After the basic installation and configuration of your USM Anywhere system is completed, you can use the USM Anywhere web UI to verify that it is operating properly.
The following process describes tasks you can perform to verify basic operations, also walking you through information available from the primary menu options.
- When you first launch the USM Anywhere web UI, it displays the main dashboards page.
- Confirm that security eventsInformation collected and displayed that describes a single system or user level activity that took place. are being collected, and populating the USM Anywhere correctly. To see events, go to Activity > Events.
Confirm that USM Anywhere is creating alarms and the alarms are displaying correctly. The USM Anywhere generates alarms from correlation rulesA correlation rule correlates incoming events based on previously defined relationships defined in the correlation directive, associating multiple events, of the same or different event types, from the same data source.. To see alarms in your system, go to Activity > Alarms.
By default, the middle portion of the page provides a graphical representation of current alarms being generated in your environment. Blue circles indicate the number of alarms in a category that are displaying at a particular time. A bigger circle indicates a higher number of alarms. Alarms are prioritized by categories that reflect typical methods used by attackersOne who maliciously attempts to bypass security restrictions or negatively impact a system or resource.. See Viewing Alarm Details for more information on alarm categorization.
You can also search for and filter out specific alarms using time ranges and other search criteria. Click a specific alarm row to display additional information for the selected alarm, in a dialog box. You can view and examine full details about an alarm, in a full browser window, by clicking the alarm, and then clicking Full Detail. Use this link to see all the information about the alarm such as the events that triggered the alarms, source and destination IPTarget IP address for an event. addresses, and the recommended actionsIn USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. to be done.
This high-level view of summary information shows the overall state of your network, so you can get an immediate indication of the levels of eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. and alarmsAlarms provide notification of an event or sequence of events that require attention or investigation. occurring in your environment.
On this page, any normalized log event, or any other event received or generated by any USM Anywhere SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. at the application, system, or network level, will show in the display, unless a suppression event has filtered it out.
You can also search for and filter out specific events using time ranges and other search criteria. Click a specific event row to display additional information for the selected event, in dialog box. You can view and examine full details about an event, in a full browser window, by clicking the event, and then clicking Full Detail. Use this link to see all the information about the event such as the details of the events, the related assetsAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers., the source and destination IP addresses, and the log of the event.