has_alarm": "",
  "event_name": "",
  "timestamp_received_iso8601": "",
  "packet_type": "",
  "source_infrastructure_type": "",
  "source_service_name": "",
  "destination_hostname": "",
  "source_canonical": "",
  "plugin_version": "",
  "uuid": "",
  "plugin": "",
  "plugin_device": "",
  "_links": {
    "self": {
      "templated": "",
      "href": ""
    }
  },
  "needs_enrichment": "",
  "app_name": "",
  "event_description": "",
  "timestamp_received": "",
  "destination_canonical": "",
  "timestamp_occured": "",
  "app_type": "",
  "request_user_agent": "",
  "event_action": "",
  "app_id": "",
  "event_type": "",
  "plugin_family": "",
  "destination_userid": "",
  "timestamp_occured_iso8601": "",
  "destination_name": "",
  "suppressed": "",
  "plugin_device_type": "",
  "destination_zone": "",
  "authentication_type": "",
  "source_infrastructure_name": "",
  "source_hostname": "",
  "source_name": "",
  "destination_infrastructure_type": "",
  "received_from": "",
  "account_name": ""
}
```
The Sample - AlienVault USM Anywhere - 1.1.0 playbook collection comes bundled with the AlienVault USM Anywhere connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AlienVault USM Anywhere connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from AlienVault USM Anywhere. Currently, "alarms" in AlienVault USM Anywhere are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.
You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming AlienVault USM Anywhere "alarms" to FortiSOAR™ "Alerts".
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from AlienVault USM Anywhere into FortiSOAR™. It also lets you pull some sample data from AlienVault USM Anywhere using which you can define the mapping of data between AlienVault USM Anywhere and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the AlienVault USM Anywhere alarm.
On the Field Mapping screen, map the fields of an AlienVault USM Anywhere alarm to the fields of an alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the alarmName parameter of an AlienVault USM Anywhere alarm to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the alarmName field to populate its keys.
For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to AlienVault USM Anywhere, so that the content gets pulled from the AlienVault USM Anywhere integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the "Configure Schedule Settings" section, specify the Cron expression for the schedule. For example, if you want to pull data from AlienVault USM Anywhere every morning at 5 am, click Daily, enter 5 in the hour box and enter 0 in the minute box.
Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.