About the connector
AlienVault Unified Security Management (USM) Anywhere is a cloud-based security management solution that helps you secure all your operations with an effective solution for threat detection, incident response, and compliance management.
This document provides information about the AlienVault USM Anywhere connector, which facilitates automated interactions with the AlienVault USM Anywhere server using FortiSOAR™ playbooks. Add the AlienVault USM Anywhere connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving alerts or events from the AlienVault USM Anywhere server, or adding or deleting alerts or events from the AlienVault USM Anywhere server.
You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from AlienVault USM Anywhere. For more information, see the Data Ingestion Support section.
Version information
Connector Version: 1.2.0
Authored By: Fortinet
Certified: No
Release Notes for version 1.2.0
Following changes have been made to the AlienVault USM Anywhere Connector in version 1.2.0:
- Fixed an issue with data ingestion playbooks when ingesting alarms via AlienVault USM Anywhere connector with a time filter applied.
Installing the connector
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-alienvault-usm-anywhere
Prerequisites to configuring the connector
- You must have the server address of the AlienVault USM Anywhere server to which you will connect and perform automated operations and credentials (Client ID and Secret pair) to access that server.
- The FortiSOAR™ server should have outbound connectivity to port 443 on the AlienVault USM Anywhere server.
Minimum Permissions Required
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the AlienVault USM Anywhere connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter |
Description |
| Server URL |
Server address of the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
| Client ID |
Client ID to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
| Client Secret |
Client Secret token to access the AlienVault USM Anywhere server to which you will connect and perform automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function |
Description |
Annotation and Category |
| Get Alarms |
Retrieves a list of all alarms from the AlienVault USM Anywhere server or a list of alarms, based on the input parameters you have specified. |
get_alarms
Investigation |
| Get Alarm Details |
Retrieves details for an alarm from the AlienVault USM Anywhere server, based on the alarm ID(s) you have specified. |
get_alarm_details
Investigation |
| Get Alarm Labels |
Retrieves a list of label IDs for a specific alarm from the AlienVault USM Anywhere server, based on the alarm ID you have specified. |
get_alarm_labels
Investigation |
| Add Alarm Label |
Adds a label to a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. |
add_alarm_label
Investigation |
| Delete Alarm Label |
Deletes a label from a specific alarm on the AlienVault USM Anywhere server, based on the alarm ID and label ID you have specified. |
delete_alarm_label
Investigation |
| Get Events |
Retrieves all events from the AlienVault USM Anywhere server or specific events, based on the input parameters you have specified. |
get_events
Investigation |
| Get Event Details |
Retrieves details for a specific event from the AlienVault USM Anywhere server, based on the event ID (UUID) you have specified. |
get_event_details
Investigation |
operation: Get Alarms
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria are applied, and an unfiltered list is returned.
| Parameter |
Description |
| Page |
Specify the page number (zero-based) from which you want to retrieve results. |
| Size |
Specify the number of results that the operation should include per page. |
| Sort |
Specify the parameter based on which you want the operation to sort results.
For example, Time Created. |
| Sort Order |
Specify the direction based on which you want the operation to sort results.
For example, Ascending or Descending. |
| Status |
Specify the status of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Suppressed |
Select this checkbox, i.e., set it to True, to filter alarms retrieved from the AlienVault USM Anywhere server by the suppressed flag.
By default, this is set as False. |
| Rule Intent |
Specify the intent of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Rule Method |
Specify the method of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Rule Strategy |
Specify the strategy of the rule that triggered the alarm, based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Priority Label |
Specify the priority of the alarm based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| Alarm Sensor Sources |
Specify the UUID of the sensor based on which you want to filter alarms retrieved from the AlienVault USM Anywhere server. |
| After Time |
Specify the time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred after this specified timestamp.
By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z. |
| Before Time |
Specify the time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include alarms that occurred before this specified timestamp.
