Assign Assets to AlienApps

USM Anywhere receives syslog log data from external data sources: devices, applications, or operating systems. If that data is not automatically matched with an AlienApp through hints (see Data Sources: Auto Discovered or Not), you must manually associate the AlienApp with an asset in USM Anywhere. There are two methods for creating these associations:

  • By assigning one or more assets to the AlienApp (this document).
  • By adding one or more AlienApps to the asset. See Adding AlienApps to an Asset for details.

You can use a combination of these methods to ensure that USM Anywhere can identify the correct AlienApps for the log data it receives from an asset.

Important: Assigning an AlienApp to an asset disables the usage of hints for the logs coming from this asset; therefore, USM Anywhere only uses the assigned AlienApps to parse and normalize those logs.

If you use log-forwarding software (such as Splunk or Loggly) to send logs to USM Anywhere, AT&T Cybersecurity recommends that you use at least two such forwarders: one forwarder for all the auto-discoverable AlienApps, and the other for the non-auto-discoverable AlienApps. In the latter case, you must create an asset in USM Anywhere to represent the forwarder and assign that asset to the non-auto-discoverable AlienApps. This ensures that USM Anywhere uses the correct AlienApp to parse your logs.

To assign an asset to an AlienApp

  1. Go to Data Sources > AlienApps > Available Apps.
  2. Look for the AlienApp you want to use and click the tile.
  3. After the page finishes reloading, click Assign Asset.
  4. Select the asset you want to assign. Click Create Asset to add an asset if it is not yet in USM Anywhere.
  5. Click Assign.
  6. When applicable, select the collection method you want to use.

    Set the collection method for an asset

  7. When applicable, select the format. See AlienApps Supported Log Formats for more information.

    Select a format

  8. Click the icon to confirm.
  9. Click Done.

To remove an asset from an AlienApp

  1. Go to Data Sources > AlienApps > Available Apps.
  2. Look for the AlienApp from which you want to remove the asset and click the tile.
  3. Click the icon.

    Delete assets from an AlienApp

  4. Click Accept to confirm.

To modify an assigned format

  1. Go to Data Sources > AlienApps > Available Apps.
  2. Look for the AlienApp you want to modify and click the tile.
  3. Click the icon of the asset.

    Modify assets assigned to an AlienApp

  4. Select the new format you want to use.
  5. Click the icon to confirm.
  6. Click Done.

AlienApps Supported Log Formats

Some AlienApps in USM Anywhere support multiple formats, giving you the option to select the format suitable to your environment. The following table lists the log formats and provides a sample log line for each one.

Log Formats Supported by AlienApps

CEF (ArcSight Common Event Format)
  Structure: CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
  Sample log: CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10| src=10.0.0.1 dst=2.1.2.2 spt=1232

CLF (NCSA Common Log Format)
  Sample log: 125.0.0.1 user-identifier sjones [10/Oct/2011:13:55:36 -0700] "GET /examp_alt.png HTTP/1.0" 200 10801

CSV (Comma-Separated Values)
  Sample log: 2,398778306028,eni-abc,1.1.1.1,2.2.2.2,52392,443,6,11,1935,1461792267,1461792322,ACCEPT,OK

GELF (Graylog Extended Log Format)
  Sample log: { "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_some_info": "foo" }

JSON (JavaScript Object Notation)
  Sample log: {"DateTime":1438189080000,"UsersName":"Dev","UsersEmail":"dev@blah.com","IPAddress":"1.1.1.1","Action":"Test"}

Key-Value (a key and value pair)
  Sample log: id="0001" severity="info" name="http access" action="pass" method="GET" srcip="1.1.1.1" dstip="2.2.2.2" user="myuser"

LEEF (Log Event Extended Format)
  Structure: LEEF:Version|Device Vendor|Device Product|Device Version|Event ID|Name|Severity|key=value<tab>key=value<tab>key=value<tab>key=value
  Sample log: LEEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10| src=10.0.0.1 dst=2.1.2.2 spt=1232

RegEx (Regular Expression)
  Sample log: sshd[1097]: Failed password for invalid user ben from 1.1.1.1 port 43312 ssh2

Split (the fields are separated using a character other than a comma)
  Sample log: 200|939|3934|1.1.1.1|-|1.1.1.1|"'Technology & Telecommunication'"|"test\test"|false|allowed|2.2.2.2

W3C (Extended Log File Format from W3C)
  Sample log:
    #Fields: time cs-method cs-uri
    00:34:23 GET /foo/bar.html

XML (Extensible Markup Language)
  Sample log: <Root><EventID>90060</EventID><Priority>4</Priority><Message>Application - End</Message><Category>AUDIT</Category></Root>
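Because an assigned format replaces hint-based detection, a line that does not have the chosen structure will not be parsed. As an added example (not USM Anywhere code), the following Python script encodes the structures the table gives for CEF/LEEF, JSON, Key-Value and CLF so that a sample line can be checked against a format before it is assigned; the table's own sample lines are used as constructed input.

```python
# Added example (not USM Anywhere code): structural checks for the CEF/LEEF,
# JSON, Key-Value and CLF layouts given in the table above, so a sample line can
# be confirmed against a format before it is assigned to an asset. Escaped pipes
# and extension values containing spaces are not handled (a simplification).
import json
import re

# Sample lines copied from the table above (constructed test input).
CEF_SAMPLE = "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10| src=10.0.0.1 dst=2.1.2.2 spt=1232"
LEEF_SAMPLE = "LEEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10| src=10.0.0.1 dst=2.1.2.2 spt=1232"
KV_SAMPLE = 'id="0001" severity="info" name="http access" action="pass" method="GET" srcip="1.1.1.1" dstip="2.2.2.2" user="myuser"'
JSON_SAMPLE = '{"DateTime":1438189080000,"UsersName":"Dev","UsersEmail":"dev@blah.com","IPAddress":"1.1.1.1","Action":"Test"}'
CLF_SAMPLE = '125.0.0.1 user-identifier sjones [10/Oct/2011:13:55:36 -0700] "GET /examp_alt.png HTTP/1.0" 200 10801'

# CEF/LEEF: prefix, version, six more pipe-separated header fields, then the extension.
_HEADER = re.compile(r"^(CEF|LEEF):(\d+)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
_CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_cef_leef(line):
    """Split a CEF or LEEF line into header fields and extension pairs; None if malformed."""
    m = _HEADER.match(line)
    if not m:
        return None
    fmt, version, vendor, product, dev_version, event_id, name, severity, ext = m.groups()
    return {"format": fmt, "version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "event_id": event_id, "name": name,
            "severity": severity,
            "extension": {k: v.strip('"') for k, v in _KV.findall(ext)}}


def matches_format(line, fmt):
    """True if `line` has the structure the table describes for `fmt`."""
    if fmt in ("CEF", "LEEF"):
        parsed = parse_cef_leef(line)
        return parsed is not None and parsed["format"] == fmt
    if fmt == "JSON":
        try:
            return isinstance(json.loads(line), dict)
        except ValueError:
            return False
    if fmt == "Key-Value":
        # Every token must be a key=value pair: nothing but whitespace may remain.
        return bool(_KV.findall(line)) and _KV.sub("", line).strip() == ""
    if fmt == "CLF":
        return _CLF.match(line) is not None
    raise ValueError("format not covered by this example: " + fmt)
```

Calling `matches_format(CEF_SAMPLE, "Key-Value")` returns False while `matches_format(CEF_SAMPLE, "CEF")` returns True, which is the mismatch an incorrectly assigned format would produce.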