AlienApps parse raw data and convert them into common event fields, such as user, date and time, and source or destination IP address, so that USM Anywhere can manage the information as security events. With a normalized event, USM Anywhere can display information uniformly and correlate events from various systems to generate alarms Alarms provide notification of an event or sequence of events that require attention or investigation..
USM Anywhere provides hundreds of AlienApps that translate log data from common devices, operating systems, and applications. When USM Anywhere receives the raw data, it must identify a data source to use for normalization. Many data sources produce syslog messages that can be used to identify the device or application producing the message (auto-discovered), while other data sources produce log data that requires more guidance to identify a match for the data (not auto-discovered).
In USM Anywhere, many AlienApps can analyze and match log data automatically because of hints — unique information within a syslog message that identifies the data source sending the logs. When matched, these hints enable the syslog An industry standard message logging system that is used on many devices and platforms. message to be read and the data source to be determined, hence auto-discovered.
Not all AlienApps accept hints, however, because some syslog messages only contain generic data. For hints to work, syslog messages must contain unique information. When such information is missing, USM Anywhere can neither automatically identify those data sources nor read their syslog data, hence the data sources are not auto-discovered. These AlienApps require a manual association between the asset forwarding the syslog messages and the AlienApp. See Assign Assets to AlienApps for detailed instructions.
Important: Assigning an AlienApp to an asset disables the usage of hints; therefore, only the assigned AlienApps are used to parse and normalize a log message. If you assign an AlienApp to an asset and that asset produces log messages to be processed by other AlienApps, you must manually assign each AlienApp, including the auto-discovered AlienApps, to the asset.
When multiple AlienApps are assigned to an asset, it can happen that an incorrect AlienApp is invoked to parse and normalize the log message, especially when the needed AlienApp is not included in the list of manually assigned AlienApps.
USM Anywhere clearly indicates whether an AlienApp can auto-discover its data source in the user interface (UI). On Data Sources > AlienApps > Available Apps, when Show Auto-discoverable is selected, auto-discovered AlienApps display a black banner at the bottom of the tile:
If you click a tile to open the page for a particular AlienApp, look for the following clues to indicate that the AlienApp is auto-discovered:
Data Source Details
Each of the standard AlienApps contains a section of the data source details on the Configuration page. Click Data Source Details to see the data format and the full list of details for the app's data parsing.
Occasionally, a log line cannot be matched by any AlienApps. This is typically caused by devices that generate non-standard syslog messages. For example, when there are non-standard date formats or other information in the syslog header, the USM Anywhere syslog parser is unable to properly extract the tag header. In some cases, you can modify the logging configuration on the device to produce a better result.
For cases where a matching data source is not identified, USM Anywhere parses it using a generic data source. This data source parses the log line using regular expressions and advanced text searches, including common log keywords. If USM Anywhere uses the AlienVault Generic Data Source as a best effort to parse a log line, it adds a Was Fuzzied = True field to the event. You can view such events on the Activity > Events page. See AlienVault Generic Plugin for more information.