Reviewing Alarms as a List

Applies to Product: USM Appliance™ LevelBlue OSSIM®

In most cases, the List View of the USM Appliance Alarms page provides you with the best starting place for analyzing alarms. (For field descriptions, see Alarms list fields).

You can review alarms in List View by one of two methods:

  • Using the Alarm Graph to see where you have the most or the highest-risk alarms.
  • Searching and filtering for alarms using specific criteria.

To review alarms as a list

  1. Go to Analysis > Alarms.
  2. On the far-right side of the Search and Filter section, toggle Show Alarm Graph to Yes.

    The setting persists until you change it.

  3. Review the Alarm Graph to assess the level and number of issues USM Appliance has found.

    For details about how the Alarm Graph works, see Filtering Alarms in List View.

  4. Review the Alarms list, if necessary, using Search and Filter to get information about specific alarms.

    For details about how Search and Filter works, see Filtering Alarms in List View.

    In both the Alarm and SIEM Event list views, you can also right-click a Source or Destination IP address or host name to display a popup menu of the actions available for that specific IP address or host name.

    Right-click context menu providing options for event and alarm source and destination IP addresses

    For example, the Look up in OTX option opens the OTX site to display potential and reported threats related to the selected location. If no threat information is found about the location, the Look Up in OTX option opens the Create New Pulse web page in OTX, which lets you create a new Pulse to report a possible new threat.

  5. Analyze the alarms, paying attention to the following, in the order dictated by your incident response plan:

    • Alarms with the highest risk level.

      These contain events with the highest reliability and priority, and involve assets with the highest value.

    • Alarms occurring with the greatest frequency.

      By analyzing and eliminating such events, whether or not they are harmful or relevant, you reduce the number of events that USM Appliance or an analyst must process.

    • New types of alarms.

      These indicate changes in network patterns and behavior. Also look at hosts that are involved in many alarms; this may indicate a vulnerable host or a host infected with malicious software.
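The three triage criteria in step 5 (highest risk, greatest frequency, new alarm types, plus hosts that recur across many alarms) can be applied to an exported list of alarms. The following is an added example, not code from the USM Appliance product or its documentation; the alarm records, the 0-10 risk values and the baseline of previously seen alarm types are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    """One row from the Alarms list (constructed shape, not the product's schema)."""
    alarm_type: str  # alarm name/category as shown in the list
    risk: int        # risk value shown for the alarm (assumed 0-10)
    src: str         # source IP address or host name
    dst: str         # destination IP address or host name


# Constructed sample alarms for the example (not real data).
ALARMS = [
    Alarm("Bruteforce Authentication", 7, "10.0.0.5", "10.0.0.20"),
    Alarm("Bruteforce Authentication", 7, "10.0.0.5", "10.0.0.21"),
    Alarm("Malware Infection", 9, "10.0.0.7", "198.51.100.9"),
    Alarm("Network Scan", 3, "10.0.0.5", "10.0.0.22"),
    Alarm("Network Scan", 3, "10.0.0.5", "10.0.0.23"),
    Alarm("Network Scan", 3, "10.0.0.5", "10.0.0.24"),
    Alarm("Suspicious DNS Query", 5, "10.0.0.9", "192.0.2.53"),
]

# Alarm types already reviewed in earlier cycles (constructed baseline).
KNOWN_TYPES = {"Bruteforce Authentication", "Network Scan"}


def highest_risk(alarms, n=3):
    """Criterion 1: alarms with the highest risk level, highest first."""
    return sorted(alarms, key=lambda a: a.risk, reverse=True)[:n]


def most_frequent_types(alarms):
    """Criterion 2: alarm types by how often they occur, most frequent first."""
    return Counter(a.alarm_type for a in alarms).most_common()


def new_types(alarms, known):
    """Criterion 3: alarm types not seen in the baseline (possible behavior change)."""
    return sorted({a.alarm_type for a in alarms} - known)


def busiest_hosts(alarms, min_count=2):
    """Hosts involved (as source or destination) in at least min_count alarms."""
    counts = Counter()
    for a in alarms:
        counts[a.src] += 1
        counts[a.dst] += 1
    return [(host, c) for host, c in counts.most_common() if c >= min_count]
```

Feed real exports through the same functions, then work the resulting lists in the order your incident response plan dictates.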

  6. Get more details about an alarm by clicking inside of its row in the list.

    Note: If the alarm comes from an OTX pulse, clicking the OTX icon takes you to OTX for research on the indicators comprising the pulse. If you want system details about the alarm, click anywhere else in the row. If you find that an OTX pulse is generating too many false positive alarms, you can always unsubscribe from the pulse.

    The Alarms tray appears:

    Alarms tray from alarm list view.

    For field descriptions, see Alarms Tray – Fields.

  7. Review the information to determine the reliability of the alarm.

    Note: If the alarm contains only one event, it may not be as reliable as if it contained multiple events over a period of time. Only your detective work can find this out.

  8. Get more details by clicking View Details. (For field descriptions, see Alarm Details — Columns and Fields.)

    1. Review the source and destination for this alarm.

      Do these tell you anything environmentally?

    2. Review the risk of this alarm. For details on risk calculation, see USM Appliance Network Security Concepts and Terminology.

      Alarm details from Alarms.

    3. If you find an alarm you want to investigate further, see Review Security Events.

  9. If needed, go back to the Alarms list and use Search and Filter to get information about other alarms originating from a particular asset or of a certain type.

    For details about how Search and Filter works, see Filtering Alarms in List View.