Applies to Product: | USM Appliance™ | LevelBlue OSSIM® |
The List View gives you both a high-level overview and a detailed look at individual alarm types. It lets you filter alarms in one of two ways:
- Using the Alarm Graph to see where you have the most or the highest-risk alarms (Filtering Alarms, Using the Alarm Graph).
- Searching and filtering for alarms using specific criteria (Using Specific Search and Filter Criteria for Alarms).
Filtering Alarms, Using the Alarm Graph
Alarms in the graph are grouped by intent, based on the Cyber Kill Chain model.
Blue bubbles of varying sizes indicate the relative number of alarms generated among your assets on each day within a 31-day period.
To expose the Alarm Graph
- On the Alarms page, look for the label Show Alarm Graph on the far right of the Search and Filter section.
- Click No. The toggle changes to Yes and the Alarm Graph appears.
- Hover over one of the bubbles to get more details. Each bubble represents the alarms of one intent for a three-hour period of one day in the 31-day cycle, and hovering exposes the following details:
- Time span, in three-hour increments.
- Number of alarms.
- Top five strategies among these alarms, for example, spyware infection or worm infection.
- Click one of the bubbles. The Alarms list below the graph now shows only the alarms of the intent and time window you selected.
- Click any alarm to see the events that triggered it. See Review Security Events.
To hide the Alarm Graph from view
- Go to the Show Alarm Graph toggle and click Yes (the default once the graph is shown) to toggle the setting to No. The Alarm Graph no longer displays.
- When you want to see it again, toggle No back to Yes.
Using Specific Search and Filter Criteria for Alarms
You can use the Search and Filter area of the Alarms page to search for specific alarms, based on the following criteria:
- Alarms from a specific USM Appliance Sensor
- Alarm name / ID
- Source and destination IP address
- Date range
- Asset group (an administratively created object that groups similar assets for a specific purpose)
- Intent
- Directive ID (a directive is an object in USM Appliance that contains one or more correlation rules)
- Alarms containing certain event types
- Number of events in the alarm
- Risk level of the alarm
- Alarms generated exclusively from OTX pulses (OTX pulses provide information on the reliability of threat data, who reported a threat, and other details of threat investigations), or the name of a specific pulse
Note: At this time, USM Appliance does not offer a filter for IP Reputation-based alarms. However, you can view these within the Alarms list, where they occur.
To filter for specific alarms
- In the Search and Filter section of the Alarms page, select your search criteria and click Search. Your search results appear in the Alarms list.
- To see more details, click one of the alarms (Reviewing Alarms as a List).
Note: Hide closed alarms is selected by default; clear it to include closed alarms in the results.
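As an added illustration (not USM Appliance code or data), the following Python models the grouping the Alarm Graph performs and the criteria the Search and Filter area exposes: alarms are bucketed by intent and three-hour window within a 31-day period, each bubble reports its alarm count and top five strategies, and clicking a bubble is the same as filtering by that intent and window. The alarm records, their field names, and the assumption that the graph counts closed alarms while the list hides them by default are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alarms for this example; not exported from USM Appliance.
# Timestamps are ISO 8601. Field names are assumptions, not the product schema.
SAMPLE_ALARMS = [
    {"id": "a1", "sensor": "sensor-1", "intent": "Delivery & Attack", "strategy": "Spyware infection",
     "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "events": 4, "risk": 3, "status": "open",
     "ts": "2024-03-02T01:15:00"},
    {"id": "a2", "sensor": "sensor-1", "intent": "Delivery & Attack", "strategy": "Worm infection",
     "src_ip": "10.0.0.6", "dst_ip": "192.0.2.10", "events": 9, "risk": 5, "status": "open",
     "ts": "2024-03-02T02:40:00"},
    {"id": "a3", "sensor": "sensor-2", "intent": "Delivery & Attack", "strategy": "Spyware infection",
     "src_ip": "10.0.0.7", "dst_ip": "192.0.2.11", "events": 2, "risk": 2, "status": "closed",
     "ts": "2024-03-02T02:55:00"},
    {"id": "a4", "sensor": "sensor-2", "intent": "Reconnaissance & Probing", "strategy": "Port scan",
     "src_ip": "198.51.100.9", "dst_ip": "192.0.2.10", "events": 120, "risk": 1, "status": "open",
     "ts": "2024-03-02T02:10:00"},
    {"id": "a5", "sensor": "sensor-1", "intent": "Delivery & Attack", "strategy": "Spyware infection",
     "src_ip": "10.0.0.5", "dst_ip": "192.0.2.12", "events": 1, "risk": 4, "status": "open",
     "ts": "2024-03-02T03:05:00"},
]


def window_start(ts: str) -> datetime:
    """Floor a timestamp to the start of its three-hour window (00:00, 03:00, 06:00, ...)."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(hour=(dt.hour // 3) * 3, minute=0, second=0, microsecond=0)


def build_bubbles(alarms, end=None, days=31):
    """Aggregate alarms into (window start, intent) buckets, as the Alarm Graph bubbles do.

    Only alarms within `days` days before `end` (default: newest alarm) are counted.
    Assumption for this example: the graph counts closed alarms as well as open ones.
    """
    end = end or max(datetime.fromisoformat(a["ts"]) for a in alarms)
    cutoff = end - timedelta(days=days)
    buckets = defaultdict(list)
    for a in alarms:
        if datetime.fromisoformat(a["ts"]) < cutoff:
            continue
        buckets[(window_start(a["ts"]), a["intent"])].append(a)
    bubbles = {}
    for (start, intent), items in buckets.items():
        strategies = Counter(a["strategy"] for a in items)
        bubbles[(start, intent)] = {
            "time_span": (start, start + timedelta(hours=3)),   # what the hover tooltip shows
            "count": len(items),                                 # drives the bubble size
            "top_strategies": [s for s, _ in strategies.most_common(5)],
        }
    return bubbles


def filter_alarms(alarms, *, sensor=None, intent=None, ip=None, start=None, end=None,
                  min_events=None, min_risk=None, hide_closed=True):
    """Apply Search-and-Filter style criteria; None means 'any'.

    `ip` matches either source or destination; `start` is inclusive, `end` exclusive.
    `hide_closed` defaults to True to mirror the page's 'Hide closed alarms' default.
    """
    out = []
    for a in alarms:
        ts = datetime.fromisoformat(a["ts"])
        if hide_closed and a["status"] == "closed":
            continue
        if sensor is not None and a["sensor"] != sensor:
            continue
        if intent is not None and a["intent"] != intent:
            continue
        if ip is not None and ip not in (a["src_ip"], a["dst_ip"]):
            continue
        if start is not None and ts < start:
            continue
        if end is not None and ts >= end:
            continue
        if min_events is not None and a["events"] < min_events:
            continue
        if min_risk is not None and a["risk"] < min_risk:
            continue
        out.append(a)
    return out


def alarms_for_bubble(alarms, start, intent, hide_closed=True):
    """Clicking a bubble is just a filter on its intent and its three-hour window."""
    return filter_alarms(alarms, intent=intent, start=start,
                         end=start + timedelta(hours=3), hide_closed=hide_closed)


if __name__ == "__main__":
    for (start, intent), b in sorted(build_bubbles(SAMPLE_ALARMS).items()):
        print(f"{start:%Y-%m-%d %H:%M} {intent}: {b['count']} alarm(s), "
              f"top strategies {b['top_strategies']}")
    clicked = alarms_for_bubble(SAMPLE_ALARMS, window_start("2024-03-02T01:15:00"), "Delivery & Attack")
    print("bubble click ->", [a["id"] for a in clicked])
    print("192.0.2.10, risk >= 3 ->",
          [a["id"] for a in filter_alarms(SAMPLE_ALARMS, ip="192.0.2.10", min_risk=3)])
```

With the sample data the 00:00 to 03:00 Delivery & Attack bubble counts three alarms, but clicking it lists only two, because the closed alarm a3 is hidden by the default filter; pass hide_closed=False to see all three. That difference between the bubble count and the list length is exactly what the Hide closed alarms default produces.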