You will need to create an e-mail ingestion template in Everbridge. First find out which e-mail address AlienVault sends from and which attributes AlienVault passes across, then create the incident template with the required attributes. Use that sender address to match incoming mail, so that mail from any other source does not launch a notification.
In this example the notification template is launched when the Priority attribute in the subject line is P1, P2, or P3; the trigger is configurable to client needs. Document and provide the unique inbound e-mail address AlienVault needs to send these e-mails to. In this example it is alienvault-453003085616634@integration.everbridge.us.
Make sure to configure the rest of the email ingestion form to pull out all required values and map them to the appropriate attributes.
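The parser below is an added example, not Everbridge or AlienVault code. It mirrors the three checks the ingestion template has to perform: accept only the expected sender, read the priority from the subject line, and pull the attributes out of the body. The sender address usm@example.com, the "KEY: value" body layout and the sample message are all constructed for the example; the real layout is whatever you put in the Description field of the USM Appliance action.

```python
"""Parse an AlienVault USM notification e-mail the way an Everbridge
e-mail ingestion template would (added example, not vendor code)."""
import email
import email.utils
import re
from email import policy

ALLOWED_SENDER = "usm@example.com"          # assumption: the address USM sends from
TRIGGER_PRIORITIES = {"P1", "P2", "P3"}     # priorities that launch the template
SUBJECT_RE = re.compile(r"\bP([1-5])\b")    # priority token in the subject line
# "KEY: value" or "KEY=value" lines in the body; keys are the USM keyword names
ATTR_RE = re.compile(r"^\s*([A-Z_]+)\s*[:=]\s*(.+?)\s*$", re.M)

# Constructed sample message; the body layout is an assumption for this example.
SAMPLE_EMAIL = """\
From: usm@example.com
To: alienvault-453003085616634@integration.everbridge.us
Subject: [USM] P1 alarm: Bruteforce authentication

ALARM: Bruteforce authentication
SRC_IP: 203.0.113.45
DST_IP: 192.168.1.1
RISK: 8
"""


def parse_alert_email(raw):
    """Return {'priority', 'attributes', 'launch'} for a matching mail, else None.

    None means the template must not fire: wrong sender (spoofed or unrelated
    mail) or a subject without a recognisable priority token.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg["From"] or "")[1].lower()
    if sender != ALLOWED_SENDER:
        return None
    match = SUBJECT_RE.search(msg["Subject"] or "")
    if match is None:
        return None
    priority = "P" + match.group(1)
    body = msg.get_payload()            # sample is single-part text/plain
    attributes = dict(ATTR_RE.findall(body))
    return {
        "priority": priority,
        "attributes": attributes,
        "launch": priority in TRIGGER_PRIORITIES,
    }


if __name__ == "__main__":
    print(parse_alert_email(SAMPLE_EMAIL))
```

The sender check is deliberately the first gate: anything reachable at a fixed inbound address can be sent mail by anyone, and a template that only keys on the subject line would let a forged "P1" message page the on-call team.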
1. Go to Configure > Threat Intelligence > Actions and select New.
2. Type the name of the action in the Name field. One example of an action could be “When an attack against IP 192.168.1.1 occurs, send email to an external notification system.”
3. From the Context list, select the context under which the action should occur.
4. In the Description field, click any applicable keywords at the top of the page to add them to the field automatically.
For example, if you wanted to create an action to send an email to an administrator, you could include information from the normalized event in the email message, such as SRC_IP, DST_IP, PRIORITY, and RISK.
When the action is executed, USM Appliance substitutes the values from the event that triggered the action for the keywords.
Note: You can also use keywords when you want to execute an external program. One example might be an event that invokes a script that sends a shun command to a network firewall to prevent an attacker from making a connection through the firewall at the DST_IP address.
5. From the Type list, select an action option. Options include sending an email message, opening a ticket in USM Appliance, or executing an external program; the fields for each are described in step 7.
6. In Conditions, indicate under what circumstances the action should occur:
Python Boolean expression — an expression, written in Python, that evaluates to True or False. You can combine it with the provided keywords, such as Date, Risk, and Plugin_SID, to define the conditions under which the action triggers.
Only on risk increase check box — when selected, this condition must also be met for this policy consequence to go into effect.
Important: When writing an expression, only the following characters are allowed: A-Z, a-z, 0-9, _, ', and ".
7. Fill in the fields that appeared after you selected the action type:
If you want to send an email message:
If you want to open a ticket in USM Appliance:
In the In Charge field, select either a particular User or an Entity.
If you want to execute an external program, using a script residing locally:
Type the full path to the script in the Command field. Once the conditions have been met, USM Appliance runs the program or script. Keywords in the Command field are substituted from the triggering event just as in the Description, so the script must treat those values (for example SRC_IP, which comes from the attacker's own traffic) as untrusted input.
Important: The best practice is to use non-blocking scripts. A blocking script that is slow to complete can delay responses and cause other undesired effects, including breaking backup and purging processes.
8. Click Save.
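The script below is an added example of the external program that step 7 configures, built around the firewall shun idea from step 4; it is not AlienVault's own code. It assumes the Command field is set to `/usr/local/bin/shun_action.py SRC_IP DST_IP PRIORITY RISK` (a hypothetical path), that a firewall CLI `/usr/local/sbin/fw-shun --block <ip>` exists (also hypothetical; substitute the real one), and that USM priority runs 0-5 and risk 0-10. It validates every keyword-substituted value before it reaches a command, passes the command as an argv list rather than a shell string, and hands the slow firewall call to a detached child so the action itself returns immediately.

```python
#!/usr/bin/env python3
"""Non-blocking USM Appliance action script (added example, not AlienVault code).

Assumed Command field (hypothetical path):
    /usr/local/bin/shun_action.py SRC_IP DST_IP PRIORITY RISK
USM Appliance replaces the keywords with values from the triggering event, so
argv carries data an attacker can influence: SRC_IP is taken from the
attacker's own packets.
"""
import ipaddress
import os
import subprocess
import sys

# Hypothetical firewall CLI used to illustrate the shun; replace with the real one.
FIREWALL_CMD = ["/usr/local/sbin/fw-shun", "--block"]
LOG_PATH = "/var/log/shun_action.log"   # assumed log location


def parse_event_args(argv):
    """Validate the keyword-substituted values before they reach any command.

    ipaddress.ip_address() accepts only a literal address, so a value such as
    '203.0.113.45; reboot' is rejected instead of becoming part of a command.
    The PRIORITY 0-5 and RISK 0-10 ranges are assumed USM conventions.
    """
    if len(argv) != 4:
        raise ValueError("expected SRC_IP DST_IP PRIORITY RISK, got %r" % (argv,))
    src_ip = ipaddress.ip_address(argv[0])
    dst_ip = ipaddress.ip_address(argv[1])
    priority = int(argv[2])
    risk = int(argv[3])
    if not 0 <= priority <= 5 or not 0 <= risk <= 10:
        raise ValueError("priority %d or risk %d out of range" % (priority, risk))
    return {"src_ip": src_ip, "dst_ip": dst_ip, "priority": priority, "risk": risk}


def build_shun_command(event):
    """Return the firewall command as an argv list, never as a shell string."""
    return FIREWALL_CMD + [
        str(event["src_ip"]),
        "--comment", "usm-risk-%d-dst-%s" % (event["risk"], event["dst_ip"]),
    ]


def launch_detached(cmd, log_path):
    """Start cmd and return its PID immediately without waiting for it.

    start_new_session=True gives the child its own session and process group,
    so signals aimed at the action do not reach it, and output goes to a log
    file rather than a pipe the parent would have to drain.
    """
    with open(log_path, "ab") as log:
        proc = subprocess.Popen(
            cmd,
            stdin=subprocess.DEVNULL,
            stdout=log,
            stderr=subprocess.STDOUT,
            start_new_session=True,
        )
    return proc.pid


def still_running(pid):
    """True if the detached child started by this process has not exited yet."""
    waited_pid, _status = os.waitpid(pid, os.WNOHANG)
    return waited_pid == 0


def main(argv):
    try:
        event = parse_event_args(argv)
    except ValueError as exc:
        print("shun_action: refusing to run: %s" % exc, file=sys.stderr)
        return 2
    pid = launch_detached(build_shun_command(event), LOG_PATH)
    print("shun_action: queued block of %s as pid %d" % (event["src_ip"], pid))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Rejecting malformed input with a non-zero exit rather than "cleaning" it keeps the failure visible in the action's output, and the detached child means a firewall that takes seconds to answer never holds up the USM Appliance process that invoked the action.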