LevelBlue USM Anywhere
App Vendor: LevelBlue USM Anywhere
App Category: Analytics & SIEM
Connector Version: 2.0.0
API Version: 2.0
About App
AT&T Cybersecurity publishes REST APIs for USM Anywhere that provide a programmatic interface for accessing your data directly from your own applications and extensions.
The LevelBlue USM Anywhere app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Label to Alarm | This action adds a label to an alarm. |
Get Alarm Details | This action retrieves details for a single alarm by the alarm ID. |
Get Alarm Labels | This action retrieves the list of label IDs for an alarm. |
Get Alarms | This action retrieves the list of alarms, where the results can be filtered on the basis of multiple parameters. |
Get Event Details | This action retrieves the details of an event using the event ID. |
Get Events | This action retrieves the list of events, where the results can be filtered on the basis of multiple parameters. |
Remove Label from Alarm | This action removes a label from an alarm. |
Generic Action | This is a generic action used to make requests to any LevelBlue USM Anywhere endpoint. |
Configuration Parameters
The following configuration parameters are required for the LevelBlue USM Anywhere app to communicate with the LevelBlue USM Anywhere enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access LevelBlue USM Anywhere. Example: https://your-subdomain.alienvault.cloud | Text | Required | |
Client ID | Enter the client ID. | Text | Required | |
Secret Key | Enter the secret key. | Password | Required | |
API Version | Enter the API version. Example: 1.0 | Text | Optional | Allowed values: 1.0, 2.0. Default value: 2.0 |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests wait to establish a connection with LevelBlue USM Anywhere. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
Verify | Choose whether to verify the SSL or TLS certificate while making requests. It is recommended to set this option to yes. Passing no skips verification and may result in the connection being established incorrectly. | Boolean | Optional | By default, verification is enabled. |
Action: Add Label to Alarm
This action adds a label to an alarm.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alarm ID | Enter the alarm identification number. | Text | Required | You can retrieve this using the action Get Alarms. |
Label Name | Enter the label identification name. You can enter either the label name or label ID. If both are used, the label ID is prioritized. | Text | Optional | Allowed values: open, in progress, false positive, closed. You can also enter custom label names. |
Label ID | Enter the label ID. You can enter either the label name or label ID. If you use both, ensure that they match the same label. | Integer | Optional | You can retrieve this using the action Get Alarm Labels. |
Example Request
[ { "alarm_id": "33ab5554-196c-457a-b035-379d0bb2fb6f", "label_id": "0add9c47-0d0c-de27-5a07-b41cfbbf8404" } ]
Action: Get Alarm Details
This action retrieves the details for a single alarm by the alarm ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alarm ID | Enter the alarm identification number. | Text | Required | You can retrieve this using the action Get Alarms. |
Example Request
[ { "alarm_id": "33ab5554-196c-457a-b035-379d0bb2fb6f" } ]
Action: Get Alarm Labels
This action retrieves the list of label IDs for an alarm.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alarm ID | Enter the alarm identification number to retrieve its labels. | Text | Required | You can retrieve this using the action Get Alarms. |
Example Request
[ { "alarm_id": "33ab5554-196c-457a-b035-379d0bb2fb6f" } ]
Action: Get Alarms
This action retrieves the list of alarms, where the results can be filtered on the basis of multiple parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Parameters | Enter the additional parameters to filter the response. | Key Value | Optional | |
Page | Enter the starting page number to retrieve response from. Example: 1 | Integer | Optional | |
Pagination | Enter true to retrieve response of all pages. | Boolean | Optional | By default, this is disabled. |
Example Request
[ { "name": "events", "displayName": "events", "typePropertyKind": "TYPE_EXPRESSION", "required": true } ]
Action: Get Event Details
This action retrieves the details of an event using the event ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Event ID | Enter the event identification number to retrieve its details. | Text | Required | You can retrieve this using the action Get Events. |
Example Request
[ { "event_id": "fab00eac-fc35-f04b-1c54-1d6f8d683e02" } ]
Action: Get Events
This action retrieves the list of events, where the results can be filtered on the basis of multiple parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Parameters | Enter the additional parameters to filter the response. | Key Value | Optional | |
Page | Enter the starting page number to retrieve response from. Example: 1 | Integer | Optional | |
Pagination | Enter true to retrieve response of all pages. | Boolean | Optional | By default, this is disabled. |
Example Request
[ { "name": "events", "displayName": "events", "typePropertyKind": "TYPE_EXPRESSION", "required": true } ]
Action: Remove Label from Alarm
This action removes a label from an alarm.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alarm ID | Enter the alarm identification number. | Text | Required | You can retrieve this using the action Get Alarms. |
Label Name | Enter the label identification name. You can enter either the label name or label ID. If both are used, the label ID is prioritized. | Text | Optional | Allowed values: open, in progress, false positive, closed. You can also enter custom label names. |
Label ID | Enter the label ID. You can enter either the label name or label ID. If both are used, ensure that they match the same label. | Integer | Optional | You can retrieve this using the action Get Alarm Labels. |
Example Request
[ { "alarm_id": "33ab5554-196c-457a-b035-379d0bb2fb6f", "label_id": "0add9c47-0d0c-de27-5a07-b41cfbbf8404" } ]
Action: Generic Action
This is a generic action used to make requests to any LevelBlue USM Anywhere endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. Example: GET | Text | Required | Allowed values: GET, PUT, POST, PATCH, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: /devices/entities/devices/v1 | Text | Required | |
Payload | Enter the payload in JSON format. Example: $JSON[{"data": [{"reason": "test"}]}] | Any | Optional | |
Query Params | Enter the query parameters in JSON format to pass to the API. Example: {"limit": "10"} | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_data, custom_output, download, filename, files, retry_wait, retry_count, response_type |
Example Request
[ { "method": "GET", "endpoint": "/devices/entities/devices/v1", "extra_fields": {}, "query_params": {} } ]
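A pre-flight check for Generic Action inputs, as an added example (not part of the connector or of LevelBlue's code): it enforces the allowed methods and extra-field keys listed in the table above before a playbook sends the request. The function name, the rule that the endpoint must be a path relative to the Base URL, and the approval rule for non-GET methods are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Values taken from the Generic Action parameter table on this page.
ALLOWED_METHODS = {"GET", "PUT", "POST", "PATCH", "DELETE"}
ALLOWED_EXTRA_KEYS = {"payload_data", "custom_output", "download", "filename",
                      "files", "retry_wait", "retry_count", "response_type"}
# Assumption (local policy, not from the page): only reads run unattended.
READ_ONLY_METHODS = {"GET"}


def check_generic_action(request: dict) -> list[str]:
    """Return a list of findings; an empty list means the input passed."""
    findings = []

    method = str(request.get("method", "")).upper()
    if method not in ALLOWED_METHODS:
        findings.append(f"method {method!r} is not an allowed value")
    elif method not in READ_ONLY_METHODS:
        findings.append(f"method {method} changes state: analyst approval required")

    endpoint = request.get("endpoint")
    if not isinstance(endpoint, str) or not endpoint:
        findings.append("endpoint is required")
    else:
        parts = urlsplit(endpoint)
        # Assumption: the endpoint is appended to the instance's Base URL, so it
        # must not carry its own scheme or host (keeps credentials on one host).
        if parts.scheme or parts.netloc or not endpoint.startswith("/"):
            findings.append("endpoint must be a path relative to the Base URL")
        if ".." in parts.path.split("/"):
            findings.append("endpoint contains a '..' path segment")

    for field in ("query_params", "extra_fields"):
        if not isinstance(request.get(field, {}), dict):
            findings.append(f"{field} must be a key-value object")

    extra = request.get("extra_fields", {})
    if isinstance(extra, dict):
        unknown = sorted(set(extra) - ALLOWED_EXTRA_KEYS)
        if unknown:
            findings.append(f"extra_fields has unknown keys: {unknown}")
    return findings


if __name__ == "__main__":
    # First input is the page's example request; the second is constructed.
    print(check_generic_action({"method": "GET", "endpoint": "/devices/entities/devices/v1",
                                "extra_fields": {}, "query_params": {}}))
    print(check_generic_action({"method": "trace", "endpoint": "https://other.example/x",
                                "extra_fields": {"verify": False}}))
```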