Taking Ownership of an Alarm

Applies to Product: USM Appliance™ AlienVault OSSIM®

As part of alarm remediation, take ownership of any alarm you intend to work on. Ownership tells other analysts that you are actively investigating it and avoids duplicated effort.

To take ownership of an alarm

  1. From Analysis > Alarms > Group View, locate an alarm you want to investigate.
  2. Take ownership of the alarm by clicking Take, under the Owner column within its row.

    The Owner status changes from Take to Release, signifying that you are now responsible for the alarm group. (Clicking Release later hands it back for someone else to take.)

  3. Select the checkbox at the front of the alarm row.
  4. Note the two buttons that now appear in the UI above the Description, Status, and Action columns:

    • Close Selected
    • Delete Selected

    Note: Do not click either of these at this time.

    The ticket icon under the Action column now also becomes active.

  5. Under Description, type a reason for the action you are about to take, then do one of the following:
    • Open a ticket — Under Action, click the ticket icon to open a new ticket on the selected alarm group.

      The New Ticket dialog box appears. See Create a Ticket.

    • Close or Delete an alarm — Click Close Selected or Delete Selected, then confirm when prompted.

      • Close keeps the alarm in the database but stops it from being displayed in the web interface.
      • Delete removes the alarm from the database.

      You might close an alarm that you know is a false positive, for example an alarm triggered by instant messaging when your corporate security policy allows instant messaging. You should then create a policy so that USM Appliance does not notify you about such events in the future. See Tutorial: Create a Policy to Discard Events.

      After that, you may want to delete all occurrences of this alarm from the SIEM.

      Whether to close or delete an alarm depends on your corporate compliance policy. If alarm retention is not required, delete alarms to save disk space. If it is required, close them instead: a closed alarm can still be queried later, whereas a deleted alarm is gone from the database and cannot be recovered except from a backup.

      AlienVault OSSIM Limitations: Alarms in AlienVault OSSIM lack the built-in context provided in USM Appliance. The work compiled by the AT&T Alien Labs™ Security Research Team to analyze and validate OTX threat data is available in both USM Appliance and AlienVault OSSIM.
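The following read-only queries are an added example, not part of this page or of the product documentation, for checking the close-versus-delete distinction from the appliance console before deciding to delete anything for disk space. They assume the USM Appliance / AlienVault OSSIM MySQL schema in which alarms are stored in the alienvault.alarm table with a status column holding open or closed, and a 90-day retention window chosen only for illustration; confirm the column names on your own system with SHOW COLUMNS FROM alienvault.alarm before relying on them, and run them through the appliance's ossim-db client. Closed alarms still return rows here, deleted alarms do not.

```sql
-- Added example (not from the original page): read-only audit of alarm status.
-- Run on the appliance with:  ossim-db < audit_alarms.sql
-- Assumed schema: alienvault.alarm(backlog_id, timestamp, status ENUM('open','closed'),
-- plugin_id, plugin_sid, risk, ...). Verify with SHOW COLUMNS FROM alienvault.alarm.

USE alienvault;

-- 1. Open versus closed alarms. Closed alarms are hidden from the web interface
--    but are still counted here; deleted alarms no longer exist in this table.
SELECT status, COUNT(*) AS alarms
FROM alarm
GROUP BY status;

-- 2. Closed alarms older than the retention window (90 days is an assumed value),
--    so the "delete to save disk space" decision rests on numbers, not a guess.
SELECT COUNT(*)       AS closed_older_than_90d,
       MIN(timestamp) AS oldest,
       MAX(timestamp) AS newest
FROM alarm
WHERE status = 'closed'
  AND timestamp < NOW() - INTERVAL 90 DAY;

-- 3. Signatures that keep being closed. One that is repeatedly closed as a false
--    positive is a candidate for a discard policy rather than manual clean-up.
SELECT plugin_id, plugin_sid, COUNT(*) AS closed_count
FROM alarm
WHERE status = 'closed'
GROUP BY plugin_id, plugin_sid
ORDER BY closed_count DESC
LIMIT 10;
```

These queries only read; perform the actual Close or Delete through the web interface as described above so that the product keeps its own records consistent. If your compliance policy requires alarm retention, closing keeps the record available to queries like these and to later investigation, while deleting does not.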