A USM Anywhere integration is a software component that provides logic specific to producing normalized event data from the raw log data received from an external data source. The integration parses the raw data and converts it into common event fields, such as user, date and time, and source or destination IP address, so that USM Anywhere can manage the information as a security event. With a normalized event, USM Anywhere can display information uniformly and correlate events from various individual systems to generate alarms.
USM Anywhere provides numerous integrations that translate log data from common devices, operating systems, and applications. When USM Anywhere receives the raw log data, it must identify an integration to use for normalization. Many data sources produce syslog messages that contain information that can be used to identify the device or application that produced the message. Other data sources produce log data that requires more guidance to identify a match for the data.
In USM Anywhere, many integrations can be identified and matched to the log data automatically because of hints — unique information within a syslog message that identifies the data source sending the logs. These hints allow the syslog message to be read and the integration type to be identified when the hints match the criteria set for each integration type. Therefore, if an integration accepts hints, USM Anywhere can automatically identify it as a match for a syslog message.
When you review integration details in USM Anywhere, these integrations are designated with Autodiscovered = Yes.
Not all integrations accept hints, because some syslog messages contain only generic data. For hints to work, syslog messages must contain unique information. For this reason, USM Anywhere can neither automatically identify those integrations nor read their syslog data. These integrations require a defined match in USM Anywhere, created by associating the asset with the integration or by associating the integration with an asset.
When you review integration details in USM Anywhere, these integrations are designated with Autodiscovered = No.
With one or more manual integration associations for an asset, it is possible for the wrong integration to be invoked for parsing and normalizing a log message. This typically happens if the needed integration is not included in the list of manually associated integrations.
Important: Assigning a data source to an asset disables the usage of hints and only the assigned data sources are used to parse and normalize a log message. Therefore, if you assign a data source to an asset and that asset produces log messages to be processed by more than one data source, you must manually assign each data source, including the auto-discovered data sources, to the asset.
For detailed instructions about how to associate these integrations with an asset or asset group, see Manual Integration Management.
Occasionally, a log line does not match either a manually enabled or an auto-discovered integration. This is typically caused by devices that generate non-standard syslog messages. Because they put non-standard date formats or other information in the syslog HEADER, the USM Anywhere syslog parser is unable to properly extract the tag header. In some cases, you can modify the logging configuration on the device to produce a better result.
For cases where a matching integration is not identified, USM Anywhere parses the log line using a generic integration. This integration parses the log line using regular expressions and advanced text searches, including common log keywords.
After it scans for key phrases, it starts looking for patterns within the log. It typically looks for these patterns:
Where separators can be one of the following:
: = , ; [ ] / \n
If USM Anywhere uses the AlienVault Generic Integration on a best-effort basis to parse a log line, it adds a Was Fuzzied = True field to the event within the Events (Activity > Events) page.
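The following is an added example, not USM Anywhere code, that models the selection logic described above: hints pick an integration, a manual assignment to the asset disables hints so only the assigned integrations are tried, and anything still unmatched falls through to a generic keyword/separator parser that marks the event Was Fuzzied = True. The integration names, hint strings, field patterns and sample syslog lines are constructed for illustration.

```python
import re

# Constructed, hypothetical integrations: a hint token that identifies the
# data source plus a field pattern. Not USM Anywhere's real definitions.
INTEGRATIONS = {
    "OpenSSH (constructed)": {
        "hint": " sshd[",
        "pattern": re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src_ip>\S+)"),
    },
    "Cisco ASA (constructed)": {
        "hint": "%ASA-",
        "pattern": re.compile(
            r"Teardown .* for \w+:(?P<src_ip>[\d.]+)/\d+ to \w+:(?P<dst_ip>[\d.]+)/\d+"),
    },
}
GENERIC = "AlienVault Generic Integration"
SEP = r"[:=,;\[\]/]"  # the separator set listed on the page (newline aside)

def generic_parse(line):
    """Best-effort parse: a keyword, one separator, then a value token."""
    event = {"integration": GENERIC, "Was Fuzzied": True}
    pairs = re.findall(r"\b([A-Za-z_]\w*)\s*" + SEP + r"\s*([^\s:=,;\[\]/]+)", line)
    for key, value in pairs:
        event.setdefault(key, value)  # keep the first value seen for a key
    return event

def normalize(line, assigned=None):
    """assigned: integrations manually associated with the reporting asset.
    A manual assignment disables hints, so only those integrations are tried;
    otherwise every integration whose hint appears in the line is a candidate."""
    if assigned is not None:
        candidates = assigned
    else:
        candidates = [n for n, i in INTEGRATIONS.items() if i["hint"] in line]
    for name in candidates:
        m = INTEGRATIONS[name]["pattern"].search(line)
        if m:
            return {"integration": name, "Was Fuzzied": False, **m.groupdict()}
    return generic_parse(line)  # no match: fall back to the generic integration

# Constructed sample syslog lines (not captured from a real system).
LINE_SSH = "<86>Jun 1 10:00:00 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 5000 ssh2"
LINE_ASA = ("<166>Jun 1 10:00:01 fw %ASA-6-302014: Teardown TCP connection 12 for "
            "outside:203.0.113.7/443 to inside:10.0.0.9/51000 duration 0:00:01 bytes 1200")

if __name__ == "__main__":
    print(normalize(LINE_SSH))                                      # hint match
    print(normalize(LINE_SSH, assigned=["Cisco ASA (constructed)"]))  # wrong manual assignment
```

The second call shows the failure mode from the Important note: the asset's manual assignment omits the integration the line needs, so hints are never consulted and the event is fuzzied.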
USM Anywhere includes the predefined AlienVault Generic Integration view to provide easy access to these events (Activity > Events: AlienVault Generic Integration). If the reporting asset is defined in the USM Anywhere asset inventory, you can manually assign an integration directly from this view.
For more information about the information and tools available in this view, see AlienVault Generic Plugin.