One Article Review
| Source |  AlienVault Blog |
|---|---|
| Identifiant | 1857245 |
| Date de publication | 2020-08-13 11:00:00 (vue: 2020-08-13 11:05:38) |
| Titre | AlienApps and plug-ins combined into one framework |
| Texte |
The heart of any detection and response solution is the ability to collect events from the environment, perform corrective response actions, and integrate with customer workflows. Today, we’re proud to announce the launch of a complete redesign of the user interface for these third party integrations. We’ve updated our design to make it easier for customers to find the integrations they need, centralize the configuration of them, and identify any operational problems with the integrations.
What exactly have we done?
Previously, we’ve had two types of integrations with other security and IT products - plug-ins and AlienApps. Plug-ins were basic data collection tools used to collect, normalize, and enhance event logs from your environment. AlienApps performed a variety of functions including collection of event data via API polling, requesting third party response actions such as blocking dangerous internet destinations, and sending notifications to ticketing systems such as Jira or ServiceNow®.
Now, we’ve streamlined the entire process by combining plug-ins and AlienApps into one framework. We have also simplified finding the right tool by combining redundant or overlapping ones. For example, some products previously had different plugins for handling different log formats. We’ve collapsed all these into one for the sake of simplicity, without any functional changes in event handling.
From a practical perspective, all AlienApps provide one or more of the following capabilities:
Data Collection - capable of collecting events from your environment, including processing syslog messages, retrieving from log aggregation services (such as CloudWatch Logs, or an S3 bucket) and polling API’s.
Response - will help your security team “do things” - or, as we say, orchestrate the response - by taking action to investigate or respond to threats. Examples include things like querying an agent for additional host telemetry, adding an IP or domain to a block list, or disabling a cloud service account.
Notification - help the SOC team be more productive by sending data to third party services and applications such as Jira, ServiceNow, or Box Notes. The most common use case here is opening a case in your existing workflow.
Head over to “Data Sources>Alien Apps” for a look at the new GUI. The apps currently in use will be shown on this page, along with some useful graphs about application use. If any of the apps have configuration errors, you’ll see a red bar along with information about what needs to be fixed. See figure 1.
To add new integrations to a USM deployment, click “available apps” and search for the vendor. This will reveal all the apps available for that vendor. Note that there can be more than one app per vendor - there is one for every product or product line, depending on how that vendor organizes their products. See figure 2 for an example.
Using Response and Notification Actions
Nothing has changed about how AlienApp response actions work. If you haven’t tried them before, manual response actions can be taken in the event or alarm view by clicking on an individual event or alarm, then clicking “Select Action”. This will bring up a series of dialogs asking you to select the AlienApp you’d like to use, along with other relevant information such as the IP address or host, and any fields needed such as the case name if you are opening a ticket. Once everything is configured, simply click “run” and the response action will be initiated |
| Envoyé | Oui |
| Condensat | “available “data “do “response “select ability about account action action” actions add adding additional address agent aggregation alarm alert alerts alienapp alienapps all along also announce any anywhere api api’s app application applications apps apps” are asking automatic automatically available bar basic before block blocking box bring broad bucket but can capabilities: capable care case causing centralize changed changes click clicking cloud cloudwatch collapsed collect collecting collection combined combining common complete completely conditions configuration configure configured consequences contact control corrective correctly could currently customer customers dangerous data depending deployment design destinations detection dialogs different disable disabling domain done easier endif enhance entire environment errors event events every everything exactly example examples existing fields figure file find finding fix fixed following formats framework from functional functions good graphs great gui had handling has have haven’t head heart help here host how hunting identify include including individual information initiated ins integrate integrations interface internet investigate it’s jira just know launch let like line links list log logs look luck make makes malicious manual messages more most multiple name need needed needs new normalize note notes nothing notification notifications now once one ones open opening operational orchestrate organizes other over overlapping overly page party per perform performed perspective please plug plugins polling practical previously probably problem problems process processing product productive products proud provide querying red redesign redundant relevant requesting resources respond responding response retrieving revamped reveal review right rules rules” sake say search security see select sending sense series service servicenow servicenow® services share should shown shows simplicity simplified simply soc solution some someone sources>alien staff stop streamlined such support syslog systems taken taking team telemetry than them then these things things” think third threat threats ticket ticketing today tool tools tried two types under unintended updated uploaded use used useful user users’ using usm variety vendor view we’re we’ve what whenever will without work workflow workflows working you’d you’ll your zero |
| Tags | Tool Threat |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.