By default, this is set as 24 hours. For example 2018-12-27T04:48:08.702Z. |
Output
The output contains the following populated JSON schema:
{
"page": {
"totalPages": "",
"number": "",
"size": "",
"totalElements": ""
},
"_links": {
"next": {
"href": ""
},
"first": {
"href": ""
},
"self": {
"href": ""
},
"last": {
"href": ""
}
},
"_embedded": {
"alarms": [
{
"destination_name": "",
"timestamp_received": "",
"uuid": "",
"alarm_destinations": [],
"rule_method": "",
"alarm_destination_zones": [],
"app_type": "",
"transient": "",
"source_organisation": "",
"access_control_outcome": "",
"rule_name": "",
"priority": "",
"event_type": "",
"has_alarm": "",
"alarm_source_names": [],
"packet_data": [],
"packet_type": "",
"access_key_id": "",
"events": [
{
"message": {
"app_id": "",
"uuid": "",
"plugin_device": "",
"source_registered_country": "",
"destination_canonical": "",
"customheader_10": "",
"app_type": "",
"destination_hostname": "",
"source_organisation": "",
"suppressed": "",
"access_control_outcome": "",
"source_instance_id": "",
"source_canonical": "",
"source_service_name": "",
"event_type": "",
"has_alarm": "",
"app_name": "",
"error_code": "",
"was_guessed": "",
"destination_infrastructure_name": "",
"source_city": "",
"source_longitude": "",
"access_key_id": "",
"event_name": "",
"timestamp_received": "",
"rep_device_version": "",
"rep_device_rule_id": "",
"sensor_uuid": "",
"source_username": "",
"customheader_1": "",
"error_message": "",
"was_fuzzied": "",
"highlight_fields": [],
"log": "",
"request_user_agent": "",
"timestamp_occured": "",
"customfield_1": "",
"authentication_mode": "",
"customfield_10": "",
"received_from": "",
"source_country": "",
"plugin": "",
"source_name": "",
"destination_infrastructure_type": "",
"source_userid": "",
"account_name": "",
"needs_enrichment": "",
"source_infrastructure_name": "",
"source_latitude": "",
"account_id": "",
"packet_type": "",
"plugin_device_type": "",
"plugin_version": "",
"source_address": "",
"used_hint": "",
"destination_userid": "",
"transient": "",
"source_infrastructure_type": "",
"source_region": "",
"source_asset_id": "",
"destination_zone": "",
"timestamp_occured_iso8601": "",
"destination_name": "",
"timestamp_received_iso8601": "",
"authentication_type": ""
},
"timeStamp": "",
"enriched": "",
"_links": {
"self": {
"templated": "",
"href": ""
}
}
}
],
"app_id": "",
"sensor_uuid": "",
"alarm_source_latitudes": [],
"alarm_destination_names": [],
"app_name": "",
"alarm_source_countries": [],
"highlight_fields": [],
"rule_intent": "",
"timestamp_occured": "",
"alarm_sources": [],
"alarm_source_asset_ids": [],
"source_canonical": "",
"_links": {
"self": {
"href": ""
}
},
"source_name": "",
"alarm_events_count": "",
"alarm_source_longitudes": [],
"account_name": "",
"needs_enrichment": "",
"priority_label": "",
"timestamp_occured_iso8601": "",
"account_id": "",
"alarm_source_cities": [],
"status": "",
"suppressed": "",
"rule_id": "",
"source_asset_id": "",
"alarm_source_organisations": [],
"rule_strategy": "",
"alarm_sensor_sources": [],
"timestamp_received_iso8601": ""
}
]
}
}
operation: Get Alarm Details
Input parameters
| Parameter |
Description |
| Alarm IDs |
Specify the IDs of the alarm whose details you want to retrieve from the AlienVault USM Anywhere server.
You can specify multiple IDs using both a comma-separator or in the list format.
