FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E (Staff)
Article Id 355570
Description This article describes how to integrate FortiDLP Event Streaming with AlienVault USM Anywhere as a SIEM.
Scope FortiDLP.
Solution

Reveal’s Event Streaming functionality can be integrated with AlienVault’s USM Anywhere so that the SIEM receives FortiDLP events.

  1. Generate an access token for the stream to integrate, directly from the Event Streaming page.

  2. Ensure the access token that is generated is copied; it will be needed shortly.
  3. Log in to USM Anywhere and navigate to Data Sources -> Custom Apps -> Add Custom App.
  4. Enter the App Information, such as a name and category.

  5. For API Credentials, enter the following:

Type: API Key Auth
Event URL: <URL from event stream on Reveal>
Header Name: Authorization
Header Value: Bearer <API token from Reveal>
Request Method: GET

Replace <API token from Reveal> with the token copied in step 2, and <URL from event stream on Reveal> with the URL of the event stream being integrated.

Add a request parameter by selecting Params -> Add Request Param and entering:

Key: format
Value: json

  6. For API Config, enter the following:

Pagination Type: Next Cursor
Next Cursor Response Path: x_ignore
Next Cursor Param Name: x_ignore
Events Response Path: events
Data Filter Condition: Next Cursor
Response Events Sort Order: Asc
Timestamp Filter Param Name: x_ignore
Timestamp Filter Param Value: 2024-06-03T14:04:45.799Z
Timestamp Filter Param Format: Date ISO8601 (YYYY-MM-DDTHH:mm:ss.SSSZ)
Is Timestamp Param Mandatory: No
Latest Event Timestamp Response Path: sensor.timestamp
Latest Event Timestamp Response Format: Date ISO8601 (YYYY-MM-DDTHH:mm:ss.SSSZ)

Ensure that Params -> Add From Credentials is selected so that the format=json request parameter defined under API Credentials is passed with each request.

Ensure that the event stream is actively receiving events; otherwise AlienVault will report a "No events found" error.

Note:

The value sensor.timestamp here is important, as it points to the part of the JSON message that contains the event timestamp. This example works for detections; to use the streaming service for any other kind of event (such as audit logs), it will be necessary to use a separate stream/custom app and adjust this path accordingly. See

  7. For the Mapping and Summary Fields stages, configure them in whichever format best fits the existing AlienVault setup.
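As an added example (not code from this article, Fortinet or AlienVault), the following Python script performs the same GET that the custom app sends (Bearer header plus format=json) and checks a response against the two paths the API Config above depends on, the `events` array and the `sensor.timestamp` field, so that an empty stream or a wrong timestamp path can be spotted before it shows up as "No events found" in USM Anywhere. The sample response body is constructed; apart from the `events` and `sensor.timestamp` paths, its field names are assumptions.

```python
"""Validate a Reveal event-stream response against the paths this custom app relies
on: `events`, `sensor.timestamp`, and the Date ISO8601 (YYYY-MM-DDTHH:mm:ss.SSSZ) format."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

EVENTS_PATH = "events"               # Events Response Path
TIMESTAMP_PATH = "sensor.timestamp"  # Latest Event Timestamp Response Path
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # strptime form of YYYY-MM-DDTHH:mm:ss.SSSZ

# Constructed sample body: only the `events` and `sensor.timestamp` paths are taken
# from the article; the other field names are assumptions.
SAMPLE_RESPONSE = json.dumps({"events": [
    {"id": "evt-1", "sensor": {"timestamp": "2024-06-03T14:04:45.799Z"}},
    {"id": "evt-2", "sensor": {"timestamp": "2024-06-03T14:05:10.120Z"}},
]})

def get_path(obj, dotted):
    """Resolve a dotted response path; None if any hop is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def fetch_events(event_url, token):
    """Issue the same GET the custom app sends: Bearer header plus format=json."""
    sep = "&" if "?" in event_url else "?"
    url = event_url + sep + urllib.parse.urlencode({"format": "json"})
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def check_stream_response(body):
    """Return (event count, latest timestamp in stream format, ascending order?).
    Raises ValueError when the array is empty (stream not receiving events) or an
    event lacks the timestamp path (wrong event type for this app)."""
    events = get_path(json.loads(body), EVENTS_PATH)
    if not isinstance(events, list) or not events:
        raise ValueError("no events at response path %r" % EVENTS_PATH)
    stamps = []
    for event in events:
        raw = get_path(event, TIMESTAMP_PATH)
        if raw is None:
            raise ValueError("event lacks %r; use a separate stream/app" % TIMESTAMP_PATH)
        stamps.append(datetime.strptime(raw, TS_FORMAT).replace(tzinfo=timezone.utc))
    latest = max(stamps).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return len(events), latest, stamps == sorted(stamps)
```

Run `check_stream_response(fetch_events(url, token))` against the real stream URL and token; the returned latest timestamp is the value USM Anywhere will store from sensor.timestamp, and a False third element means the stream is not delivering events in the ascending order configured above.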