Correlation Directives

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance provides over 4,500 built-in directives and adds more every week through the LevelBlue Labs™ Threat Intelligence Update. The directives are grouped into different categories.

USM Appliance correlation directive categories

Category Name



User Contributed

A placeholder for user created and/or modified directives. By default, this category is empty.


AlienVault Attacks

Directives to detect various attacks against vulnerable services and applications.

AV Attacks, Successful OpenSSL HeartBeat attack

AlienVault BruteForce

Directives to detect brute force attacks on services that require authentication.

AV Bruteforce attack, SSH authentication attack against DST_IP (destination IP)

AlienVault DoS

Directives that detect Denial of Service (DoS) attacks on different applications and services.

AV Service attack, successful denial of service against IIS web server on DST_IP (MS07-041)

AlienVault Malware

Directives to detect malware.

AV Malware, botnet Koobface activity detected on SRC_IP (source IP)

AlienVault Misc

Directives to detect activities that do not fall into any other category.

AV Misc, suspicious executable download from a dynamic domain on SRC_IP

AlienVault Network

Directives detect network related anomalies and attacks.

AV Network attack, too many dropped inbound packets from DST_IP

AlienVault Policy

Directives to detect policy violations.

AV Policy violation, vulnerable Java version detected on SRC_IP

AlienVault Scada

Directives to detect attacks on industrial supervisory control and data acquisition (SCADA) systems.

AV SCADA attack, Modbus scanning or fingerprinting against DST_IP

AlienVault Scan

Directives to detect scanning activities.

AV Network scan, Nmap scan against DST_IP

USM Appliance provides a web interface, Configuration > Threat Intelligence > Directives, for you to examine, modify, or create new correlation directives.

Directives page for managing correlation directives.

To display a directive

  1. Click the black triangle to the left of the category name.
  2. Click the black triangle to the left of the directive.

Each directive consists of the following

AlienVault OSSIM Limitations: USM Appliance includes a faster and more robust correlation section with more complex correlation directives. LevelBlue OSSIM has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.

AlienVault OSSIM Limitations: In the LevelBlue OSSIM environment, the following directives are inactive

  • AlienVault DoS
  • AlienVault Network
  • Alienvault Scada