USM Anywhere provides a centralized view of your events. Go to Activity > Events to see this centralized view.

The Events page displays information on events. These are the different parts of the Events page:

• On the left side of the page are the search and filters options. Use filters to delimit your search. See Searching Events for more information.
• At the top of the page, you can see any filters you have applied, and you have the option to create and select different views of the events.
• The main part of the page is the list of events, where each row describes an individual event. Click an event to open a summary view. See Viewing Event Details for more information.

Your environment can display events when an asset has not received messages within a configured period of time. To see this kind of events, you previously need to configure a period of time that indicates when the asset has to start generating events. See Events Created When an Asset Stops Sending Data for more information.

If you want to analyze the data and see the additional columns without having to scroll left and right, you can maximize the screen and hide the filter pane. Click the icon to hide the filter pane. Click the icon to expand the filter pane.

The following table lists the fields you see on the page.

List of the Default Columns in Events

Column / Field Name	Description
Event Name	Name of the event.
Time Created	The date and time of the creation of the event. The displayed date depends on your computer's time zone.
OTX	Indicate if it is an OTX The world’s first truly open threat intelligence community. Enables collaborative defense with open access, collaborative research, and seamless integration with USM Anywhere and USM Appliance, and AlienApps for other security products. event or not. If the icon displays active, click it to go to OTX.
Source Asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers.	Hostname A hostname is a label that is assigned to a device connected to a computer network and is used to identify the device on the network. or IP address of the host Reference to a computer on a network. (with the national flag if the country is known) that initiates the event. Important: If you want to create a rule, instead of using this field, use the Source Name or Source Asset ID fields.
Destination Asset	Hostname or IP address of the host (with the national flag if the country is known) that receives the event. Important: If you want to create a rule, instead of using this field, use the Destination Name or Destination Asset ID fields.
Sensor	Name of the USM Anywhere Sensor Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. detecting the event. The type of sensor is also displayed below the sensor name.
Username	Username associated with the event.

The asset name includes the icon if the asset is not in the system, or the icon if the asset has been added to the system.

Click the icon to access these options:

• Add to current filter: Use this option to add the asset name as a search filter. See Searching Events.
• Look up in OTX: This option searches the IP address of the source asset in the Open Threat Exchange page. See Using OTX in USM Anywhere
• Add asset to system: Use this option to create the asset in the system. See Adding Assets.

Click the icon to access these options:

• Add to Current Filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the asset in the OTX page. See Using OTX in USM Anywhere for more information.
• Full Details: See Viewing Assets Details for more information.
• Configure Asset: See Editing Assets for more information.
• Delete Asset: See Deleting the Assets for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: Authenticated scans are performed from inside the machine using a user account with appropriate privileges. This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
• Scan with AlienApp: This option enables you to run an asset scan through an AlienApp. See Running Asset Scans Using an AlienApp for more information.
• Run Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Asset Scans for more information.
• Configuration Issues: An identified configuration of deployed software or features of software that is in use, which is known to be insecure. This option opens the Assets Details page. The Configuration Issues tab is selected in the page. See Viewing Assets Details for more information.
• Vulnerabilities: This option opens the Assets Details page. The Vulnerabilities tab is selected in the page. See Viewing Assets Details for more information.
• Alarms: This option opens the Assets Details page. The Alarms tab is selected in the page. See Viewing Assets Details for more information.
• Events: Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. This option opens the Assets Details page. The Events tab is selected in the page. See Viewing Assets Details for more information.

You can configure the view you want for the list of events. See Event Views for more information.

Click Generate Report to open the Configure Report dialog box. See Create an Events Report for more details.

The graph above the events list displays the amount of events in a period of time. You can change this period by clicking Last 24 Hours filter.

Click the icon to access these options:

• Actions / User: Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
• Count / Time: The Count/Time view is a graph that provides a graphical representation of the number of events in a period of time.

  Important: The period of time is mapped with the timestamp_occurred field. This field can be overwritten by the current sensor UTC timestamp if, when processing events, a delay is detected up to 15 minutes or the timestamp_occurred field is not provided.

• Auth / User: Reports authorization actions.
• Source Map: Provides the number of events associated with each country on a global map.

Click the icon to bookmark an item for quick access.

Click the icon to filter your search by row fields. See Filtering Events by Row Fields for more information.

You can choose the number of items to display by selecting 20, 50, or 100 below the table. You can classify some columns by clicking the icons to the right side of the heading. You can sort the item information in ascending or descending order.

Configuring Columns

Within the page, you can configure the columns and fields that display in the List view. You can also save your columns configuration to return to it whenever you need it.

To configure your columns

1. From the events list view, click the icon.

   The Manage Columns dialog box opens.

   

2. Search the columns you want to have in the list view. You can enter your search in the search field.

3. Use the and icons to pass the items from one column to the other and select the columns you want to see.

4. You can order the columns by clicking one of them and dragging the column to the desired place.

5. Click Apply.