AlienApps and plug-ins combined into one framework

The heart of any detection and response solution is the ability to collect events from the environment, perform corrective response actions, and integrate with customer workflows. Today, we’re proud to announce the launch of a complete redesign of the user interface for these third party integrations.  We’ve updated our design to make it easier for customers to find the integrations they need, centralize the configuration of them, and identify any operational problems with the integrations.

What exactly have we done?

Previously, we’ve had two types of integrations with other security and IT products - plug-ins and AlienApps.  Plug-ins were basic data collection tools used to collect, normalize, and enhance event logs from your environment.  AlienApps performed a variety of functions including collection of event data via API polling, requesting third party response actions such as blocking dangerous internet destinations, and sending notifications to ticketing systems such as Jira or ServiceNow®.

Now, we’ve streamlined the entire process by combining plug-ins and AlienApps into one framework.  We have also simplified finding the right tool by combining redundant or overlapping ones.  For example, some products previously had different plugins for handling different log formats.  We’ve collapsed all these into one for the sake of simplicity, without any functional changes in event handling.

From a practical perspective, all AlienApps provide one or more of the following capabilities:

• Data Collection - capable of collecting events from your environment, including processing syslog messages, retrieving from log aggregation services (such as CloudWatch Logs, or an S3 bucket) and polling API’s.
• Response - will help your security team “do things” - or, as we say, orchestrate the response - by taking action to investigate or respond to threats.  Examples include things like querying an agent for additional host telemetry, adding an IP or domain to a block list, or disabling a cloud service account.
• Notification - help the SOC team be more productive by sending data to third party services and applications such as Jira, ServiceNow, or Box Notes.  The most common use case here is opening a case in your existing workflow.

Head over to “Data Sources>Alien Apps” for a look at the new GUI.  The apps currently in use will be shown on this page, along with some useful graphs about application use.  If any of the apps have configuration errors, you’ll see a red bar along with information about what needs to be fixed. See figure 1.

To add new integrations to a USM deployment, click “available apps” and search for the vendor.  This will reveal all the apps available for that vendor.  Note that there can be more than one app per vendor - there is one for every product or product line, depending on how that vendor organizes their products.  See figure 2 for an example.

Using Response and Notification Actions

Nothing has changed about how AlienApp response actions work.  If you haven’t tried them before, manual response actions can be taken in the event or alarm view by clicking on an individual event or alarm, then clicking “Select Action”.  This will bring up a series of dialogs asking you to select the AlienApp you’d like to use, along with other relevant information such as the IP address or host, and any fields needed such as the case name if you are opening a ticket.  Once everything is configured, simply click “run” and the response action will be initiated.

Whenever it makes sense to do so, response and notification apps support the ability to automatically perform one of the response actions.  For example, if someone uploaded a malicious file into a Box account, the security team could configure USM Anywhere to automatically disable the users’ account to stop the file from causing problems, or open a case in Box Notes, Service Now, or Jira to alert the staff to contact the user and fix the problem.  Automatic actions are configured under “Response Action Rules” on the Rules page. The example in figure 3 shows how to automatically disable the user if they share links.  This is probably an overly broad control, but it’s just an example.  Multiple conditions can be used to zero in on your needs.  Great care should be taken with automatically responding to alerts, as blocking resources could have unintended consequences.

To review, nothing has changed about how our third-party integrations work, but we have completely revamped the interface to make it easier to find the application you need, configure it, and provide that it is working correctly.  Please let us know what you think of the new interface, and good luck threat hunting!