USM Anywhere™ User Guide

Updated June 13, 2017
Copyright © 2017 AlienVault. All rights reserved.
AlienVault, Open Threat Exchange, OTX, Unified Security Management, USM Appliance, and USM
Anywhere are trademarks of AlienVault and/or its affiliates. Other names may be trademarks of their
respective owners.
Contents

Introduction
    Prerequisites and Requirements
    USM Anywhere Network Security Concepts and Terminology
    About USM Anywhere Components
    About USM Anywhere Network Security Capabilities
    USM Anywhere Web User Interface (UI)
Getting Started with USM Anywhere
    USM Anywhere Network Security Best Practices
    What Expectations Should I Have of Security Monitoring?
    The USM Anywhere Event Processing Workflow
    Verifying USM Anywhere Operation
    Establishing Baseline Network Behavior
USM Anywhere Security Monitoring and Analysis
    Viewing USM Anywhere Dashboards
    Analyzing Alarms and Events
Asset Management
    Asset Administration
    Asset Groups Administration
Alarms Management
    About Alarms
    Alarms List View
    Searching Alarms
    Viewing Alarm Details
    Suppressing/Unsuppressing Alarms Generating the Event
    Exporting Alarms
Events Management
    About Events
    Events List View
    Searching Events
    Viewing Event Details
    Suppressing/Unsuppressing Events
    Exporting Events
Configuration Issues Management
    Configuration Issues List View
    Searching Configuration Issues
    Viewing Configuration Issues Details
    Exporting Configuration Issues
Rules Management
    Suppression Rules
    Orchestration Rules
    Filtering Rules
    Correlation Rules
Vulnerability Assessment
    About Vulnerability Assessment
    Creating Credentials for Vulnerability Scans
    Performing Vulnerability Scans
    Viewing Vulnerabilities Scan Results
    Searching Vulnerabilities
    Exporting Vulnerabilities
USM Anywhere Sensor Management
    Adding a New Sensor
    Configuring a Sensor
    Editing a Sensor
    Assigning a Sensor
    Replacing a Sensor
    Deleting a Sensor
Subscription Management
    Raw Log Data
    Reaching the Monthly Usage Limit Space
    Receiving Email Notifications Concerning my License
USM Anywhere Reports
    Data Export History
User Management
    Creating Users
    Editing Users

Introduction
This guide provides information for users of USM Anywhere who are responsible for monitoring network security and for identifying and addressing security threats in their environment. The guide also describes the operations provided by the USM Anywhere web user interface (web UI), which is used to perform most USM Anywhere network security tasks after the initial USM Anywhere deployment.

Topics covered in this guide include the following:

• Introduction — this section, which includes the following topics:
    • Prerequisites and Requirements — target audience, recommended skills and background, and supported browsers for using the USM Anywhere web user interface to perform network security operations.
    • USM Anywhere Network Security Concepts and Terminology — description of key terms such as assets, threats, and vulnerabilities, and how USM Anywhere uses correlation rules to detect emerging threats.
    • About USM Anywhere Components — high-level description of the USM Anywhere two-tier architecture.
    • About USM Anywhere Network Security Capabilities — description of essential USM Anywhere security capabilities, including asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and security information and event management (SIEM).
    • USM Anywhere Web User Interface (UI) — description of the key elements and navigation of the USM Anywhere web UI used to access and perform USM Anywhere network security monitoring and analysis operations.
• Getting Started with USM Anywhere — details typical security operations performed after the initial USM Anywhere installation and configuration, including security operation best practices and workflow, verifying USM Anywhere operation, and establishing baseline network behavior.
• USM Anywhere Security Monitoring and Analysis — provides an overview of the USM Anywhere web UI main menu and submenu options and the operations used to display, monitor, and analyze network security activities and events.
• Asset Management — describes operations to manage assets and asset groups. Covers topics such as asset creation and discovery, vulnerability scans, and asset monitoring and analysis.
• Alarms Management — provides information about alarms generated from events and OTX pulses, viewing and reviewing alarm information and field details, and suppressing alarms to remove noise from the system.
• Events Management — provides information on viewing, filtering, and sorting events, event and OTX field details, and analyzing events that generate alarms.
• Configuration Issues Management — provides information on viewing, filtering, and sorting configuration issues, and how to suppress them from the main view.
• Rules Management — details creating suppression and orchestration rules, and describes how USM Anywhere correlation rules work. This chapter also provides information about how Amazon SNS is integrated into USM Anywhere and how to manage AlienApps™.
• Vulnerability Assessment — provides information on performing vulnerability scans, viewing and understanding scan results, and generating reports based on vulnerability scans.
• USM Anywhere Sensor Management — provides information on managing sensors within USM Anywhere.
• Subscription Management — provides information on your license, event data, and raw log data.
• USM Anywhere Reports — describes the reports displayed in USM Anywhere.
• User Management — describes USM Anywhere user authentication and role-based authorization, configuration of authorization for specific assets, and monitoring user activity.

Prerequisites and Requirements

The information in this guide is primarily targeted at security engineers, security analysts and operators, IT managers and professionals, and system administrators who use the USM Anywhere product to provide network security within their own organization's environment. We recommend that you have knowledge of your organization's network infrastructure and the networking technologies you use.

Recommended skills for users include the following:

• Basic TCP/IP networking knowledge and skills, including IP addressing, DNS, switching, and routing.
• Basic familiarity with IT security concepts and associated skills, including threats, vulnerabilities, risk management, and security devices/applications.

Information provided in this guide assumes a customer has completed installation and configuration of AlienVault USM Anywhere as described in the AlienVault USM Anywhere Deployment Guide. In addition, users of this guide need the appropriate credentials to access USM Anywhere, and a web browser to access the USM Anywhere web UI through HTTPS.

Web Browser Support

USM Anywhere works best in the latest versions of the following web browsers:

• Mozilla Firefox
• Google Chrome

USM Anywhere Network Security Concepts and Terminology

When working with USM Anywhere and using the USM Anywhere web UI to perform network security operations, it is important to understand a few basic USM network security concepts. First, a key principle of the USM system is that it monitors assets. Assets are all devices in an enterprise that have some value to the enterprise and, generally, that it is possible to monitor or gather information about, such as their status, health or availability, configuration, activity, or events. The value comprises either the cost of the device itself, or the value of the data that is stored on the device or travels through the device.

• An asset is defined as a unique IP address.
• Assets are organized into networks based on IP addressing.
• Networks are organized into locations, based on their geographical location.

Typically, at least one USM Anywhere Sensor is used to monitor one geographically self-contained location. If several locations are used by an enterprise, each location is monitored with at least one USM Anywhere Sensor, which sends information to USM Anywhere about the assets that are in the same location. Plugins are used in the USM Anywhere Sensor to extract and normalize data from different data sources into standard-format events. USM Anywhere provides a wide assortment of plugins that can be used to collect events from the most commonly encountered data sources.

USM Anywhere includes correlation rules for identifying important events or patterns of events within large volumes of data. Alarms are generated by an explicit call within the rules, either orchestration or correlation rules. Correlation rules detect threats and are continuously provided by the AlienVault Labs Security Research Team. Information about specific threats is obtained from sources such as the AlienVault Labs Threat Intelligence Subscription and the Open Threat Exchange™ (OTX™). For example, OTX provides indicators of compromise and notifications of malicious hosts; USM Anywhere uses these to link assets, through their vulnerabilities, to specific threats, and to notify you about events that involve known or suspected malicious hosts. USM Anywhere can also perform scans that identify assets' vulnerabilities to specific, identified threats.

See Rules Management for further information.

About USM Anywhere Components

USM Anywhere is a modular and scalable two-tier architecture.

Tier 1 — USM Anywhere Sensors

USM Anywhere Sensors deploy natively into each environment and help you gain visibility into all of your on-premises and cloud environments. USM Anywhere Sensors collect and normalize logs, monitor networks, and collect information about the environments and assets deployed in your hybrid environments.

USM Anywhere Sensors are a key component of the USM Anywhere solution. They operate either on-premises or in the cloud, and are responsible for:

• Discovering your assets.
• Scanning assets for vulnerabilities.
• Monitoring packets on your networks and collecting data.
• Collecting log data and normalizing it before sending it securely to USM Anywhere.

Tier 2 — USM Anywhere Cloud

USM Anywhere receives the data sent to it by the USM Anywhere Sensors and uses it to provide essential security capabilities in a single SaaS platform:

• Centralized system security management
• Log data analysis and correlation
• Detection
• Alerting
• Log management
• Reporting

USM Anywhere also integrates log management and retains raw logs securely long-term for forensic investigations and compliance mandates.

About USM Anywhere Network Security Capabilities

AlienVault USM Anywhere provides five essential security capabilities in a single SaaS platform, giving you everything you need to detect and respond to threats and manage compliance. As a cloud-based security solution, it lets you scale your threat detection and response capabilities as your hybrid environment changes.

The USM Anywhere cloud security management platform receives continuous updates from the AlienVault Labs Security Research Team. This team analyzes the different types of attacks, emerging threats, suspicious behavior, vulnerabilities, and exploits that they uncover across the entire threat landscape.

USM Anywhere supplements the Security Research Team with data from the Open Threat Exchange (OTX). OTX is the largest and most authoritative crowd-sourced threat intelligence exchange in the world.

Here is a brief description of the essential functions that USM Anywhere provides:

• Asset Discovery is an essential security capability of USM Anywhere, which discovers assets in your environment, detects changes in assets, and discovers malicious assets in the network.
• Vulnerability Assessment, performed as authenticated scans using credentials you supply, identifies vulnerabilities and compliance issues by comparing the software installed on assets with a database of known vulnerabilities. Vulnerability scans can be performed manually or scheduled to run periodically.
• Intrusion Detection monitors network traffic for malicious activity, monitors system log messages, and monitors user activity. Intrusion detection for USM Anywhere consists of network-based intrusion detection (NIDS) and host-based intrusion detection (HIDS) components. HIDS can be used to spot problems on host endpoints, and can include file integrity monitoring and rootkit and registry checks. NIDS passive sniffing interfaces analyze network payload data to monitor for potentially malicious activity.
• Behavioral Monitoring provides visibility into traffic patterns and network flows (NetFlow data), which are used to detect anomalies that might indicate security policy violations. Data used for behavioral monitoring and analysis is collected from network devices, from flows based on mirrored traffic, and from asset availability monitoring. USM Anywhere also has access to logs in the cloud (Azure: Insights; AWS: CloudTrail, S3, ELB) and to VMware logs.
• SIEM security intelligence combines and correlates collected logs and other data to find malicious patterns in network traffic and within host activity. USM Anywhere SIEM draws intelligence from different sources, including the AlienVault Labs Threat Intelligence Subscription and OTX. Correlation rules, created by the AlienVault Labs Security Research Team, are used to identify patterns associated with malicious activity. OTX threat data provides IP reputation information and OTX pulses, which consist of Indicators of Compromise (IOCs) that identify a specific threat.

All of USM Anywhere's various security operation features and functionality are accessible from the USM Anywhere web UI.

USM Anywhere Web User Interface (UI)
The USM Anywhere web user interface (or web UI) provides access to all the tools and capabilities
that USM Anywhere makes available for managing the security of your organization’s network and
the devices in it. From the USM Anywhere web UI, you can view all essential information about
network devices, applications, user activity, and network traffic in your environment. You can begin
monitoring information coming from devices and then go about defining orchestration rules to fine
tune the behavior of your system. USM Anywhere includes by default correlation rules to alert you of
potential security issues and vulnerabilities.
The USM Anywhere web UI runs in a standard web browser. Your system administrator can
provide the web address and credentials to log in and access the features and functions appropriate
to your role in your organization’s security operation.
When you first log in, the USM Anywhere web UI displays the main window.
By default, the web UI displays a collection of high-level graphs and charts summarizing activity in
your organization’s network. From this main window, you can choose different menu options or click
other selectable links and buttons.
Callouts on the screen identify the main navigable elements and selections that are provided
consistently through the web UI.
Primary menu

Provides access to the main functions or operations of USM Anywhere. These include:

• Dashboards. Displays all SIEM, Asset Discovery, Vulnerability Assessment, and Vulnerabilities charts, tables, and graphs. Some dashboards are displayed depending on the sensor you have installed; there are also dashboards related to the AlienApps you have configured, which are visible if you have data for them.
• Activity. Provides search, sorting, filtered selection, and visualization of Alarms and Events.
• Environment. Provides display and management of Assets, Asset Groups, Vulnerabilities, and Configuration Issues.
• Reports. Provides display and management of data export history reports, selectable by categories such as assets, asset groups, alarms, and events. You can also choose the format of the report (HTML or CSV).
• Settings. Provides options to view and manage deployed USM Anywhere sensors, credentials, plugins, and AlienApps. Administration options let you manage users and asset fields, display the system status, schedule jobs, and manage suppression and orchestration rules. You can also display the data about your subscription.

Secondary Menu

Provides access to the system configuration, the user profile information, the help link, and the bookmarked items:

• Favorites icon. This icon allows you to see and access alarms, events, or assets that you (or another user) bookmarked for easy access. The number on the icon indicates the number of items bookmarked.
• Help icon. This icon includes the following options:
    • Documentation, which links to the online documentation.
    • Support, which links to the AlienVault Support page.
    • Forum, which links to the USM Anywhere Forum.
    • About, which opens a popup window with information about your system.
• Envelope icon. Provides USM Anywhere notifications and messages, such as maintenance information and product updates.
• User icon. This menu shows the settings (email, full name, and the option to change the password) of the user who is logged in to the system, the configuration for receiving alarm notifications, and the option to log out of the system.

The remainder of this guide describes best practices in performing common network security
operations and provides step-by-step instructions for performing specific tasks. Following sections
also describe the USM Anywhere web UI from which you can monitor network security and access
all of USM Anywhere’s security operation features and functionality.
Getting Started with USM Anywhere
This section details typical security operations performed after the system installation, initial
deployment, and configuration of USM Anywhere has been completed. In addition, this section
describes a best practice workflow for using USM Anywhere to perform operations during the entire
Security Monitoring and Management lifecycle.
Topics include the following:

• USM Anywhere Network Security Best Practices
• What Expectations Should I Have of Security Monitoring?
• The USM Anywhere Event Processing Workflow
• Verifying USM Anywhere Operation
• Establishing Baseline Network Behavior

USM Anywhere Network Security Best Practices
Providing strong and effective security for an organization's network, IT infrastructure, and
environment requires some forethought and planning. If you are now tasked with monitoring,
managing, or maintaining network security operations within your organization, after
USM Anywhere has already been deployed, many of the planning steps and decisions may have
already been made. In any case, it is worth reviewing some of the overall best practices that many
organizations follow in implementing and then maintaining network security operations in their
environments. The general process is the following:

• Determine the scope of your network security operation, the range of networks and subnetworks to be covered, and the network devices or assets (host servers, applications, firewalls, routers, and switches) to be protected.
• Assess risk, determine what is most important to protect, and determine the type of network security you need to provide. Identify the specific threats and vulnerabilities you need to address. Also determine the specific regulatory compliance and other business standard requirements you need to meet.
• Define security team roles, permissions, tasks, and responsibilities, and implement authentication and authorization to support USM Anywhere security operations. Also determine the notification and escalation strategy for emails, ticket handling, incident response, and compliance documentation requirements.
• Develop a plan for the initial implementation and rollout of network security operations, plus planned updates and enhancements, based on priorities. Take into account the time and resources required for monitoring, incident analysis and response, compliance reporting, and record-keeping, plus subsequent updates to address additions or changes in the environment, as well as new threats and vulnerabilities.
• Deploy and run USM Anywhere to monitor and analyze the behavior of the environment. Use dashboards, reports, and other features of the USM Anywhere web UI to examine events, network traffic, alarms, and notifications. Establish baseline behavior, identify threats and vulnerabilities, and eliminate or reduce false positives and other noise from normal, benign behavior.
• After establishing a baseline, use the various tools provided within the USM Anywhere web UI to investigate alarms and suspicious events, identify threats and vulnerabilities, and continue monitoring your network for attacks, intrusions, or any other type of malicious and potentially damaging behavior.
• Make continuous security lifecycle improvements and perform regular maintenance: new asset discovery and risk assessments, new vulnerability and threat detection, compliance reporting, and backup and archival record-keeping.
• Incident Response. Develop and implement processes and procedures for Incident Response (IR) to provide special event and incident handling. Detect anomalies and suspect behavior; investigate, identify, and isolate threats, intrusions, or attacks; eradicate, remediate, or mitigate threats; and conduct post-incident, post-mortem reviews to identify improvements to security processes and practices.

What Expectations Should I Have of Security Monitoring?
Security monitoring is often about watching often-overlooked things such as host, device, and application vulnerabilities, because those are typically the same things that attackers will later leverage against you in carrying out attacks or attempting unauthorized access to data or resources. A good network security monitoring system discovers things every day that provide value to security efforts. USM Anywhere can help to locate or identify:

• Misconfigured systems
• Hosts that have fallen off the radar of asset management
• Systems compromised by opportunistic malware or other attacks by malicious software
• Inappropriate or unauthorized access to sensitive data or resources from both internal and external parties; for example, detecting web sites that should have been blocked at the proxy server but were not.

USM Anywhere priorities for network security operations are determined primarily by correlation rules. The rules link events together into meaningful bundles and turn data into useful information. Correlation is a function of USM Anywhere that automates the analysis of correlated events to identify potential security threats and produces alerts to notify recipients of immediate issues. You can also create orchestration and suppression rules to tune your network security operations.

The USM Anywhere Event Processing Workflow
After USM Anywhere is installed in your environment, events start flowing through the system, so
you can start gaining visibility into the type of events that are occurring, what natural or nonthreatening activity is taking place, and what activity can be a possible attack. USM Anywhere also
begins collecting other information about your network and various network devices such as
firewalls, routers and switches, servers, and applications. In addition, it is discovering and
determining possible vulnerabilities and threats to your environment.
The following illustration shows a high-level view of events and other information from your network environment as it is collected or generated by the USM Anywhere Sensor and delivered to USM Anywhere for processing.
The USM Anywhere Sensor combines asset discovery, vulnerability assessment, threat detection,
and behavioral monitoring to provide full situational awareness. The USM Anywhere Sensor is the
front-line security module of the USM Anywhere platform and provides detailed visibility into your
environment, vulnerabilities, attack targets and vectors, and services.
The USM Anywhere Sensor receives data and other activity or status information from devices and normalizes the information into a standardized event format. After the event is normalized, the USM Anywhere Sensor sends the normalized event to USM Anywhere, which matches the event with a plugin and stores it.
USM Anywhere provides a unified management interface through the web UI that combines
security automation, and OTX and threat intelligence from the AlienVault Labs Security Research
Team to correlate data, spot anomalies, reduce risk, and improve operational efficiency.
Correlation can be done logically, where events can be compared to patterns and multiple conditions
can be connected by using logical operators such as OR and AND. Correlation can also be
calculated using cross-correlation, where events are correlated with vulnerability data. After events
are processed and correlated, USM Anywhere performs risk analyses and triggers an alarm if the
risk of the event is high enough.
Verifying USM Anywhere Operation
After the basic installation and configuration of your USM Anywhere system is completed, you can
use the USM Anywhere web UI to verify that it is operating properly.
The following process describes tasks you can perform to verify basic operations, also walking you
through information available from the primary menu options.
1. When you first launch the USM Anywhere web UI, it displays the main dashboards page.
This high-level view of summary information shows the overall state of your network, so you can
get an immediate indication of the levels of events and alarms occurring in your environment.
2. Confirm that security events are being collected and are populating USM Anywhere correctly. To see events, navigate to ACTIVITY > EVENTS.

On this page, any normalized log event, or any other event received or generated by any USM Anywhere Sensor at the application, system, or network level, is shown in the display, unless a suppression rule has filtered it out.

You can also search for and filter specific events using time ranges and other search criteria. Click a specific event row to display additional information for the selected event in a popup window. You can view and examine full details about an event, in a full browser window, by clicking the event and then the Full Detail link. Use this link to see all the information about the event, such as the event details, the related assets, the source and destination IP addresses, and the raw log of the event.

3. Confirm that USM Anywhere is creating alarms and that the alarms are displayed correctly. USM Anywhere generates alarms from correlation rules. To see alarms in your system, navigate to ACTIVITY > ALARMS.

By default, the middle portion of the page provides a graphical representation of the current alarms being generated in your environment. Blue circles indicate the number of alarms in a category at a particular time; a bigger circle indicates a higher number of alarms. Alarms are prioritized by categories that reflect typical methods used by attackers. See The Alarms Page Display for more information on alarm categorization.

You can also search for and filter specific alarms using time ranges and other search criteria. Click a specific alarm row to display additional information for the selected alarm in a popup window. You can view and examine full details about an alarm, in a full browser window, by clicking the alarm and then the Full Detail link. Use this link to see all the information about the alarm, such as the events that triggered the alarm, the source and destination IP addresses, and the recommended actions.

Establishing Baseline Network Behavior
When you first start using USM Anywhere, it is a good idea to let it run for a few days to determine
which events and alarms you can consider 'noise' and which ones to investigate further. By noise,
we mean false positives that obscure true positives.
Because no system is perfect, you must ensure that you have actionable alarms and useful reports,
not hundreds of things to review. What you learn from the baseline collection and the evaluation of
those events helps you create orchestration and suppression rules that tell USM Anywhere what is
important or not. Alarms are also created from correlation rules, which are created by AlienVault
Labs Security Research Team.
See Rules Management for further information.
Baselining
To be able to tune the system, you need to create a baseline for what constitutes normal behavior in
your network. This is called baselining. The alarms and events generated during this initial period
represent currently normal behavior, in other words, a snapshot in time. Of course, there may be
things you want to filter out right away. But in general, you should resist the temptation and wait until
you have had a chance to observe any patterns in your network.
Evaluating Results
After you collect these data points, you need to start making decisions about them, based on the following criteria:

• Which events have value and applicability to my system?
• Which events have to do with network policy and therefore are not potential threats?
• Was the rule properly assessed?
• Which events have value for reporting?
• Who should receive notification when this event occurs?

Answering these questions for the first time is best done in a group setting with the relevant
stakeholders. In subsequent iterations of this process, usually only the analysts participate, because
the fundamental questions for each event can be applied through taxonomy. Because AlienVault
releases new signatures frequently, this decision making process will be a recurring event.
Filtering Out the Noise
You may want to identify and filter out some false positives right away. One example might be an alarm indicating scanning of hosts in the network. Such activity can be completely legitimate if performed by an internal network mapper. On the other hand, it may be currently benign but may also be a precursor to a real attack. USM Anywhere treats both events equally.

If you examine an alarm and determine that the event that triggered it was noise, not a real threat, consider taking the following steps:

1. Create an orchestration rule that prevents USM Anywhere from processing new events from the source. For example, suppose USM Anywhere properly detected vulnerability scanning coming from an internal scanner, but such events do not interest you because the internal vulnerability scanner is controlled by your environment. See Orchestration Rules for more information.
2. If you are not interested in specific alarms, you can do the following:
    • Reconfigure the external data source to not send such events.
    • Use a rule to discard such events.
    • Modify or remove the rule.
3. Suppress all occurrences of the alarm from USM Anywhere. For information on how to do this, see Suppressing/Unsuppressing Alarms Generating the Event.
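
The pipeline described under The USM Anywhere Event Processing Workflow (plugin normalization, then logical correlation and cross-correlation against vulnerability data, then a risk check that raises an alarm) and the internal-scanner noise case in the steps above can be pictured end to end with a small model. The Python below is an added illustration written for this guide; it is not AlienVault code and does not reproduce USM Anywhere's plugin or rule formats. The two log formats, the plugin regexes, the internal scanner address 10.0.0.5, the vulnerability table, the risk values, and the alarm threshold are all constructed for the example.

```python
"""Toy model of the event pipeline described in this guide:
raw log line -> plugin normalization -> suppression rule ->
correlation (logical AND plus cross-correlation with vulnerability
data) -> risk score -> alarm if the score is high enough.
Added illustration only; not AlienVault's code or rule format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample log lines in two made-up formats (not real captures):
# a NIDS-style alert line and a firewall connection line.
RAW_LOGS = [
    'nids: 2017-06-13T10:00:01 ALERT "Port scan detected" src=10.0.0.5 dst=10.0.1.20',
    'nids: 2017-06-13T10:00:04 ALERT "Port scan detected" src=203.0.113.9 dst=10.0.1.20',
    'fw: 2017-06-13T10:00:09 ACCEPT 203.0.113.9:4444 -> 10.0.1.20:445',
    'fw: 2017-06-13T10:00:10 DROP 198.51.100.7:5555 -> 10.0.1.21:22',
]


@dataclass
class Event:
    """The common, normalized event schema every plugin maps into."""
    plugin: str
    name: str
    src: str
    dst: str
    dport: Optional[int] = None


# One "plugin" per source format: a regex that pulls the fields out of
# the raw line into the common schema above.
PLUGINS = {
    "nids": re.compile(
        r'^nids: \S+ ALERT "(?P<name>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$'),
    "fw": re.compile(
        r'^fw: \S+ (?P<name>ACCEPT|DROP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$'),
}


def normalize(line: str) -> Optional[Event]:
    """Try each plugin; return the normalized event, or None if no plugin matches."""
    for plugin, rx in PLUGINS.items():
        m = rx.match(line)
        if m:
            d = m.groupdict()
            dport = int(d["dport"]) if d.get("dport") else None
            return Event(plugin, d["name"], d["src"], d["dst"], dport)
    return None


# Suppression rule for the "Filtering Out the Noise" case: scans from the
# authorised internal scanner are dropped before correlation. The scanner
# address is a hypothetical value chosen for this example.
INTERNAL_SCANNER = "10.0.0.5"


def suppressed(ev: Event) -> bool:
    return ev.name == "Port scan detected" and ev.src == INTERNAL_SCANNER


# Constructed vulnerability data for cross-correlation: asset -> ports on
# which a vulnerability assessment found an exposed service.
VULNS: Dict[str, Set[int]] = {"10.0.1.20": {445}}

ALARM_THRESHOLD = 8  # arbitrary risk value at which an alarm is raised


def correlate(events: List[Event], vulns: Dict[str, Set[int]]) -> List[dict]:
    """Logical correlation: a scan from X to Y AND a later accepted
    connection from X to Y. Cross-correlation: the connection lands on a
    port where Y is known to be vulnerable, which raises the risk."""
    scanned_by = {e.src: e.dst for e in events if e.name == "Port scan detected"}
    alarms = []
    for e in events:
        if e.plugin == "fw" and e.name == "ACCEPT" and scanned_by.get(e.src) == e.dst:
            risk = 5
            if e.dport in vulns.get(e.dst, set()):
                risk += 5
            alarms.append({"src": e.src, "dst": e.dst, "dport": e.dport, "risk": risk})
    return alarms


def run(lines: List[str], vulns: Dict[str, Set[int]] = VULNS) -> List[dict]:
    """Full pipeline: normalize, suppress, correlate, keep alarms above the threshold."""
    events = [e for e in map(normalize, lines) if e is not None and not suppressed(e)]
    return [a for a in correlate(events, vulns) if a["risk"] >= ALARM_THRESHOLD]


if __name__ == "__main__":
    for alarm in run(RAW_LOGS):
        print(alarm)
```

Running the block yields one alarm: the scan from 203.0.113.9 followed by an accepted connection to a port on which the target is recorded as vulnerable reaches the threshold, while the identical scan from the authorised internal scanner is dropped by the suppression rule before correlation ever sees it, and the dropped connection from 198.51.100.7 never pairs with a scan. Removing the vulnerability entry lowers the risk below the threshold, which is the cross-correlation point made in the workflow section: the same pair of events is only alarm-worthy when the target is actually exposed.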
USM Anywhere Security Monitoring and Analysis
This section provides an overview of the USM Anywhere web UI primary menu options used
primarily for displaying, monitoring, and analyzing network security activities and events.
Topics include the following:
• Viewing USM Anywhere Dashboards
• Analyzing Alarms and Events
Viewing USM Anywhere Dashboards
The first view of the USM Anywhere web UI is a set of dashboards. These dashboards provide
overall visibility into the activity on your network and display various network security metrics.
USM Anywhere also makes available several reports that you can display. These
reports provide detail on various aspects of USM Anywhere network security. For
more information on reports, see USM Anywhere Reports.
When you launch the USM Anywhere web UI, it opens a page displaying the overview dashboard.
In the Primary Menu, under DASHBOARDS, you can find these options:
Overview
This dashboard includes three separate sections.
SIEM Section
SIEM security intelligence combines and correlates collected logs and other data to find malicious
patterns in network traffic and within host activity.
Widgets in the SIEM Section (some widgets include a filter; hover over it to see the details)
Alarms - Total number of alarms for the current day and for the current week.
Alarms by Intent - Alarms correlated by intent and related to a range of dates. The size of the bubbles depends on the number of issues.
Top Alarms by Method - List of the top 5 alarms ordered by the method of attack or infiltration, including the total number of alarms.
Event Data Sources - Top plugins used to normalize the events.
Events per Hour - Graph that displays the total number of events produced every hour.
Asset Discovery Section
Asset Discovery discovers assets in your environment, detects changes in assets, and discovers
malicious assets in the network.
Widgets in the Asset Discovery Section
Top Operating Systems - List of the top operating systems on assets.
Asset Information - Software Inventory refers to the total number of assets having software installed. Assets Discovered refers to the total number of assets discovered by the user.
Top Assets with Alarms - List of the top 5 assets having the most alarms.
Vulnerability Assessment Section
Vulnerability Assessment identifies vulnerabilities or compliance issues by comparing the installed
software on assets with a database of known vulnerabilities.
Widgets in the Vulnerability Assessment Section
Assets with Vulnerabilities - Total number of assets having vulnerabilities for the current day and for the current week.
Vulnerabilities - Total number of vulnerabilities in your environment.
Vulnerabilities by Severity - Top vulnerabilities ordered by severity. See About Vulnerability Severity.
Most Vulnerable Hosts - List of the most vulnerable hosts.
Vulnerabilities
If the dashboards do not contain information and there are no detected vulnerabilities, you can run a
scan to detect asset vulnerabilities. See Running Authenticated Scans from Assets.
Widgets in the Vulnerabilities Tab
Severity - Pie chart displaying, in percentages, the severity of vulnerabilities, which can be Low, High, and Medium. See About Vulnerability Severity.
Most Vulnerable Hosts - Name of the most vulnerable host in your environment.
Latest Scans - List of the 5 latest scans run in your environment. It includes the scan date and the number of vulnerabilities found.
Top Active Vulnerabilities by Severity - List of the top active vulnerabilities by severity. You can see the CVE identifier, its severity, and the affected assets. See About Vulnerability Severity.
Vulnerability Events - Graph that displays the total number of vulnerabilities produced in the current month.
AWS
This option is visible depending on the sensor you have installed.
Widgets in the AWS Tab
Messages by Source - List of the fifteen assets receiving the most messages.
Event Action: Create - Total number of assets created for the current day and for the current week.
Event Action: Update - Total number of assets updated for the current day and for the current week.
Event Action: Delete - Total number of assets deleted for the current day and for the current week.
Event Action: Read - Total number of assets read for the current day and for the current week.
Unauthorized Activity - List of the unauthorized activity that has been made on events.
Asset Instances by Type - List of asset instances ordered by type.
Messages by Outcome - Pie chart displaying, in percentages, the outcome for access control, which can be Allow or Deny.
Asset States - List of the states of the assets and the total number in each state.
Asset Information - Total number of assets having vulnerabilities, configuration issues, and alarms.
Asset Instances by Region - Total number of asset instances by region.
Latest Console Login - Date of the latest console login.
User Actions - Users related to the implied action of the event, which can be create, read, update and delete. The size of the bubbles depends on the number of issues.
NIDS
This option is visible depending on the sensor you have installed.
Widgets in the NIDS Tab
Assets with Malware Activity - Total number of assets with malware activity for the current day and for the current week.
Top Categories - List of the top categories expressed in total numbers.
Top Categories - List of the top categories expressed in percentages.
Top Signatures - List of the top NIDS signatures having the most events.
Top Malware - List of the top malware in your environment.
Top Malware Families - List of the top malware families expressed in total numbers.
Top Malware Destination - List of the top malware ordered by destination country.
Top Exploit Activity - List of the top exploit activity in your environment.
Amazon DynamoDB
This option is visible depending on the sensor you have installed.
Widgets in the Amazon DynamoDB Tab
Events By Name - List of events by name.
Access Control - Pie chart displaying, in percentages, the authentication and access control for Amazon DynamoDB.
Top Tables/Streams - List of the top DynamoDB streams.
Actions - List of actions supported by Amazon DynamoDB.
Top Users - List of the Amazon DynamoDB top users.
User Activity - Users related to their implied activity, which can be create, read, update and delete. The size of the bubbles depends on the number of issues.
There are also dashboards related to the AlienApps you have configured, which are visible if you have data for them.
Exporting Data from Dashboards
USM Anywhere allows you to export data from the dashboards as an HTML report.
To export data as a report
1. Display the dashboard you want a report for.
2. Click the export as report icon at the upper right-hand corner of the page.
3. Type a title for your report.
4. (Optional) Type a report description.
5. Click Export.
   A new tab opens in your browser displaying the report.
6. Click Print if you want to print your report or save it as a PDF.
Analyzing Alarms and Events
You will likely spend the most time reviewing and analyzing the network security of your environment
using the various options provided in the USM Anywhere web UI Activity menu. The Activity menu
provides the following submenu selections:
• Alarms — Shows all the alarms generated in USM Anywhere. You can also search and filter the
  displayed alarms as well as view details of specific alarms.
• Events — Displays all events that were processed or generated by USM Anywhere. You can also
  search and filter the displayed events as well as view details of specific events.
The Alarms Page Display
When you select the ACTIVITY > ALARMS menu option, the alarms main page opens in List View,
which simply lists alarms in reverse chronological order (the latest issued alarm is displayed first).
The middle portion of the page includes a bubble graph that provides a graphical representation of
alarms by intent. Blue circles indicate the number of times that an alarm with a given intent occurred. A
bigger circle indicates that a higher number of alarms were generated. You can mouse over each of the
circles to get the actual number for each type of intent. You can also change this representation
to a line graph of count/time and see the number of alarms by the time the alarm was created.
Alarms are sorted into the following categories, which are represented by the graphic icons in the
display:
• Delivery & Attack
• Environmental Awareness
• Exploitation & Installation
• Reconnaissance & Probing
• System Compromise
These categories are also consistent with the sequence or stages of events that an attacker might
follow to successfully infiltrate a network, gain unauthorized access to data, or perform some
malicious act.
Below the visually categorized display of alarms, there is a tabular listing of individual alarms, which
is ordered by default in a reverse chronological order. In addition, if you click on any of the blue
circles, USM Anywhere will display only the alarms corresponding to the selected circle. From the list
of alarms, you can click on any individual alarm row to open the information about the alarm. You can
then click the Full Detail link to display more information on the selected alarm, including individual
events that actually triggered the alarm.
The left section of the Alarms page display lets you search for and filter alarms that are displayed on
the Alarms page. Use filters to delimit your search; see Searching Alarms for further information.
The Events Page Display
When you select the ACTIVITY > EVENTS menu option, the events main page opens in List View,
which simply lists events in reverse chronological order (the latest event is displayed first).
The middle portion of the page includes a graph that provides a representation of events. You can
change this representation. The available options are Actions/User, Count/Time, Auth/User, or
Source Map.
The list view displays a table of individual events, by default in reverse chronological order. From the
list of events, you can click on any individual event row to open the information about the event. You
can then click the Full Detail link to display more information about the selected event.
The left section of the Events page display lets you search for and filter events that are displayed on
the Events page. Use filters to delimit your search; see Searching Events for further information.
Asset Management
This topic discusses the following subtopics:
• Asset Administration
• Asset Groups Administration
Asset Administration
Through USM Anywhere you can configure asset management according to your needs. Proper
asset management is necessary in order to make the most of the whole AlienVault USM Anywhere
functionality.
In USM Anywhere, an asset is a piece of equipment on the company's network that bears a unique
IP address. An asset can be a server, a router, a firewall, a printer, a PC or any other network-enabled device.
This topic discusses the following subtopics:
• Adding Assets
• Asset List View
• Searching for Assets
• Selecting Assets in Asset List View
• Running Asset Scans from Assets
• Running Authenticated Scans from Assets
• Scheduling Asset Scans
• Viewing Assets Details
• Managing Asset Fields
• Deleting the Assets
• Editing the Assets
• Exporting Data from Assets
Adding Assets
USM Anywhere provides different ways to add your assets:
• Asset Discovery
• Adding Assets by Using the Setup Wizard
• Adding Assets Manually through the UI
Asset Discovery
USM Anywhere discovers assets automatically if you have a cloud provider (AWS or Azure) or a
hypervisor management API (VMware ESX). After deploying the sensor, and applying the API
credentials, USM Anywhere discovers assets in these environments.
Adding Assets by Using the Setup Wizard
The Setup Wizard is always available on USM Anywhere. This wizard includes the initial tasks for
getting AlienVault USM Anywhere ready for deployment. As a result, the wizard collects as much
data as possible to analyze and identify threats in your environment.
There are two ways you add assets to monitor: you can scan your network using network ranges or
you can add assets manually.
Adding Assets Manually
The asset discovery option in the Setup Wizard allows you to add assets manually.
To add assets manually through the Setup Wizard
1. Go to the ASSET DISCOVERY step inside the Setup Wizard.
2. Type an asset name and IP Address or FQDN.
3. Click Save.
Adding Assets Through Scan Networks
The asset discovery option in the Setup Wizard allows you to scan networks.
1. Go to the ASSET DISCOVERY step inside the Setup Wizard.
2. Click Scan Networks.
3. Type a network name and a CIDR block to specify the subnet's IP address block that you want
   to scan.
4. Click Scan.
   Depending on the network range, this process can take more or less time.
   After the process finishes and the scan is completed, it displays the number of assets found.
   These assets are added to USM Anywhere. In addition, a dynamic asset group is created with
   these assets.
5. Click Scan Another to start a new scan or click Next to continue with the following step.
Adding Assets by Scanning Your Network
1. Navigate to SETTINGS > DEPLOYMENT.
   The Manage Sensors page displays.
2. Click the Wrench icon of the sensor you want to use to scan the network.
3. When the Asset Discovery popup window displays, click Yes to scan the network. This step may
   be different depending on the sensor you have installed.
   In AWS sensors this option is not available because the instances are discovered
   automatically.
   After the process finishes and the scan is completed, you can see the number of assets found.
   These assets are added to USM Anywhere. In addition, a dynamic asset group is created with
   these assets.
4. Click Scan Another to start a new scan or click Next to continue with the following step.
Adding Assets Manually through the UI
This feature allows you to add an asset manually. You have to know the IP addresses of the assets.
There are two ways of adding assets manually through the UI:
• The quick way, which only requires the asset name, an IP address or FQDN, and a sensor.
• The advanced way, which requires more data related to the asset you are adding.
To add a new asset in a quick way
1. Navigate to ENVIRONMENT > ASSETS.
2. Click Actions > Quick at the upper right-hand corner.
3. Type the asset name and the IP or FQDN in the boxes displayed above the asset list.
4. If you have more than one sensor connected, select the sensor from the pull-down menu.
5. Click Save.
To add a new asset in an advanced way
1. Navigate to ENVIRONMENT > ASSETS.
2. Click Actions > Advanced at the upper right-hand corner.
   A popup window displays.
3. Type the information in each field.
   Fields in the Create New Asset window
   Name - Name identifying the asset
   Description - A short description for the asset
   Sensor - This field displays if you have more than one sensor connected. Select the sensor you want to associate with the asset
   IP Address - IP address assigned to the asset
   MAC Address - MAC address assigned to the asset
   FQDN - Fully Qualified Domain Name
   Icon - Symbol that represents the asset
   Asset Type - Device type that identifies the asset. Select an option from the list; see USM Accepted Asset Types
   Prevent Remote Scanning - Select this field to avoid remote scanning
   Other Asset Fields - Asset fields the user has created
4. Click Save.
Asset List View
USM Anywhere provides a centralized view of your assets. Navigate to ENVIRONMENT >
ASSETS.
The assets page displays asset inventory and information on those assets. On the left you can find
the search and filter options. Across the top, you can see any filters you have applied, and you have
the option to create and select different views of the assets. The main part of the page is the actual
list of assets. Each row describes an individual asset.
List of the default Asset List fields
Asset Name - Name of the asset
FQDN - Fully Qualified Domain Name
IP Addresses - IP address(es) for the asset
Sensor - Sensor associated with the asset
Jobs - Number of scheduled scans
Asset Type - Device type that identifies the asset. Select an option from the list; see USM Accepted Asset Types
Alarms - Number of alarms detected on the asset
Events - Number of events related to the asset
Vulnerabilities - Number of vulnerabilities detected on the asset
Config Issues - Number of configuration issues related to the asset. This option is only available for AWS Sensors
Updated - Date on which the asset was updated. The displayed date depends on your computer's time zone
The padlock you can see next to the asset indicates whether the asset has a credential assigned or not.
Sort the asset information in ascending or descending order by clicking the arrows to the right side
of the heading, or select a menu option to the right of Sort.
Choose the view you want in Layout. You can see the assets in a list view or in a grid view.
Click the export as report icon to export assets. See Exporting Data from Assets for further
details.
Click Actions > Quick or Actions > Advanced to create a new asset. See Adding Assets Manually
through the UI for further details.
The Actions button includes more options. Select one or more assets (see Selecting Assets in Asset List
View) to activate these options:
• Delete selected, see Deleting the Assets for further details.
• Edit Fields, see To assign asset fields to a group of assets for further details.
• Assign Credentials, see Creating Credentials for Vulnerability Scans for further details.
• Set Sensor, see To assign a sensor to an asset or a set of assets for further details.
• Add to Asset Group, see Creating an Asset Group for further details.
• Manage Columns, see Configuring Columns for further details.
Check the box to the left of an asset to select that asset. You can select all assets at the same time by
checking the first box in the column.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star
icon on the secondary menu shows the bookmarked items and a link to them.
You can access the following options by clicking the Ellipsis icon next to the asset:
• Full Details, see Viewing Assets Details for more information.
• Configure Asset, see Editing the Assets for more information.
• Delete Asset, see Deleting the Assets for more information.
• Asset Scan. This option displays or not depending on the sensor associated with the asset. See
  Running Asset Scans from Assets for more information.
• Assign Credentials, see Creating Credentials for Vulnerability Scans for more information.
• Authenticated Scan. This option displays or not depending on the sensor associated with the
  asset. See Running Authenticated Scans from Assets for more information.
• Configuration Issues, see Configuration Issues Management for more information.
• Vulnerabilities, see Vulnerability Assessment for more information.
• Alarms, see Alarms Management for more information.
• Events, see Events Management for more information.
Configuring Columns
You can configure the columns/fields that display in the list and save your column configuration to
get back to it whenever you need it.
To save a column configuration
1. From the asset list view, click Actions > Manage Columns to open the Columns Configuration
   popup window.
2. Use the icons to move the items from one column to the other and select
   the columns you want to see.
3. Click Apply.
Views
Create a view configuration to keep your own column configuration and selected filters.
To create a configuration view
1. From the Asset list view, click Actions > Manage Columns.
2. Use the icons to move the items from one column to the other and select
   the columns you want to see.
3. Click Apply.
4. If you want to delimit the search, select the filters you want to apply.
5. Click the pull-down menu Save > Save as.
6. Type a name for the view and click Save.
To select a configured view
1. From the asset list view, click the pull-down menu next to Saved Views.
2. Select the view you want to see.
Selecting Assets in Asset List View
You can select several assets at the same time for export (see Exporting Data from Assets, on page
52), and/or you can use the options you find under the Actions button (see Asset List View, on page
34).
To select a single asset
• Select the check box to the left of the asset.
To select multiple assets
• Select the check box of each asset that you want to include.
• You can navigate to the next page and select more assets. Keep in mind that USM Anywhere
  does not preserve the selection on the previous page. If you want to select assets that are displayed
  on different pages, you can create an asset group; see Creating an Asset Group, on page
  55 for further information.
To select all the assets on the same page
• Select the check box in the first column of the header row.
To select all the assets returned from a search or all the assets in the system
1. Select all the assets on the page.
   Text similar to the following example appears above the asset table:
   All 20 assets on this page are selected. Select all 210 assets related to this filter
   where 210 is the number of assets in the system.
2. To select all the assets, click 210 assets.
Searching for Assets
You can either filter your search or type what you are looking for in the search box, in the upper left-hand corner of the assets page.
Searching Assets by Using Filters
USM Anywhere includes several filters by default. You can use filters to delimit your search. You can
configure filters by clicking the Filter icon. See To add or delete filters from the Search and
Filters area for further information.
Filters by default in the Assets page
Stats - Filter assets having events, alarms, vulnerabilities or configuration issues
Sensor - Filter assets by the associated sensor
Asset Origin Type - Filter assets by who added the asset to the system
Instance Type - (Only for AWS Sensor). Filter assets by AWS instance type
Region - (Only for AWS Sensor). Filter assets by AWS region
Operating System - Filter assets by operating system
Asset Type - Filter assets by asset type; see USM Accepted Asset Types
Service - Filter assets by service
Software - Filter assets by software
The number displayed in brackets next to each filter indicates the number of assets that
match the filter. You can also use the filter controls to organize your search
and filtered results. The icons below each filter have the following meanings:
Filters in the Assets page: icons below filters
• Toggle the ability to select multiple values as an OR statement
• View and toggle between the currently filtered item and other filtered items, without having to reset the search
• Toggle values with (0) matches
• Sort the information alphabetically
• Sort the filters by the number of items that match them
• Reset: resets to the default values
Across the top, you can see any filters you have applied. Remove filters by clicking the Close icon
next to the filter, or clear all filters by clicking the Clear All Filters link.
When applying filters, the search uses the logical AND operator if the used filters are
different. However, when the filter is of the same type, the search uses the logical
OR.
To search assets using a filter
1. Navigate to ENVIRONMENT > ASSETS.
2. Click on a filter.
   The result of your search displays with the assets identified.
Advanced Search on Assets
The advanced search option allows you to type one or more search values on selected fields.
Advanced Search Fields (first pull-down menu)
Name - Name of the asset
Description - Asset description
IP/CIDR - A method for allocating IP addresses and routing Internet Protocol packets; the range of IP addresses that defines the network
FQDN - Fully Qualified Domain Name
Device Type - Identify assets by device type
Operating Service - Identify assets by operating system
Service - Identify assets by service
Software - Identify assets by software
Alarm Counter - Identify assets by number of alarms
Event Counter - Identify assets by number of events
Vulnerability Counter - Identify assets by number of vulnerabilities
Configuration Issue Counter - Identify assets by number of configuration issues
Custom User Fields - Identify assets by the field(s) the user has created. If you have not created fields, this filter does not display
Advanced Search Fields (second pull-down menu)
> - Greater than
>= - Greater than or equal to
< - Less than
<= - Less than or equal to
Equal - Equal to
IP Range - Range of IP addresses
Like - Search for the specified pattern
Not Equal - Not equal to
Not Like - Does not match the specified pattern
To search assets using the advanced search
1. Navigate to ENVIRONMENT > ASSETS.
2. Click Add another filter below Advanced Search.
3. Select a field from the first pull-down menu.
4. Select an operator from the second pull-down menu.
5. Type the search value.
6. Click the Add another filter link if you want to add a new search.
7. Click the Plus icon.
8. Click the Apply icon.
   The result of your search displays with the assets identified.
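To make the filter and advanced-search semantics concrete, here is an added example (not AlienVault code) that models an Assets page search over a constructed inventory: sidebar filters of different types combine with AND, values ticked inside one filter combine with OR, and each advanced search row applies one operator from the table above. The asset records, the field names, the "first-last" spelling of an IP Range value, and the rule that advanced rows also AND together are assumptions made for this example.

```python
"""Added example, not AlienVault code: a small model of the Assets page search
semantics. Sidebar filters of different types combine with AND, values ticked
inside one filter combine with OR, and each advanced search row applies one
operator from the table (>, >=, <, <=, Equal, IP Range, Like, Not Equal,
Not Like). The asset records, the field names and the rule that advanced rows
also AND together are assumptions made here."""
import fnmatch
import ipaddress

# Constructed sample inventory for illustration (not real hosts).
ASSETS = [
    {"Name": "web-01", "IP": "10.0.1.10", "Operating System": "Linux",
     "Asset Type": "Server", "Sensor": "sensor-a",
     "Alarm Counter": 4, "Vulnerability Counter": 12},
    {"Name": "web-02", "IP": "10.0.1.11", "Operating System": "Linux",
     "Asset Type": "Server", "Sensor": "sensor-a",
     "Alarm Counter": 0, "Vulnerability Counter": 3},
    {"Name": "dc-01", "IP": "10.0.2.5", "Operating System": "Windows",
     "Asset Type": "Server", "Sensor": "sensor-b",
     "Alarm Counter": 1, "Vulnerability Counter": 7},
    {"Name": "printer-lobby", "IP": "10.0.3.20", "Operating System": "Other",
     "Asset Type": "Printer", "Sensor": "sensor-b",
     "Alarm Counter": 0, "Vulnerability Counter": 0},
]

NUMERIC_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def sidebar_match(asset, filters):
    """filters maps a sidebar filter name to the values ticked under it.
    Different filter types AND together; values inside one filter OR together,
    so an asset passes a filter when it matches any of the ticked values."""
    return all(asset.get(name) in values for name, values in filters.items())


def _in_ip_range(ip, spec):
    """'IP Range' operator with the value written as 'first-last' (assumed format)."""
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return first <= ipaddress.ip_address(ip) <= last


def clause_match(asset, field, op, value):
    """One advanced search row: <field> <operator> <value>, value typed as text."""
    if field == "IP/CIDR":
        if op == "IP Range":
            return _in_ip_range(asset["IP"], value)
        # Equal / Not Equal on a CIDR block is read as membership in that network.
        inside = ipaddress.ip_address(asset["IP"]) in ipaddress.ip_network(value, strict=False)
        return inside if op == "Equal" else not inside
    actual = asset.get(field)
    if op in NUMERIC_OPS:
        return NUMERIC_OPS[op](actual, float(value))
    if op == "Equal":
        return str(actual) == value
    if op == "Not Equal":
        return str(actual) != value
    # Like / Not Like: case-insensitive pattern anywhere in the field ('*' and '?' allowed).
    like = fnmatch.fnmatchcase(str(actual).lower(), "*%s*" % value.lower())
    if op == "Like":
        return like
    if op == "Not Like":
        return not like
    raise ValueError("unsupported operator: %r" % op)


def search_assets(assets, sidebar=None, advanced=()):
    """Return the names of assets that pass every sidebar filter and every
    advanced search row (rows are assumed to AND together, like the filters)."""
    hits = []
    for asset in assets:
        if not sidebar_match(asset, sidebar or {}):
            continue
        if all(clause_match(asset, f, op, v) for f, op, v in advanced):
            hits.append(asset["Name"])
    return hits


if __name__ == "__main__":
    # Linux OR Windows (same filter type), AND sensor-a (different filter type).
    print(search_assets(ASSETS, {"Operating System": ["Linux", "Windows"],
                                 "Sensor": ["sensor-a"]}))
    # Every host in 10.0.1.0/24 that still has open alarms.
    print(search_assets(ASSETS, advanced=[("IP/CIDR", "Equal", "10.0.1.0/24"),
                                          ("Alarm Counter", ">", "0")]))
```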
Managing Filters
There are many more filters available beyond those that are shown on the Assets page by default.
You can configure the filters you want to display.
To add or delete filters from the Search and Filters area
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Filter icon.
3. Use the icons to move the items from one column to the other, and then
   click Apply.
To save a filter configuration
1. From the asset list view, select the filters you want to see.
2. Click the pull-down menu Save > Save as.
3. Type a name for the view and click Save.
If you have changed the configuration of the asset columns, this configuration
is also saved together with the filter configuration. See Views.
Running Asset Scans from Assets
You can run scans on individual assets.
This option is available only if the sensor associated with the asset supports it.
To run an asset scan from Assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon next to the asset you want to scan, select Full Details, and then click
   Actions > Asset Scan.
3. Choose between DISCOVERY for known ports and services or COMPLETE for all TCP and
   UDP ports.
4. Click Scan.
5. In the asset details page, click the Scan History tab in the table area to display the results of the
   scan. You can see the status of each scan and its details.
Creating Scan Jobs
Use an asset scan to discover hosts and services in the deployed network. To accomplish this goal,
the scanner sends crafted packets to the target asset and analyzes the responses. This is not an
authenticated scan.
To create a scan job
1. Navigate to SETTINGS > SCHEDULER.
2. Click Asset Scans on the left navigation panel.
   The job scheduler page displays.
3. Click Create Scan Job.
4. Type the name and the description.
5. Select a sensor if you have more than one installed.
6. In the Select App field, select Asset Scanner.
7. In the App Action field, the Scan option is the default.
8. In the Asset field, type in the asset you want to scan. The option Select from List is available to
   search for the assets you want to scan.
9. Select the Scan Profile you want to run. The options are Discovery or Complete.
10. In the Schedule field, schedule a scan to run at a set frequency. The options are Minute, Hour,
    Day, Week, Month, and Year. Depending on your selection, you will have different options to
    configure the frequency.
11. Click Save.
    The job now displays in the list.
12. Click the Enabled icon or the Disabled icon to enable or disable the job.
Running Authenticated Scans from Assets
An authenticated asset scan verifies scanned IPs and detects vulnerabilities. Log in as administrator
or root to perform an authenticated scan. See Creating Credentials for Vulnerability Scans for
further information.
Keep in mind that an authenticated scan may fail if the local mail exchanger, which
applies to Linux hosts, is enabled in the target asset.
Asset Scan Credentials and Escalation Options
Linux, BSD, Solaris, or Mac OS X - SSH password or public key authentication; escalation: sudo or su
Cisco IOS - SSH password; escalation: enable password
Windows - Windows username and password through Windows Remote Management; escalation: None
To run an authenticated asset scan from Assets
1. Do one of the following:
   • Click the Ellipsis icon next to the asset you want to scan, select Full Details, and then
     click Actions > Authenticated Scan.
   • Click the Ellipsis icon next to the asset you want to scan and select Authenticated Scan
     to start the asset scan directly. If the option is not enabled, you will need to add a credential; see To create a new credential.
2. In the asset details page, click the Scan History tab in the table area to display the results of the
   scan. You can see the status of each scan and the details, which inform you if the scan is unsuccessful due to bad credentials or a connectivity issue between the sensor and the asset you are
   attempting to scan.
   You can see the vulnerabilities that the scan has found below the Vulnerabilities Events tab.
Scheduling Asset Scans
USM Anywhere provides a simple way to include both remote and authenticated scans for
scheduling using its web UI.
To schedule a job from the asset details window
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon located next to the asset you want to include in an asset scan and
   select Full Details.
3. Click Actions > Schedule Scan Job.
   This option can display inactive if you have not assigned a credential to the
   asset.
4. Type a name for the job and a description.
5. Select an App.
   Keep in mind that depending on the App you select, the App Action will be
   different.
6. In the Schedule field, schedule a scan to run at a set frequency. The options are Minute, Hour,
   Day, Week, Month, and Year. Depending on your selection, you will have different options to
   configure the frequency.
7. Click Save.
   The job now displays in the list.
8. Click the Enabled icon or the Disabled icon.
Viewing Assets Details
To view the details of an asset
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon ( ) located close to the asset whose details you want to review.
3. Select Full Details.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon ( ) on the secondary menu shows the bookmarked items and a link to them.
On the upper left side of the page, you see the name and IP address, along with other fields that describe the particular asset.
On the right, you see the status summary for your asset. It displays the total number of alarms, events, vulnerabilities, and configuration issues. The circle displays in orange for alarms and configuration issues, blue for events, and red for vulnerabilities. The number inside each circle indicates the number of alarms, events, vulnerabilities, or configuration issues for the asset. You can click each circle to explore its information.
Configuration Issues are only available for AWS Sensors.
Below the status summary, you can see whether the asset has an associated credential and any scheduled job(s).
At the bottom, there is a table area with tabs, some of which correspond to the circles. Each tab contains a table with records, if present, for your asset.
Asset Details view tab description
Tab | Information Shown
Asset Groups | Asset groups in which the asset is included
Software | Software installed on the asset
Services | Services available on the asset
Plugins | Plugins enabled for the asset
Alarms | Alarms related to the asset. Click View to go to the details of the alarm
Events | Events related to the asset. Click View to go to the details of the event
Vulnerabilities | Vulnerabilities related to the asset. You can filter the active or inactive vulnerabilities by clicking the specific radio button. Click View to go to the details of the vulnerability
Configuration Issues | Information about operational processes. You can filter the active or inactive configuration issues by clicking the specific radio button. Click View to go to the details of the configuration issue
Scan History | List of the asset scans already run. It includes a time-stamp of the scan, the scan type, the status, and the details of each scan
On the upper right side of the page is the Actions button. Use this button to perform actions on the asset. These consist of:
• Configure Asset, see Editing the Assets for further details.
• Delete Asset, see Deleting the Assets for further details.
• Add to Asset Group, see Creating an Asset Group for further details.
• Asset Scan. Whether this option displays depends on the sensor associated with the asset. See Running Asset Scans from Assets for further details.
• Authenticated Scan, see Running Authenticated Scans from Assets for further details.
• Assign credentials, see Creating Credentials for Vulnerability Scans for further details.
• Schedule Scan Job, see Scheduling Asset Scans for further details.
Managing Asset Fields
All assets include several fields for identifying and classifying each asset. You can add the fields you need, modify them, or delete them when you no longer need them.
It is not possible to modify or delete the fields that are system defaults.
Creating Asset Fields
To create an asset field
1. Navigate to SETTINGS > SYSTEM.
2. Click Asset Fields on the left navigation panel.
   The asset fields page displays.
3. Click New Asset Field.
4. Type a display name.
5. Optionally, type a description.
6. Select a display priority. You can choose Summary, Detail, or Hidden. Choose Hidden if you do not want to see this field in the details of the assets; for instance, use Hidden for fields that exist only for event correlation or event suppression.
7. Select a type. See the options in the table below:
Options in the Type field (Create an asset field)
Denomination | Description
Text | Text in the default field.
Select | Type the choices. You can add more than one by clicking the Plus icon (+).
Numeric | Type a number to identify the field. You can use the icon ( ) to increase or decrease the number.
IP | Type an IP address.
Boolean | Select one of the options: No Default, True, or False.
8. Click Save.
Modifying Asset Fields
To modify an asset field
1. Navigate to SETTINGS > SYSTEM.
2. Click Asset Fields on the left navigation panel.
   The asset fields page displays.
3. Search for the asset field you want to modify. You can filter the search by name, user, priority, and type of field.
4. Click the Edit icon ( ) that displays in the line of the asset field you want to modify. This icon displays only for editable fields, that is, fields that are not system defaults.
5. Modify the information you need to.
6. Click Save.
Deleting Asset Fields
To delete an asset field
1. Navigate to SETTINGS > SYSTEM.
2. Click Asset Fields on the left navigation panel.
   The asset fields page displays.
3. Search for the asset field you want to delete. You can filter the search by name, user, priority, and type of field.
4. Click the Delete icon ( ).
   A popup window displays to confirm the deletion.
5. Click Accept to confirm.
Assign Asset Fields to a Group of Assets
To assign asset fields to a group of assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Select the assets. For assistance, see Selecting Assets in Asset List View.
3. Select Actions > Edit Fields.
4. Select the asset fields you want to assign to the selected assets.
5. Click Save.
Displaying Asset Fields from Assets
To display asset fields
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon ( ) located close to the asset whose asset fields you want to review and select Full Details.
3. Click More... below the main data of the asset.
Deleting the Assets
To delete an asset from the list view
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon ( ) located close to the asset you want to delete and select Delete Asset.
   A popup window displays to confirm the deletion.
3. Click Delete to delete the asset.
To delete an asset from the Configure Asset popup window
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon ( ) located close to the asset you want to delete and select Configure Asset.
3. Click Delete.
   A popup window displays to confirm the deletion.
4. Click Delete to delete the asset.
To delete an asset from the asset details page
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon ( ) located close to the asset you want to delete and select Full Details.
3. Click Actions > Delete Asset.
   A popup window displays to confirm the deletion.
4. Click Delete to delete the asset.
To bulk delete assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Select the assets you want to delete. For assistance, see Selecting Assets in Asset List View.
3. Click Actions > Delete Selected.
   A popup window displays to confirm the deletion.
4. Click Delete.
Editing the Assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon ( ) located close to the asset whose details you want to edit and select Configure Asset.
3. Modify the data you need to.
Field descriptions for the Edit Asset Details page
Field Name | Description
Name | Name identifying the asset. This field is required
Description | A short description for the asset
Sensor | Sensor to associate with the asset
IP Address | IP address assigned to the asset
MAC Address | MAC Address assigned to the asset
FQDN | Fully Qualified Domain Name
Icon | Symbol that represents the asset
Asset Type | Device type that identifies the asset. Select an option from the list, see USM Accepted Asset Types
Other Asset Fields | Asset fields created by the user
4. Click Save.
USM Accepted Asset Types
Asset Type Name | Description
General purpose | General purpose operating systems like Linux and Windows.
Bridge | A bridge combines two or more subnetworks into one. With a bridge this happens at a lower level than with a router. This category also includes things like Ethernet-to-serial bridges.
Broadband router | Devices in this category connect a network to the Internet through cable, ADSL, and fiber optics. Some of these devices provide network address translation, a firewall, port forwarding, or other services.
Firewall | A firewall controls what traffic is allowed into or out of a network. Some also have additional capabilities. This category does not include general-purpose operating systems that happen to come with a firewall, but it does include OS distributions purpose-built to work only as a firewall.
Game console | A video game console like the Xbox or PlayStation.
Hub | A hub joins network segments by re-broadcasting all traffic. Hubs are distinct from switches, which selectively transmit packets only to relevant destinations.
Load balancer | A device that distributes inbound traffic to multiple devices to ease the load on those devices.
Media device | This category includes all kinds of audiovisual equipment, including portable music players, home audio systems, TVs, and projectors.
PBX | A private branch exchange, or PBX, routes telephone calls within a private organization and connects them to the public telephone network or VoIP.
PDA | A handheld computer. Devices that are also telephones go in the "phone" category.
Phone | A network-capable telephone that is not a VoIP phone. Devices in this category are typically mobile phones.
Power-device | Miscellaneous power devices like uninterruptible power supplies and surge protectors.
Printer | Network-enabled printers, including printers with an embedded print server.
Print server | A print server connects a printer to a network. Printers that contain their own print server go in the "printer" category instead.
Proxy server | Any kind of proxy, including web proxies and other servers that cache data or understand high-level protocols.
Remote management | Devices that allow servers or other equipment to be monitored or managed remotely.
Router | Routers connect multiple networks. They are distinct from hubs and switches because they route packets between different networks as opposed to extending one network.
Security-misc | Any security device that doesn't fall into the "firewall" category belongs in this category. This includes intrusion detection and prevention systems.
Specialized | The catch-all category. If a device doesn't fall into one of the other categories, it is specialized. Examples in this category are diverse and include such things as clocks, oscilloscopes, climate sensors, and more.
Storage-misc | Data storage devices like tape decks and network-attached storage appliances.
Switch | A device that extends a network by selectively re-broadcasting packets. Switches are distinct from hubs, which broadcast all packets.
Telecom-misc | Devices used by telephone systems that are not PBXs, like voicemail and ISDN systems.
Terminal | A device with a keyboard and monitor with the primary purpose of communicating directly with a terminal server or mainframe.
Terminal server | A device providing terminal facilities to clients over a network.
VoIP adapter | A device that converts between voice over IP (VoIP) protocols and normal telephone traffic. It may also convert between different VoIP protocols.
VoIP phone | A phone capable of a VoIP protocol.
WAP | Wireless access points offer a wireless connection to a network. Most work with radio technology like 802.11b but some use infra-red or something else. Devices that could also be put in another category, like wireless broadband routers, are put in the WAP category because WAPs require special network considerations.
Webcam | Any kind of camera that stores or transmits pictures or video. This includes everything from consumer webcams to security system cameras.
Exporting Data from Assets
You can export assets to a CSV or HTML file for later analysis.
To export assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Select the asset(s) you want to export. For assistance, see Selecting Assets in Asset List View.
3. Click the export as report icon ( ) at the upper right-hand corner of the page.
4. Type a report name.
5. (Optional) Type a report description.
6. Choose the export format, CSV or HTML.
   If you choose CSV, your browser downloads the exported file automatically.
   If you choose HTML, a new tab in your browser opens, displaying the report. You can print it by clicking Print, or you can save it as PDF.
7. Choose the number of records to export.
8. If you have chosen the HTML format, you will see the Graphs section. Use this section to include additional views. Select the graph you want to include in the report and click the right arrow icon ( ).
9. Click Save & Run.
   You can view export reports again through the option REPORTS > DATA EXPORT HISTORY. See Data Export History for further information.
Asset Groups Administration
Asset groups are administratively created objects that group similar assets for specific purposes. Assets are grouped based on IP addresses, and USM Anywhere monitors these groups. Grouping based on IP addresses allows for easier search and management of assets.
This topic discusses the following subtopics:
• Creating an Asset Group
• Asset Group List View
• Searching for Asset Groups
• Running Asset Scans from Asset Groups
• Running Authenticated Scans from Asset Groups
• Configuring an Asset Group
• Viewing Asset Group Details
• Deleting an Asset Group
Creating an Asset Group
USM Anywhere supports static and dynamic asset groups. A static group consists of assets that you manually assign to the group. A dynamic group is defined using rules which automatically add or remove assets from the group, based on the criteria you have defined.
By default, AlienVault creates the following dynamic asset groups:
• Assets with Alarms — Asset group containing assets with alarms.
• Assets with Vulnerabilities — Asset group containing assets with vulnerabilities.
• Database Servers — Asset group containing database servers.
• Linux Assets — Asset group containing Linux systems.
• Web Servers — Asset group containing web servers.
• Windows Assets — Asset group containing Windows systems.
USM Anywhere also creates a default asset group for each AWS Sensor Elastic Load Balancing (ELB) instance in your environment. The AWS Sensor ELB group includes the ELB instance and any AWS Sensor EC2 instance connected to the load balancer and registered with the ELB service. USM Anywhere automatically discovers and enables you to collect ELB access logs if you have ELB access logging enabled.
Add Assets to Group
To create a static asset group from the assets main window
1. Navigate to ENVIRONMENT > ASSETS.
2. Check the box to the left of the assets you want to group. You can select all assets at the same time by checking the first box in the column.
3. Click Actions > Add to Asset Group.
4. Select a tab:
   • Create new group. Type a name for identifying the asset group and, optionally, type a description.
   • Add to existing group. Search for the asset group to which you want to add the selected assets.
5. Click Save.
Creating a Static Asset Group
To create a static asset group from the asset groups main window
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click Actions > Static.
3. Type the name of the asset group. This field is required.
4. Optionally, type a description for identifying this group.
5. Search for the assets you want to add to the group and click Add Asset or Scan Network.
   If you click Scan Network, type the name for a network and the CIDR block to specify the subnet's IP address block that you want to scan.
6. You can also delete assets from the group by clicking the Delete icon ( ). You can view a specific asset by clicking the View icon ( ).
   Use the Cancel button to discard the changes.
7. Click Save.
Creating a Dynamic Asset Group
To create a dynamic asset group from the asset groups main window
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click Actions > Dynamic.
3. Type the name of the asset group. This field is required.
4. Optionally, type a description for identifying this group.
5. Add the search criteria for the assets you want to be part of this group.
6. Click Apply Criteria.
7. Click Save.
You can also add a dynamic asset group from the Setup Wizard, by scanning a
network.
Asset Group List View
USM Anywhere provides a centralized view for managing your asset groups. This view is at ENVIRONMENT > ASSET GROUPS. It has the same look and feel as the asset list view, and the functionalities are the same as well. The difference is that in this view you are managing asset groups instead of assets.
The asset groups page displays the asset groups inventory and information on those asset groups. On the left you can find the search and filter options. Across the top, you can see any filters you have applied, and you have the option to create and select different views of the asset groups. The main part of the page is the actual list of asset groups. Each row describes an individual asset group.
USM Anywhere creates static and dynamic asset groups by default (see Creating an Asset Group, on page 55).
Asset Group List field descriptions
Column / Field Name | Description
Group Name | Name of the group
Group Description | Text identifying the group
Assets | Number of assets in the group
Asset Grouping | Type of asset grouping: static or dynamic
Created | Exact date of creation of the asset group. The displayed date depends on your computer's time zone
Sort the asset information in ascending or descending order by clicking the arrows to the right side of the heading, or select a menu option to the right of Sort.
Click the export as report icon ( ) to export asset groups. The management of this feature is similar to the one for assets; see Exporting Data from Assets, on page 52 for further details.
Click Actions > Static or Actions > Dynamic to create an asset group. See Creating a Static Asset Group, on page 55 and Creating a Dynamic Asset Group, on page 56 for further details.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon ( ) on the secondary menu shows the bookmarked items and a link to them.
Use the Ellipsis icon ( ) next to each asset group to access these options:
• Full Details, see Viewing Asset Group Details, on page 65 for more information.
• Configure Asset Group, see Configuring an Asset Group, on page 64 for more information.
• Delete Asset Group, see Deleting an Asset Group, on page 66 for more information.
• Asset Group Scan, see Running Asset Scans from Asset Groups, on page 61 for more information.
• Assign Credentials, see Creating Credentials for Vulnerability Scans, on page 120 for more information.
• Authenticated Scan, see Performing Vulnerability Scans, on page 123 for more information.
• Configuration Issues, see Configuration Issues Management, on page 88 for more information.
• Vulnerabilities, see Vulnerability Assessment, on page 118 for more information.
Views
You can configure the view you want for the list of asset groups. Create a view configuration to save your own selection of filters.
To create a configuration view
1. From the Asset Groups list view, select the filters you want to apply.
2. Click the pull-down menu Save > Save as.
3. Type a name for the view and click Save.
To select a configured view
1. From the asset groups list view, click the pull-down menu next to Saved Views.
2. Select the view you want to see.
Searching for Asset Groups
You can either filter your search, or type what you are looking for in the search box in the upper left-hand corner of the asset groups page.
Searching Asset Groups by Using Filters
USM Anywhere includes several filters by default. You can use filters to narrow your search. You can configure filters by clicking the Filter icon ( ). The management of filters is similar to the one for assets; see Managing Filters, on page 41.
Filters by default in the Asset Groups page
Filter Name | Meaning
Asset Grouping | Identify asset groups by 'Static' and 'Dynamic'
Advanced Search | Use this filter for searching a specific value of a field
Asset Origin Type | Identify asset groups by who added the asset group to the system
Instance Type | (Only for AWS Sensor). Filter asset groups by AWS instance type
Region | (Only for AWS Sensor). Filter asset groups by AWS region
Operating System | Identify asset groups by Operating System
Asset Type | Identify asset groups by asset type, see USM Accepted Asset Types, on page 51
Service | Identify asset groups by service
Software | Identify asset groups by software
Keep in mind that the 'Enter search phrase' field and the 'Asset Grouping' filter search the asset groups themselves. The rest of the filters search the members of the asset groups. As long as at least one member of an asset group matches the selected filter, USM Anywhere displays the asset group, even if only that one member matches.
The number displayed in brackets next to each filter indicates the number of asset groups that match the filter. You can also use the filter controls to organize your search and filtered results. The icons below each filter consist of the following.
Filters in the Asset Groups page: Icons Below Filters
Icon | Meaning
( ) | Toggle the ability to select multiple values as an OR statement
( ) | View and toggle between the currently filtered item and other filtered items. You do not have to reset the search
( ) | Toggle values with (0) matches
( ) | Sort the information alphabetically
( ) | Sort the filters by the number of items that match them
Reset | Resets to the default values
Across the top, you can see any filters you have applied. Remove filters by clicking the Close icon ( ) next to the filter, or clear all filters by clicking the Clear All Filters link.
When applying filters, the search uses the logical AND operator if the filters used are different. However, when the filters are of the same type, the search uses the logical OR.
To search asset groups using a filter
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click on a filter.
The result of your search displays with the asset groups identified.
The functionality of advanced search is similar to the one for assets. See Advanced Search on
Assets, on page 40 for more information.
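The filter semantics described above (search phrase and Asset Grouping evaluated at group level, the remaining filters satisfied by any single member, AND across different filters and OR within one filter, and the bracketed count next to each filter value), as an added Python model that is not part of the guide or of the product. The field layout, the sample groups, and the assumption that each member-level filter is checked independently of the others are constructed for illustration.

```python
# Added example (not from the USM Anywhere guide): a small model of how the
# Asset Groups page combines the search box and the filters described above.
# The group/member field layout and the sample data are constructed.
from collections import defaultdict
from typing import Dict, List

# Filters that apply to the asset group itself; every other filter is
# evaluated against the group's member assets.
GROUP_LEVEL_FILTERS = {"Asset Grouping"}


def group_matches(group: dict, phrase: str, filters: Dict[str, List[str]]) -> bool:
    """Return True if the asset group should be listed.

    - The search phrase is matched against the group's own name and description.
    - Values selected within one filter are combined with OR.
    - Different filters are combined with AND.
    - A member-level filter is satisfied as soon as any single member has a
      matching value. Assumption: each member-level filter is checked
      independently, so different filters may be satisfied by different members.
    """
    if phrase:
        haystack = (group["name"] + " " + group.get("description", "")).lower()
        if phrase.lower() not in haystack:
            return False
    for name, values in filters.items():
        if not values:  # no value selected for this filter: no constraint
            continue
        wanted = set(values)  # OR within the same filter
        if name in GROUP_LEVEL_FILTERS:
            if group.get(name) not in wanted:
                return False  # AND across filters
        elif not any(m.get(name) in wanted for m in group["members"]):
            return False
    return True


def search_asset_groups(groups, phrase="", filters=None):
    """Names of the asset groups the page would display for this search."""
    filters = filters or {}
    return [g["name"] for g in groups if group_matches(g, phrase, filters)]


def filter_counts(groups, phrase=""):
    """The bracketed number next to each filter value: how many asset groups
    match that value on its own (together with the current search phrase)."""
    candidates = defaultdict(set)
    for g in groups:
        candidates["Asset Grouping"].add(g["Asset Grouping"])
        for m in g["members"]:
            for field, value in m.items():
                candidates[field].add(value)
    counts = {}
    for field, values in candidates.items():
        for value in values:
            counts[(field, value)] = len(
                search_asset_groups(groups, phrase, {field: [value]}))
    return counts


# Constructed sample inventory: three groups with a few member assets each.
SAMPLE_GROUPS = [
    {"name": "Web Servers", "description": "Asset group containing web servers",
     "Asset Grouping": "Dynamic",
     "members": [
         {"Operating System": "Linux", "Service": "http", "Software": "nginx"},
         {"Operating System": "Windows", "Service": "http", "Software": "IIS"},
     ]},
    {"name": "Database Servers",
     "description": "Asset group containing database servers",
     "Asset Grouping": "Dynamic",
     "members": [
         {"Operating System": "Linux", "Service": "mysql", "Software": "MariaDB"},
     ]},
    {"name": "Lab Hosts", "description": "Manually curated lab machines",
     "Asset Grouping": "Static",
     "members": [
         {"Operating System": "Windows", "Service": "rdp", "Software": "IIS"},
     ]},
]

if __name__ == "__main__":
    # One Windows member is enough for "Web Servers" to be listed.
    print(search_asset_groups(SAMPLE_GROUPS, filters={"Operating System": ["Windows"]}))
    # Different filters are ANDed; values of the same filter are ORed.
    print(search_asset_groups(SAMPLE_GROUPS,
                              filters={"Operating System": ["Windows"], "Service": ["rdp"]}))
    print(search_asset_groups(SAMPLE_GROUPS, filters={"Service": ["mysql", "rdp"]}))
    print(filter_counts(SAMPLE_GROUPS)[("Operating System", "Windows")])
```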
Searching Asset Groups by Using the Search Box
To search asset groups using the search box
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Type your search.
3. Click the Magnifying Glass icon ( ).
   The result of your search displays with the asset groups identified.
Running Asset Scans from Asset Groups
To run an asset group scan from Asset Groups
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) next to the asset group you want to scan and select Asset Group Scan.
3. Choose between DISCOVERY for known ports and services or COMPLETE for all TCP and UDP ports.
4. Click Scan.
5. In the asset group details page, click the Scan History tab in the table area to display the results of the scan. You can see the status of each scan and its details.
Creating Scan Jobs
Use an asset group scan to discover hosts and services in the deployed network. To accomplish this goal, the scanner sends crafted packets to the target asset group and analyzes the responses. This is not an authenticated scan.
To create a scan job
1. Navigate to SETTINGS > SCHEDULER.
2. Click Asset Group Scans on the left navigation panel.
   The job scheduler page displays.
3. Click Create Scan Job.
4. Type the name and the description.
5. Select a sensor, in case you have more than one installed.
6. In the Select App field, select Asset Scanner.
7. In the App Action field, the Asset Group Scan option is the default.
8. In the Asset Group field, type the asset group you want to scan. The Select from List option is available to search for the asset groups you want to scan.
9. Select the Scan Profile you want to run. The options are Discovery or Complete.
10. In the Schedule field, schedule a scan to run at a set frequency. The options are Minute, Hour, Day, Week, Month, and Year. Depending on your selection, you will have different options to configure the frequency.
11. Click Save.
   The job now displays in the list.
12. Click the Enabled icon ( ) or the Disabled icon ( ).
Running Authenticated Scans from Asset Groups
An authenticated asset scan verifies scanned IPs and detects vulnerabilities. Log in as administrator or root to perform an authenticated scan. See Creating Credentials for Vulnerability Scans for further information.
Keep in mind that an authenticated scan may fail if the local mail exchanger, which applies to Linux hosts, is enabled in the target asset.
Asset Scan Credentials and Escalation Options
Operating System | Method and Credentials | Escalation
Linux, BSD, Solaris, or Mac OS X | SSH password or public key authentication | sudo or su
Cisco IOS | SSH password | enable password
Windows | Windows username and password through Windows Remote Management | None
To run an authenticated asset scan from Asset Groups
1. Navigate to ENVIRONMENT > ASSET GROUPS.
   • Click the Ellipsis icon ( ) next to the asset group you want to scan, select Full Details, and then click Actions > Authenticated Scan.
   or
   • Click the Ellipsis icon ( ) next to the asset group you want to scan and select Authenticated Scan to directly start the asset group scan. If the option is not enabled, you will need to add a credential; see To create a new credential.
2. In the asset group details page, click the Scan History tab in the table area to display the results of the scan. You can see the status of each scan and its details, which inform you whether the scan has been successful or not. You can also click a line to expand the asset group row and check the individual asset results.
   Click Debug Log to download the zip file:
   • If you click the Debug Log button located in the asset group job row, the downloaded file will include one file per scanned asset.
   • If you click the Debug Log button located in the individual asset results, the downloaded file will include the information for just that asset.
You can see the vulnerabilities that the scan has found under the Vulnerabilities Events tab.
Configuring an Asset Group
Configuring a Static Asset Group
To configure a static asset group
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) located close to the static asset group you want to configure and select Configure Asset Group.
3. Modify the name of the asset group if you need to. This field is required.
4. Modify the description if you need to. This field is optional.
5. You can add search criteria to the group. Click Apply Criteria if you want to add the searched criteria.
6. You can also modify or delete assets from the group by clicking the Edit icon ( ) or the Delete icon ( ).
   Use the Delete button to delete the group.
   Use the Cancel button to discard the changes.
7. Click Save.
Configuring a Dynamic Asset Group
To configure a dynamic asset group
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) located close to the dynamic asset group you want to configure and select Configure Asset Group.
3. Modify the name of the asset group if you need to. This field is required.
4. Modify the description. This field is optional.
5. Search for the assets you want to add to the group and click Add Asset or Scan Network.
   If you click SCAN NETWORK, type the name of a network and the CIDR block to specify the subnet's IP address block that you want to scan.
6. You can also delete assets from the group by clicking the Delete icon ( ). You can view a specific asset by clicking the View icon ( ).
   Use the Cancel button to discard the changes.
   Use the Delete button to delete the group.
7. Click Save.
Viewing Asset Group Details
From the Asset Group List view, you can display the details of an asset group.
To view the details of an asset group
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) close to the asset group whose details you want to view.
3. Select Full Details.
In the asset group details, on the upper left side of the page, you see the name, the description, the type of grouping, the number of assets that are part of that group, and the grouping criteria.
On the right, you see the status summary for your asset group. It displays the total number of configuration issues, vulnerabilities, alarms, and events. The circle displays in orange for alarms and configuration issues, blue for events, and red for vulnerabilities. There is a number inside each circle to indicate the number of alarms, events, vulnerabilities, and configuration issues associated with the members of the asset group. You can click each circle to explore its information.
Configuration Issues are only available for AWS Sensors.
At the bottom, there is a table area with tabs, some of which correspond to the circles. Each tab contains a table with records, if present, for your asset group.
Asset Groups Details view tab description
Tab | Information Shown
Assets | Assets that are part of the group. Click View to go to the details of the asset
Software | Software installed on the assets of the group
Services | Services available on the assets of the group
Alarms | Alarms related to the assets of the group. Click View to go to the details of the alarm
Events | Events related to the assets of the group. Click View to go to the details of the event
Vulnerabilities | Vulnerabilities related to the assets of the group. You can filter the active or inactive vulnerabilities by clicking the specific radio button. Click View to go to the details of the vulnerability
Configuration Issues | Information about operational processes. You can filter the active or inactive configuration issues by clicking the specific radio button. Click View to go to the details of the configuration issue
History | Additions and removals to the group
Scan History | List of the asset scans already run. It includes a time-stamp of the scan, the scan type, the status, and the details of each scan.
The Actions button, located on the upper right side of the page, gives you access to the following options:
• Configure Asset Group, see Configuring an Asset Group, on page 64 for further details.
• Delete Asset Group, see Deleting an Asset Group, on page 66 for further details.
• Edit Fields. This option is similar to the one for Assets, see To assign asset fields to a group of assets, on page 48 for further details.
• Assign Credentials to Group Members. This option assigns credentials to the members of the asset group. This option is similar to the one for Assets, see Creating Credentials for Vulnerability Scans, on page 120 for further details.
• Set Sensor, see To assign a sensor to an asset group, on page 132.
• Asset Group Scan. This option is similar to the one for Assets, see Running Asset Scans from Assets, on page 42.
• Assign Credentials. This option assigns credentials to current members of the Asset Group and to Assets added to the group later.
• Authenticated Scan. This option is similar to the one for Assets, see Running Authenticated Scans from Assets, on page 43.
• Schedule Scan Job. This option is similar to the one for Assets, see Scheduling Asset Scans, on page 44 for further details.
Deleting an Asset Group
There are two ways to delete an asset group:
• From the asset groups list view
• From the edit asset group details page
To delete an asset group from the list view
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) located closest to the asset group you want to delete.
3. Select Delete Asset Group.
A popup window displays to confirm the deletion.
4. Click Delete.
To delete an asset group from the edit asset group details page
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) located closest to the asset group you want to delete and select Full Details.
3. Click Actions > Delete Asset Group.
A popup window displays to confirm the deletion.
4. Click Delete.
Alarms Management
About Alarms
An alarm in USM Anywhere consists of one or more events, based on one of the following:
• One or more rules performed by the correlation engine of USM Anywhere, which analyzes these events for behavioral patterns. These rules look at and connect events to assess their priority and reliability. When the engine identifies a pattern, it generates an alarm, which requires attention and investigation. See Correlation Rules, on page 115 for more information.
• One orchestration rule, which is designed to raise an alarm when a particular type of event is found. See Orchestration Rules, on page 98 for more information.
USM Anywhere allows you to drive actions in response to incoming alarms. Perhaps the most common action is sending an email to administrators to provide real-time notification of a critical security incident. You can set which users receive alarm notifications in the configuration of each user.
See The Alarms Page Display, on page 28 for further information.
This topic discusses the following subtopics:
• Alarms List View, on page 69
• Searching Alarms, on page 71
• Viewing Alarm Details, on page 73
• Suppressing/Unsuppressing Alarms Generating the Event, on page 75
• Exporting Alarms, on page 76
Alarms List View
AlienVault USM Anywhere provides a centralized view of your alarms. Navigate to ACTIVITY >
ALARMS.
The alarms page displays information on alarms. On the left you can find the search and filters
options. Across the top, you can see any filters you have applied, and you have the option to create
and select different views of the alarms. The main part of the page is the actual list of alarms. Each
row describes an individual alarm and includes a check box on the left side of each one for selecting
it. You can select all alarms on the same page by clicking the check box in the first column of the
header row.
List of the default columns in Alarms
Column / Field Name: Description
Intent: Describes the attack pattern of indicators intruding on your system.
Strategy: Type of attack.
Method: If known, the method of attack or infiltration associated with the indicator that generated the alarm.
Time Created: The date and time of the creation of the alarm. The displayed date depends on your computer's time zone.
OTX: Indicates whether it is an OTX alarm or not. If the icon is active, click on it to go to the OTX site.
Sources: Hostname or IP address of the source, with national flag if the country is known, for an event creating the alarm.
Labels: Label(s) applied to the alarm.
Destinations: Hostname or IP address of the destination, with national flag if the country is known, that received the events generating the alarm.
Sensors: Sensor associated with the alarm.
Priority: Impact of the detected attack. Can be Low, Medium, or High. See Priority Field for Alarms for more information.
You can configure the view you want for the list of alarms, see Views for more information.
Click the export as report icon ( ) to export alarms. See Exporting Alarms for further details.
The graph above the alarms list displays the alarms by intent. You can change the displayed period
of time by clicking the Created during filter.
Click this button to change the graph to a Count/Time view, which provides a chart that shows the number of issues over a period of time.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon ( ) on the secondary menu shows the bookmarked items and a link to them.
You can also set the number of alarms shown per page by selecting either 20, 50, or 100 below the alarms result table. Sort the alarm information in ascending or descending order by clicking the arrows to the right side of the column heading.
Configuring Columns
You can configure the columns/fields that display in the list and save your columns configuration to
get back to it whenever you need it.
To save a columns configuration
1. From the list view, click the Manage Columns icon ( ) to open the Columns Configuration popup window.
2. Use the icons ( ) and ( ) to move items from one column to the other and select the columns you want to see.
3. Click Apply.
Views
Create a view configuration for having your own configuration columns and selected filters.
To create a configuration view
1. From the alarms list view, click the Manage Columns icon ( ).
2. Use the icons ( ) and ( ) to move items from one column to the other and select the columns you want to see.
3. Click Apply.
4. If you want to delimit the search, select the filters you want to apply.
5. Click the pull-down menu Save > Save as.
6. Type a name for the view and click Save.
To select a configured view
1. From the alarms list view, click the pull-down menu next to Saved Views.
2. Select the view you want to see.
Priority Field for Alarms
In USM Anywhere all alarms have a priority field, which indicates the importance of the alarm. It is a measurement used to determine the impact of the alarm on your network.
The priority field can display the text Low, Medium, or High. These texts come from correlation and
orchestration rules. When you create an orchestration rule, you will have to type a priority value
between 0 and 100. AlienVault creates the correlation rules and they already include a value. The
displayed text on the column of alarms depends on the value that the rule has according to the
following table:
Priority Field for Alarms
Displayed text: Value in the rule
Low: Between 0 and 33
Medium: Between 34 and 66
High: Between 67 and 100
Open the details of an alarm (see Viewing Alarm Details) to find the exact value of the priority level. On the alarm details page, hover over the priority text for about 2 seconds and a popup shows you the exact value.
See Correlation Rules and Orchestration Rules for further information.
Searching Alarms
You can either filter your search, or type what you are looking for in the search box, in the upper left-hand corner of the alarms page.
Searching Alarms by Using Filters
USM Anywhere includes several filters displayed by default. You can configure more filters than the
displayed ones by clicking the Filter Configuration icon ( ). The management of filters is similar to
that for assets. See Managing Filters for more information.
Filters displayed by default in the main Alarms page
Filter Name: Meaning
Created during: Identify alarms triggered in the last hour, last 24 hours, last 7 days, or last 30 days. You can also configure your own period of time by clicking the Custom Range option.
Show suppressed: Display the suppressed alarms. See Suppressing/Unsuppressing Alarms Generating the Event for more information.
Labels: Labels applied.
Intent: Purpose of the alarm. It can be Delivery & Attack, Environmental Awareness, Exploitation & Installation, Reconnaissance & Probing, or System Compromise.
Strategy: Identify alarms by type of attack.
Method: If known, the method of attack or infiltration associated with the indicator that generated the alarm.
Sensors: Identify alarms by the associated sensor.
Asset Groups: Identify alarms by asset group.
The number in brackets next to each filter value indicates the number of alarms that match that value. You can also use the filter controls to organize your search and filtered results. The icons below each filter are the following:
Filters in the Alarms page: icons below filters
Icon: Meaning
( ): Toggle the ability to select multiple values as an OR statement.
( ): View and toggle between the currently filtered item and other filtered items. You do not have to reset the search.
( ): Toggle values with (0) matches.
( ): Sort the information alphabetically.
( ): Sort the filters by the number of items that match them.
Reset: Resets to the default values.
Across the top, you can see any filters you have applied. Remove a filter by clicking the Close icon ( ) next to it, or clear all filters by clicking the Clear All Filters link.
When you apply filters of different types, the search combines them with a logical AND. When you select several values of the same filter, the search combines those values with a logical OR.
To search alarms using a filter
1. Navigate to ACTIVITY > ALARMS.
2. Click on a filter.
The result of your search displays with alarms identified.
Searching Alarms by Using the Search Box
To search alarms using the search box
1. Navigate to ACTIVITY > ALARMS.
2. Type your search.
3. Click the Magnifying Glass icon ( ).
The result of your search displays with the alarms identified.
Viewing Alarm Details
The alarm details page provides in-depth information on an alarm, what caused it, and how to
resolve the situation.
To view the details of an alarm
1. Navigate to ACTIVITY > ALARMS.
2. Click the alarm to display its details.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon ( ) on the secondary menu shows the bookmarked items and a link to them.
Not all alarms found during monitoring are necessary for managing your environment, because they do not pose a security threat. Frequently, there are alarms that create a noisy environment, making it difficult to monitor other alarms that require more attention. You can identify these alarms and suppress them before the correlation engine processes them any further.
You have the following buttons:
• Select Action. Use this button to associate the alarm with an action. Depending on the sensor(s) you have installed, you will see different actions:
  • Asset Scanner, see Running Asset Scans from Assets, on page 42 for further information.
  • Authenticated Asset Scanner, see Running Authenticated Scans from Assets, on page 43 for further information.
  • Forensics and Response App. This option allows you to run pre-defined Linux and Windows scripts to get more information from the system. These scripts are already defined in USM Anywhere. The Basic, Moderate, and Full Forensic Info options get elemental, limited, and complete forensic information from assets. Keep in mind that the Full Forensic Info option takes more time because it includes all options.
  • Cisco Umbrella, see Creating an Orchestration Rule for AlienApp for Cisco Umbrella, on page 101 for further information. When an orchestration rule is initiated, USM Anywhere displays a message in the notifications banner.
• Create Rule. Use this button to create a rule to suppress all alarms that match a particular set of criteria. See Rules Management, on page 94 for more information.
• Suppress alarm. Use this button to suppress only the specific alarm you are viewing. After clicking this button, it changes to Unsuppress alarm. See Suppressing/Unsuppressing Alarms Generating the Event, on page 75 for further information.
Click the Full Detail link to expand the alarm details.
The description tab describes the pattern of indicators the attack is leaving on your system.
The recommendations tab includes suggested next steps.
Below the tabs, you can see the source, the destination, and the associated events, if that
information is known. You can click the View button of each event to open the details of the
event.
3. You can click the left long arrow icon ( ) to see the details of the previous alarm, click the right long arrow icon ( ) to see the details of the following alarm, or click the close icon ( ) to close this popup window.
Suppressing/Unsuppressing Alarms Generating the Event
There are cases where generated alarms are false positives, and you may want to suppress this
kind of alarm to prevent those false positives from flooding your system. It is also possible that you
may not want to suppress the alarms as you might have to be aware of other impacted systems.
Suppressed alarms will always be in your network, but you will not see them. If you want to see
these alarms, click Show Suppressed in the Search & Filters area. The suppressed alarms will be
displayed in the table along with all alarms. If you want to display just the suppressed alarms, see To
only display the suppressed alarms.
Suppression rules are not retroactive. The rule applies only to future alarms, even if existing alarms match the rule.
The suppression rule you create will apply to future alarms. It also will apply to
alarms of the current day, up to 10K alarms.
To suppress an alarm
1. Navigate to ACTIVITY > ALARMS.
2. Click on the alarm to suppress.
3. Click Suppress Alarm.
To unsuppress an alarm
1. Navigate to ACTIVITY > ALARMS.
2. Search the suppressed alarms by using the filter Show suppressed. See Searching Alarms, on
page 71 for more information.
3. Click the alarm to unsuppress.
4. Click Unsuppress Alarm.
To only display the suppressed alarms
1. Navigate to ACTIVITY > ALARMS.
2. Click the Filter Configuration icon ( ).
3. Write in the Search filters field 'Suppress'.
4. Select the Suppress Rule Name filter.
5. Click the right arrow icon ( ).
The selected filter moves from the available filters to the selected filters.
6. Click Apply.
The dashboard view will reset and the Suppress Rule Name filter will be available.
7. Click Show Suppressed in the Search & Filters area.
8. Search the Suppress Rule Name filter and click on the rule.
If there are no rule names displayed, it is because:
• there are no alarms suppressed by the rule
• the Show Suppressed option is not enabled
See Searching Alarms for further information about the icons below the filters.
You can save the view for later use. See Views for further information about how to
create a configuration view.
Exporting Alarms
You can export alarms to a CSV or HTML file for later analysis.
To export alarms
1. Navigate to ACTIVITY > ALARMS.
2. Use filters if you want to limit the number of alarms to export. For assistance, see Searching
Alarms, on page 71.
3. Click the export as report icon ( ) at the upper right-hand corner of the page.
4. Type a report name.
5. (Optional) Type a report description.
6. Choose a dynamic or static date range.
7. Choose the export format, CSV or HTML.
If you choose CSV, your browser downloads the exported file automatically.
If you choose HTML, a new tab opens in your browser, displaying the report. You can print it by
clicking Print or you can save it as PDF.
8. Choose the number of records to export.
9. If you have chosen the HTML format, you will see the Graphs section. Use this section to include additional views. Select the graph you want to include in the report and click the right arrow icon ( ).
10. Click Save & Run.
You can see the exportation reports through the option REPORTS > DATA
EXPORT HISTORY. See Data Export History, on page 138 for further information.
Events Management
About Events
An event is a record of activity that resides in a log file.
USM Anywhere collects, normalizes, and enriches logs with additional metadata; the resulting records are called events.
After USM Anywhere is installed in your environment, events start flowing through your system, so
you can start gaining visibility into the type of events that are occurring, what natural or nonthreatening activity is taking place, and what activity can be a possible attack.
This topic discusses the following subtopics:
• Events List View, on page 79
• Searching Events, on page 82
• Viewing Event Details, on page 84
• Suppressing/Unsuppressing Events, on page 85
• Exporting Events, on page 86
Events List View
AlienVault USM Anywhere provides a centralized view of your events. Navigate to ACTIVITY >
EVENTS.
The events page displays information on events. On the left you can find the search and filters
options. Across the top, you can see any filters you have applied, and you have the option to create
and select different views of the events. The main part of the page is the actual list of events. Each
row describes an individual event and includes a check box on the left side of each one for selecting
it. You can select all the events on the same page by clicking the check box in the first column of the
header row.
List of the default columns in Events
Column / Field Name: Description
Event Name: Name of the event.
Time Created: The date and time of the creation of the event. The displayed date depends on your computer's time zone.
OTX: Indicates whether it is an OTX event or not. If the icon displays as active, click on it to go to the OTX site.
Source Asset: Hostname or IP address of the host, with national flag if the country is known, that initiates the event.
Destination Asset: Hostname or IP address of the host, with national flag if the country is known, that receives the event.
Sensor: Name of the USM Anywhere Sensor detecting the event.
Username: Username associated with the event.
You can configure the view you want for the list of events, see Views for more information.
Click the export as report icon ( ) to export events. See Exporting Events for further details.
The graph above the events list displays the number of events in a period of time. You can change this period by clicking the Created during filter.
Click this button to access the following options:
Events Count/Time options
Option: Meaning
Actions / User: Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
Count / Time: Provides a chart that shows the number of issues over a period of time.
Auth / User: Reports authorization actions.
Source Map: Provides the number of events associated with each country on a global map.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon ( ) on the secondary menu shows the bookmarked items and a link to them.
You can also set the number of events shown per page by selecting either 20, 50, or 100 in the events result area. Sort the event information in ascending or descending order by clicking the arrows to the right side of the column heading.
Configuring Columns
You can configure the columns/fields that display in the list and save your columns configuration to
get back to it whenever you need it.
To save a columns configuration
1. From the list view, click the Manage Columns icon ( ) to open the Columns Configuration popup window.
2. Use the icons ( ) and ( ) to move items from one column to the other and select the columns you want to see.
3. Click Apply.
Views
Create a view configuration for having your own configuration columns and selected filters.
To create a configuration view
1. From the events list view, click the Manage Columns icon ( ).
2. Use the icons ( ) and ( ) to move items from one column to the other and select the columns you want to see.
3. Click Apply.
4. To delimit the search, select the filters you want to apply.
5. Click the pull-down menu Save > Save as.
6. Type a name for the view and click Save.
To select a configured view
1. From the events list view, click the pull-down menu next to Saved Views.
2. Select the view you want to see.
Predefined Views
USM Anywhere includes several predefined event views based on usual environments and
technologies. These views have pre-defined column headers that show the most relevant event
fields. You can see a summarized event view without having to spend the time creating a custom
view.
These predefined views operate the same way as the views you can create yourself. Some of these
views have also predefined filters.
These views are available under the ACTIVITY option of the primary menu.
Predefined Views for Events
View: Meaning
Azure Cloud Activity: Displays the most relevant event fields for Azure environmental logs.
AWS Cloud Activity: Displays the most relevant event fields for AWS CloudTrail, AWS S3 Access, and ELB Access.
Firewall Events: Displays the most relevant fields for firewall events, for instance request URL, source username, destination username, etc., depending on the set of fields that is most common to the list of supported firewall plugins.
Linux Events: Displays the most relevant fields for Linux Events generated by the Linux CRON, SSH, and SUDO plugins.
Network IDS: Displays the most relevant event fields for NIDS.
Web Server Events: Displays the most relevant fields for Web Server Events, which include Apache, NGinx, and Windows IIS.
Windows Events: Displays the most relevant fields for Windows Events forwarded by NxLog.
Searching Events
You can either filter your search, or type what you are looking for in the search box, in the upper left-hand corner of the events page.
Searching Events by Using Filters
USM Anywhere includes several filters displayed by default. You can configure more filters than the
displayed ones by clicking the Filter Configuration icon ( ). The management of filters is similar to
the one for assets. See Managing Filters for more information.
Filters displayed by default in the main Events page
Filter Name: Meaning
Created during: Identify events triggered in the last hour, last 24 hours, last 7 days, or last 30 days. You can also configure your own period of time by clicking the Custom Range option.
Show suppressed: Display the suppressed events. See Suppressing/Unsuppressing Events for more information.
Account Name: Account that has generated the event.
Data Source Plugin: Plugin used to normalize the event.
Event Name: The short, user-readable description of the event.
Source Name: Name of the external application or device that produced the event.
Sensor: Name of the USM Anywhere Sensor that received the event.
Asset Groups: When the host for the event source/destination is an asset belonging to one or more of your asset groups, this field lists the asset group name or names.
Username: Username associated with the asset that generated the event.
See About the 'Was Fuzzied' Filter for further information about this filter.
The number in brackets next to each filter value indicates the number of events that match that value. You can also use the filter controls to organize your search and filtered results. The icons below each filter are the following:
Filters in the Events page: Icons Below Filters
Icon: Meaning
( ): Toggle the ability to select multiple values as an OR statement.
( ): View and toggle between the currently filtered item and other filtered items. You do not have to reset the search.
( ): Toggle values with (0) matches.
( ): Sort the information alphabetically.
( ): Sort the filters by the number of items that match them.
Reset: Resets to the default values.
Across the top, you can see any filters you have applied. Remove a filter by clicking the Close icon ( ) next to it, or clear all filters by clicking the Clear All Filters link.
When you apply filters of different types, the search combines them with a logical AND. When you select several values of the same filter, the search combines those values with a logical OR.
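The filter semantics stated here and in Searching Alarms (AND across filter types, OR among values of one filter, suppressed records hidden unless Show suppressed is on) and the Priority text thresholds from Priority Field for Alarms, as an added Python model; this is example code, not USM Anywhere code, and the sample alarms, the field names and the way bracketed counts are computed are constructed assumptions.

```python
"""Model of the Alarms/Events filter semantics described in the guide.

Added example, not AlienVault code. Assumptions: record field names, the
constructed sample alarms, and that the bracketed count next to a filter
value is taken over the records visible under the current selection.
"""
from typing import Dict, Iterable, List, Set


def priority_text(value: int) -> str:
    """Map a rule priority value (0-100) to the text shown in the Priority column."""
    if not 0 <= value <= 100:
        raise ValueError(f"priority must be between 0 and 100, got {value}")
    if value <= 33:
        return "Low"
    if value <= 66:
        return "Medium"
    return "High"


# Constructed sample alarms (not real data); fields mirror the guide's columns.
SAMPLE_ALARMS: List[dict] = [
    {"id": 1, "intent": "Reconnaissance & Probing", "strategy": "Port Scan",
     "sensor": "sensor-aws", "labels": {"triage"}, "priority": 20, "suppressed": False},
    {"id": 2, "intent": "Exploitation & Installation", "strategy": "Brute Force",
     "sensor": "sensor-aws", "labels": set(), "priority": 70, "suppressed": False},
    {"id": 3, "intent": "System Compromise", "strategy": "Malware Infection",
     "sensor": "sensor-dc", "labels": {"triage", "escalated"}, "priority": 95,
     "suppressed": True},
    {"id": 4, "intent": "Delivery & Attack", "strategy": "Brute Force",
     "sensor": "sensor-dc", "labels": set(), "priority": 50, "suppressed": False},
]


def _record_values(record: dict, field: str) -> Set[str]:
    """Values a record exposes for a filter; Priority compares as its displayed text."""
    if field == "priority":
        return {priority_text(record["priority"])}
    value = record.get(field)
    if value is None:
        return set()
    if isinstance(value, (set, list, tuple)):
        return set(value)  # multi-valued fields such as labels
    return {value}


def apply_filters(records: Iterable[dict], selected: Dict[str, Set[str]],
                  show_suppressed: bool = False) -> List[int]:
    """Return ids of the records that the list view would display.

    selected maps a filter name to the values chosen under it. A record matches
    a filter if ANY chosen value matches (OR within one filter) and must match
    EVERY filter that has at least one chosen value (AND across filters).
    Suppressed records are skipped unless Show suppressed is enabled.
    """
    matched: List[int] = []
    for record in records:
        if record["suppressed"] and not show_suppressed:
            continue
        if all(_record_values(record, field) & values
               for field, values in selected.items() if values):
            matched.append(record["id"])
    return matched


def filter_counts(records: List[dict], field: str, selected: Dict[str, Set[str]],
                  show_suppressed: bool = False) -> Dict[str, int]:
    """Bracketed count shown next to each value of a filter (assumed to be
    computed over the records visible under the current selection)."""
    visible = set(apply_filters(records, selected, show_suppressed))
    counts: Dict[str, int] = {}
    for record in records:
        if record["id"] in visible:
            for value in _record_values(record, field):
                counts[value] = counts.get(value, 0) + 1
    return counts


if __name__ == "__main__":
    # Two values of one filter (OR) and two different filters (AND).
    print(apply_filters(SAMPLE_ALARMS, {"strategy": {"Port Scan", "Brute Force"}}))
    print(apply_filters(SAMPLE_ALARMS, {"strategy": {"Brute Force"},
                                        "sensor": {"sensor-aws"}}))
    print(apply_filters(SAMPLE_ALARMS, {"priority": {"High"}}, show_suppressed=True))
    print(filter_counts(SAMPLE_ALARMS, "strategy", {}))
```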
To search events using a filter
1. Navigate to ACTIVITY > EVENTS.
2. Click on a filter.
The result of your search displays with the events identified.
Searching Events by Using the Search Box
To search events using the search box
1. Navigate to ACTIVITY > EVENTS.
2. Type your search.
3. Click the Magnifying Glass icon ( ).
The result of your search displays with the events identified.
About the 'Was Fuzzied' Filter
USM Anywhere receives normalized events from the USM Anywhere Sensor, tries to match every
event with a plugin, and then saves it. Nevertheless, sometimes there are events that do not match
with a specific plugin and USM Anywhere includes the field 'Was Fuzzied' with the value 'true'.
To search events that do not have a specific plugin
1. Navigate to ACTIVITY > EVENTS.
2. Click the Filter Configuration icon ( ).
3. Search the filter Was Fuzzied.
4. Click the Right Arrow icon ( ) to select the filter.
5. Click Apply.
6. Find the Was Fuzzied filter on the left panel.
7. Click 1 (n). The number between parentheses indicates the number of events that were created
with the built-in generic plugin.
[EMPTY] (n) displays the events that have an assigned plugin. The number
between parentheses indicates the number of events.
See Plugin Management for further information about plugins.
Viewing Event Details
The event details page provides in-depth information on events.
To view the details of an event
1. Navigate to ACTIVITY > EVENTS.
2. Click the event to display its details.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon ( ) on the secondary menu shows the bookmarked items and a link to them.
Click the Full Detail link to expand the event details in a whole page.
You first can see the main data of the event, then the source, the destination, the details of the
event, the create rule and suppress event buttons, the payload (Raw and Hex formats), and,
finally, the log.
Not all events found during monitoring are necessary for managing your environment. Frequently, there are events that create a noisy environment where it is difficult to monitor other events that require more attention. You can identify these events and suppress them before the correlation engine processes them any further.
You have the following buttons:
• Create Rule. Use this button to create a rule to suppress all events that match a particular set of criteria. See Rules Management, on page 94 for more information.
• Suppress event. Use this button to suppress only the specific event you are viewing. After clicking this button, it changes to Unsuppress event. See Suppressing/Unsuppressing Events, on page 85 for further information.
3. You can click the left long arrow icon ( ) to see the details of the previous event, click the right long arrow icon ( ) to see the details of the following event, or click the close icon ( ) to close this popup window.
Suppressing/Unsuppressing Events
There are cases where you may want to suppress events to prevent noise in your system. It is also
possible that you may not want to suppress the events as you might have to be aware of other
impacted systems.
Suppressed events will always be in your network, but you will not see them. If you want to see these
events, you have to click Show Suppressed in the Search & Filters area. The suppressed events will
be displayed in the table along with all events. If you want to display just the suppressed events, see
To only display the suppressed events.
Keep in mind that suppressing events will not stop correlation engines based on
those events, so alarms are generated even though all of the events have been
suppressed.
The suppression rule you create will apply to future events. It also will apply to
events of the current day, up to 10K events.
To suppress an event
1. Navigate to ACTIVITY > EVENTS.
2. Click on the event to suppress.
3. Click Suppress Event.
To unsuppress an event
1. Navigate to ACTIVITY > EVENTS.
2. Search the suppressed events by using the filter Show suppressed. See Searching Events, on
page 82 for more information.
3. Click the event to unsuppress.
4. Click Unsuppress Event.
To only display the suppressed events
1. Navigate to ACTIVITY > EVENTS.
2. Click the Filter Configuration icon ( ).
3. Write in the Search filters field 'Suppress'.
4. Select the Suppress Rule Name filter.
5. Click the right arrow icon ( ).
The selected filter moves from the available filters to the selected filters.
6. Click Apply.
The dashboard view will reset and the Suppress Rule Name filter will be available.
7. Click Show Suppressed in the Search & Filters area.
8. Search the Suppress Rule Name filter and click on the rule.
If there are no rule names displayed, it is because:
• there are no events suppressed by the rule
• the Show Suppressed option is not enabled
See Searching Events for further information about the icons below the filters.
You can save the view for later use. See Views for further information about how to
create a configuration view.
Exporting Events
You can export events to a CSV or HTML file for later analysis.
To export events
1. Navigate to ACTIVITY > EVENTS.
2. Use filters if you want to limit the number of events to export. For assistance, see Searching
Events, on page 82.
3. Click the export as report icon ( ) at the upper right-hand corner of the page.
4. Type a report name.
5. (Optional) Type a report description.
6. Choose a dynamic or static date range.
7. Choose the export format, CSV or HTML.
If you choose CSV, your browser downloads the exported file automatically.
If you choose HTML, a new tab in your browser opens displaying the report. You can print it by
clicking Print or save it as PDF.
8. Choose the number of records to export.
9. If you have chosen the HTML format, you will see the Graphs section. Use this section to include additional views. Select the graph you want to include in the report and click the right arrow icon ( ).
10. Click Save & Run.
You can see the exportation reports through the option REPORTS > DATA
EXPORT HISTORY. See Data Export History, on page 138 for further information.
Configuration Issues Management
USM Anywhere assesses your configuration to identify insecure use of security features, provide detailed information about configuration issues, help you understand operational processes, and remediate the root cause.
This topic discusses the following subtopics:
• Configuration Issues List View, on page 89
• Searching Configuration Issues, on page 90
• Viewing Configuration Issues Details, on page 92
• Exporting Configuration Issues, on page 92
Configuration Issues List View
AlienVault USM Anywhere provides a centralized view of your configuration issues. Navigate to
ENVIRONMENT > CONFIGURATION ISSUES.
The configuration issues page displays information on configuration issues. On the left you can find
the search and filters options. Across the top, you can see any filters you have applied, and you have
the option to create and select different views of the configuration issues. The main part of the page
is the actual list of configuration issues. Each row describes an individual configuration issue and
includes a check box on the left side of each one for selecting it. You can select all the configuration
issues on the same page by clicking the check box in the first column of the header row.
List of the default columns in Configuration Issues (Column / Field Name: Description)
Last Seen: Last date on which the configuration issue was seen in the asset. The displayed date depends on your computer's time zone.
Category: Category of the configuration issue. Issues with similar impacts have the same category.
Subcategory: Sub-category of the configuration issue. The sub-category explains the particular detail of the issue.
Asset: Asset associated with the configuration issue.
Severity: Severity of the issue. Values are Low, Medium, or High. See Priority Field for Alarms, on page 71 for more information.
Description: Text for identifying the configuration issue.
First Seen: Date of detection of the configuration issue in the asset. The displayed date depends on your computer's time zone.
You can configure the view you want for the list of configuration issues, see Views for more
information.
Click the export as report icon to export configuration issues. See Exporting Configuration
Issues, on page 92 for further details.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star
icon on the secondary menu shows the bookmarked items and a link to them.
You can set the number of configuration issues shown per page by selecting 20, 50, or 100 below the
result area. Sort the configuration issue information in ascending or descending order by clicking
the arrows to the right of the column heading.
Views
Create a view to save your own column configuration and selected filters.
To create a configuration view
1. From the configuration issues list view, configure the filters you want to apply.
2. Click the pull-down menu Save > Save as.
3. Type a name for the view and click Save.
To select a configured view
1. From the configuration issues list view, click the pull-down menu next to Saved Views.
2. Select the view you want to see.
Configuration Issues from the Assets Main Page
To explore configuration issues from assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Filter the assets by clicking Has Configuration Issues. See Searching for Assets, on page 38
for more information.
3. Click the Ellipsis icon located close to the asset and select Configuration Issues. The asset
details page opens with the list of configuration issues.
Searching Configuration Issues
You can either filter your search or type what you are looking for in the search box in the upper left-hand corner of the configuration issues page.
Searching Configuration Issues by Using Filters
USM Anywhere includes several filters displayed by default.
Filters displayed by default in the main Configuration Issues page (Filter Name: Meaning)
Created during: Identify configuration issues triggered in the last hour, the last 24 hours, last 7 days, or last 30 days. You can also configure your own period of time by clicking the Custom Range option.
Show Active: Display the active or inactive configuration issues.
Category: Category of the configuration issue. Issues with similar impacts have the same category.
Subcategory: Sub-category of the configuration issue. The sub-category explains the particular detail of the issue.
Severity: Severity of the issue. Values are Low, Medium, or High. See Priority Field for Alarms, on page 71 for more information.
Asset: Asset associated with the configuration issue.
Asset Groups: Identify configuration issues by asset group.
The number in brackets next to each filter value indicates how many configuration issues match that
value. You can also use the filter controls to organize your search and filtered results. The icons
below each filter do the following:
Filters in the Configuration Issues page: icons below filters
• Toggle the ability to select multiple values as an OR statement
• View and toggle between the currently filtered item and other filtered items without resetting the search
• Toggle values with (0) matches
• Sort the information alphabetically
• Sort the filters by the number of items that match them
• Reset: resets to the default values
Across the top, you can see any filters you have applied. Remove a filter by clicking the Close icon
next to it, or clear all filters by clicking the Clear All Filters link.
When you apply filters of different types, the search combines them with a logical AND. Values
selected within the same filter type are combined with a logical OR.
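As an added illustration, not part of the guide, the following Python models these filter semantics over a constructed list of configuration issues (field names and values are invented for the example), including the bracketed match count shown next to each filter value:

```python
"""Added example (not USM Anywhere code): how configuration-issue filters
combine. Values within one filter type are OR-ed, different filter types
are AND-ed, and each filter value carries a count of matching issues."""
from collections import Counter

# Constructed sample issues using the filter fields described on this page.
ISSUES = [
    {"id": 1, "category": "Access Control", "subcategory": "Weak Password Policy",
     "severity": "High", "asset": "web-01", "active": True},
    {"id": 2, "category": "Access Control", "subcategory": "Root Login Enabled",
     "severity": "Medium", "asset": "web-01", "active": True},
    {"id": 3, "category": "Logging", "subcategory": "Audit Logging Disabled",
     "severity": "Low", "asset": "db-01", "active": False},
    {"id": 4, "category": "Encryption", "subcategory": "TLS 1.0 Enabled",
     "severity": "High", "asset": "db-01", "active": True},
]


def matches(issue, filters):
    """`filters` maps a field name to the set of values selected for it.

    Within one field any selected value is enough (OR); every field that
    has a selection must match (AND). An empty selection means no filter.
    """
    return all(
        issue[field] in values for field, values in filters.items() if values
    )


def search(issues, filters):
    """Return the ids of the issues that satisfy the filter combination."""
    return [i["id"] for i in issues if matches(i, filters)]


def facet_counts(issues, filters, field):
    """Per value of `field`, count how many issues would match if that value
    were selected on top of the other active filters. Because values of the
    same type are OR-ed, the field's own selection is ignored here. This is
    the number shown in brackets next to each filter value; values that end
    up with (0) matches are the ones the UI lets you hide or show."""
    others = {f: v for f, v in filters.items() if f != field}
    known_values = Counter(i[field] for i in issues)
    hits = Counter(i[field] for i in issues if matches(i, others))
    return {value: hits.get(value, 0) for value in known_values}
```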
To search configuration issues using a filter
1. Navigate to ENVIRONMENT > CONFIGURATION ISSUES.
2. Click on a filter.
The result of your search displays with configuration issues identified.
Searching Configuration Issues by Using the Search Box
To search configuration issues using the search box
1. Navigate to ENVIRONMENT > CONFIGURATION ISSUES.
2. Type your search.
3. Click the Magnifying Glass icon.
The result of your search displays with the configuration issues identified.
Viewing Configuration Issues Details
The configuration issues details page provides in-depth information on configuration issues.
To view the details of a configuration issue
1. Navigate to ENVIRONMENT > CONFIGURATION ISSUES.
2. Click the configuration issue to display its details.
Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the
Star icon on the secondary menu shows the bookmarked items and a link to them.
Click the Full Detail link to expand the configuration issue details.
3. Click the Close icon to go back to the configuration issues main page.
4. You can click the left long arrow icon to see the details of the previous item, click the right
long arrow icon to see the details of the following item, or click the Close icon to close
this popup window.
Exporting Configuration Issues
You can export configuration issues to a CSV or HTML file for later analysis.
To export configuration issues
1. Navigate to ENVIRONMENT > CONFIGURATION ISSUES.
2. Use filters if you want to limit the number of configuration issues to export. For assistance, see
Searching Configuration Issues, on page 90.
3. Click the export as report icon at the upper right-hand corner of the page.
4. Type a report name.
5. (Optional) Type a report description.
6. Choose a date range.
7. Choose the export format, CSV or HTML.
If you choose CSV, your browser downloads the exported file automatically.
If you choose HTML, a new tab opens in your browser, displaying the report. You can print it by
clicking Print or save it as PDF.
8. Choose the number of records to export.
9. If you have chosen the HTML format, you will see the Graphs section. Use this section to include
additional views. Select the graph you want to include in the report and click the right arrow icon.
10. Click Save & Run.
You can see the exported reports under REPORTS > DATA EXPORT HISTORY. See Data Export
History, on page 138 for further information.
Rules Management
Every networked environment generates thousands of logs from assorted systems. AlienVault
USM Anywhere allows you to manage those logs and, through the use of rules, to prevent and
frustrate attacks. Managing the different USM Anywhere rule types helps you make the most of your
environment.
Keep in mind that setting up a rule base is an iterative process. That means it happens relatively
slowly and needs to be tuned over a period of time. There are always new attacks and new
indicators to monitor.
USM Anywhere includes the following rules:
• Correlation Rules. These are predefined rules, which are developed by AlienVault. See Correlation Rules, on page 115 for more information.
• Orchestration Rules. You can create and customize these rules to add specific policies for a particular event. See Orchestration Rules, on page 98 for more information.
• Suppression Rules. Use these rules to suppress events that create noise in your system. See Suppression Rules, on page 95 for more information.
• Filtering Rules. Use these rules to make the sensor drop future events that match the rule. See Filtering Rules, on page 113 for more information.
Suppression Rules
About Suppression Rules
USM Anywhere includes suppression rules to allow you to manage false positive alarms and events.
After you have confirmed that these issues do not pose a security threat, create a suppression rule to
prevent them from displaying in the UI, and avoid noise in your system.
You can create a suppression rule from the details page of an alarm (Viewing Alarm Details) and an
event (Viewing Event Details, on page 84). This functionality works the same way, and the Create
Rule popup window is similar, when you are creating a rule either from a detail page or from the
system configuration window. If you want to see an example of a suppression rule, see Example:
Creating a Suppression Rule, on page 97.
Keep in mind that suppressing events does not stop the correlation engine from
processing those events, so alarms are still generated even though all of the
events behind them have been suppressed.
The suppression rule you create will apply to future items. It also will apply to items
of the current day, up to 10K events/alarms.
Managing Suppression Rules
To create a suppression rule from the System Configuration
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Click New Rule.
3. Type a name for the rule.
4. Select the property values you want to include in the rule to create a matching condition and click
Add Condition or Add Group.
5. Click Next.
6. Select Event Suppression to suppress the events matching the rule.
7. Click Save.
To edit a suppression rule
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Click the Edit icon of the suppression rule you want to edit.
3. Modify the data you need to.
4. Click Save.
To remove a suppression rule
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Click the Delete icon of the suppression rule you want to remove.
A popup window displays to confirm the deletion.
3. Click Accept.
To enable a suppression rule
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Click the Enable icon of the suppression rule you want to enable.
To disable a suppression rule
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Click the Disable icon of the suppression rule you want to disable.
To enable all suppression rules
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Select the rules you want to enable.
3. Click Enable All Rules.
To disable all suppression rules
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Select the rules you want to disable.
3. Click Disable All Rules.
A warning pop-up window displays.
4. Click Accept.
Example: Creating a Suppression Rule
In this example, we are going to create a suppression rule to avoid having a lot of SUDO events. You
can create this rule whenever you trust the origin host, or because you need to do maintenance. This
way you will avoid noise in your list of events.
The following steps show the actions you need to create the suppression rule:
1. Navigate to SETTINGS > RULES.
The Suppression Rules page displays.
2. Click New Rule.
3. Type a name for the rule, for instance 'Suppress SUDO events'.
4. Select the following property values.
5. Click Next.
6. Select Event Suppression.
7. Click Save.
Orchestration Rules
About Orchestration Rules
USM Anywhere includes orchestration rules, which allow you to create Custom Alarms, launch an
App Action, or manage Suppression Events based on the specific conditions you define in the rule.
Through orchestration rules, you can also adjust the priority of your events. USM Anywhere allows
you to create and manage your own orchestration rules. Keep in mind that these rules are checked
against every new event coming into the system. If you want to see an example of an
orchestration rule, see Example: Creating an Orchestration Rule, on page 100.
Managing Orchestration Rules
To create an orchestration rule
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click New Rule.
4. Type a name for the rule.
5. Select the property values you want to include in the rule to create a matching condition and click
Add Condition or Add Group.
6. Click Next to select an action:
• Select Event Suppression to suppress the current event. See Suppression Rules, on page 95 for further information.
• Select Event Filtering to make the sensor drop future events that match the rule. The events are neither correlated nor stored. See Filtering Rules, on page 113 for further information.
• Select Launch App Action to execute an action on a Sensor App. The available actions depend on the app installed on the selected sensor, and you may need to select or type additional information.
• Select Create an Alarm to create an alarm from the event. You should select an intent and a strategy, and type a method and a priority. See Priority Field for Alarms, on page 71 for more information.
• Select Send a Notification to send a notification request to an AlienApp. See Notifications, on page 107 for more information.
To edit an orchestration rule
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click the Edit icon of the orchestration rule you want to edit.
4. Modify the data you need to.
5. Click Save.
To delete an orchestration rule
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click the Delete icon of the orchestration rule you want to delete.
A popup window displays to confirm the deletion.
4. Click Accept.
To enable an orchestration rule
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click the Enable icon of the orchestration rule you want to enable.
To disable an orchestration rule
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click the Disable icon of the orchestration rule you want to disable.
To enable all orchestration rules
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Select the rules you want to enable.
4. Click Enable All Rules.
To disable all orchestration rules
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Select the rules you want to disable.
4. Click Disable All Rules.
A warning pop-up window displays.
5. Click Accept.
Example: Creating an Orchestration Rule
In this example, we are going to create an orchestration rule to generate an alarm when an access to
a specific path is detected in a web server.
The following steps show the actions you need to create the orchestration rule:
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click New Rule.
4. Type a name for the rule, for instance 'Secret Path Accessed.'
5. Select the following property values.
6. Click NEXT.
7. Select Create an Alarm.
8. Click Save.
Creating an Orchestration Rule for AlienApp for Cisco Umbrella
The AlienApp™ for Cisco Umbrella allows you to create Orchestration Rules that automatically send
suspicious domains to Umbrella.
Before creating an orchestration rule, the AlienApp for Cisco Umbrella must be
enabled and configured. For more information, see Configuring the AlienApp for
Cisco Umbrella.
There are three actions that can be used with orchestration rules to report domains to Umbrella
when certain events or alarms occur, for example when USM Anywhere detects a phishing site:
• Report names found on an alarm
• Report by HTTP hostname
• Report by URL
• Report by DNS record
To send detected phishing sites to Cisco Umbrella
1. Navigate to ACTIVITY > EVENTS.
2. Click the Filter Configuration icon.
3. Search Category (taxonomy of the event) and Subcategory in the available filters.
4. Click the Right Arrow icon to select the filter.
5. Click Apply.
6. Select AlienVault NIDS as Data Source Plugin.
7. Select Malware as Category.
8. Select Phishing as Subcategory.
9. Click on an event.
10. Click Create Rule.
11. Type a name for the rule and select the following conditions:
12. Click Next.
13. Select Launch App Action in the Select an Action field.
14. If you have more than one sensor installed, select a sensor.
15. Select Cisco Umbrella in the Select App field.
16. Select Report by HTTP hostname in the App Action field.
17. Click Save.
Cisco Umbrella will report upcoming requests to the domain name we have just added through
the orchestration rule.
Creating an Orchestration Rule for the AlienApp for Palo Alto Networks
The AlienApp™ for Palo Alto Networks enhances the threat detection capabilities of USM Anywhere
by collecting and analyzing log data from the firewall and also provides orchestration actions to
streamline incident response activities.
Use the AlienApp for Palo Alto Networks to access the following capabilities:
• Plugin for Data Collection. The Palo Alto Pan-OS plugin automatically processes Palo Alto Networks logs that are sent to USM Anywhere through the syslog server.
• Dashboard, which is automatically available within USM Anywhere when data is being collected from a Palo Alto Networks firewall.
• Orchestration Actions, which enable customers to quickly send IP addresses to the firewall as a response to threats identified by USM Anywhere. You can create orchestration rules and actions in USM Anywhere that automatically trigger when events or alarms match the criteria you specify.
The AlienApp for Palo Alto Networks adds tags by default in the Palo Alto Networks Pan-OS
firewall. Each such tag contains the source address, destination address, or the FQDN of any event
or alarm meeting the previously configured orchestration rule criteria.
When an event or alarm matches the orchestration rule criteria, the AlienApp sends a request to the
Palo Alto Networks Pan-OS to add one of the following identifiers (depending on how you've
configured the rule) to its Object database and to tag it:
• IPv4 address
• IPv6 address
• FQDN
Before creating an orchestration rule, the AlienApp for Palo Alto Networks must be
enabled and configured. For more information, see Configuring the AlienApp for
Palo Alto Networks.
USM Anywhere can only communicate with one Palo Alto Networks Pan-OS
instance per sensor. If you have multiple Palo Alto Networks Pan-OS instances in
your network, we recommend that you contact AlienVault Technical Support for
setup help.
After creating an orchestration rule, the events and/or alarms that match the rule will trigger the Palo
Alto Networks action. The following actions can be used with orchestration rules to block a source or
a destination event:
• Tag alarm destinations
• Tag event destination
• Tag event source
• Tag alarm sources
To create an orchestration rule from the Alarms page
1. Navigate to ACTIVITY > ALARMS.
2. Double click on the alarm from which you want to create the rule.
3. Click Create Rule.
4. Type a name for the rule and select the conditions you want for the rule.
5. Click Next.
6. Select Launch App Action in the Select an Action field.
7. If you have more than one sensor installed, select a sensor.
8. Select Palo Alto Networks in the Select App field.
9. Select an action in the App Action field.
10. Type the name of the Palo Alto Networks tag for the action.
11. Click Save.
Example: Creating an Orchestration Rule to tag IP addresses coming from China
In this example, we are going to create an orchestration rule to tag an IP address in the Palo Alto
Networks firewall when an event comes from China.
The following steps show the actions you need to create the orchestration rule:
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click New Rule.
4. Type a name for the rule, for instance 'Events Coming from China'.
5. Select the following property values:
6. Click NEXT.
7. Select Launch App Action and Palo Alto Networks.
8. Select Tag event source to block those events.
9. Type the name of the Palo Alto Networks tag for the action.
10. Click Save.
Creating an Orchestration Rule: AlienApp for ServiceNow
The AlienApp for ServiceNow provides a set of orchestration actions that enables customers to
quickly open incident tickets in ServiceNow as a response to threats that USM Anywhere detects.
In order to enable the app for orchestration actions, the customer must provide the ServiceNow
instance name, a username and password, and, if using OAuth, a Client ID and Client secret. See
Configuring the AlienApp for ServiceNow for further information.
Once configured, the AlienApp provides the following actions:
• Create a new incident from an alarm
• Create a new incident from an event
• Create a new incident from a vulnerability
You can include these actions as part of an orchestration rule or launch them from the details page
for a specific alarm or vulnerability.
The basic use case for each of these actions is the same; a ServiceNow incident ticket is created
containing information about the alarm or vulnerability.
To create a new ServiceNow orchestration rule from the Alarms page
1. Navigate to ACTIVITY > ALARMS.
2. Click on the alarm from which you want to create the ServiceNow incident ticket.
3. Click Create Rule.
4. Type a name for the rule and select the conditions you want for the rule.
5. Click Next.
6. Select Launch App Action in the Select an Action field.
7. If you have more than one sensor installed, select a sensor.
8. Select ServiceNow in the Select App field.
9. The App Action field is Create a new incident from an event.
10. There are two ServiceNow fields:
• Short description. This is the field used as the subject of the incident. The app pre-populates this field with the name of the alarm or vulnerability. For an orchestration rule, the field cannot be edited since the value is unknown at the time of rule creation.
• Description. This field contains information specific to the alarm or vulnerability. By default, the Destination Address, Source Address, and Source Hostname fields are included, but the user has the option to de-select these when the orchestration rule is created. The user can also provide additional comments which will be added to the Description field along with the other included data.
11. Click Save.
To display the ServiceNow incidents
1. Navigate to SETTINGS > ALIENAPPS.
2. Click ServiceNow.
3. Click Incidents.
4. Click View on the incident you want to display in the ServiceNow website.
Notifications
Amazon Simple Notification Service (Amazon SNS) is integrated into USM Anywhere as a
notification method, which means that you can create a rule for sending notification requests to
Amazon SNS. Before creating the rule in your environment, USM Anywhere needs your Amazon
SNS credentials.
Setting Up an SNS Topic and a Lambda Function
To set up an SNS topic and a Lambda function for USM Anywhere notifications
1. Sign in to your AWS Account and go to the Amazon SNS console.
2. Create a new SNS topic. See the SNS dashboard page.
3. Click Create topic.
4. Type a topic name and a display name.
5. Click Create topic.
6. Create a new Lambda function. See the AWS Lambda page.
7. Click Blank Function.
8. Click the dotted square icon and add a new trigger by selecting SNS from the list.
9. Select the SNS topic you have just created in the previous step.
10. Select Enable trigger.
11. Click Next.
12. Create a hello world Lambda function:
• Type a name and a description.
• Select Python 2.7 in the Runtime field.
• In the Lambda function code, copy and paste the following code:
import json

def lambda_handler(event, context):
    # The SNS trigger delivers the USM Anywhere notification as a JSON
    # string in the Message field of the first record.
    message = json.loads(event['Records'][0]['Sns']['Message'])
    # Write the decoded notification to CloudWatch Logs.
    print("JSON: " + json.dumps(message))
    return message
• Under Lambda function handler and role, select a handler, set Role to choose an existing role, and select the existing role.
• Click Create Function.
Creating an AWS Access Key ID and Secret Access Key
To create an AWS Access Key ID
1. Sign in to your AWS Account and go to the Amazon SNS console.
2. Create a new user. See the Add User page.
3. Select Programmatic access.
4. Click Next: Permissions.
5. Click Attach existing policies directly.
6. Click Create policy.
7. Create a policy with the following code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:USMA"
    }
  ]
}
8. Replace ACCOUNT_ID and USMA with the ID of your AWS Account and the name of the SNS
Topic you have created in the previous steps.
9. Attach the new policy you have just created.
10. Attach also the AmazonSNSReadOnlyAccess policy or manually add permissions to list topics
("Resource": "*").
11. Click Next and Create User.
Copy the access key ID and secret access key that you will need to setup in
USM Anywhere.
Configuring USM Anywhere for SNS Notifications
To create an Amazon SNS Credential
1. Navigate to SETTINGS > NOTIFICATIONS.
The Amazon SNS credentials page displays.
2. Select a region name.
3. Type an access key and a secret key. See Creating an AWS Access Key ID and Secret Access
Key, on page 108.
4. Click Save Credentials.
To create a rule for sending a notification request to Amazon SNS
1. Navigate to SETTINGS > RULES.
2. Click Orchestration Rules on the left navigation panel.
3. Click New Rule.
4. Type a name for the rule.
5. Select the property values you want to include in the rule to create a matching condition.
6. Click Next.
7. Select the Send a Notification action.
8. Select Amazon SNS as notification method.
9. Type the SNS topic name you have created. See Setting Up an SNS Topic and a Lambda Function, on page 107.
10. Click Save.
This orchestration rule will send an SNS notification for each alarm that is generated in your
USM Anywhere. When an alarm is generated, if you go to your AWS console and select the
Lambda function you created, you can see that the function is being called.
Integrate with Slack
Before integrating with Slack, make sure you have completed the following:
• Creating an AWS Access Key ID and Secret Access Key
• Configuring USM Anywhere for SNS Notifications
To integrate USM Anywhere notifications with Slack
1. Go to the Slack API, see https://api.slack.com/incoming-webhooks.
2. Select the channel you want to post the alert to.
3. Click Add Incoming WebHooks integration.
4. Copy the Webhook URL.
5. Set up an SNS Topic and a Lambda Function, see Setting Up an SNS Topic and a Lambda Function, on page 107.
6. In the Lambda function code, replace [INSERT_WEBHOOK_URL] with the Slack Webhook
URL you retrieved in the previous step and paste this code.
7. Set the Role to "Choose an existing Role" and "Existing role" to lambda_basic_execution. Also
change the timeout to 10 seconds:
8. Click Next.
9. Click Create function.
To check the integration with Slack
1. Go to your Lambda function, click Monitoring and check that the Invocation Count graph shows
some data.
2. Check in your Slack channel the notifications you have.
Integrate with Datadog Events
Before integrating with Datadog Events, make sure you have completed the following:
• Creating an AWS Access Key ID and Secret Access Key
• Configuring USM Anywhere for SNS Notifications
To integrate USM Anywhere notifications with Datadog Events
1. Go to the Datadog API and log in with a Datadog Account, see https://app.datadoghq.com/account/settings#api
2. Generate an API Key and an Application Key.
3. Set up an SNS Topic and a Lambda Function, see Setting Up an SNS Topic and a Lambda Function.
4. In the Lambda function code, replace [INSERT_DATADOG_API_KEY] and [INSERT_
DATADOG_APPLICATION_KEY] with your Datadog keys and paste this code.
You can also modify the following Datadog fields to adapt them to your environment:
alert_type = "info"
default_priority = "normal"
default_tags = ["environment:test", "security"]
send_payload = True
5. Set the Role to "Choose an existing Role" and "Existing role" to lambda_basic_execution. Also
change the timeout to 10 seconds:
6. Click Next.
7. Click Create function.
To check the integration with Datadog
1. Go to your Lambda function, click Monitoring and check that the Invocation Count graph shows
some data.
2. Click View logs in CloudWatch and open the last entry. You should see entries similar to the following:
3. Navigate to the Datadog event URL and check you see the USM Anywhere alarm in the
Datadog console.
Filtering Rules
USM Anywhere allows you to make the sensor drop future events that match the rule. These
events will be neither correlated nor stored. Through these rules, you are able to define which event
data you are going to store in USM Anywhere. You will pay for the data you use.
Filtering rules are not retroactive. The rule will apply to future items and it does not
apply to previous items, even if those items follow the rule.
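To make the difference between the rule types concrete, the following is an added toy model (not USM Anywhere code) of the processing described in Rules Management, the Suppression Rules note and the Filtering Rules introduction: filtered events are dropped before storage and correlation, suppressed events are hidden but still reach the correlation engine, and an orchestration rule can create an alarm. The condition/group structure mirrors the Add Condition and Add Group controls; the field names, operators and sample events are constructed for the example.

```python
"""Added example (not USM Anywhere code): a toy event pipeline showing how
filtering, suppression and orchestration rules act on incoming events."""
import operator

# Constructed operator set for rule conditions.
OPS = {"equals": operator.eq, "contains": lambda a, b: b in str(a)}


def condition(field, op, value):
    """Add Condition: one property comparison."""
    return {"field": field, "op": op, "value": value}


def group(match="all", *items):
    """Add Group: 'all' ANDs its members, 'any' ORs them. Members may be
    conditions or nested groups."""
    return {"match": match, "items": list(items)}


def evaluate(node, event):
    """Evaluate a condition or group against one event (missing field = no match)."""
    if "items" in node:
        fn = all if node["match"] == "all" else any
        return fn(evaluate(child, event) for child in node["items"])
    if node["field"] not in event:
        return False
    return OPS[node["op"]](event[node["field"]], node["value"])


class Pipeline:
    def __init__(self, filtering, suppression, orchestration):
        self.filtering = filtering          # list of (name, group)
        self.suppression = suppression      # list of (name, group)
        self.orchestration = orchestration  # list of (name, group, action)
        self.stored, self.correlated, self.alarms = [], [], []

    def ingest(self, event):
        # Filtering rules: a matching event is neither stored nor correlated.
        if any(evaluate(g, event) for _, g in self.filtering):
            return "filtered"
        event = dict(event)
        # Suppression rules hide the event in the UI, but it is still stored
        # and still feeds the correlation engine, so alarms can still fire.
        event["suppressed"] = any(evaluate(g, event) for _, g in self.suppression)
        self.stored.append(event)
        self.correlated.append(event)
        for name, g, action in self.orchestration:
            if evaluate(g, event) and action["type"] == "create_alarm":
                self.alarms.append({"rule": name, "priority": action["priority"],
                                    "event": event})
        return "suppressed" if event["suppressed"] else "visible"

    def visible_events(self):
        return [e for e in self.stored if not e["suppressed"]]


def demo():
    """Run constructed events through rules modelled on this guide's examples
    ('Suppress SUDO events' from a trusted host, 'Secret Path Accessed')."""
    filtering = [("Drop debug noise", group("all",
                  condition("event_name", "equals", "debug")))]
    suppression = [("Suppress SUDO events", group("all",
                    condition("event_name", "equals", "sudo"),
                    condition("source_hostname", "equals", "trusted-admin-host")))]
    orchestration = [("Secret Path Accessed", group("all",
                      condition("event_name", "equals", "http_request"),
                      condition("url", "contains", "/internal-only/")),
                      {"type": "create_alarm", "priority": "high"})]
    pipeline = Pipeline(filtering, suppression, orchestration)
    events = [  # constructed sample events
        {"event_name": "sudo", "source_hostname": "trusted-admin-host"},
        {"event_name": "sudo", "source_hostname": "web-01"},
        {"event_name": "debug", "source_hostname": "web-01"},
        {"event_name": "http_request", "url": "/internal-only/config"},
    ]
    results = [pipeline.ingest(e) for e in events]
    return pipeline, results
```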
To create a rule for filtering events
1. Navigate to SETTINGS > RULES.
2. Click Filtering Rules on the left navigation panel.
3. Click New Rule.
4. Type a name for the rule.
5. Select the property values you want to include in the rule to create a matching condition and click
Add Condition or Add Group.
6. Click Next.
7. Click Save.
To edit a filtering rule
1. Navigate to SETTINGS > RULES.
2. Click Filtering Rules on the left navigation panel.
3. Click the Edit icon of the filtering rule you want to edit.
4. Modify the data you need to.
5. Click Save.
To delete a filtering rule
1. Navigate to SETTINGS > RULES.
2. Click Filtering Rules on the left navigation panel.
3. Click the Delete icon of the filtering rule you want to delete.
A popup window displays to confirm the deletion.
4. Click Accept.
To enable a filtering rule
1. Navigate to SETTINGS > RULES.
2. Click Filtering Rules on the left navigation panel.
3. Click the Enable icon of the filtering rule you want to enable.
To disable a filtering rule
1. Navigate to SETTINGS > RULES.
2. Click Filtering Rules on the left navigation panel.
3. Click the Disable icon of the filtering rule you want to disable.
To enable all filtering rules
1. Navigate to SETTINGS > RULES.
2. Click Filtering Rules on the left navigation panel.
3. Select the rules you want to enable.
4. Click Enable All Rules.
To disable all filtering rules
1. Navigate to SETTINGS > RULES.
2. Click Filtering Rules on the left navigation panel.
3. Select the rules you want to disable.
4. Click Disable All Rules.
A warning pop-up window displays.
5. Click Accept.
Correlation Rules
About Correlation
Correlation is the processing of the event stream in order to identify important events or patterns of
events within large volumes of data. The logic to identify these events is encapsulated in a
Correlation Rule. The AlienVault Labs Security Research Team creates correlation rules, which
associate multiple events from one or more data sources to identify potential security threats. These
rules identify patterns associated with malicious activity. Alarms are generated by an explicit call
within these rules.
These rules are created by the AlienVault Labs Security Research Team, and you cannot modify
correlation rules. However, you can use orchestration rules to modify the way USM Anywhere treats
events. See Orchestration Rules, on page 98 for more information.
What Is Correlation?
Correlation is a process performed by the correlation engine on USM Anywhere. It identifies
potential security threats by detecting behavior patterns across different types of assets, which
produce disparate yet related events. Correlation links different events, turning data into more useful
information.
The logs received and processed by USM Anywhere carry important information such as what your
users are doing, what data is being accessed, how your system and network are performing, and if
there are any security threats or attacks taking place. However, reading logs has the following
disadvantages:
• Logs vary from system to system or even from version to version on the same system
• Logs have limited perspective, because each system sees events from its own perspective
• Logs are static, fixed points in time, without the full context or sequence of related events
The correlation process provides answers to these challenges, putting the events into full context.
For example, a network firewall sees packets and network sessions, while an application sees
users, data, and requests. While different systems report logs of similar activities, the way in which
they articulate these activities is quite different. With the help of correlation rules, USM Anywhere
can correlate the two types of events, generating an alarm if a threat exists.
Event correlation allows the security analysts and the incident responders to:
• Make informed decisions on how to respond to security threats
• Validate effectiveness of existing security controls
• Measure and report compliance
• Detect policy violations
Correlation Rules Structure
The structure of correlation rules is the following:
Intent – Strategy – Method
The categorization uses a three-tiered model for describing an observed behavior. The first tier is the
‘Intent’ of the behavior; this roughly maps to the ‘Intrusion Kill Chain’ to provide an understanding of
the context of the behavior. The second tier is the ‘Strategy’ the attacker used, describing the
methodology employed. The third tier is the ‘Method’ of the behavior, describing the details of the
particular methodology.
Intent
The intent describes the context of the behavior that is being observed. These intents roughly map to
the stages of the ‘Intrusion Kill Chains’ but collapsed so as to ensure that each is discrete.
There are the following threat categories, from highest to lowest:
Threat Categories on Correlation Rules
Intent | Description
System Compromise | Behavior indicating a compromised system
Exploitation & Installation | Behavior indicating a successful exploit of a vulnerability, or a backdoor or remote access Trojan being installed on the system
Delivery & Attack | Behavior indicating an attempted delivery of an exploit. This can include detection of malicious email attachments, network-based detection of known attack payloads, or analysis-based detection of known attack strategies such as SQL Injection
Reconnaissance & Probing | Behavior indicating a bad actor attempting to discover information about your network. This is broad-based, including everything from port scans to social engineering to open-source intelligence
Environmental Awareness | Behavior indicating policy violations, vulnerable software, or suspicious communications
Strategy
The strategy describes the broad-based strategy or behavior that is detected. The intention is to
describe the strategy the malicious user is using to achieve their goal.
Method
The method describes the particular method employed by the actor.
USM Anywhere Correlation Rules
USM Anywhere provides built-in rules and adds more every week through the AlienVault Labs
Threat Intelligence Subscription.
To see correlation rules
1. Navigate to SETTINGS > RULES.
2. Click Correlation Rules on the left navigation panel.
3. You can search for a rule by typing in the box above the table and then clicking the Magnifying Glass icon ( ).
4. Click on the rule to expand the details of the rule.
Vulnerability Assessment
Topics covered in this section include the following:
About Vulnerability Assessment, on page 119
Creating Credentials for Vulnerability Scans, on page 120
Performing Vulnerability Scans, on page 123
Viewing Vulnerabilities Scan Results, on page 124
Searching Vulnerabilities, on page 125
Exporting Vulnerabilities, on page 127
About Vulnerability Assessment
USM Anywhere delivers vulnerability assessment as part of a complete package of security
monitoring and management capabilities for efficient threat detection. To improve security in your
network, you first need to know what is vulnerable.
What Is Vulnerability Assessment?
Vulnerability assessment is a functionality of USM Anywhere used for defining, identifying,
classifying, and prioritizing the vulnerabilities in your system. The universal open and standardized
method for rating IT vulnerabilities and determining the urgency of response is the Common
Vulnerability Scoring System (CVSS). This method assigns severity scores to vulnerabilities. Scores
range from 0 to 10, with 10 being the most severe.
About Vulnerability Assessment in USM Anywhere
USM Anywhere detects vulnerabilities in assets and controls the following scanning functions:
• Running and scheduling vulnerability scans, see Performing Vulnerability Scans
• Generating and examining reports, see Viewing Vulnerabilities Scan Results
About Vulnerability Severity
Discovering a vulnerability by itself is important, but can be of little use without the ability to estimate
the associated severity to an asset. For this reason, USM Anywhere assigns a severity to each
vulnerability found in the system and according to the severity score of the Common Vulnerability
Scoring System (CVSS). This severity can be Low (severity score between 0 and 3), Medium
(severity score between 4 and 6), and High (severity score between 7 and 10).
About Active and Inactive Vulnerabilities
In USM Anywhere you can find active vulnerabilities and inactive vulnerabilities.
When you run a scan on an asset and USM Anywhere finds a vulnerability, this vulnerability is active.
If you later run a new scan on the same asset and USM Anywhere finds more vulnerabilities, but
the vulnerability found in the previous scan is not found in this new scan, that vulnerability is
inactive and the new vulnerabilities are active. Inactive vulnerabilities are those that are not present
in the latest scan but were present in a previous one.
A Practical Example
USM Anywhere finds 15 vulnerabilities when you run a scan over an asset, so you will see 'active:
15, inactive: 0'. Then you fix these vulnerabilities. A week later, you run a scan over the same asset.
This new scan finds 3 vulnerabilities, so you will have 3 vulnerabilities active out of 15 vulnerabilities
found and USM Anywhere will display active: 3, inactive: 12.
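The active/inactive bookkeeping and the CVSS severity bands described above, modelled as an added Python example (this is not AlienVault code; the `Finding` type, the function names, the scan dates and the VULN-nnnn identifiers are all constructed for illustration, and the handling of fractional scores is an assumption):

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by one scan (constructed sample type)."""
    vuln_id: str
    name: str
    score: float  # CVSS base score, 0.0 to 10.0


def severity(score: float) -> str:
    """Band a CVSS score as the guide describes: Low 0-3, Medium 4-6, High 7-10.
    Assumption (not stated in the guide): fractional scores belong to the band
    of the surrounding integers, so 3.9 is Low and 6.9 is Medium."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def vulnerability_states(scans):
    """scans: list of (scan_date, [Finding, ...]) for ONE asset, in any order.

    Returns {vuln_id: {...}} where status is 'active' when the vulnerability
    appears in the latest scan and 'inactive' when it appeared in an earlier
    scan only. A vulnerability that disappears and later reappears is active
    again, because only the latest scan decides."""
    if not scans:
        return {}
    ordered = sorted(scans, key=lambda s: s[0])
    latest_ids = {f.vuln_id for f in ordered[-1][1]}
    states = {}
    for scan_date, findings in ordered:
        for f in findings:
            entry = states.setdefault(f.vuln_id, {
                "name": f.name,
                "severity": severity(f.score),
                "first_seen": scan_date,   # first scan that reported it
                "last_seen": scan_date,
            })
            entry["last_seen"] = scan_date  # most recent scan that reported it
    for vid, entry in states.items():
        entry["status"] = "active" if vid in latest_ids else "inactive"
    return states


def active_inactive_counts(scans):
    """The 'active: N, inactive: M' pair shown for the asset."""
    states = vulnerability_states(scans)
    active = sum(1 for s in states.values() if s["status"] == "active")
    return active, len(states) - active


# Constructed sample data reproducing the guide's worked example: a first scan
# finds 15 vulnerabilities; after fixes, a scan a week later finds only 3 of
# them. The identifiers are placeholders, not real CVE numbers.
FIRST_SCAN = [Finding(f"VULN-{i:04d}", f"Sample weakness {i}", float(i % 11))
              for i in range(1, 16)]
SECOND_SCAN = [f for f in FIRST_SCAN
               if f.vuln_id in {"VULN-0002", "VULN-0007", "VULN-0010"}]
SAMPLE_SCANS = [
    (date(2017, 6, 1), FIRST_SCAN),
    (date(2017, 6, 8), SECOND_SCAN),
]

if __name__ == "__main__":
    active, inactive = active_inactive_counts(SAMPLE_SCANS)
    print(f"active: {active}, inactive: {inactive}")  # active: 3, inactive: 12
    for vid, s in sorted(vulnerability_states(SAMPLE_SCANS).items()):
        print(vid, s["status"], s["severity"], s["first_seen"], s["last_seen"])
```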
Searching Active or Inactive Vulnerabilities
When you navigate to ENVIRONMENT > VULNERABILITIES, USM Anywhere displays, by
default, all active vulnerabilities. The filter 'Show Active' is checked.
If you want to see the inactive vulnerabilities, click the filter 'Show Active' to remove the check mark.
USM Anywhere will display the list of your inactive vulnerabilities.
You can also see if a vulnerability is active or inactive from the full details screen of a vulnerability.
Creating Credentials for Vulnerability Scans
A credential is an identification that proves that you are who you claim to be, and you are therefore a
reliable source.
A vulnerability scan requires credentials to perform an authenticated scan of an instance.
Keep in mind the following points:
• USM Anywhere uses the credentials available for a given asset, no matter what the privileges are for those credentials.
• When you run a scan for an asset, USM Anywhere uses the asset credential if the asset has one; if the credential does not work or the asset does not have an assigned credential, USM Anywhere uses the credential of the group the asset is a member of, if it is part of an asset group. Credentials assigned directly to an asset have higher priority than those assigned to an asset group.
• When you assign a credential to an asset group, USM Anywhere assigns the credential to the asset group instead of assigning it to all of its members.
To create a new credential
1. Navigate to SETTINGS > CREDENTIALS.
2. Click New Credentials.
3. In the Add New Credential popup, type a name for this credential in the Name field and, if
desired, a description to clarify its use in the Description field.
4. In Credential Type, select the appropriate credential type based on your operating system:
• SSH for Linux
• Windows RM for Microsoft Windows
This pops up new fields applicable to Windows RM and to Linux SSH, shown in the following
tables.
Credential Type: Linux SSH Fields
Field | Description
Username | Username for authentication by the system and for user privileges
Authentication method | Select one of the following:
• Password: select this if you want to use a password to authenticate the user. (Mandatory if you do not use a private key.)
• Private key (no pass-phrase): input the private key. The private key must start with an appropriate header, such as "-----BEGIN RSA PRIVATE KEY-----", and end with the matching footer, such as "-----END RSA PRIVATE KEY-----". Always copy the key into the form including the header and footer lines.
• Private key (with pass-phrase): input the private key. The same header and footer requirement applies; always copy the key into the form including the header and footer lines.
• Password field (only appears if you selected password authentication): type the password that authenticates the user.
Private key | This box displays when you select Private key with or without pass-phrase. Type your private key
Passphrase | This box displays when you select Private key with pass-phrase. Type your pass-phrase
Privilege elevation | Indicate the type of elevated privilege you want to require:
• sudo, which runs a single command with root privileges
• su, which switches you to the root user account and requires the root account's password
• Cisco IOS Enable Password, for Cisco devices
Password | (Private key users only) Password for the privileged user
Port | SSH listens by default on port 22. This port number cannot be changed
Credential Type: Windows RM Fields
Field | Description
Username | Username for identification to the system and for user privileges.
Password | Password that identifies the user. If you do not type a private key, this is a mandatory field.
Domain | Name registered in the DNS.
Port | Port number. The default port is 5985 if you do not specify a port number.
5. Click Save.
To associate a credential to an asset
1. Navigate to ENVIRONMENT > ASSETS.
2. Click the Ellipsis icon ( ) next to the asset you want to add the credential to and select Full
Details.
3. Click Assign Credentials or Actions > Assign Credentials.
4. Choose a credential or create a new one by choosing Create New Credential (see To create a
new credential).
5. Click Save if you selected Create New Credential or click Cancel if you selected a credential.
To remove a credential associated with an asset
1. Navigate to SETTINGS > CREDENTIALS.
2. Click the Wrench icon ( ) in the line of the credential you want to remove the association from.
3. Click the cross icon ( ) next to the asset you want to remove the credential from.
A confirmation popup window displays.
4. Click Accept to confirm the process or click Cancel to exit.
To assign a credential to an asset or a set of assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Select the assets. See Selecting Assets in Asset List View for more information.
3. Select Actions > Assign Credentials.
4. Choose a credential or create a new one by choosing CREATE NEW CREDENTIAL (see To
create a new credential).
5. Click Save.
To assign a credential to an asset group
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) next to the asset group to which you want to assign the credential and select
Assign Credentials.
3. Choose a credential or create a new one by choosing Create New Credential (see To create a
new credential).
4. Click Save.
Performing Vulnerability Scans
In USM Anywhere you can run vulnerability scans from the following pages:
• Environment > Assets for running an authenticated scan at that precise moment. For instructions, see Running Authenticated Scans from Assets.
• Settings > Scheduler > Asset Scans for scheduling an authenticated scan job over a period of time. For instructions, see Creating Authenticated Scan Jobs.
Keep in mind that an authenticated scan may fail if the local mail exchanger, which applies to Linux
hosts, is enabled in the target asset.
Creating Authenticated Scan Jobs
1. Navigate to Settings > Scheduler.
The Job Scheduler page displays.
2. Click Asset Scans on the left navigation panel.
3. Click Create Scan Job.
4. Type the name and the description.
5. In case of having more than one sensor installed, select the sensor. This field displays when you
have more than one sensor installed in your system.
6. In the Select App field, select Authenticated Asset Scanner.
7. In the App Action field, the Scan option is by default. There is no other option.
8. In the Asset field you have to write the asset you want to scan.
9. In the Schedule field, schedule a scan to run at a set frequency. The options are Minute, Hour,
Day, Week, Month, and Year. Depending on your selection, you will have different options to
configure the frequency.
10. Click Save.
The job displays now in the list.
11. Click the Enabled icon ( ) or the Disabled icon ( ).
Viewing Vulnerabilities Scan Results
Viewing Vulnerabilities
A vulnerability is a weakness in your system, which reduces your system's information assurance.
USM Anywhere helps you to define, identify, classify, and prioritize the vulnerabilities in your system.
USM Anywhere provides a centralized view of your vulnerabilities. Navigate to
ENVIRONMENT > VULNERABILITIES.
The vulnerabilities page displays information on vulnerabilities. On the left you can find the search
and filters options. Across the top, you can see any filters you have applied, and you have the option
to create and select different views of the vulnerabilities. The main part of the page is the actual list of
vulnerabilities. Each row describes an individual vulnerability.
List of the default columns in Vulnerabilities
Column / Field Name | Description
Last Seen | Last date on which the vulnerability was seen in the asset. The displayed date depends on your computer's time zone
Vulnerability ID | Displays the associated CVE ID, if there is one
Vulnerability Name | Displays the name of the vulnerability
Asset | The asset that is vulnerable
Severity | Indicates the severity of the vulnerability. Values are High, Medium, and Low; see About Vulnerability Severity, on page 119
Score | Common Vulnerability Scoring System (CVSS) score; see About Vulnerability Severity, on page 119
First Seen | Date of the first detection of the vulnerability in the asset. The displayed date depends on your computer's time zone
You can also choose to display 20, 50, or 100 vulnerabilities in the results area. Sort the
vulnerabilities information in ascending or descending order by clicking the arrows to the right side
of the heading, or select a menu option to the right of Sort.
Click the export as report icon ( ) to export vulnerabilities. See Exporting Vulnerabilities, on page
127 for further details.
Click the star symbol to the left of a vulnerability to bookmark it for quick access. Clicking the Star
icon ( ) on the secondary menu shows the bookmarked items and a link to them.
Views
You can configure the view you want for the list of vulnerabilities. Create a view configuration for
having your own selected filters.
To create a configuration view
1. From the vulnerabilities list view, configure the filters you want to apply.
2. Click the pull-down menu Save > Save as.
3. Type a name for the view and click Save.
To select a configured view
1. From the vulnerabilities list view, click the pull-down menu next to Saved Views.
2. Select the view you want to see.
Vulnerabilities from Assets Main Page
To explore vulnerabilities from assets
1. Navigate to Environment > Assets.
2. Click the filter Has Vulnerabilities.
3. Click the Ellipsis icon ( ) next to the asset whose vulnerabilities you want to explore and select
Vulnerabilities.
The asset details page opens with the list of vulnerabilities.
4. Click View on the vulnerability you want to explore.
5. Optionally, click the star symbol to the left of the vulnerability name to mark it for quick access.
Clicking the Star icon ( ) on the secondary menu shows the bookmarked items and a link to them.
The More information link opens the Open Threat Exchange platform with the information
about the CVE Identifier.
Searching Vulnerabilities
You can either filter your search, or type what you are looking for in the search box in the upper left-hand corner of the vulnerabilities page.
Searching Vulnerabilities by Using Filters
USM Anywhere includes several filters displayed by default. You can configure more filters than the
displayed ones by clicking the Filter Configuration icon ( ). The management of filters is similar to
the one for assets. See Managing Filters for more information.
Filters displayed by default in the main Vulnerabilities page
Filter Name | Meaning
Created during | Identify vulnerabilities triggered in the last hour, last 24 hours, last 7 days, or last 30 days. You can also configure your own period of time by clicking the Custom Range option
Show active | Display the active or inactive vulnerabilities. See About Active and Inactive Vulnerabilities
Labels | Label(s) applied to the vulnerability
Vulnerability Name | Displays the name of the vulnerability
Severity | Indicates the severity of the vulnerability. Values are High, Medium, and Low; see About Vulnerability Severity
Asset | The asset that is vulnerable
Asset Groups | The asset group that has vulnerable asset(s)
The number in brackets next to each filter value indicates how many vulnerabilities match that
value. You can also use the filter controls to organize your search and filtered results. The icons
below each filter provide the following:
Filters in the Vulnerabilities page: icons below filters
• Toggle the ability to select multiple values as an OR statement
• View and toggle between the currently filtered item and other filtered items without resetting the search
• Toggle values with (0) matches
• Sort the information alphabetically
• Sort the filters by the number of items that match them
• Reset: resets to the default values
Across the top, you can see any filters you have applied. Remove filters by clicking the Close icon
( ) next to the filter, or clear all filters by clicking the Clear All Filters link.
When applying filters, the search uses the logical AND operator if the filters used are
different. However, when the filters are of the same type, the search uses the logical OR.
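The AND/OR combination rule above, applied to constructed sample rows as an added Python example (not AlienVault code; the record fields, the `FIELD_FOR_FILTER` mapping and the sample vulnerabilities are assumptions made for illustration, and the example also covers the 'Created during' preset windows, the Custom Range option and the bracketed match counts):

```python
from collections import Counter
from datetime import datetime, timedelta

# Fixed reference "now" so the constructed time windows are deterministic.
NOW = datetime(2017, 6, 13, 12, 0, 0)

# Constructed sample rows shaped like the Vulnerabilities list (not real findings).
SAMPLE_VULNERABILITIES = [
    {"id": 1, "name": "Outdated OpenSSH version", "severity": "High", "asset": "web-01",
     "asset_groups": ["DMZ"], "labels": ["pci"], "created": NOW - timedelta(hours=2)},
    {"id": 2, "name": "Weak TLS cipher suites", "severity": "Medium", "asset": "web-01",
     "asset_groups": ["DMZ"], "labels": [], "created": NOW - timedelta(days=3)},
    {"id": 3, "name": "SMBv1 enabled", "severity": "High", "asset": "file-02",
     "asset_groups": ["Internal"], "labels": ["pci", "review"], "created": NOW - timedelta(days=10)},
    {"id": 4, "name": "Outdated OpenSSH version", "severity": "Low", "asset": "jump-03",
     "asset_groups": ["Internal", "Admin"], "labels": [], "created": NOW - timedelta(days=45)},
]

# Filter names from the guide's table mapped to the record field they inspect (assumed).
FIELD_FOR_FILTER = {
    "Labels": "labels",
    "Vulnerability Name": "name",
    "Severity": "severity",
    "Asset": "asset",
    "Asset Groups": "asset_groups",
}

# Preset windows of the 'Created during' filter.
WINDOWS = {
    "last hour": timedelta(hours=1),
    "last 24 hours": timedelta(hours=24),
    "last 7 days": timedelta(days=7),
    "last 30 days": timedelta(days=30),
}


def custom_range(days_back_start, days_back_end, now=NOW):
    """Build a (start, end) tuple for the Custom Range option, relative to now."""
    return (now - timedelta(days=days_back_start), now - timedelta(days=days_back_end))


def created_during(record, window, now=NOW):
    """True when the record's creation time falls in a preset window or a
    (start, end) custom range."""
    if isinstance(window, tuple):
        start, end = window
        return start <= record["created"] <= end
    return now - WINDOWS[window] <= record["created"] <= now


def matches(record, filters, now=NOW):
    """filters maps a filter name to the set of values selected under it.

    Values selected under ONE filter are combined with OR: the record passes
    that filter if any selected value matches. Different filters are combined
    with AND: the record must pass every filter that has a selection. An empty
    selection means that filter is not applied."""
    for name, selected in filters.items():
        if not selected:
            continue
        if name == "Created during":
            if not any(created_during(record, w, now) for w in selected):
                return False
            continue
        value = record[FIELD_FOR_FILTER[name]]
        values = set(value) if isinstance(value, list) else {value}
        if values.isdisjoint(selected):  # no selected value matched (OR failed)
            return False                 # so the AND across filters fails
    return True


def apply_filters(records, filters, now=NOW):
    """Return the ids of the records that survive the combined filters."""
    return {r["id"] for r in records if matches(r, filters, now)}


def facet_counts(records, filter_name):
    """The bracketed number shown beside each value under a filter: how many
    of the given records carry that value (list fields count once per value)."""
    field = FIELD_FOR_FILTER[filter_name]
    counts = Counter()
    for r in records:
        value = r[field]
        counts.update(value if isinstance(value, list) else [value])
    return counts


if __name__ == "__main__":
    # Two values under the same filter: OR. Two different filters: AND.
    print(apply_filters(SAMPLE_VULNERABILITIES, {"Severity": {"High", "Low"}}))  # {1, 3, 4}
    print(apply_filters(SAMPLE_VULNERABILITIES,
                        {"Severity": {"High"}, "Asset Groups": {"DMZ"}}))        # {1}
    print(facet_counts(SAMPLE_VULNERABILITIES, "Asset Groups"))
```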
To search vulnerabilities using a filter
1. Navigate to ENVIRONMENT > VULNERABILITIES.
2. Click on a filter.
The result of your search displays with vulnerabilities identified.
Searching Vulnerabilities by Using the Search Box
To search vulnerabilities using the search box
1. Navigate to ENVIRONMENT > VULNERABILITIES.
2. Type your search.
3. Click the Magnifying Glass icon ( ).
The result of your search displays with the vulnerabilities identified.
Exporting Vulnerabilities
You can export vulnerabilities to a CSV or HTML file for later analysis.
To export vulnerabilities
1. Navigate to ENVIRONMENT > VULNERABILITIES.
2. Use filters if you want to limit the number of vulnerabilities to export. For assistance, see Searching Vulnerabilities, on page 125.
3. Click the export as report icon ( ) at the upper right-hand corner of the page.
4. Type a report name.
5. (Optional) Type a report description.
6. Choose a date range.
7. Choose the export format, CSV or HTML.
If you choose CSV, your browser downloads the exported file automatically.
If you choose HTML, a new tab opens in your browser, displaying the report. You can print it by
clicking Print.
8. Choose the number of records to export.
9. If you have chosen the HTML format, you will see the Graphs section. Use this section to include
additional views. Select the graph you want to include in the report and click the right arrow icon ( ).
10. Click Save & Run.
You can see export reports again through the option REPORTS > DATA EXPORT HISTORY. See
Data Export History for further information.
USM Anywhere Sensor Management
USM Anywhere Sensors deploy into each environment and help you gain visibility into all of your
on-premises and cloud environments. USM Anywhere Sensors collect and normalize logs, monitor
networks, and collect information about the assets deployed in your environments.
After you install and set up the USM Anywhere Sensor, it communicates with USM Anywhere in the
cloud about the assets in your network. The USM Anywhere Sensor then transfers any available
raw plugin data to USM Anywhere in the cloud for correlation and event generation, among other
things.
This topic discusses the following subtopics:
• Adding a New Sensor
• Configuring a Sensor
• Editing a Sensor
• Assigning a Sensor
• Replacing a Sensor
• Deleting a Sensor
Adding a New Sensor
You can create as many sensors as you need in your environment, as long as your
USM Anywhere license allows it.
To check your allowed USM Anywhere sensors
1. Navigate to SETTINGS > MY SUBSCRIPTION.
The My Subscription page displays.
2. Check the allowed sensors you have and the license end date. The displayed date depends on
your computer's time zone.
If you want to modify your USM Anywhere License, please contact the AlienVault
Sales Department.
To add a new sensor
1. Navigate to SETTINGS > DEPLOYMENT.
The Manage Sensors page displays.
2. Click New Sensor.
If your USM Anywhere License does not allow you to create more sensors, this
button will remain inactive.
A popup window displays showing the authentication code that you will later need for activating
your sensor.
3. Deploy the sensor following the given instructions in the Deployment Guide.
4. Configure your USM Anywhere Sensor following the steps in the Setup Wizard. See the Setup
Wizard documentation for further information.
5. Navigate to SETTINGS > DEPLOYMENT.
The Manage Sensors page displays.
6. Check in the list of sensors that your new sensor is on the list, ready and well-configured.
Configuring a Sensor
USM Anywhere allows you to modify the configuration data of your sensor.
To configure a sensor
1. Navigate to SETTINGS > DEPLOYMENT.
The Manage Sensors page displays.
2. Click the Wrench icon ( ) of the sensor you want to configure.
The setup wizard displays. This wizard is specific to each sensor and guides you through the
configuration of your USM Anywhere Sensor. See the Setup Wizard documentation for further
information.
3. Modify the data you need to by following the steps in the Setup Wizard.
4. After you complete the last step in the Setup Wizard, click Start Using USM Anywhere to come
back to the main page.
Editing a Sensor
This option allows you to change the sensor name and the description of a sensor.
To edit a sensor
1. Navigate to SETTINGS > DEPLOYMENT.
The Manage Sensors page displays.
2. Click the Edit icon ( ) of the sensor you want to edit.
3. Modify the data you need to.
4. Click Save.
Assigning a Sensor
All assets that are detected by a sensor in the scan of your network are assigned automatically to
that sensor. If you have several sensors, the asset will be assigned to the sensor that has detected
the asset. An asset cannot be assigned to more than one sensor.
It is best practice to identify, prioritize and organize assets. By doing so, you can limit the scope of
network security audits to subsections of your network, making scan results more manageable. You
can also more easily distribute assets to multiple users to facilitate the delegation of responsibilities.
USM Anywhere provides a way of organizing your assets. If you have more than one sensor
configured and you want to organize your assets in your network, you may want to assign a different
sensor from the one that was assigned automatically.
For this reason, you may need to edit shared properties of some assets to assign a sensor. Luckily
you do not have to edit these assets one by one. Instead, you can select all the relevant assets and
modify their shared properties in one go. USM Anywhere allows you to perform the following tasks
for your own asset organization, which saves time and resources:
• Set a sensor to an asset if you want to change the one that was assigned automatically
• Set multiple assets at the same time by performing a bulk operation. You can set a sensor to several assets at the same time if you want to have certain assets assigned to a particular sensor
• Set a sensor to an asset group if you want to have a group of assets assigned to a particular sensor
To assign a sensor to an asset or a set of assets
1. Navigate to ENVIRONMENT > ASSETS.
2. Select the assets you want to include in a group. See Selecting Assets in Asset List View.
3. Select Actions > Set Sensor.
4. Select the sensor you want to assign the selected assets.
5. Click Save.
To assign a sensor to an asset group
1. Navigate to ENVIRONMENT > ASSET GROUPS.
2. Click the Ellipsis icon ( ) and select Full Details.
3. Select Actions > Set Sensor.
4. Select the sensor you want to assign the selected asset group.
5. Click Save.
Replacing a Sensor
USM Anywhere allows you to replace a sensor instead of deleting it forever. You can use this option,
for instance, when your disk is corrupted, you have an irreparable failure, or you want more
resources in your environment.
After replacing a sensor, the current disk and memory states are discarded, and your environment
reverts to the disk and memory states of your previous configuration. If you replace a sensor, you
keep all the information the sensor has, such as events, assets, and alarms. If you delete a sensor,
you lose all the information related to that sensor.
All your data is kept if you replace the sensors that are on the same platform.
To replace a sensor
1. Navigate to SETTINGS > DEPLOYMENT.
The Manage Sensors page displays.
2. Click the Delete icon ( ) of the sensor you want to replace.
3. Click Delete this sensor and replace it with a new one.
A popup window displays showing the authentication code that you will later need for activating
your sensor.
4. Deploy the sensor following the instructions in the Deployment Guide. Depending on your type
of sensor, you will have to follow different instructions.
5. Configure your USM Anywhere Sensor following the steps in the Setup Wizard. See the Setup
Wizard documentation for further information.
6. Navigate to SETTINGS > DEPLOYMENT.
The Manage Sensors page displays.
7. Check in the list of sensors that your replaced sensor is on the list, ready and well-configured.
Deleting a Sensor
USM Anywhere allows you to completely delete a sensor from your environment. Keep in mind that
if you delete a sensor, you delete all information related to that sensor, such as events, assets,
and alarms.
To delete a sensor
1. Navigate to SETTINGS > DEPLOYMENT.
The Manage Sensors page displays.
2. Click the Delete icon ( ) of the sensor you want to delete.
3. Click Delete this sensor permanently.
The deleted sensor is not displayed in the list of sensors.
Subscription Management
Once you have a USM Anywhere license, you can always view your subscriptions in one place. Use
the My Subscription page to access your license information, event data, and raw log data.
To open My Subscription page
1. Navigate to SETTINGS > MY SUBSCRIPTION.
The My Subscription page displays.
Information on the 'My Subscription' page
Field | Description
License Type | Trial or Subscription
License End Date | Trial Expiration date (Trial Licenses) or Support End Date (Subscription Licenses). The displayed date depends on your computer's time zone
Service Tier | Storage per month (250 GB per month, 500 GB per month, 1 TB per month, 1.5 TB per month, 2 TB per month, 3 TB per month, 4 TB per month)
Licensed Sensors | Number of Licensed Sensors
Active Sensors | Number of Active Sensors
Months of cold storage for raw logs | 12 months of cold storage by default
Total Data Consumed (This Month) | Amount of data USM Anywhere has processed on a monthly basis
Remaining Data Available (For This Month) | Amount of remaining data you have available for this month
Average Monthly Consumption | Average amount of data you have consumed on a monthly basis
Historical Data Consumption | List of data consumption by month
Total Event Data | Total amount of data USM Anywhere has processed
Total Days of Storage Capability | Total days of storage capacity available
First Day of Data Storage | First day on which data started to be stored
Raw Log Data
Raw Log Data is data that has been forwarded through your sensors. USM Anywhere stores this
data and allows you to extract Raw Log Data for audit purposes or further forensic analysis.
To extract Raw Log Data
1. Navigate to SETTINGS > MY SUBSCRIPTION.
2. Click Request Raw Log Files.
3. Select a date range to download the raw log files in zip format.
4. Click Request Download.
A popup window informs you that your request is being processed and it is in progress. Keep in
mind this process can take up to 6 hours.
5. Click OK.
In a few minutes you will receive an email with a link to download your files (zip file).
6. Click the link you have in the email to download the zip file.
7. Extract the zipped bundle and you see the files listed as forensics.log.YYYY-MMDD.bz2.
Reaching the Monthly Usage Limit
If your environment exceeds the data consumption of your tier, USM Anywhere starts operating in transient mode. While in transient mode, USM Anywhere no longer stores events in the searchable data store, but it still generates alarms, runs authenticated asset scans, and stores the raw logs associated with events in cold storage. In practice this means that events received during transient mode do not appear in event searches, although their raw logs remain in cold storage and can still be requested as described under Raw Log Data. Transient mode ends when a new month starts (based on your anniversary start date) or when you upgrade your subscription tier.
Please contact the AlienVault Sales Department to upgrade your subscription tier and modify your license.
The My Subscription page also allows you to purge your earliest seven days of event data and start collecting data again. Keep in mind that the purge button is only active after you have hit your limit and the system is operating in transient mode.
USM Anywhere displays an early and persistent warning to inform you that you are about to exceed your monthly tiered usage.
To purge your earliest seven days of data
1. Navigate to SETTINGS > MY SUBSCRIPTION.
2. Click Purge 7 Earliest Days of Event Data.
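As an added example (not the product's own logic), the following Python code projects the consumption seen so far in the current billing cycle against the tier limit, so that a team can anticipate transient mode from its own figures instead of waiting for the in-product warning. The cycle is anchored on the anniversary day as the guide describes; how an anniversary day is handled in months that do not have it, the 1 TB = 1000 GB convention, and the sample figures are assumptions made for the example.

```python
"""Project data consumption against the USM Anywhere tier limit (added example)."""
import calendar
import math
from datetime import date, timedelta

# Tiers as listed on the My Subscription page, in GB per month.
# Assumption: 1 TB is counted as 1000 GB; the guide does not state the convention.
TIERS_GB = {
    "250 GB": 250, "500 GB": 500, "1 TB": 1000, "1.5 TB": 1500,
    "2 TB": 2000, "3 TB": 3000, "4 TB": 4000,
}


def cycle_bounds(anniversary_day, today):
    """Return (start, end) of the billing cycle that contains `today`, where a
    new cycle begins on `anniversary_day` of each month. An anniversary day that
    a month does not have (e.g. the 31st in February) is clamped to that month's
    last day; the guide only says the cycle follows the anniversary start date,
    so this clamping rule is an assumption."""
    def anchor(year, month):
        return date(year, month, min(anniversary_day, calendar.monthrange(year, month)[1]))

    start = anchor(today.year, today.month)
    if start > today:  # anniversary not yet reached this month: cycle began last month
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        start = anchor(year, month)
    year, month = (start.year + 1, 1) if start.month == 12 else (start.year, start.month + 1)
    end = anchor(year, month) - timedelta(days=1)
    return start, end


def project_usage(tier, consumed_gb, anniversary_day, today_iso):
    """Extrapolate the consumption seen so far in the cycle to the whole cycle.
    state is 'transient' once the limit has been exceeded (events are no longer
    stored in the searchable data store), 'warning' if the current daily rate
    will exceed the limit before the cycle ends, otherwise 'ok'."""
    limit = TIERS_GB[tier]
    today = date.fromisoformat(today_iso)
    start, end = cycle_bounds(anniversary_day, today)
    elapsed = (today - start).days + 1          # today counts as a consumption day
    cycle_days = (end - start).days + 1
    rate = consumed_gb / elapsed                # GB per day so far
    projected = rate * cycle_days
    if consumed_gb > limit:
        state, limit_day = "transient", today
    elif projected > limit:
        state = "warning"
        limit_day = start + timedelta(days=math.ceil(limit / rate) - 1)
    else:
        state, limit_day = "ok", None
    return {
        "cycle_start": start.isoformat(),
        "cycle_end": end.isoformat(),
        "days_elapsed": elapsed,
        "days_in_cycle": cycle_days,
        "limit_gb": limit,
        "projected_gb": round(projected, 1),
        "state": state,
        "limit_day": limit_day.isoformat() if limit_day else None,
    }


if __name__ == "__main__":
    # Constructed figures: a 250 GB tier, anniversary on the 15th, checked on 2017-06-13.
    for used in (150, 245, 260):
        r = project_usage("250 GB", used, 15, "2017-06-13")
        print(f"{used:>4} GB used after {r['days_elapsed']}/{r['days_in_cycle']} days: "
              f"projected {r['projected_gb']} GB -> {r['state']} (limit day {r['limit_day']})")
```

Feed it the Total Data Consumed (This Month) figure from the My Subscription page; a 'warning' state a week or more before the cycle end is the point at which to contact Sales about a tier change, since once the store is transient new events are no longer searchable.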
Receiving Email Notifications Concerning my License
USM Anywhere sends you email notifications related to your license when:
- A license is changed from trial to subscription
- A license tier is upgraded
- A license expiration date is updated
- The number of sensors allowed is updated
- An activated license enters its grace period
- An activated license is deleted
USM Anywhere Reports
AlienVault USM Anywhere generates reports from the data you export. Reports are grouped by category (assets, asset groups, alarms, and events), and you can choose the report format (HTML or CSV).
Data Export History
The Data Export History page lists the reports produced by exporting data from assets, asset groups, alarms, and events. You can access it from the primary menu (REPORTS > DATA EXPORT HISTORY). The history of your reports is grouped by Report Category and Report Format for easy access.
You can use the Export History to view, modify, or re-run exports that you previously created, which makes it easier to recover earlier searches.
You can filter the Export History by report category or report format using the options in the Search and Filters area on the left side of the page. There are four report categories (assets, asset groups, alarms, and events) and two report formats (HTML and CSV).
If you choose the HTML format, the report opens in a new browser tab. You can print it by clicking Print, or save it as a PDF.
User Management
Because USM Anywhere manages important security functions for your organization, the system requires all users to log in with a user name and a password. The system can store and manage up to 10 user names internally.
USM Anywhere records when each user is logged in to the system and what the user does, and logs this activity in the USM Anywhere web interface.
After logging in for the first time, you must change the default password for your users. After you enter the new password, the main window displays.
To log out of the system, click the log-out icon.
Creating Users
To create a user
1. Navigate to SETTINGS > USERS.
The Users List page displays.
2. Click New User.
3. Type the user's email.
4. Type the user's full name.
5. Select Manager as the role.
6. Select the status you want for the user: enabled or disabled.
7. Click Save.
The user receives an email inviting them to set a password, which gives them access to the system.
Editing Users
You can edit and modify the data of a user.
To edit a user
1. Navigate to SETTINGS > USERS.
The Users List page displays.
2. Click the Edit icon located on the same line as the user.
A popup window with the user's settings displays.
3. Modify the data as needed.
4. Select Receive Alarm Notifications if you want alarm notifications sent to that user's account.
5. Click Save.