# AlienVault USM Anywhere

The AlienVault USM Anywhere connector integrates AlienVault USM Anywhere with Swimlane Turbine so that security alarms and events can be handled from automated playbooks. AlienVault USM Anywhere is a cloud-based security management platform that provides threat detection and incident response capabilities. Through this connector, Swimlane Turbine users can retrieve detailed alarm and event information for analysis, list and page through alarms and events during incident response, and add or remove labels to categorize alarms.

## Prerequisites

To use the AlienVault USM Anywhere connector with Swimlane Turbine, you need OAuth 2.0 client credentials for authentication:

- **URL**: the endpoint URL of the AlienVault USM Anywhere API
- **Client ID**: the unique identifier issued when you register an API client with AlienVault
- **Client Secret**: the confidential key issued by AlienVault that authenticates your application

The client secret gives whoever holds it read access to every alarm and event in the tenant and write access to alarm labels. Store it in Turbine's credential store rather than in a plain asset field, and issue a dedicated API client for the connector so the secret can be rotated or revoked without affecting other integrations.

## Capabilities

The AlienVault USM Anywhere integration provides the following capabilities:

- Get event(s)
- Get alarm(s)
- Get label IDs
- Add/delete label ID for alarm

### Additional information about capabilities

- Get Alarms can be used for periodic ingest ("x minutes ago") by filtering on `timestamp_occured_gte` and `timestamp_occured_lte`, which are epoch-millisecond values. Overlap consecutive windows slightly and deduplicate on the alarm `uuid` so an alarm that is indexed just after a poll is not missed or ingested twice.
- For the GET/PUT/DELETE label endpoints, the API accepts any string as a label ID; it does not check that the ID refers to an existing label. A mistyped or attacker-supplied label ID is therefore accepted silently rather than rejected, so validate label IDs in the playbook before calling Label Alarm or Delete Alarm Label.

### Notes

- AlienVault's API uses `occured` (misspelled from "occurred") in the field name used by the `sort` parameter of Get Events and Get Alarms (for example `timestamp_occured,asc`) and in the `timestamp_occured_gte` / `timestamp_occured_lte` filters. Use the misspelled form; the correctly spelled name is not recognized.
- API reference: https://cybersecurity.att.com/documentation/api/usm-anywhere-api-ref.htm

## Configurations

### AlienVault OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

#### Configuration Parameters
| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token_url | | string | optional |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

Leave `verify_ssl` enabled. Disabling certificate verification lets anyone on the network path between Turbine and the API present their own certificate and capture the client credentials and bearer token.

## Actions

### Label Alarm

Adds a user-defined label to an alarm in AlienVault USM Anywhere using the alarm ID and label ID.

**Endpoint URL**: `api/2.0/alarms/{{alarmId}}/labels/{{labelId}}`
**Method**: PUT

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.alarmId | string | required | Parameters for the Label Alarm action |
| path_parameters.labelId | string | required | Parameters for the Label Alarm action |

Input example:

```json
{"path_parameters": {"alarmId": "971918fd-a569-548a-5a80-1ffcda2a8365", "labelId": "971918fd-a569-548a-5a80-1ffcda2a8365"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "content-encoding": "gzip",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "x-ms-ags-diagnostic": "",
    "date": "Tue, 27 Dec 2022 21:12:51 GMT"
  },
  "reason": "OK"
}
```

### Delete Alarm Label

Removes a specified label from an alarm in AlienVault USM Anywhere.

**Endpoint URL**: `api/2.0/alarms/{{alarmId}}/labels/{{labelId}}`
**Method**: DELETE

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.alarmId | string | required | Parameters for the Delete Alarm Label action |
| path_parameters.labelId | string | required | Parameters for the Delete Alarm Label action |

Input example:

```json
{"path_parameters": {"alarmId": "971918fd-a569-548a-5a80-1ffcda2a8365", "labelId": "971918fd-a569-548a-5a80-1ffcda2a8365"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "content-encoding": "gzip",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "x-ms-ags-diagnostic": "",
    "date": "Tue, 27 Dec 2022 21:12:51 GMT"
  },
  "reason": "OK"
}
```

### Retrieve Alarm

Retrieves detailed information for a specified alarm in AlienVault USM Anywhere using the provided alarm ID.

**Endpoint URL**: `api/2.0/alarms/{{alarmId}}`
**Method**: GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.alarmId | string | required | Parameters for the Retrieve Alarm action |

Input example:

```json
{"path_parameters": {"alarmId": "971918fd-a569-548a-5a80-1ffcda2a8365"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier of the alarm |
| has_alarm | boolean | Output field has_alarm |
| needs_enrichment | boolean | Output field needs_enrichment |
| priority | number | Output field priority |
| suppressed | boolean | Output field suppressed |
| events | array | Events that contributed to the alarm |
| events.uuid | string | Unique identifier of the event |
| events.rule_intent | string | Output field rule_intent |
| events.app_type | string | Type of the resource |
| events.source_username | string | Name of the resource |
| events.security_group_id | string | Unique identifier |
| events.destination_name | string | Name of the resource |
| events.timestamp_occured | string | Output field timestamp_occured |
| events.authentication_type | string | Type of the resource |
| events.event_type | string | Type of the resource |
| events.rule_method | string | Method of the correlation rule that raised the event (a rule attribute, not an HTTP method) |
| events.priority_label | string | Output field priority_label |
| events.app_id | string | Unique identifier |
| events.source_name | string | Name of the resource |
| events.timestamp_received | string | Output field timestamp_received |
| events.rule_strategy | string | Output field rule_strategy |
| events.request_user_agent | string | Output field request_user_agent |
| events.rule_id | string | Unique identifier of the correlation rule |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "content-encoding": "gzip",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "x-ms-ags-diagnostic": "",
    "date": "Tue, 27 Dec 2022 21:12:51 GMT"
  },
  "reason": "OK",
  "json_body": {"uuid": "971918fd-a569-548a-5a80-1ffcda2a8365", "has_alarm": false, "needs_enrichment": true, "priorit
```

### Retrieve Alarms

Retrieves a list of alarms from AlienVault USM Anywhere, including severity, status, and the names of the rules that raised them.

**Endpoint URL**: `api/2.0/alarms`
**Method**: GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.page | number | optional | Parameters for the Retrieve Alarms action |
| parameters.size | number | optional | Parameters for the Retrieve Alarms action |
| parameters.sort | string | optional | Parameters for the Retrieve Alarms action |
| parameters.status | array | optional | Parameters for the Retrieve Alarms action |
| parameters.suppressed | boolean | optional | Parameters for the Retrieve Alarms action |
| parameters.rule_intent | string | optional | Parameters for the Retrieve Alarms action |
| parameters.rule_method | string | optional | Parameters for the Retrieve Alarms action |
| parameters.rule_strategy | string | optional | Parameters for the Retrieve Alarms action |
| parameters.priority_label | array | optional | Parameters for the Retrieve Alarms action |
| parameters.alarm_sensor_sources | string | optional | Parameters for the Retrieve Alarms action |
| parameters.timestamp_occured_gte | number | optional | Lower bound on occurrence time, epoch milliseconds |
| parameters.timestamp_occured_lte | number | optional | Upper bound on occurrence time, epoch milliseconds |

Input example:

```json
{
  "parameters": {
    "page": 1,
    "size": 50,
    "sort": "timestamp_occured,asc",
    "status": ["open"],
    "suppressed": true,
    "rule_intent": "Environmental Awareness",
    "rule_method": "AWS EC2 Security Group Modified",
    "rule_strategy": "Network Access Control Modification",
    "priority_label": ["medium"],
    "alarm_sensor_sources": "308ba880-2518-44bb-9ada-07b158d11713",
    "timestamp_occured_gte": 1517933139670,
    "timestamp_occured_lte": 1517933149670
  }
}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _links | object | Output field _links |
| _links.first | object | Output field _links.first |
| _links.first.href | string | Output field _links.first.href |
| _links.first.templated | boolean | Output field _links.first.templated |
| _links.self | object | Output field _links.self |
| _links.self.href | string | Output field _links.self.href |
| _links.self.templated | boolean | Output field _links.self.templated |
| _links.next | object | Output field _links.next |
| _links.next.href | string | Output field _links.next.href |
| _links.next.templated | boolean | Output field _links.next.templated |
| _links.last | object | Output field _links.last |
| _links.last.href | string | Output field _links.last.href |
| _links.last.templated | boolean | Output field _links.last.templated |
| _embedded | object | Output field _embedded |
| _embedded.alarms | array | Output field _embedded.alarms |
| _embedded.alarms.uuid | string | Unique identifier |
| _embedded.alarms.has_alarm | boolean | Output field _embedded.alarms.has_alarm |
| _embedded.alarms.needs_enrichment | boolean | Output field _embedded.alarms.needs_enrichment |
| _embedded.alarms.priority | number | Output field _embedded.alarms.priority |
| _embedded.alarms.suppressed | boolean | Output field _embedded.alarms.suppressed |
| _embedded.alarms.destinations | array | Output field _embedded.alarms.destinations |
| _embedded.alarms.destinations.file_name | string | Name of the resource |
| _embedded.alarms.destinations.file | string | Output field _embedded.alarms.destinations.file |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "content-encoding": "gzip",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "x-ms-ags-diagnostic": "",
    "date": "Tue, 27 Dec 2022 21:12:51 GMT"
  },
  "reason": "OK",
  "json_body": {"_links": {"first": {}, "self": {}, "next": {}, "last": {}}, "_embedded": {"alarms": []}, "page": {"size": 20,
```

### Retrieve Event

Retrieves detailed information for a specific event in AlienVault USM Anywhere using the event ID.

**Endpoint URL**: `api/2.0/events/{{eventId}}`
**Method**: GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.eventId | string | required | Parameters for the Retrieve Event action |

Input example:

```json
{"path_parameters": {"eventId": "39a6918f-33f2-ec9b-0fcc-42bb90f10a1f"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier of the event |
| account_name | string | Name of the resource |
| plugin_device_type | string | Type of the resource |
| destination_canonical | string | Output field destination_canonical |
| destination_name | string | Name of the resource |
| has_alarm | boolean | Output field has_alarm |
| request_user_agent | string | Output field request_user_agent |
| packet_type | string | Type of the resource |
| source_canonical | string | Output field source_canonical |
| event_name | string | Name of the resource |
| timestamp_occured | string | Output field timestamp_occured |
| source_service_name | string | Name of the resource |
| event_type | string | Type of the resource |
| app_name | string | Name of the resource |
| timestamp_received | string | Output field timestamp_received |
| destination_hostname | string | Name of the resource |
| source_infrastructure_name | string | Name of the resource |
| plugin | string | Output field plugin |
| app_type | string | Type of the resource |
| authentication_type | string | Type of the resource |
| access_control_outcome | string | Output field access_control_outcome |
| suppressed | string | Output field suppressed |
| plugin_device | string | Output field plugin_device |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "content-encoding": "gzip",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "x-ms-ags-diagnostic": "",
    "date": "Tue, 27 Dec 2022 21:12:51 GMT"
  },
  "reason": "OK",
  "json_body": {"uuid": "39a6918f-33f2-ec9b-0fcc-42bb90f10a1f", "account_name": "generic account", "plugin_device_ty
```

### Retrieve Events

Fetches a list of security events from AlienVault USM Anywhere for analysis or reporting.

**Endpoint URL**: `api/2.0/events`
**Method**: GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.page | number | optional | Parameters for the Retrieve Events action |
| parameters.size | number | optional | Parameters for the Retrieve Events action |
| parameters.sort | string | optional | Parameters for the Retrieve Events action |
| parameters.account_name | string | optional | Parameters for the Retrieve Events action |
| parameters.suppressed | boolean | optional | Parameters for the Retrieve Events action |
| parameters.plugin | string | optional | Parameters for the Retrieve Events action |
| parameters.event_name | string | optional | Parameters for the Retrieve Events action |
| parameters.source_name | string | optional | Parameters for the Retrieve Events action |
| parameters.sensor_uuid | string | optional | Parameters for the Retrieve Events action |
| parameters.source_username | string | optional | Parameters for the Retrieve Events action |
| parameters.timestamp_occured_gte | number | optional | Lower bound on occurrence time, epoch milliseconds |
| parameters.timestamp_occured_lte | number | optional | Upper bound on occurrence time, epoch milliseconds |

Input example:

```json
{
  "parameters": {
    "page": 1,
    "size": 50,
    "sort": "timestamp_occured,asc",
    "account_name": "account",
    "suppressed": true,
    "plugin": "plugin",
    "event_name": "name",
    "source_name": "name",
    "sensor_uuid": "308ba880-2518-44bb-9ada-07b158d11713",
    "source_username": "user@email.com",
    "timestamp_occured_gte": 1517933139670,
    "timestamp_occured_lte": 1517933149670
  }
}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _links | object | Output field _links |
| _links.first | object | Output field _links.first |
| _links.first.href | string | Output field _links.first.href |
| _links.first.templated | boolean | Output field _links.first.templated |
| _links.self | object | Output field _links.self |
| _links.self.href | string | Output field _links.self.href |
| _links.self.templated | boolean | Output field _links.self.templated |
| _links.next | object | Output field _links.next |
| _links.next.href | string | Output field _links.next.href |
| _links.next.templated | boolean | Output field _links.next.templated |
| _links.last | object | Output field _links.last |
| _links.last.href | string | Output field _links.last.href |
| _links.last.templated | boolean | Output field _links.last.templated |
| _embedded | object | Output field _embedded |
| _embedded.events | string | Output field _embedded.events |
| page | object | Output field page |
| page.size | number | Output field page.size |
| page.totalElements | number | Output field page.totalElements |
| page.totalPages | number | Output field page.totalPages |
| page.number | number | Output field page.number |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "content-encoding": "gzip",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "x-ms-ags-diagnostic": "",
    "date": "Tue, 27 Dec 2022 21:12:51 GMT"
  },
  "reason": "OK",
  "json_body": {"_links": {"first": {}, "self": {}, "next": {}, "last": {}}, "_embedded": {"events": "content omitted f
```

### Retrieve Alarm Labels

Retrieves the labels associated with a specific alarm in AlienVault USM Anywhere using the alarm ID.

**Endpoint URL**: `api/2.0/alarms/{{alarmId}}/labels`
**Method**: GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.alarmId | string | required | Parameters for the Retrieve Alarm Labels action |

Input example:

```json
{"path_parameters": {"alarmId": "971918fd-a569-548a-5a80-1ffcda2a8365"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alarm_labels | array | Label IDs currently attached to the alarm |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "transfer-encoding": "chunked",
    "content-type": "application/json",
    "content-encoding": "gzip",
    "vary": "Accept-Encoding",
    "strict-transport-security": "max-age=31536000",
    "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
    "x-ms-ags-diagnostic": "",
    "date": "Tue, 27 Dec 2022 21:12:51 GMT"
  },
  "reason": "OK",
  "json_body": {"alarm_labels": ["971918fd-a569-548a-5a80-1ffcda2a8365"]}
}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| client-request-id | HTTP response header client-request-id | 8beed643-f868-4fd0-9e15-e0db4c50383e |
| content-encoding | HTTP response header content-encoding | gzip |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Tue, 27 Dec 2022 21:12:51 GMT |
| request-id | HTTP response header request-id | 8beed643-f868-4fd0-9e15-e0db4c50383e |
| strict-transport-security | HTTP response header strict-transport-security | max-age=31536000 |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | Accept-Encoding |
| x-ms-ags-diagnostic | HTTP response header x-ms-ags-diagnostic | |

The header examples above are template values shared across connectors rather than captured USM Anywhere responses; `x-ms-ags-diagnostic` and `client-request-id` in particular are Microsoft Graph headers, so playbooks should not depend on them being present.
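The two notes under "Additional information about capabilities" (periodic ingest with Get Alarms, and the unchecked label IDs) are shown together in the following added example. It is not code from the Swimlane connector or from AlienVault: it builds the Retrieve Alarms query for "the last N minutes" in epoch milliseconds, pages through the result using `page.totalPages`, deduplicates across overlapping polling windows on `uuid`, and filters label IDs against a trusted list before any PUT or DELETE. The field names are the ones in the Retrieve Alarms input and output tables; the in-memory `fake_get_alarms` stand-in, its sample alarms, and page numbering starting at 1 (taken from the connector's input example) are assumptions so the code runs offline.

```python
"""Periodic alarm ingest against the USM Anywhere alarms API (added example).

Runs against a constructed in-memory stand-in for GET api/2.0/alarms; replace
`fake_get_alarms` with a function that performs the real request and returns
the parsed json_body. Field names follow the connector's Retrieve Alarms tables;
1-based `page` follows the connector's input example and is an assumption.
"""

SORT = "timestamp_occured,asc"   # the API's own (misspelled) field name
MINUTE_MS = 60_000

# Constructed sample data, not real USM Anywhere output. NOW_MS is the
# timestamp_occured_lte value from the connector's Retrieve Alarms example.
NOW_MS = 1517933149670
SAMPLE_ALARMS = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "timestamp_occured": NOW_MS - 20 * MINUTE_MS, "priority_label": "low"},
    {"uuid": "00000000-0000-4000-8000-000000000002", "timestamp_occured": NOW_MS - 5 * MINUTE_MS, "priority_label": "medium"},
    {"uuid": "00000000-0000-4000-8000-000000000003", "timestamp_occured": NOW_MS - 90_000, "priority_label": "high"},
    {"uuid": "00000000-0000-4000-8000-000000000004", "timestamp_occured": NOW_MS - 10_000, "priority_label": "medium"},
]


def alarm_query(now_ms, minutes, page=1, size=50, overlap_ms=MINUTE_MS, status=("open",)):
    """Build the Retrieve Alarms parameters for 'alarms from the last `minutes` minutes'.

    Both timestamp filters are epoch milliseconds. The window is widened backwards
    by `overlap_ms` so an alarm indexed just after the previous poll is still seen;
    Poller deduplicates the overlap on uuid.
    """
    return {
        "page": page,
        "size": size,
        "sort": SORT,
        "status": list(status),
        "timestamp_occured_gte": now_ms - minutes * MINUTE_MS - overlap_ms,
        "timestamp_occured_lte": now_ms,
    }


def iter_alarms(get_alarms, now_ms, minutes, size=50):
    """Yield every alarm in the window, walking pages until page.totalPages is reached."""
    page = 1
    while True:
        body = get_alarms(alarm_query(now_ms, minutes, page=page, size=size))
        yield from body.get("_embedded", {}).get("alarms", [])
        if page >= body.get("page", {}).get("totalPages", 1):
            return
        page += 1


class Poller:
    """Remembers ingested uuids so overlapping windows do not double-ingest an alarm."""

    def __init__(self, get_alarms, minutes, size=50):
        self.get_alarms, self.minutes, self.size = get_alarms, minutes, size
        self.seen = set()   # in a long-running job, evict uuids older than the window

    def poll(self, now_ms):
        new = []
        for alarm in iter_alarms(self.get_alarms, now_ms, self.minutes, self.size):
            if alarm["uuid"] not in self.seen:
                self.seen.add(alarm["uuid"])
                new.append(alarm)
        return new


def checked_label_ids(requested, known_label_ids):
    """Split requested label IDs into (accepted, rejected) against a trusted list.

    The label endpoints accept any string as labelId without checking it exists,
    so a typo or attacker-controlled value is written as-is instead of rejected.
    For DELETE, pass the alarm's current labels (GET .../labels) as known IDs;
    for PUT, pass your own allow-list of label IDs.
    """
    known = set(known_label_ids)
    accepted = [label for label in requested if label in known]
    rejected = [label for label in requested if label not in known]
    return accepted, rejected


def fake_get_alarms(params):
    """Constructed stand-in for GET api/2.0/alarms: filter, sort and page SAMPLE_ALARMS."""
    lo, hi = params["timestamp_occured_gte"], params["timestamp_occured_lte"]
    window = sorted((a for a in SAMPLE_ALARMS if lo <= a["timestamp_occured"] <= hi),
                    key=lambda a: a["timestamp_occured"])
    size, page = params["size"], params["page"]
    chunk = window[(page - 1) * size: page * size]
    total_pages = max(1, -(-len(window) // size))   # ceiling division
    return {"_links": {}, "_embedded": {"alarms": chunk},
            "page": {"size": size, "totalElements": len(window),
                     "totalPages": total_pages, "number": page - 1}}


if __name__ == "__main__":
    poller = Poller(fake_get_alarms, minutes=10, size=2)
    print([a["uuid"][-1] for a in poller.poll(NOW_MS)])   # three alarms across two pages
    print(poller.poll(NOW_MS + 30_000))                   # nothing new: no double-ingest
    print(checked_label_ids(["lbl-ok", "lbl-typo"], ["lbl-ok"]))
```

Because `checked_label_ids` only ever forwards IDs that appear in a list the playbook already trusts, a mistyped label ID fails closed inside Turbine instead of being silently created on the alarm by the API.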