For example, 1708bd82-30f3-1a24-d395-4cf5ca213a97, 1708bd82-30f3-1a24-d395-4cf5ca213a98
or
['1708bd82-30f3-1a24-d395-4cf5ca213a97', '1708bd82-30f3-1a24-d395-4cf5ca213a98'] |
Output
The output contains the following populated JSON schema:
[
{
"_links": {
"self": {
"href": "",
"templated": ""
}
},
"uuid": "",
"has_alarm": "",
"needs_enrichment": "",
"priority": "",
"suppressed": "",
"events": [
{
"uuid": ""
}
],
"rule_intent": "",
"app_type": "",
"source_username": "",
"security_group_id": "",
"destination_name": "",
"timestamp_occured": "",
"authentication_type": "",
"event_type": "",
"rule_method": "",
"priority_label": "",
"app_id": "",
"source_name": "",
"timestamp_received": "",
"rule_strategy": "",
"timestamp_received_iso8601": "",
"request_user_agent": "",
"rule_id": "",
"sensor_uuid": "",
"timestamp_occured_iso8601": "",
"transient": "",
"event_name": "",
"packet_type": "",
"status": ""
}
]
operation: Get Alarm Labels
Input parameters
| Parameter |
Description |
| Alarm ID |
Specify the ID of the alarm whose list of alarm labels you want to retrieve from the AlienVault USM Anywhere server. |
Output
The output contains the following populated JSON schema:
{
"data": {
"_links": {
"self": {
"href": ""
}
},
"alarm_labels": []
},
"status": "",
"operation": "",
"message": ""
}
operation: Add Alarm Label
Input parameters
| Parameter |
Description |
| Alarm ID |
Specify the ID of the alarm to which you want to add the specified label on the AlienVault USM Anywhere server. |
| Label ID |
Specify the ID of the label that you want to add to the specified alarm on the AlienVault USM Anywhere server. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
operation: Delete Alarm Label
Input parameters
| Parameter |
Description |
| Alarm ID |
Specify the ID of the alarm whose label you want to delete from the AlienVault USM Anywhere server. |
| Label ID |
Specify the ID of the label that you want to delete from the specified alarm on the AlienVault USM Anywhere server. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}
operation: Get Events
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Account Name |
Specify the Account name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Page |
Specify the page number (zero-based) from which you want to retrieve results. |
| Size |
Specify the number of results that the operation should include per page. |
| Sort |
Specify the parameter based on which you want the operation to sort results.
For example, Time Created. |
| Sort Order |
Specify the direction based on which you want the operation to sort results. |
| Suppressed |
Select this checkbox, i.e., set it to True, to filter events retrieved from the AlienVault USM Anywhere server by the suppressed flag.
By default, this is set as False. |
| Plugin |
Specify the name of the plugin based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Event Name |
Specify the name of the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Source Name |
Specify the name of the source based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Sensor UUID |
Specify the UUID of the sensor based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| Source Username |
Specify the username of the person who triggered the event based on which you want to filter events retrieved from the AlienVault USM Anywhere server. |
| After Time |
Specify the time after which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred after this specified timestamp.
By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z. |
| Before Time |
Specify the time before which the filtered results will be retrieved from the AlienVault USM Anywhere server, i.e., this operation will include events that occurred before this specified timestamp.
By default, this is set as 24 hours. For example, 2018-12-27T04:48:08.702Z. |
Output
The output contains the following populated JSON schema:
{
"page": {
"totalElements": "",
"totalPages": "",
"number": "",
"size": ""
},
"_links": {
"next": {
"href": ""
},
"self": {
"href": ""
},
"first": {
"href": ""
},
"last": {
"href": ""
}
},
"_embedded": {
"eventResourceList": [
{
"source_name": "",
"authentication_mode": "",
"timestamp_occured": "",
"timestamp_occured_iso8601": "",
"destination_canonical": "",
"access_key_id": "",
"_links": {
"self": {
"href": ""
}
},
"sensor_uuid": "",
"event_type": "",
"timestamp_received_iso8601": "",
"source_infrastructure_name": "",
"transient": "",
"rep_device_rule_id": "",
"needs_enrichment": "",
"log": "",
"access_control_outcome": "",
"customfield_1": "",
"destination_userid": "",
"timestamp_received": "",
"customheader_10": "",
"source_city": "",
"uuid": "",
"was_guessed": "",
"source_username": "",
"rep_device_version": "",
"source_region": "",
"app_type": "",
"app_id": "",
"request_user_agent": "",
"source_address": "",
"was_fuzzied": "",
"plugin_device": "",
"event_description_url": "",
"received_from": "",
