# AlienVault USM Central
The AlienVault USM Central connector integrates USM Central with Swimlane Turbine for security event management and automated response actions. AlienVault USM Central is a threat detection and incident response platform that centralizes security monitoring across distributed environments. Through Swimlane Turbine, users can automate the ingestion and analysis of alarms, streamline asset management, and access USM Central's security dictionaries. The connector lets security teams manage and respond to threats using USM Central's alarm data and asset information from within the Turbine ecosystem.

## Prerequisites

To use the AlienVault USM Central connector with Swimlane, ensure you have custom authentication credentials with the following parameters:

- **URL**: the endpoint URL for the AlienVault USM Central API
- **Client ID**: your unique identifier for AlienVault USM Central API access
- **Client Secret**: a secret key provided by AlienVault for authenticating API requests

## Capabilities

The AlienVault USM Central connector provides the following capabilities:

- Get Alarms
- Get Assets
- Get Dictionaries
- Get Alarms ID

## Configurations

### USM Central OAuth Authentication

Authenticates using Client ID and Client Secret.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| client_id | Client ID | string | required |
| client_secret | Client Secret | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Retrieve Alarm

Retrieves detailed information for a specified alarm using its unique ID (UUID) in AlienVault USM Central.

**Endpoint URL**: `api/1.1/alarms/{{alarmId}}`

**Method**: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| alarmId | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| results | object | Result of the operation |
| alarm | object | Output field alarm |
| rule_intent | string | Output field rule_intent |
| app_type | string | Type of the resource |
| alarm_sensor_sources | array | Output field alarm_sensor_sources |
| source_username | string | Name of the resource |
| destination_name | string | Name of the resource |
| rule_dictionary | string | Output field rule_dictionary |
| timestamp_occured | string | Output field timestamp_occured |
| uuid | string | Unique identifier |
| authentication_type | string | Type of the resource |
| needs_enrichment | boolean | Output field needs_enrichment |
| event_type | string | Type of the resource |
| rule_method | string | HTTP method to use |
| priority_label | string | Output field priority_label |
| suppressed | string | Output field suppressed |
| app_id | string | Unique identifier |
| has_alarm | string | Output field has_alarm |
| number_of_events | number | Output field number_of_events |
| source_name | string | Name of the resource |
| timestamp_received | string | Output field timestamp_received |
| error_message | string | Response message |
| source_asset_id | string | Unique identifier |
| alarm_destination_zones | array | Output field alarm_destination_zones |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=f",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "client-request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West US 2\",\"Slice\":\"E\",\"Ring\":\"1\",\"ScaleU",
      "OData-Version": "'4.0'",
      "Date": "Thu, 29 Dec 2022 20:37:23 GMT",
      "reason": "Created"
    },
    "json_body": {
      "results": {}
    }
  }
]
```

### Retrieve Alarms

Search for and retrieve alarm details from AlienVault USM Central using the criteria specified in the request body.

**Endpoint URL**: `api/1.1/alarms/search`

**Method**: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Optional parameter for Retrieve Alarms |
| size | number | optional | Optional parameter for Retrieve Alarms |
| find | object | optional | Optional parameter for Retrieve Alarms |
| alarm.suppressed | array | optional | Optional parameter for Retrieve Alarms |
| sort | object | optional | Optional parameter for Retrieve Alarms |
| alarm.timestamp_occured | string | optional | Optional parameter for Retrieve Alarms |
| range | object | optional | Optional parameter for Retrieve Alarms |
| alarm.timestamp_occured | object | optional | Optional parameter for Retrieve Alarms |
| gte | string | optional | Optional parameter for Retrieve Alarms |
| lte | string | optional | Optional parameter for Retrieve Alarms |
| timezone | string | optional | Optional parameter for Retrieve Alarms |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| alarm | object | Output field alarm |
| rule_intent | string | Output field rule_intent |
| app_type | string | Type of the resource |
| alarm_sensor_sources | array | Output field alarm_sensor_sources |
| source_username | string | Name of the resource |
| destination_name | string | Name of the resource |
| rule_dictionary | string | Output field rule_dictionary |
| account_id | string | Unique identifier |
| timestamp_occured | string | Output field timestamp_occured |
| uuid | string | Unique identifier |
| authentication_type | string | Type of the resource |
| needs_enrichment | boolean | Output field needs_enrichment |
| event_type | string | Type of the resource |
| rule_method | string | HTTP method to use |
| priority_label | string | Output field priority_label |
| suppressed | string | Output field suppressed |
| app_id | string | Unique identifier |
| has_alarm | string | Output field has_alarm |
| number_of_events | number | Output field number_of_events |
| source_name | string | Name of the resource |
| timestamp_received | string | Output field timestamp_received |
| error_message | string | Response message |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=f",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "client-request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West US 2\",\"Slice\":\"E\",\"Ring\":\"1\",\"ScaleUnit\":\"002\"",
      "OData-Version": "4.0",
      "Date": "Thu, 29 Dec 2022 20:37:23 GMT"
    },
    "reason": "Created",
    "json_body": {
      "results": [],
      "total": 2
    }
  }
]
```

### Retrieve Assets

Search for and retrieve asset information from AlienVault USM Central, using a JSON body for the input parameters.

**Endpoint URL**: `api/1.1/assets/search`

**Method**: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Optional parameter for Retrieve Assets |
| size | number | optional | Optional parameter for Retrieve Assets |
| find | object | optional | Optional parameter for Retrieve Assets |
| asset.hipaa | array | optional | Optional parameter for Retrieve Assets |
| sort | object | optional | Optional parameter for Retrieve Assets |
| asset.dateFound | string | optional | Optional parameter for Retrieve Assets |
| range | object | optional | Optional parameter for Retrieve Assets |
| asset.dateFound | object | optional | Optional parameter for Retrieve Assets |
| gte | string | optional | Optional parameter for Retrieve Assets |
| lte | string | optional | Optional parameter for Retrieve Assets |
| timezone | string | optional | Optional parameter for Retrieve Assets |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| results | array | Result of the operation |
| asset | object | Output field asset |
| hipaa | string | Output field hipaa |
| operatingSystem | object | Output field operatingSystem |
| hostname | string | Name of the resource |
| id | string | Unique identifier |
| deviceType | object | Type of the resource |
| assetOriginUuid | string | Unique identifier |
| nmapExcludeFromScan | object | Output field nmapExcludeFromScan |
| knownAsset | string | Output field knownAsset |
| configurationCount | string | Count value |
| assetOriginName | string | Name of the resource |
| operatingSystemSource | object | Output field operatingSystemSource |
| assetOriginType | string | Type of the resource |
| alarmCount | string | Count value |
| dateUpdated | string | Output field dateUpdated |
| vulnerabilityCount | string | Count value |
| eventCount | string | Count value |
| logo | object | Output field logo |
| rootDeviceType | string | Type of the resource |
| name | string | Name of the resource |
| dateFound | string | Output field dateFound |
| region | string | Output field region |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=f",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "client-request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West US 2\",\"Slice\":\"E\",\"Ring\":\"1\",\"ScaleUnit\":\"002\"",
      "OData-Version": "4.0",
      "Date": "Thu, 29 Dec 2022 20:37:23 GMT"
    },
    "reason": "Created",
    "json_body": {
      "results": [],
      "total": 37
    }
  }
]
```

### Retrieve Dictionaries

Obtain the dictionaries from AlienVault USM Central, which contain structured information for use in analysis and reporting.

**Endpoint URL**: `api/1.1/dictionaries`

**Method**: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| barracudarules.dict | object | Output field barracudarules.dict |
| strategy | object | Output field strategy |
| Configuration Change | array | Output field Configuration Change |
| Suspicious Security Critical Event | array | Output field Suspicious Security Critical Event |
| intent | object | Output field intent |
| Reconnaissance & Probing | array | Output field Reconnaissance & Probing |
| Environmental Awareness | array | Output field Environmental Awareness |
| method | object | HTTP method to use |
| Multiple Cross Site Request Forgery Attempts | array | Output field Multiple Cross Site Request Forgery Attempts |
| suricatamalwarerules.dict | object | Output field suricatamalwarerules.dict |
| strategy | object | Output field strategy |
| Phishing | array | Output field Phishing |
| intent | object | Output field intent |
| Reconnaissance & Probing | array | Output field Reconnaissance & Probing |
| method | object | HTTP method to use |
| Cylance Multiple AV Detections | array | Output field Cylance Multiple AV Detections |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=f",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "client-request-id": "cccf20e1-f938-4314-a076-4bebaff51f34",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West US 2\",\"Slice\":\"E\",\"Ring\":\"1\",\"ScaleUnit\":\"002\"",
      "OData-Version": "4.0",
      "Date": "Thu, 29 Dec 2022 20:37:23 GMT"
    },
    "reason": "Created",
    "json_body": {
      "barracudarules.dict": {},
      "suricatamalwarerules.dict": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache |
| client-request-id | HTTP response header client-request-id | cccf20e1-f938-4314-a076-4bebaff51f34 |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Type | The media type of the resource | application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8 |
| Date | The date and time at which the message was originated | Thu, 29 Dec 2022 20:37:23 GMT |
| OData-Version | HTTP response header OData-Version | '4.0' |
| reason | HTTP response header reason | Created |
| request-id | HTTP response header request-id | cccf20e1-f938-4314-a076-4bebaff51f34 |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| x-ms-ags-diagnostic | HTTP response header x-ms-ags-diagnostic | {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"1","ScaleUnit":"002","RoleInstance":"MWH0EPF00070F96"}} |

## Notes

- AlienVault APIs: https://www.alienvault.com/documentation/api/av-apis.htm
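The following is an added example, not code from the Swimlane connector or from AlienVault. It shows how a playbook author might build the Retrieve Alarm path and the Retrieve Alarms search body from the fields listed above, and how to page through `POST api/1.1/alarms/search` with a bounded loop. Everything network-related (the token obtained from the Client ID and Client Secret, TLS verification, the proxy) sits behind an injected `send(method, path, body)` callable, so the block runs offline against a constructed stand-in. Two things are assumptions rather than statements of the reference: that `find`, `sort` and `range` nest their keys in the order the parameter list shows them (`find.alarm.suppressed`, `sort.alarm.timestamp_occured`, `range.alarm.timestamp_occured.{gte,lte,timezone}`), and that `priority_label` takes the value `"high"` for the alarms an analyst looks at first. The sample alarms, `fake_send_factory` and `high_priority_unsuppressed` are constructed for the example.

```python
"""Added example, not the Swimlane connector's or AlienVault's own code.

Assumptions (see lead-in): `send` hides auth/TLS/proxy; the search body nests
find.alarm.suppressed, sort.alarm.timestamp_occured and
range.alarm.timestamp_occured.{gte,lte,timezone}; priority_label "high" marks
the alarms to look at first.
"""
import uuid
from typing import Callable, Iterator, List, Optional

ALARM_PATH = "api/1.1/alarms/{alarm_id}"      # from the connector reference
ALARM_SEARCH_PATH = "api/1.1/alarms/search"   # from the connector reference


def alarm_path(alarm_id: str) -> str:
    """Build the Retrieve Alarm path, accepting only a well-formed UUID.

    Playbooks usually take the id from an upstream field. Parsing it as a UUID
    rejects anything (e.g. '../search' or a query string) that would otherwise
    be interpolated straight into the URL path.
    """
    canonical = uuid.UUID(alarm_id)  # ValueError on anything that is not a UUID
    return ALARM_PATH.format(alarm_id=str(canonical))


def alarm_search_body(page: int = 0, size: int = 50,
                      suppressed: Optional[List[bool]] = None,
                      occurred_gte: Optional[str] = None,
                      occurred_lte: Optional[str] = None,
                      timezone: str = "UTC", descending: bool = True) -> dict:
    """Assemble the Retrieve Alarms body from the fields the reference lists."""
    body: dict = {"page": page, "size": size,
                  "sort": {"alarm.timestamp_occured": "desc" if descending else "asc"}}
    if suppressed is not None:
        body["find"] = {"alarm.suppressed": list(suppressed)}
    if occurred_gte or occurred_lte:
        window = {"timezone": timezone}
        if occurred_gte:
            window["gte"] = occurred_gte
        if occurred_lte:
            window["lte"] = occurred_lte
        body["range"] = {"alarm.timestamp_occured": window}
    return body


def iter_alarms(send: Callable[[str, str, dict], dict], size: int = 50,
                max_pages: int = 100, **filters) -> Iterator[dict]:
    """Yield alarms across pages of the search endpoint.

    Each page body is {"results": [...], "total": N} as in the reference
    example. Iteration stops once `total` results have been seen or a page
    comes back empty; `max_pages` bounds the loop so a server that keeps
    reporting a growing `total` cannot keep a playbook running indefinitely.
    """
    seen = 0
    for page in range(max_pages):
        data = send("POST", ALARM_SEARCH_PATH,
                    alarm_search_body(page=page, size=size, **filters))
        results = data.get("results") or []
        for alarm in results:
            yield alarm
        seen += len(results)
        if not results or seen >= int(data.get("total", 0)):
            break


# Constructed sample alarms: stand-ins shaped like the output fields, not real data.
SAMPLE_ALARMS = [
    {"uuid": str(uuid.UUID(int=n)), "priority_label": label, "suppressed": "false",
     "timestamp_occured": "1672346243%03d" % n}
    for n, label in enumerate(["high", "medium", "low", "high", "medium"], start=1)
]


def fake_send_factory(alarms: List[dict]):
    """Constructed transport: pages through `alarms` and records each request body."""
    calls: List[dict] = []

    def send(method: str, path: str, body: dict) -> dict:
        assert method == "POST" and path == ALARM_SEARCH_PATH
        calls.append(body)
        start = body["page"] * body["size"]
        return {"results": alarms[start:start + body["size"]], "total": len(alarms)}

    return send, calls


def high_priority_unsuppressed(alarms: Iterator[dict]) -> List[str]:
    """Ids of unsuppressed alarms labelled "high" (label value is an assumption)."""
    return [a["uuid"] for a in alarms
            if a.get("priority_label") == "high"
            and a.get("suppressed") in ("false", False)]


if __name__ == "__main__":
    send, calls = fake_send_factory(SAMPLE_ALARMS)
    ids = high_priority_unsuppressed(iter_alarms(send, size=2, suppressed=[False]))
    print(f"{len(calls)} search requests; high-priority alarm ids: {ids}")
```

In a real playbook the `send` callable would be the connector's HTTP layer with the configured `url`, `client_id` and `client_secret`; keep `verify_ssl` enabled there, since the client secret is presented on every request that obtains a token. The page cap in `iter_alarms` is a deliberate fail-safe: a search whose `total` never stops growing (a very active sensor, or a misbehaving endpoint) otherwise turns one scheduled job into an unbounded stream of API calls.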