Alarm Details — Columns and Fields

Applies to Product: USM Appliance™ AlienVault OSSIM®
Alarm Details field descriptions

Each entry below gives the column or field name, followed by its description.
Status

Whether the alarm is open or has been closed.

Risk

Risk level of an alarm, which can be Low (1), Medium (2), or High (>=3).

Risk is calculated with the formula:

Risk = (Asset Value * Event Reliability * Event Priority) / 25

where:
  • Asset Value specifies an asset's importance or criticality relative to other managed assets.
  • Event Reliability specifies the likelihood that the event is accurate. It ranges from 0 to 10.
  • Event Priority defines how urgently the event should be investigated. It ranges from 0 to 5.

So if Asset Value = 3, Reliability = 4 and Priority = 5, the risk would be 3 * 4 * 5 / 25 = 2.4 (rounded down to 2), therefore the Risk value is Medium.
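The risk formula and the Low/Medium/High bands above are easy to get subtly wrong when reimplemented in a SOAR playbook or a detection test (rounding instead of truncating, or forgetting the 25 divisor). The following Python is an added example, not AlienVault code: it carries the page's formula through with integer truncation, validates the reliability (0 to 10) and priority (0 to 5) ranges the page states, and maps the result onto the page's bands. The 0 to 5 asset-value range and the treatment of a computed risk of 0 as Low are assumptions, marked in the comments, since the page gives neither.

```python
"""Worked example of the USM Appliance alarm risk formula.

Added example, not AlienVault/OSSIM code. The formula and the
Low (1) / Medium (2) / High (>=3) bands come from the documentation;
the 0-5 asset-value range and the handling of a computed risk of 0
are assumptions noted below.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskInputs:
    asset_value: int   # asset importance; 0-5 is an assumption (page gives no range)
    reliability: int   # event reliability, 0-10 per the page
    priority: int      # event priority, 0-5 per the page


def _check_range(name: str, value: int, low: int, high: int) -> None:
    """Reject out-of-range inputs instead of silently producing an odd risk."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer in [{low}, {high}], got {value!r}")


def compute_risk(inputs: RiskInputs) -> int:
    """Risk = (Asset Value * Event Reliability * Event Priority) / 25,
    rounded down to a whole number, as the page describes."""
    _check_range("asset_value", inputs.asset_value, 0, 5)   # assumed range
    _check_range("reliability", inputs.reliability, 0, 10)  # stated on the page
    _check_range("priority", inputs.priority, 0, 5)         # stated on the page
    # Floor division implements "rounded down"; all operands are non-negative,
    # so 2.4 becomes 2 and 2.8 also stays 2 (still Medium, never rounded up).
    return (inputs.asset_value * inputs.reliability * inputs.priority) // 25


def risk_label(risk: int) -> str:
    """Map a whole-number risk to the page's bands: Low (1), Medium (2), High (>=3).
    A computed risk of 0 is not listed on the page; treating it as Low is an assumption."""
    if risk < 0:
        raise ValueError("risk cannot be negative")
    if risk >= 3:
        return "High"
    if risk == 2:
        return "Medium"
    return "Low"


def assess(asset_value: int, reliability: int, priority: int) -> tuple[int, str]:
    """Return (risk, label) for one alarm."""
    risk = compute_risk(RiskInputs(asset_value, reliability, priority))
    return risk, risk_label(risk)


if __name__ == "__main__":
    # The page's own example: 3 * 4 * 5 / 25 = 2.4 -> 2 -> Medium
    print("page example", assess(3, 4, 5))
    # Constructed boundary cases: truncation, the Medium/High edge, min and max
    for av, rel, pri in [(2, 7, 5), (3, 5, 5), (2, 10, 4), (5, 10, 5), (1, 1, 1)]:
        print((av, rel, pri), assess(av, rel, pri))
```

The cases worth noting when tuning directives: (2, 7, 5) gives 2.8 but truncates to 2 and stays Medium, while (3, 5, 5) reaches exactly 3 and becomes High, so small changes to an asset's value move alarms across the band boundary in steps, not smoothly.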

Attack Pattern

Analyzed method of infiltration or attack. Shows how the attack took place, for example, external to internal, one to many, external to external, or many to many.

Created

Date the alarm was correlated.

Duration

Time between the first event and the most recent event that make up the alarm.

# Events

Number of events associated with the alarm.

Alarm ID

Identifier of the alarm.

OTX Indicators

Number of OTX pulse indicators, shown in blue, that generated the alarm. OTX pulse updates provide these indicators together with actionable intelligence and steps for detecting the latest threats in your environment.

Source/Destination

Hostname or IP address of the host. The number in parentheses next to the label is the number of IPs or hosts involved in the events associated with this alarm.
  • Location
If the country of origin is known, displays the national flag for the source/destination of the event responsible for the alarm.
  • Asset Groups

When the source/destination belongs to your asset inventory, displays any asset groups to which that asset belongs.

When the source/destination is an external host, Asset Groups displays Unknown.

When the source/destination is a host within one of your asset groups, these sections contain a value. You can click it to go to the Asset Details page for more information.

  • Networks

When the source/destination belongs to your asset inventory, displays any networks to which that asset belongs.

When the source/destination originates from a host in an external network, Networks displays Unknown.

When the source/destination of the alarm events comes from one of your networks, the field contains a value. You can click it to go to the Network Group Details page for more information.

  • OTX IP Reputation

(Yes/No) If “Yes,” the IP or hostname is known to IP Reputation and it may be malicious. It is, at minimum, suspicious.

Note: When you click Yes, a popup displays more information about the IP address. It also includes a hypertext link to the details about that IoC (Indicator of Compromise) in OTX, allowing you to better assess the threat.

Open Ports

Any open ports discovered by USM Appliance.

If the source/destination is an asset in your inventory, displays all open ports detected.

If the source/destination is an external host, displays any open ports detected, based on USM Appliance communication with that host.

  • Ports

You can select how many ports to display: 5, 10, or 20.

  • Port
Associated port number.
  • Service
Name of the service using the port, if applicable.
Vulnerabilities, Properties, Notes

These tabs appear only if the source/destination is an asset belonging to your asset inventory.
  • Vulnerabilities
Includes the service/port and severity of the vulnerability.
  • Properties
Lists all asset properties defined in Asset Details.
  • Notes
User-entered comments about the asset and/or alarm.
Other Details

Clicking SIEM Events and Raw Logs takes you to those respective pages, where filtering is based on the source/destination IP addresses. These pages provide information about other events or logs that reference the IP address for the alarm.

Other links go to external security resources, such as Honey-Pot, Whois, or Reverse-DNS, where you may find out more about the particular IP.

For information on these, see the Open Threat Exchange (OTX) User Guide or visit their respective websites.

Events

Lists the events that generated the alarm.

Note: In general, whether events generate an alarm depends solely on the directive taxonomy in USM Appliance. However, IoC events from OTX pulses automatically generate an alarm.

  • Alarm, Risk, Date, Source, Destination, OTX
For definitions, see above.
  • Correlation level

Correlation level assigned, based on a rules hierarchy USM Appliance employs, with each rule assigned a priority and a reliability value.

For details, see Event Correlation.