Applies to Product: USM Appliance™, LevelBlue OSSIM®

| Column/Field Name | Description |
|---|---|
| Date | Date and time USM Appliance completed alarm correlation. |
| Status | Whether the alarm is open and still correlating, or closed. |
| Intent & Strategy | Describes the attack pattern of indicators intruding on your system. Intent and strategy are based on the taxonomy, or classification, of a directive. For example, a directive of AV Malware might have an "intent" of system compromise, with a "strategy" of suspicious behavior. When alarms come from OTX pulses, the Intent is always Environmental Awareness and the Strategy is OTX Indicators of Compromise. Note: Due to the size of the field label, only the strategy is visible from the Alarms list. However, when you click the row, thereby expanding the Alarms tray, the strategy becomes visible. The taxonomy for alarms with IP reputation data is based on the directive that generated the alarm. |
| Method | If known, the method of attack or infiltration associated with the indicator that generated the alarm. For OTX pulses, the method is the pulse name. |
| Risk | Risk level of an alarm, which can be Low (1), Medium (2), or High (>=3). Risk is calculated with the formula Risk = (Asset Value * Event Reliability * Event Priority) / 25, where Asset Value specifies an asset's importance or criticality relative to other managed assets; Event Reliability specifies the likelihood that the event is accurate and ranges from 0 to 10; and Event Priority defines how urgently the event should be investigated and ranges from 0 to 5. So if Asset Value = 3, Reliability = 4 and Priority = 5, the risk would be 3 * 4 * 5 / 25 = 2.4 (rounded down to 2), therefore the Risk value is Medium. |
| OTX | OTX icon present when events causing the alarm contained IP Reputation-related data or were from IoCs related to an OTX pulse. |
| Source | Hostname or IP address of the source, with national flag if country is known, for an event creating the alarm. |
| Destination | Hostname or IP address of the destination, with national flag if country is known, that received the events generating the alarm. |
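The risk calculation described in the Risk row, carried through as an added example (this is illustrative code written for this page, not USM Appliance or OSSIM code). It applies the formula Asset Value * Event Reliability * Event Priority / 25, rounds down as the page's worked example does, and maps the result to Low (1), Medium (2) or High (>=3). The function names are made up; the range checks use the reliability (0 to 10) and priority (0 to 5) bounds the page states, while Asset Value is not range-checked because this page gives no bounds for it. The page assigns no label to a rounded-down risk of 0, so that case returns `None` here by assumption.

```python
import math

LOW, MEDIUM, HIGH = "Low", "Medium", "High"


def alarm_risk(asset_value, reliability, priority):
    """Integer risk score: floor(asset_value * reliability * priority / 25).

    Reliability must be 0..10 and priority 0..5, as stated in the field
    reference. Asset value is not bounded here because the page does not
    state its range (assumption: caller supplies a valid value).
    """
    if not 0 <= reliability <= 10:
        raise ValueError(f"event reliability out of range 0..10: {reliability}")
    if not 0 <= priority <= 5:
        raise ValueError(f"event priority out of range 0..5: {priority}")
    # Round down, matching the page's example (2.4 -> 2).
    return math.floor(asset_value * reliability * priority / 25)


def risk_level(risk):
    """Map an integer risk to the level shown in the Alarms list."""
    if risk >= 3:
        return HIGH
    if risk == 2:
        return MEDIUM
    if risk == 1:
        return LOW
    # Assumption: the page defines no label below 1, so report none.
    return None


def classify_alarm(asset_value, reliability, priority):
    """Return (integer risk, level label) for one alarm's inputs."""
    risk = alarm_risk(asset_value, reliability, priority)
    return risk, risk_level(risk)


if __name__ == "__main__":
    # The page's own worked example: 3 * 4 * 5 / 25 = 2.4 -> 2 -> Medium.
    print(classify_alarm(3, 4, 5))
```

Running the module prints `(2, 'Medium')` for the page's example; feeding it the maximum reliability and priority for the same asset value shows how quickly an alarm crosses into High.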