AlienVault USM Appliance

Integration version: 19.0

Configure AlienVault USM Appliance integration in Google Security Operations SOAR

For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Api Root String https://<instance>.alienvault.com Yes Address of the AT&T Cybersecurity USM Appliance instance.
Username String N/A Yes The email address of the user which should be used to connect to AT&T Cybersecurity USM Appliance.
Password Password N/A Yes The password of the user account.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Enrich Assets

Description

Retrieve AT&T Cybersecurity USM Appliance asset details. Within USM Appliance, an asset operates on the network of the organization as an integrated piece of equipment, which includes an exclusive IP address. An asset can be a PC, printer, firewall, router, server, or multiple devices that are allowed by the network. An asset is supervised by at least one USM Appliance Sensor.

Parameters

N/A

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action results

Entity enrichment
Enrichment field name Logic - When to apply
model Returns if it exists in JSON result
descr Returns if it exists in JSON result
hostname Returns if it exists in JSON result
asset_type Returns if it exists in JSON result
fqdn Returns if it exists in JSON result
devices Returns if it exists in JSON result
asset_value Returns if it exists in JSON result
ips Returns if it exists in JSON result
id Returns if it exists in JSON result
sensors Returns if it exists in JSON result
os Returns if it exists in JSON result
networks Returns if it exists in JSON result
icon Returns if it exists in JSON result
Script result
Script result name Value options Example
success True or False success:False
JSON result
[
    {
        "EntityResult": {
            "model": null,
            "descr": " ",
            "hostname": "Lanthanum",
            "asset_type": "Internal",
            "fqdn": " ",
            "devices": [],
            "asset_value": "2",
            "ips": {
                "3.3.3.3": {
                    "ip": "1.1.1.1",
                    "mac": "11:DE:B0:DD:54:54"
                }},
            "id": "123D37D595B800734550B9D9D6A958C6",
            "sensors": {
                "C221234962EA11E697DE0AF71A09DF3B": {
                    "ip": "1.1.1.1",
                    "ctxs": {
                        "C228355962EA11E697DE0AF71A09DF3B": "AlienVault"
                    },
                    "name": "DA"
                }},
            "os": "Linux",
            "networks": {
                "7E4B12EEFD06A21F898345C2AB46EB10": {
                    "ips": "1.1.1.1/16",
                    "ctx": "C228355962EA11E697DE0AF71A09DF3B",
                    "name": "Pvt_000"
                }},
            "icon": " "
        },
        "Entity": "domain.com"
    }
]

Enrich Vulnerabilities

Description

Recover AT&T Cybersecurity USM Appliance vulnerability information. The USM Appliance Sensor has an integrated vulnerability scanner that can be used in critical assets to catch vulnerabilities. Such uncovered vulnerabilities can then be used in cross-correlation rules and enforcement and audit reporting.

Parameters

N/A

Run on

This action runs on the following entities:

  • IP Address
  • Hostname

Action results

Entity enrichment
Enrichment field name Logic - When to apply
AlientVault_Severity Returns if it exists in JSON result
AlientVault_Service Returns if it exists in JSON result
AlientVault_Vulnerability Returns if it exists in JSON result
AlientVault_Scan Time Returns if it exists in JSON result
AlientVault_Asset Returns if it exists in JSON result
AlientVault_Id Returns if it exists in JSON result
Script result
Script result name Value options Example
success True or False success:False
JSON result
[
    {
        "EntityResult": [{
            "Severity": "High",
            "Service": "general (0/tcp))",
            "Vulnerability": "TCP Sequence Number Approximation Reset Denial of Service Vulnerability",
            "Scan Time": "2014-02-26 02:08:59",
            "Asset": "Lanthanum (1.1.1.1)",
            "Id": "123456"
        }, {
            "Severity": "High",
            "Service": "https (443/tcp)",
            "Vulnerability": "robot(s).txt exists on the Web Server",
            "Scan Time": "2014-02-26 02:08:59",
            "Asset": "Lanthanum (1.1.1.1)",
            "Id": "123457"
        }, {
            "Severity": "Medium",
            "Service": "general (0/tcp))",
            "Vulnerability": "TCP timestamps",
            "Scan Time": "2014-02-26 02:08:59",
            "Asset": "Lanthanum (1.1.1.1)",
            "Id": "123458"
        }],
        "Entity": "test"
    }
]

Fetch Last PCAP Files

Description

Fetch last PCAP files from AlienVault.

