# AlienVault USM Anywhere

The AlienVault USM Anywhere connector allows for seamless integration with Swimlane Turbine, enabling automated security event and alarm management. AlienVault USM Anywhere is a cloud-based security management solution that provides comprehensive threat detection and incident response capabilities. This connector enables Swimlane Turbine users to streamline their security operations by integrating AlienVault's alarm and event management features. Users can add or remove labels for enhanced alarm categorization, retrieve detailed alarm and event information for analysis, and manage security events for efficient incident response. The integration with AlienVault USM Anywhere enhances Swimlane Turbine's automation capabilities, allowing users to quickly and effectively manage security threats within their environment.

## Prerequisites

To effectively utilize the AlienVault USM Anywhere connector with Swimlane Turbine, ensure you have OAuth 2.0 client credentials for secure authentication, which include:

- URL: the endpoint URL for the AlienVault USM Anywhere API
- Client ID: your unique identifier, issued when registering with AlienVault
- Client Secret: a confidential key provided by AlienVault to authenticate your application

## Capabilities

The AlienVault USM Anywhere integration provides the following capabilities:

- Get Event(s)
- Get Alarm(s)
- Get Label IDs
- Add/Delete Label ID for Alarm

### Additional Information about Capabilities

- Get Alarms can be used for periodic ingest (x minutes ago).
- For Get/Put/Delete Label IDs, the API accepts any string as a label ID; there is no check for validity of the ID.

## Configurations

### AlienVault OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token_url | | string | optional |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Label Alarm

Adds a user-defined label to an alarm in AlienVault USM Anywhere using alarm and label IDs for enhanced categorization.

Endpoint URL: `api/2.0/alarms/{{alarmId}}/labels/{{labelId}}`
Method: `PUT`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| alarmId | string | required | Unique identifier |
| labelId | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "transfer-encoding": "chunked",
      "content-type": "application/json",
      "content-encoding": "gzip",
      "vary": "accept-encoding",
      "strict-transport-security": "max-age=31536000",
      "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "x-ms-ags-diagnostic": "",
      "date": "Tue, 27 Dec 2022 21:12:51 GMT"
    },
    "reason": "OK"
  }
]
```

### Delete Alarm Label

Removes a specified label from an alarm in AlienVault USM Anywhere, enhancing incident management.

Endpoint URL: `api/2.0/alarms/{{alarmId}}/labels/{{labelId}}`
Method: `DELETE`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| alarmId | string | required | Unique identifier |
| labelId | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "transfer-encoding": "chunked",
      "content-type": "application/json",
      "content-encoding": "gzip",
      "vary": "accept-encoding",
      "strict-transport-security": "max-age=31536000",
      "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "x-ms-ags-diagnostic": "",
      "date": "Tue, 27 Dec 2022 21:12:51 GMT"
    },
    "reason": "OK"
  }
]
```

### Retrieve Alarm

Retrieves detailed information for a specified alarm in AlienVault USM Anywhere using the provided alarm ID.

Endpoint URL: `api/2.0/alarms/{{alarmId}}`
Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| alarmId | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| has_alarm | boolean | Output field has_alarm |
| needs_enrichment | boolean | Output field needs_enrichment |
| priority | number | Output field priority |
| suppressed | boolean | Output field suppressed |
| events | array | Output field events |
| uuid | string | Unique identifier |
| rule_intent | string | Output field rule_intent |
| app_type | string | Type of the resource |
| source_username | string | Name of the resource |
| security_group_id | string | Unique identifier |
| destination_name | string | Name of the resource |
| timestamp_occured | string | Output field timestamp_occured |
| authentication_type | string | Type of the resource |
| event_type | string | Type of the resource |
| rule_method | string | HTTP method to use |
| priority_label | string | Output field priority_label |
| app_id | string | Unique identifier |
| source_name | string | Name of the resource |
| timestamp_received | string | Output field timestamp_received |
| rule_strategy | string | Output field rule_strategy |
| request_user_agent | string | Output field request_user_agent |
| rule_id | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "transfer-encoding": "chunked",
      "content-type": "application/json",
      "content-encoding": "gzip",
      "vary": "accept-encoding",
      "strict-transport-security": "max-age=31536000",
      "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "x-ms-ags-diagnostic": "",
      "date": "Tue, 27 Dec 2022 21:12:51 GMT"
    },
    "reason": "OK",
    "json_body": {
      "uuid": "971918fd-a569-548a-5a80-1ffcda2a8365",
      "has_alarm": false,
      "needs_enrichment": true,
      "priority": 20,
      "suppressed": false,
      "events": [],
      "rule_intent": "Environmental Awareness",
      "app_type": "Amazon AWS",
      "source_username": "user@alienvault.com",
      "security_group_id": "sg-xxxxx",
      "destination_name": "ec2.amazonaws.com",
      "timestamp_occured": "1517932134000",
      "authentication_type": "IAMUser",
      "event_type": "alarm",
      "rule_method": "AWS EC2 Security Group Modified"
    }
  }
]
```

### Retrieve Alarms

Retrieves a detailed list of alarms from AlienVault USM Anywhere, detailing severity, status, and associated rule names.

Endpoint URL: `api/2.0/alarms`
Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Retrieve Alarms |
| size | number | optional | Parameter for Retrieve Alarms |
| sort | string | optional | Parameter for Retrieve Alarms |
| status | array | optional | Status value |
| suppressed | boolean | optional | Parameter for Retrieve Alarms |
| rule_intent | string | optional | Parameter for Retrieve Alarms |
| rule_method | string | optional | HTTP method to use |
| rule_strategy | string | optional | Parameter for Retrieve Alarms |
| priority_label | array | optional | Parameter for Retrieve Alarms |
| alarm_sensor_sources | string | optional | Parameter for Retrieve Alarms |
| timestamp_occured_gte | number | optional | Parameter for Retrieve Alarms |
| timestamp_occured_lte | number | optional | Parameter for Retrieve Alarms |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _links | object | Output field _links |
| first | object | Output field first |
| href | string | Output field href |
| templated | boolean | Output field templated |
| self | object | Output field self |
| href | string | Output field href |
| templated | boolean | Output field templated |
| next | object | Output field next |
| href | string | Output field href |
| templated | boolean | Output field templated |
| last | object | Output field last |
| href | string | Output field href |
| templated | boolean | Output field templated |
| _embedded | object | Output field _embedded |
| alarms | array | Output field alarms |
| uuid | string | Unique identifier |
| has_alarm | boolean | Output field has_alarm |
| needs_enrichment | boolean | Output field needs_enrichment |
| priority | number | Output field priority |
| suppressed | boolean | Output field suppressed |
| destinations | array | Output field destinations |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "transfer-encoding": "chunked",
      "content-type": "application/json",
      "content-encoding": "gzip",
      "vary": "accept-encoding",
      "strict-transport-security": "max-age=31536000",
      "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "x-ms-ags-diagnostic": "",
      "date": "Tue, 27 Dec 2022 21:12:51 GMT"
    },
    "reason": "OK",
    "json_body": {
      "_links": {},
      "_embedded": {},
      "page": {}
    }
  }
]
```

### Retrieve Event

Retrieves detailed information for a specific event in AlienVault USM Anywhere using the event ID.

Endpoint URL: `api/2.0/events/{{eventId}}`
Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| eventId | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| account_name | string | Name of the resource |
| plugin_device_type | string | Type of the resource |
| destination_canonical | string | Output field destination_canonical |
| destination_name | string | Name of the resource |
| has_alarm | boolean | Output field has_alarm |
| request_user_agent | string | Output field request_user_agent |
| packet_type | string | Type of the resource |
| source_canonical | string | Output field source_canonical |
| event_name | string | Name of the resource |
| timestamp_occured | string | Output field timestamp_occured |
| source_service_name | string | Name of the resource |
| event_type | string | Type of the resource |
| app_name | string | Name of the resource |
| timestamp_received | string | Output field timestamp_received |
| destination_hostname | string | Name of the resource |
| source_infrastructure_name | string | Name of the resource |
| plugin | string | Output field plugin |
| app_type | string | Type of the resource |
| authentication_type | string | Type of the resource |
| access_control_outcome | string | Output field access_control_outcome |
| suppressed | string | Output field suppressed |
| plugin_device | string | Output field plugin_device |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "transfer-encoding": "chunked",
      "content-type": "application/json",
      "content-encoding": "gzip",
      "vary": "accept-encoding",
      "strict-transport-security": "max-age=31536000",
      "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "x-ms-ags-diagnostic": "",
      "date": "Tue, 27 Dec 2022 21:12:51 GMT"
    },
    "reason": "OK",
    "json_body": {
      "uuid": "39a6918f-33f2-ec9b-0fcc-42bb90f10a1f",
      "account_name": "Generic Account",
      "plugin_device_type": "Cloud Infrastructure",
      "destination_canonical": "s3.amazonaws.com",
      "destination_name": "s3.amazonaws.com",
      "has_alarm": false,
      "request_user_agent": "s3.amazonaws.com",
      "packet_type": "log",
      "source_canonical": "s3.amazonaws.com",
      "event_name": "PutObject",
      "timestamp_occured": "1528817037000",
      "source_service_name": "s3.amazonaws.com",
      "event_type": "AwsApiCall",
      "app_name": "Amazon AWS",
      "timestamp_received": "1528817107938"
    }
  }
]
```

### Retrieve Events

Fetches a list of security events from AlienVault USM Anywhere for analysis or reporting.

Endpoint URL: `api/2.0/events`
Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Retrieve Events |
| size | number | optional | Parameter for Retrieve Events |
| sort | string | optional | Parameter for Retrieve Events |
| account_name | string | optional | Name of the resource |
| suppressed | boolean | optional | Parameter for Retrieve Events |
| plugin | string | optional | Parameter for Retrieve Events |
| event_name | string | optional | Name of the resource |
| source_name | string | optional | Name of the resource |
| sensor_uuid | string | optional | Unique identifier |
| source_username | string | optional | Name of the resource |
| timestamp_occured_gte | number | optional | Parameter for Retrieve Events |
| timestamp_occured_lte | number | optional | Parameter for Retrieve Events |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _links | object | Output field _links |
| first | object | Output field first |
| href | string | Output field href |
| templated | boolean | Output field templated |
| self | object | Output field self |
| href | string | Output field href |
| templated | boolean | Output field templated |
| next | object | Output field next |
| href | string | Output field href |
| templated | boolean | Output field templated |
| last | object | Output field last |
| href | string | Output field href |
| templated | boolean | Output field templated |
| _embedded | object | Output field _embedded |
| events | string | Output field events |
| page | object | Output field page |
| size | number | Output field size |
| totalElements | number | Output field totalElements |
| totalPages | number | Output field totalPages |
| number | number | Output field number |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "transfer-encoding": "chunked",
      "content-type": "application/json",
      "content-encoding": "gzip",
      "vary": "accept-encoding",
      "strict-transport-security": "max-age=31536000",
      "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "x-ms-ags-diagnostic": "",
      "date": "Tue, 27 Dec 2022 21:12:51 GMT"
    },
    "reason": "OK",
    "json_body": {
      "_links": {},
      "_embedded": {},
      "page": {}
    }
  }
]
```

### Retrieve Alarm Labels

Retrieves the labels associated with a specific alarm in AlienVault USM Anywhere using the alarm ID.

Endpoint URL: `api/2.0/alarms/{{alarmId}}/labels`
Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| alarmId | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alarm_labels | array | Output field alarm_labels |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "transfer-encoding": "chunked",
      "content-type": "application/json",
      "content-encoding": "gzip",
      "vary": "accept-encoding",
      "strict-transport-security": "max-age=31536000",
      "request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "client-request-id": "8beed643-f868-4fd0-9e15-e0db4c50383e",
      "x-ms-ags-diagnostic": "",
      "date": "Tue, 27 Dec 2022 21:12:51 GMT"
    },
    "reason": "OK",
    "json_body": {
      "alarm_labels": []
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| client-request-id | HTTP response header client-request-id | 8beed643-f868-4fd0-9e15-e0db4c50383e |
| content-encoding | HTTP response header content-encoding | gzip |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Tue, 27 Dec 2022 21:12:51 GMT |
| request-id | HTTP response header request-id | 8beed643-f868-4fd0-9e15-e0db4c50383e |
| strict-transport-security | HTTP response header strict-transport-security | max-age=31536000 |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | accept-encoding |
| x-ms-ags-diagnostic | HTTP response header x-ms-ags-diagnostic | |

## Notes

- AlienVault's API uses `occured` (misspelled from "occurred") for the sort parameter in Get Events and Get Alarms.
- AlienVault APIs: https://cybersecurity.att.com/documentation/api/usm-anywhere-api-ref.htm
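The two operational points above, the periodic "x minutes ago" alarm ingest and the label-ID caveat (the API accepts any string as a label ID with no validity check), are worth seeing in working code. The following is an added example, not the connector's or AlienVault's own code: it builds the `timestamp_occured_gte`/`timestamp_occured_lte` window in epoch milliseconds, keeps the API's `occured` spelling in the `sort` parameter, walks the HAL-style `_links.next.href` pagination that the Retrieve Alarms output describes, and refuses to `PUT` a label ID that is not in a caller-supplied set of known labels. The HTTP layer is injected as a callable so the block runs offline against constructed responses; the tenant URL, alarm UUIDs other than the one from the page's example, label names and the `FakeTransport` class are all constructed placeholders. For a live tenant you would pass a wrapper around `requests.Session.request` that attaches the OAuth 2.0 bearer token.

```python
"""Client helpers for the USM Anywhere alarm endpoints (added example, not the
connector's own code). HTTP is injected as a callable so this runs offline."""
from __future__ import annotations

import time
from typing import Callable, Mapping, Optional

# (method, url, query_params) -> parsed JSON body; {} when the body is empty.
Transport = Callable[[str, str, Optional[Mapping[str, str]]], dict]

MS_PER_MINUTE = 60_000


def ingest_window(minutes_ago: int, now_ms: Optional[int] = None) -> dict[str, str]:
    """Query for a periodic 'alarms from the last N minutes' pull.

    USM Anywhere timestamps are epoch milliseconds, and the field keeps the
    API's 'occured' spelling, so the sort key must use that spelling too.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return {
        "timestamp_occured_gte": str(now_ms - minutes_ago * MS_PER_MINUTE),
        "timestamp_occured_lte": str(now_ms),
        "sort": "timestamp_occured,asc",
        "size": "100",
        "page": "0",
    }


def fetch_all_alarms(send: Transport, base_url: str, params: Mapping[str, str]) -> list[dict]:
    """GET api/2.0/alarms and follow _links.next.href until the last page."""
    alarms: list[dict] = []
    body = send("GET", f"{base_url}/api/2.0/alarms", params)
    while True:
        alarms.extend(body.get("_embedded", {}).get("alarms", []))
        next_href = body.get("_links", {}).get("next", {}).get("href")
        if not next_href:
            return alarms
        body = send("GET", next_href, None)  # href already carries page/size/sort


def set_alarm_label(send: Transport, base_url: str, alarm_id: str,
                    label_id: str, allowed_labels: set[str]) -> None:
    """PUT api/2.0/alarms/{alarmId}/labels/{labelId}, refusing unknown label IDs.

    The API accepts any string as a label ID without validating it, so a typo
    would silently attach a stray label; the check has to live on the client.
    """
    if label_id not in allowed_labels:
        raise ValueError(f"unknown label id {label_id!r}; refusing to PUT")
    send("PUT", f"{base_url}/api/2.0/alarms/{alarm_id}/labels/{label_id}", None)


# --- constructed offline stand-in for a tenant (placeholder URL and IDs) ------
BASE = "https://example-tenant.invalid"
ALARM_1 = "971918fd-a569-548a-5a80-1ffcda2a8365"  # uuid from the page's example
ALARM_2 = "00000000-0000-4000-8000-000000000002"  # constructed
PAGE_2 = f"{BASE}/api/2.0/alarms?page=1&size=100&sort=timestamp_occured,asc"
CANNED_PAGES = {
    f"{BASE}/api/2.0/alarms": {
        "_embedded": {"alarms": [{"uuid": ALARM_1, "priority": 20}]},
        "_links": {"next": {"href": PAGE_2, "templated": False}},
        "page": {"size": 100, "totalElements": 2, "totalPages": 2, "number": 0},
    },
    PAGE_2: {  # no "next" link: this is the last page
        "_embedded": {"alarms": [{"uuid": ALARM_2, "priority": 40}]},
        "_links": {"self": {"href": PAGE_2, "templated": False}},
        "page": {"size": 100, "totalElements": 2, "totalPages": 2, "number": 1},
    },
}


class FakeTransport:
    """Serves the canned pages and records PUT URLs instead of sending them."""

    def __init__(self, pages: dict) -> None:
        self.pages = pages
        self.puts: list[str] = []

    def __call__(self, method: str, url: str, params: Optional[Mapping[str, str]]) -> dict:
        if method == "PUT":
            self.puts.append(url)
            return {}
        return self.pages[url]


def demo() -> dict:
    """Pull the last 15 minutes of alarms at a fixed clock, then label the first."""
    send = FakeTransport(CANNED_PAGES)
    window = ingest_window(15, now_ms=1672175571000)  # 2022-12-27 21:12:51 UTC
    alarms = fetch_all_alarms(send, BASE, window)
    known = {"triage", "false-positive"}  # e.g. the result of a prior Get Label IDs
    set_alarm_label(send, BASE, alarms[0]["uuid"], "triage", known)
    try:
        set_alarm_label(send, BASE, alarms[0]["uuid"], "triag", known)  # typo
        refused = False
    except ValueError:
        refused = True
    return {"window": window, "alarm_ids": [a["uuid"] for a in alarms],
            "puts": list(send.puts), "refused_typo": refused}
```

Passing `now_ms` explicitly keeps the window reproducible; a scheduled Turbine job would omit it and persist the last `timestamp_occured_lte` it used as the next run's `gte`, so no alarm falls between two polls.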