USM Anywhere receives syslog (an industry-standard message logging system used on many devices and platforms) log data from external data sources: devices, applications, or operating systems. If that data is not automatically matched with an AlienApp through hints (see Data Sources: Auto Discovered or Not), you must manually associate the AlienApp with an asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) in USM Anywhere. There are two methods for creating these associations:
- By assigning one or more assets to the AlienApp. See Assign Assets to AlienApps for details.
- By adding one or more AlienApps to the asset.
You can use a combination of these methods to ensure that USM Anywhere can identify the correct AlienApps for the log data it receives from an asset.
Important: Assigning an AlienApp to an asset disables the usage of hints; therefore, only the assigned AlienApps are used to parse and normalize a log message.
If you forward logs to an asset and then from that asset to USM Anywhere, AT&T Cybersecurity recommends the use of at least two different forwarding assets, which prevents the system from parsing logs with an incorrect AlienApp. You can use one of the assets for all the auto-discoverable AlienApps, and the other (or others) for the non-auto-discoverable AlienApps.
Adding an AlienApp to an asset requires that you know what log data the USM Anywhere Sensor receives from the asset and which AlienApp(s) are the best match for parsing and normalizing that data to produce meaningful events for your needs.
You can add an AlienApp on the Asset Details page. The Asset Details page provides access to all of the available information and tools for managing an individual asset. See Asset Management for more information about managing discovered assets in USM Anywhere.
To add an AlienApp from the Asset Details page
- Go to Environment > Assets.
- (Optional.) Use the Search & Filters options to filter the list and help you locate the asset you want. See Searching for Assets for more information.
- Click the icon next to the asset name and select Full Details. This displays the Asset Details.
- At the bottom of the expanded page, select the AlienApps tab and click Add AlienApp.
- In the dialog box, select the AlienApp you want to assign to the asset. Enter the full name or part of it in the Set a New AlienApp field and select one from the displayed list. The system displays this message at the top of the page: AlienApp added successfully.
- (Optional.) Repeat the previous step to add another AlienApp.
- Click the icon to close the dialog box.
On the AlienApps tab, you can see the list of AlienApps added.
For logs where a matching AlienApp is not identified, USM Anywhere parses them using a generic data source. You can review the generated events in the AlienVault Generic Data Source events view. If the reporting device for the event is defined in the USM Anywhere asset inventory, you can manually assign an AlienApp directly from this view.
For more information about the information and tools available in this view, see AlienVault Generic Plugin.
To assign an AlienApp from an AlienVault Generic Data Source event
- Go to Activity > Events: AlienVault Generic Plugin.
- Review the listed events and locate an event where the reporting device is displayed in blue and you want to manually assign a known AlienApp to the asset.
- In the Reporting Device column, click the icon next to the asset name and select Assign plugin.
- In the dialog box, select the AlienApp to use for log data from the asset. Enter part of the AlienApp name in the Set a New AlienApp field and select the AlienApp from the displayed list.
- (Optional.) Repeat the previous step to add another AlienApp for the asset.
- Click the icon to close the dialog box.