AlienApps and Data Sources

AlienApps parse raw data and convert them into common event fields, such as user, date and time, and source or destination IP address, so that USM Anywhere can manage the information as security events. With a normalized event, USM Anywhere can display information uniformly and correlate events from various systems to generate alarms. Alarms provide notification of an event or sequence of events that require attention or investigation.

USM Anywhere provides hundreds of AlienApps that translate log data from common devices, operating systems, and applications. When USM Anywhere receives the raw data, it must identify a data source to use for normalization. Many data sources produce syslog messages that can be used to identify the device or application producing the message (auto-discovered), while other data sources produce log data that requires more guidance to identify a match for the data (not auto-discovered).

Data Sources: Auto Discovered or Not

In USM Anywhere, many AlienApps can analyze and match log data automatically because of hints — unique information within a syslog message that identifies the data source sending the logs. When matched, these hints enable the syslog message (syslog is an industry-standard message logging system used on many devices and platforms) to be read and the data source to be determined; such data sources are auto-discovered.

Not all AlienApps accept hints, however, because some syslog messages only contain generic data. For hints to work, syslog messages must contain unique information. When such information is missing, USM Anywhere can neither automatically identify those data sources nor read their syslog data, hence the data sources are not auto-discovered. These AlienApps require a manual association between the device sending the syslog messages and the AlienApp. See Assign Assets to AlienApps for detailed instructions.

Important: Assigning an AlienApp to an asset disables the usage of hints for the logs coming from this asset; therefore, USM Anywhere only uses the assigned AlienApps to parse and normalize those logs.

If you use log-forwarding software (such as Splunk or Loggly) to send logs to USM Anywhere, AT&T Cybersecurity recommends that you use at least two such forwarders: one forwarder for all the auto-discoverable AlienApps, and the other for the non-auto-discoverable AlienApps. In the latter case, you must create an asset in USM Anywhere to represent the forwarder and assign it to the non-auto-discoverable AlienApps. This ensures that USM Anywhere uses the correct AlienApp to parse your logs.

When multiple AlienApps are assigned to an asset, an incorrect AlienApp may be invoked to parse and normalize a log message, especially when the AlienApp that the message actually requires is not in the list of manually assigned AlienApps.

USM Anywhere clearly indicates whether an AlienApp can auto-discover its data source in the user interface (UI). On Data Sources > AlienApps > Available Apps, when Show Auto-discoverable is selected, auto-discovered AlienApps display a black banner at the bottom of the tile:

Available Apps auto-discovered

If you click a tile to open the page for a particular AlienApp, look for the following clues to indicate that the AlienApp is auto-discovered:

This app is auto-discovered

Data Source Details

Each of the standard AlienApps contains a section of the data source details on the Configuration page. Click Data Source Details to see the data format and the full list of details for the app's data parsing.

Example of Data Source Details

The AlienVault Generic Data Source

Occasionally, a log line cannot be matched by any AlienApp. This is typically caused by devices that generate non-standard syslog messages. For example, when the syslog header contains non-standard date formats or other unexpected information, the USM Anywhere syslog parser is unable to properly extract the tag header. In some cases, you can modify the logging configuration on the device to produce a better result.

For log lines where no matching data source is identified, USM Anywhere parses the line using a generic data source. This data source parses the log line using regular expressions and advanced text searches, including common log keywords. If USM Anywhere uses the AlienVault Generic Data Source as a best effort to parse a log line, it adds a Was Fuzzied = True field to the event. You can view such events on the Activity > Events page. See AlienVault Generic Data Source for more information.
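The routing rules described on this page (hint-based auto-discovery, manual asset assignment disabling hints, and the generic best-effort fallback that sets Was Fuzzied) modelled as a small Python dispatcher. This is an added illustration, not USM Anywhere code: the app names, hint patterns, the "ACME" vendor tag and the sample syslog lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed syslog samples (not real device output) used to exercise the routing rules.
SAMPLES = {
    "fw": "<134>Mar 12 10:01:02 fw01 %ACME-FW-6-302013: Built outbound TCP connection src 10.0.0.5 dst 203.0.113.9",
    "auth": "<13>Mar 12 10:01:03 host7 custom: user=alice action=login src=10.0.0.7 result=failed",
}

@dataclass
class AlienApp:
    name: str
    hint: Optional[re.Pattern]   # None => not auto-discoverable, needs manual assignment
    pattern: re.Pattern          # field extraction for this app's log format

    def matches(self, line):
        return self.hint is not None and self.hint.search(line) is not None

# Hypothetical apps: one carries a unique hint, the other only sees generic key=value data.
APPS = [
    AlienApp("acme-firewall", re.compile(r"%ACME-FW-\d-\d+"),
             re.compile(r"src (?P<src_ip>\S+) dst (?P<dst_ip>\S+)")),
    AlienApp("custom-auth", None,
             re.compile(r"user=(?P<user>\S+) .*src=(?P<src_ip>\S+) result=(?P<result>\S+)")),
]

# Generic fallback: common log keywords plus the first IPv4 address found.
GENERIC_KEYS = re.compile(r"\b(?P<key>user|src|dst|action|result)=(?P<value>\S+)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize(line, sender, assignments):
    """Normalize one syslog line from `sender` (an asset name).

    assignments maps asset -> list of manually assigned AlienApps. When the
    asset has assignments, hints are ignored and only those apps are tried;
    otherwise every auto-discoverable app is tried through its hint. If no
    candidate parses the line, the generic parser runs and flags was_fuzzied.
    """
    candidates = assignments.get(sender) or [a for a in APPS if a.matches(line)]
    for app in candidates:
        m = app.pattern.search(line)
        if m:
            return {"data_source": app.name, "was_fuzzied": False, **m.groupdict()}
    event = {"data_source": "generic", "was_fuzzied": True}
    event.update({m["key"]: m["value"] for m in GENERIC_KEYS.finditer(line)})
    ips = IPV4.findall(line)
    if ips:
        event.setdefault("src_ip", ips[0])
    return event
```

Running the "auth" sample with no assignment lands in the generic parser, while assigning custom-auth to host7 yields a fully normalized event; assigning the wrong app to fw01 shows how an assignment suppresses the firewall hint.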