/
AlienVault USM
Document toolboxDocument toolbox

AlienVault USM

Owned by Former user (Deleted)
Nov 29, 2024
5 min read

AlienVault USM is a SaaS security monitoring platform designed to centralize threat detection, incident response and compliance management of cloud, hybrid cloud, and on-premises environments from a cloud-based console.

Connect AlienVault USM with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for AlienVault USM.

  3. Click Details, then the + icon. Enter the required information in the following fields.

    • Label: Enter a connection name.

    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input.

    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

    • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

    • URL: URL to your AlienVault USM instance. Example: https://subdomain.alienvault.cloud.

    • Client ID: Client id for AlienVault USM.

    • Secret Key: Secret key for AlienVault USM.

  4. After you've entered all the details, click Connect.

Actions for AlienVault USM

Search Alarms

Retrieves alarms from AlienVault (optionally filtered on various fields).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Filter: Suppressed

Select True to show only those alarms that have suppressed flag set.

Optional

Filter: Rule Intent

Enter jinja-templated intent of the rule that triggered the alarm. Eg: Environmental Awareness or {{rule_intent_column}}.

Optional

Filter: Rule Method

Enter jinja-templated method of the rule that triggered the alarm. Eg: AWS EC2 Security Group Modified or {{rule_method_column}}.

Optional

Filter: Rule Strategy

Enter jinja-templated strategy of the rule that triggered the alarm. Eg: Network Access Control Modification or {{rule_strategy_column}}.

Optional

Filter: Sensor

Select column that contains uuid of the sensor to filter results for.

Optional

Filter: Start Time

Enter timestamp (in epoch millis) to only include alarms that occurred after this timestamp. Enter flow-start-time to use start-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Filter: End Time

Enter timestamp (in epoch millis) to only include alarms that occurred before this timestamp. Enter flow-end-time to use end-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Maximum Number Of Results To Return

The maximum number of results to return per call (Default is 100,000).

Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False

  • error: message/null

  • other keys containing information of Alarms

Search Alarms V2

Retrieves alarms from AlienVault (optionally filtered on various fields).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Filter: Suppressed

Select True to show only those alarms that have suppressed flag set.

Optional

Filter: Rule Intent

Enter jinja-templated intent of the rule that triggered the alarm. Eg: Environmental Awareness or {{rule_intent_column}}.

Optional

Filter: Rule Method

Enter jinja-templated method of the rule that triggered the alarm. Eg: AWS EC2 Security Group Modified or {{rule_method_column}}.

Optional

Filter: Rule Strategy

Enter jinja-templated strategy of the rule that triggered the alarm. Eg: Network Access Control Modification or {{rule_strategy_column}}.

Optional

Filter: Sensor

Select column that contains uuid of the sensor to filter results for.

Optional

Filter: Start Time

Jinja-templated timestamp (in epoch millis) to only include alarms that occurred after this timestamp. Example {{start_time}} (Default value will be flow start time)

Optional

Filter: End Time

Jinja-templated timestamp (in epoch millis) to only include alarms that occurred before this timestamp. Example {{end_time}} (Default value will be flow end time)

Optional

Maximum Number Of Results To Return

The maximum number of results to return per call (Default is 100,000).

Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False

  • error: message/null

  • other keys containing information of Alarms

Get Alarm

Retrieve details for an alarm

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Alarm ID

Select column that contains a value for an alarm id to fetch details.

Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False

  • error: message/null

  • other keys containing Alarm Details

Get Events by Alarm

Retrieve events associated with an alarm

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Alarm ID

Select column that contains a value for an alarm id to fetch associated events.

Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False

  • error: message/null

  • other keys containing Event Details

Search Events

Retrieves events from AlienVault (optionally filtered on various fields)

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Filter: Account Name

Enter jinja-templated name of the account to filter on.
Example: account or {{account_column}}.

Optional

Filter: Suppressed

Select True to show only those alarms that have suppressed flag set.

Optional

Filter: Plugin

Enter jinja-templated name of the plugin to filter events on.
Example: plugin or {{plugin_column}}.

Optional

Filter: Event Name

Enter jinja-templated name of the event to filter events on.
Example: name or {{name_column}}.

Optional

Filter: Source Name

Enter jinja-templated name of the source to filter events on.
Example: name or {{name_column}}.

Optional

Filter: Source Username

Enter jinja-templated name of the user that triggered the event to filter events on.
Example: user@email.com or {{userid_column}}@email.com.

Optional

Filter: Sensor

Select column that contains uuid of the sensor to filter results for.

Optional

Filter: Start Time

Enter timestamp (in epoch millis) to only include alarms that occurred after this timestamp. Enter flow-start-time to use start-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Filter: End Time

Enter timestamp (in epoch millis) to only include alarms that occurred before this timestamp. Enter flow-end-time to use end-time of the time-range of the flow. Leaving it empty will not apply the filter.

Optional

Page

Enter page number (0 based) of results to return.

Optional

Size

Enter number of results to return on each page.

Optional

Output

A JSON object containing multiple rows of results:

  • has_error: True/False

  • error: message/null

  • other keys containing Event Details

Add Label To Alarm

Add a label to an alarm in AlienVault

To get "Label ID", update the label without made any changes using inspect element/network tab.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Alarm ID

Jinja-templated text containing the id of the alarm. Example: {{alarm_id_column}}.

Required

Label ID

Jinja-templated text containing the id of the label. Example: {{label_id_column}}

Required

Output

A JSON object containing multiple rows of results:

  • has_error: True/False

  • error: message/null

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.3.3 - Updated search alarms action input of start and end time to jinja.

Related content