"source_canonical": "",
"source_infrastructure_type": "",
"packet_type": "",
"customheader_1": "",
"destination_name": "",
"source_country": "",
"plugin": "",
"event_name": "",
"used_hint": "",
"source_organisation": "",
"plugin_device_type": "",
"event_action": "",
"has_alarm": "",
"account_name": "",
"destination_hostname": "",
"source_longitude": "",
"source_instance_id": "",
"source_service_name": "",
"destination_infrastructure_name": "",
"source_userid": "",
"highlight_fields": [],
"destination_zone": "",
"account_id": "",
"authentication_type": "",
"suppressed": "",
"source_asset_id": "",
"customfield_10": "",
"source_latitude": "",
"destination_infrastructure_type": "",
"plugin_version": "",
"source_registered_country": "",
"app_name": ""
}
]
}
}
operation: Get Event Details
Input parameters
| Parameter |
Description |
| Event ID |
Specify the ID (UUID) of the event whose details you want to retrieve from the AlienVault USM Anywhere server. |
Output
{
"_links": {
"self": {
"href": "",
"templated": ""
}
},
"uuid": "",
"account_name": "",
"plugin_device_type": "",
"destination_canonical": "",
"destination_name": "",
"has_alarm": "",
"request_user_agent": "",
"packet_type": "",
"source_canonical": "",
"event_name": "",
"timestamp_occured": "",
"source_service_name": "",
"event_type": "",
"app_name": "",
"timestamp_received": "",
"destination_hostname": "",
"source_infrastructure_name": "",
"plugin": "",
"timestamp_occured_iso8601": "",
"timestamp_received_iso8601": "",
"app_type": "",
"authentication_type": "",
"access_control_outcome": "",
"suppressed": "",
"plugin_device": "",
"destination_infrastructure_type": "",
"source_infrastructure_type": "",
"destination_zone": "",
"needs_enrichment": "",
"source_hostname": "",
"app_id": "",
"plugin_family": "",
"plugin_version": "",
"destination_userid": "",
"event_action": "",
"destination_infrastructure_name": "",
"source_name": "",
"received_from": "",
"event_description": ""
}
Included playbooks
The Sample - AlienVault USM Anywhere - 1.2.0 playbook collection comes bundled with the AlienVault USM Anywhere connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the AlienVault USM Anywhere connector.
- AlienVaultUSM > Ingest
- > AlienVaultUSM > Fetch
- >>AlienVaultUSM > Init Macros
- Alarm: Add Alarm Label
- Alarm: Delete Alarm Label
- Alarm: Get Alarm Details
- Alarm: Get Alarm Labels
- Alarm: Get Alarms
- Event: Get Event Details
- Event: Get Events
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Data Ingestion Support
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alarms from AlienVault USM Anywhere. Currently, alarms ingested from AlienVault USM Anywhere is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
Configure Data Ingestion
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming AlienVault USM Anywhere alarms to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from AlienVault USM Anywhere into FortiSOAR™. It also lets you pull some sample data from AlienVault USM Anywhere using which you can define the mapping of data between AlienVault USM Anywhere and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the AlienVault USM Anywhere alarm.
-
To begin configuring data ingestion, click Configure Data Ingestion on the AlienVault USM Anywhere connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.
Sample data is required to create a field mapping between AlienVault USM Anywhere data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
-
On the Fetch Data screen, provide the configurations required to fetch alarms from AlienVault USM Anywhere.
Users can pull alarms from AlienVault USM Anywhere by specifying parameters such as the status and priority of the alarms, the UUID of the sensor associated with the alarms, the intent, method, or strategy of the rule that triggered the alarms that you want to pull, or whether or not the suppressed flag is set for the alarm.
Once you have completed specifying the configurations, click Fetch Data.
-
On the Field Mapping screen, map the fields of the ingested alarm in AlienVault USM Anywhere to the fields of an Alert present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. rule_strategy,rule_method parameter of an AlienVault USM Anywhere alarm to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the rule_strategy,rule_method field to populate its keys.
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
-
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to AlienVault USM Anywhere, so that the content gets pulled from the AlienVault USM Anywhere integration into FortiSOAR™
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull data from AlienVault USM Anywhere every morning at 5 AM, click Daily, and in the minute and hour boxes enter 0 and 5 respectively.
Once you have completed scheduling, click Save Settings & Continue.
-
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