Parameters

Parameter name Type Default value Description
Number Of Files To Fetch String N/A Example: 10

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
[
    {
        "scan_name": "pcap_file_1545041396_10_1.1.1.1.pcap",
        "creation_time": "2018-12-17 10:09:56",
        "user": null,
        "download_link": "https://www.alienvault.com/ossim/pcap/download.php?scan_name=0000000_10_1.1.1.1.pcap&sensor_ip=1.1.1.1",
        "sensor_ip": "1.1.1.1",
        "duration": "10"
    }, {
        "scan_name": "pcap_file_1545041397_10_1.1.1.1.pcap",
        "creation_time": "2018-12-17 10:09:56",
        "user": null,
        "download_link": "https://www.alienvault.com/ossim/pcap/download.php?scan_name=0000000_10_1.1.1.1.pcap&sensor_ip=1.1.1.1",
        "sensor_ip": "1.1.1.1",
        "duration": "10"
    }, {
        "scan_name": "pcap_file_1545041398_10_1.1.1.1.pcap",
        "creation_time": "2018-12-17 10:09:56",
        "user": null,
        "download_link": "https://www.alienvault.com/ossim/pcap/download.php?scan_name=0000000_10_1.1.1.1.pcap&sensor_ip=1.1.1.1",
        "sensor_ip": "1.1.1.1",
        "duration": "10"
    }
]

Get PCAP Files for Events

Description

Get PCAP files for events in an alert.

Parameters

N/A

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
{
    "#0-1B09DN3B0D2011E985730AS799BFE5BC": "obLD1AACAAQAAAAAAAAAAAAABdwAAAABV+kUZQAHyFMAAAXqAAAF6gr3GgnfOwobLz7Y6wgARQAF3Dd3QABnBvvXVduqw6wfLg8MmgG7xmc2dMr3EdxQEAD+OgAAABcDAwdVAAAAAAAAAASEw70Ys0kQbz8wdaj1lsHAAA=="
}

Get Vulnerability Reports

Description

Get environment vulnerability report files.

Parameters

Parameter name Type Default value Description
Number of Files to Fetch string N/A Example: 10

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
[
    {
        "creation_time": "2014-02-26 02:08:59",
        "download_link": "https://www.alienvault.com/ossim/vulnmeter/lr_rescsv.php?treport=latest&ipl=1.1.1.1&ctx=C22835597DE0AF71A09DF3B&scantype=M",
        "Address": "Helium (1.1.1.1)"
    }, {
        "creation_time": "2014-02-26 02:08:59",
        "download_link":
        "https://www.alienvault.com/ossim/vulnmeter/lr_rescsv.php?treport=latest&ipl=1.1.1.1&ctx=C228351E697DE071A09DF3B&scantype=M",
        "Address": "Holmium (1.1.1.1)"
    }, {
        "creation_time": "2014-02-26 02:08:59",
        "download_link": "https://www.alienvault.com/ossim/vulnmeter/lr_rescsv.php?treport=latest&ipl=1.1.1.1&ctx=C22835597DE0AF71A09DF3B&scantype=M",
        "Address": "Indium (1.1.1.1)"
    }
]

Ping

Description

Test Connectivity.

Parameters

N/A

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
success True or False success:False

Connectors

AlienVault USM Appliance Connector

Configure AlienVault USM Appliance Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter name Type Default value Is mandatory Description
Environment DDL N/A Yes

Select the required environment. For example, "Customer One".

In case that the alert's Environment field is empty, this alert will be injected to this environment.

Run Every Integer 0:0:0:10 No Select the time to run the connection.
Product Field Name String device_product Yes The field name used to determine the device product.
Event Field Name String event_name Yes The field name used to determine the event name (sub-type).
Script Timeout (Seconds) String 60 Yes The timeout limit (in seconds) for the python process running current script.
Api Root String N/A Yes Address of the AT&T Cybersecurity USM Appliance instance. Example: https://<instance>.alienvault.com
Username String N/A Yes Email of the user.
Password Password N/A Yes The password of the according user.
Max Events Per Alert Integer 10 Yes Limits the number of events per alert.
Max Days Backwards Integer 1 Yes This field is used in the connector's first running cycle and determines the start time. Example: 3. Fetches emails from X days backward each cycle.
Max Alerts Per Cycle Integer 10 Yes

The maximum number of alerts to fetch in each connector's cycle.

Limits the number of alerts in every cycle.

Server Timezone String UTC Yes The timezone configured in the AlienVault instance. Example: UTC, Asia/Jerusalem
Environment Field Name String N/A No The name of the environment's field. Example: AlienVault Sensor
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.
Proxy Server Address String N/A No The address of the proxy server to use.

Connector rules

Proxy support

The connector supports Proxy.