AlienVault® USM Anywhere™

AlienVault® USM Anywhere™ provides centralized security monitoring for your cloud, on-premises, and hybrid IT environments, including your endpoints and cloud apps like Office 365 and G Suite. With multiple essential security capabilities in one unified platform, USM Anywhere simplifies and accelerates threat detection, incident response, and compliance management for today’s resource-constrained IT security teams.

To integrate with AlienVault, download the AlienApp here: https://cybersecurity.att.com/app/ddi-frontline-vm

Installation

Place both script files (together in the same directory) on a machine that is network accessible to the AlienVault USM Anywhere sensor.

Set Up

After the script files are placed on an appropriate machine, you are ready for setup.

  1. Open the config.py file and update the following variables.

     NOTE: All variables should be saved as string variables.

  2. FortraAPI_token

     This field is required for the script to successfully reach your Fortra VM account data. Enter the previously generated Fortra VM API Key.

  3. AlienVault_sensor IP

     This field is required for the script to reach the AlienVault USM Anywhere sensor and send event data to it correctly. Enter the IP address of the host on which the AlienVault USM Anywhere sensor is located. If you are unsure of the IP address of the sensor, you can find it in the USM Anywhere portal as follows:

     • Navigate to the Data Sources tab and select Sensors.
     • Select the sensor you will be using for this integration.
     • The IP address is displayed in the top left corner of the page.

  4. client_id

     This field is used in the OAuth process to generate an access token in order to gather AlienVault data through the AlienVault API.

  5. secret_key

     Similar to client_id, this field is used to generate an access token.

  6. subdomain

     This is the subdomain in which your AlienVault USM Anywhere instance is located. It is used to send requests through the AlienVault API.

  7. Save and close the config.py file.

Type of Data Pulled

This table describes the types of data pulled from AlienVault USM Anywhere and from Fortra VM.

Data Type                 Data Description
AlienVault (Name) Events  Events, using the Fortra, Inc. plug-in, from AlienVault USM Anywhere are pulled for correlation with Fortra VM data to prevent any duplicate events from being sent.
Host Discovery            The Active View Host client data within Fortra VM for all of the user’s host assets.
Vulnerability Found       The Active View Host vulnerability data within Fortra VM for all of the vulnerabilities associated with the user’s account.
                          The vulnerability dictionary information for all vulnerabilities pertaining to the user.

Usage

The script first pulls any events parsed by the Fortra plug-in from AlienVault USM Anywhere.

Using Fortra VM’s API, data from the user’s account is then pulled and converted into Common Event Format (CEF) syslog messages. Each message is sent as an event to the AlienVault USM Anywhere sensor. Before sending, the Fortra VM data is correlated with the AlienVault USM Anywhere events that were pulled: if a host or vulnerability is found to already exist as an event, it is not converted into a syslog message and is not sent to the sensor.
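To make the flow above concrete, here is an added example (not the FrontlineConnector script or any Fortra or AlienVault code) that builds CEF messages from constructed Fortra VM host and vulnerability records, drops the records already present as USM Anywhere events, and frames the remainder as BSD syslog for the sensor. The record field names, the fortra_id field used for correlation, the CEF vendor/product/signature values, the FrontlineConnector app name in the syslog header and UDP port 514 are all assumptions.

```python
import socket
from datetime import datetime, timezone

# Constructed sample of events the connector has already pulled from USM
# Anywhere through the Fortra plug-in. The "fortra_id" field is an assumption:
# it stands in for whatever field actually carries the Fortra record id.
USM_EVENTS = [
    {"event_name": "Host Discovery", "fortra_id": "host-1"},
    {"event_name": "Vulnerability Found", "fortra_id": "vuln-7@host-1"},
]

# Constructed sample of Fortra VM Active View host and vulnerability data.
FORTRA_HOSTS = [
    {"id": "host-1", "ip": "10.0.0.5", "hostname": "web01"},
    {"id": "host-2", "ip": "10.0.0.9", "hostname": "db01"},
]
FORTRA_VULNS = [
    {"id": "vuln-7", "host_id": "host-1", "host_ip": "10.0.0.5",
     "title": "Outdated TLS | weak cipher", "severity": 7},
    {"id": "vuln-9", "host_id": "host-2", "host_ip": "10.0.0.9",
     "title": "Default config: debug=on", "severity": 5},
]


def cef_escape(value, header=False):
    """Escape a value per the CEF rules so scanner-supplied text cannot
    shift or inject fields: header fields escape '\\' and '|',
    extension values escape '\\', '=' and newlines."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "").replace("\n", "\\n")


def to_cef(signature_id, name, severity, extensions):
    """Render one CEF:0 line. Vendor/product/version strings are assumed."""
    header = "|".join(cef_escape(f, header=True) for f in
                      ("Fortra", "Fortra VM", "1.0", signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape(v)}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


def host_to_cef(host):
    # cs1/cs1Label carry the Fortra record id so the next run can correlate.
    return to_cef("100", "Host Discovery", 3, {
        "src": host["ip"], "shost": host["hostname"],
        "cs1Label": "fortraId", "cs1": host["id"]})


def vuln_to_cef(vuln):
    return to_cef("200", "Vulnerability Found", vuln["severity"], {
        "src": vuln["host_ip"], "cs1Label": "fortraId",
        "cs1": f"{vuln['id']}@{vuln['host_id']}", "msg": vuln["title"]})


def correlate(usm_events, hosts, vulns):
    """Return CEF messages only for records not already present as USM events."""
    seen = {e.get("fortra_id") for e in usm_events}
    messages = [host_to_cef(h) for h in hosts if h["id"] not in seen]
    messages += [vuln_to_cef(v) for v in vulns
                 if f"{v['id']}@{v['host_id']}" not in seen]
    return messages


def syslog_frame(cef_message, app_name="FrontlineConnector", pri=14, now=None):
    """Wrap a CEF line in a BSD-syslog (RFC 3164) header; PRI 14 = user.info."""
    now = now or datetime.now(timezone.utc)
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {socket.gethostname()} {app_name}: {cef_message}"


def send_to_sensor(messages, sensor_ip, port=514):
    """Send each framed message to the sensor over UDP (port 514 assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for m in messages:
            sock.sendto(syslog_frame(m).encode("utf-8"), (sensor_ip, port))
    return len(messages)


if __name__ == "__main__":
    # Only host-2 and vuln-9 survive correlation with the sample USM events.
    for line in correlate(USM_EVENTS, FORTRA_HOSTS, FORTRA_VULNS):
        print(syslog_frame(line))
    # send_to_sensor(messages, sensor_ip_from_config) would deliver them.
```

The part worth checking in any such connector is cef_escape: a vulnerability title or hostname containing `|`, `=` or a newline would otherwise move field boundaries in the message the sensor parses, so every value from the scanner goes through the escaper before it reaches the CEF line.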

Pulling Fortra VM Data

To pull and send all available data described above, execute the FrontlineConnector script (with the config.py file in the same directory) using Python:

  python FrontlineConnector.py