Adding AlienApps to an Asset

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere receives syslog An industry standard message logging system that is used on many devices and platforms. log data from external data sources: devices, applications, or operation systems. If that data is not automatically matched with an AlienApp through hints (see Data Sources: Auto Discovered or Not), you must manually associate the AlienApp with an asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. in USM Anywhere. There are two methods for creating these associations:

  • By assigning one or more assets to the AlienApp. See Assign Assets to AlienApps for details.
  • By adding one or more AlienApps to the asset (this document).

You can use a combination of these methods to ensure that USM Anywhere can identify the correct AlienApps for the log data it receives from an asset.

Important: Assigning an AlienApp to an asset disables the usage of hints for the logs coming from this asset; therefore, USM Anywhere only uses the assigned AlienApps to parse and normalize those logs.

If you use a log-forwarding software (such as Splunk or Loggly) to send logs to USM Anywhere, AT&T Cybersecurity recommends that you use at least two such forwarders: one forwarder for all the auto-discoverable AlienApps, and the other for the non-auto-discoverable AlienApps. In the latter case, you must create an asset in USM Anywhere to denote the forwarder and assign it to the non-auto-discoverable AlienApps. This ensures that USM Anywhere uses the correct AlienApp to parse your logs.

Adding an AlienApp to an asset requires that you know what log data that the USM Anywhere Sensor receives from the asset and which AlienApp(s) are the best match for parsing and normalizing that data to produce meaningful events for your needs.

You can add an AlienApp on the Asset Details page. The Asset Details page provides access to all of the available information and tools for managing an individual asset. See Asset Management for more information about managing discovered assets in USM Anywhere.

To add an AlienApp from the Asset Details page

  1. Go to Environment > Assets.

  2. (Optional.) Use the Search & Filters option to filter the list and help you to locate the asset you want.

    See Searching Assets for more information.

  3. Click the icon next to the asset name and select Full Details.

    Open the full details for the Carbon Black asset

    This displays the Asset Details.

  4. At the bottom of the expanded page, select the AlienApps tab and click Add AlienApp.

    Click Add AlienApp to associate an AlienApp with the asset

  5. In the dialog box, select the AlienApp you want to assign to the asset. Enter full or part of the name in the Set a New AlienApp field and select one from the displayed list.

    Enter part of the name and select the correct AlienApp from the displayed list.

    The system displays this message at the top of the page:

    AlienApp added successfully.

  6. (Optional.) Repeat the previous step to add another AlienApp.

  7. Click the icon to close the dialog box.

    On the AlienApps tab, you can see the list of AlienApps added.

    View the associated AlienApps in the Asset Details page.

For logs where a matching AlienApp is not identified, USM Anywhere parses it using a generic data source. You can review the generated events in the AlienVault Generic Data Source events view. If the reporting device for the event is defined in the USM Anywhere asset inventory, you can manually assign an AlienApp directly from this view.

See AlienVault Generic Data Source for more information about the information and tools available in this view.

To assign an AlienApp from a AlienVault Generic Data Source event

  1. Go to Activity > Events.
  2. Click View > Saved views > AlienVault Generic Data Source.
  3. Click Apply.
  4. Review the listed events and locate an event where the reporting device is displayed in blue and you want to manually assign a known AlienApp to the asset.

  5. In the Reporting Device column, click the icon next to the asset name and select Assign AlienApp.

    Events Main Page, Menu on the Reporting Device Column

    The Add AlienApp to an asset dialog box opens.

    Events Main Page, Add AlienApps dialog box

  6. In the dialog box, select the AlienApp to use for log data from the asset.

    Enter part of the AlienApp name in the Set a New AlienApp field and select the AlienApp from the displayed list.

    Enter part of the plugin name and select the correct plugin from the displayed list.

  7. (Optional.) Repeat the previous step to add another AlienApp for the asset.
  8. Click the icon to close the dialog box.