This guide provides information for users of USM Anywhere who are responsible for monitoring network security and for identifying and addressing security threats in their environment. The guide also describes operations provided by the USM Anywhere web user interface (web UI), which is used to perform most USM Anywhere network security tasks after the initial USM Anywhere deployment.
This guide includes these topics:
- Getting Started with USM Anywhere: Describes typical security operations performed after initial USM Anywhere installation and configuration, including security operation best practices and workflow, verifying USM Anywhere operations, and establishing baseline network behavior.
- USM Anywhere Dashboards: Provides an overview of USM Anywhere dashboards.
- Asset Management: Describes operations to manage assets and asset groups. Includes topics such as asset creation and discovery, vulnerability scans, and asset monitoring and analysis.
- The AlienVault Agent: Describes the AlienVault Agent, which is a lightweight endpoint agent based on osquery. It enables endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.
- Alarms Management: Provides information about alarms generated from events and OTX pulses, viewing and reviewing alarm information and field details, and suppressing alarms to remove noise in the system.
- Events Management: Provides information on viewing, filtering, and sorting events, event and OTX field details, and analyzing events that generate alarms.
- System Events Management: Provides information on viewing, filtering, and sorting system events, which are the events generated within your environment.
- Configuration Issues Management: Provides information on viewing, filtering, and sorting configuration issues, and how to suppress them from the main view.
- Rules Management: Describes how to create suppression and orchestration rules, and how USM Anywhere correlation rules work. This chapter also describes how Amazon Simple Notification Service (SNS) is integrated into USM Anywhere and how to manage AlienApps™.
- Vulnerability Assessment: Describes how to perform vulnerability scans, view and understand scan results, and generate reports based on vulnerability scans.
- Open Threat Exchange® and USM Anywhere: Describes the open information-sharing and analysis network. OTX provides access to real-time information about issues and threats that may impact your organization, enabling you to learn from and work with others who have already experienced such attacks.
- USM Anywhere Sensor Management: Describes how to manage sensors within USM Anywhere.
- Subscription Management: Describes license information, event data, and raw log data.
- USM Anywhere Reports: Describes reports displayed in USM Anywhere. You can find reports generated with the report creation feature; compliance templates based on alarms, vulnerabilities, and events collected in the system; and Event Type Templates based on event categorization by type of data source and by the most used data sources.
- USM Anywhere User Management: Describes USM Anywhere user authentication and role-based authorization, configuration of authorization for specific assets, and monitoring user activity.
- Using USM Anywhere for PCI Compliance: Describes USM Anywhere capabilities to manage PCI DSS requirements through assets, asset groups, and reports.
- Investigations: Describes how to organize the information from your environment. You can link alarms, events, notes, and other files to their responses to have a complete view of the set of actions you have taken to address a particular threat.
- System Status within USM Anywhere: Describes the status of your environment. It covers the system monitor page, the network settings page (available if your role is Manager), and the log collection page.