Applies to Product:

USM Appliance™

LevelBlue OSSIM®

USM Appliance provides over 4,500 built-in directives and adds more every week through the LevelBlue Labs™ Threat Intelligence Update. The directives are grouped into different categories.

USM Appliance correlation directive categories

Category Name	Explanation	Example
User Contributed	A placeholder for user created and/or modified directives. By default, this category is empty.
AlienVault Attacks	Directives to detect various attacks against vulnerable services and applications.	AV Attacks, Successful OpenSSL HeartBeat attack
AlienVault BruteForce	Directives to detect brute force attacks on services that require authentication.	AV Bruteforce attack, SSH authentication attack against DST_IP (destination IP)
AlienVault DoS	Directives that detect Denial of Service (DoS) attacks on different applications and services.	AV Service attack, successful denial of service against IIS web server on DST_IP (MS07-041)
AlienVault Malware	Directives to detect malware.	AV Malware, botnet Koobface activity detected on SRC_IP (source IP)
AlienVault Misc	Directives to detect activities that do not fall into any other category.	AV Misc, suspicious executable download from a dynamic domain on SRC_IP
AlienVault Network	Directives detect network related anomalies and attacks.	AV Network attack, too many dropped inbound packets from DST_IP
AlienVault Policy	Directives to detect policy violations.	AV Policy violation, vulnerable Java version detected on SRC_IP
AlienVault Scada	Directives to detect attacks on industrial supervisory control and data acquisition (SCADA) systems.	AV SCADA attack, Modbus scanning or fingerprinting against DST_IP
AlienVault Scan	Directives to detect scanning activities.	AV Network scan, Nmap scan against DST_IP

USM Appliance provides a web interface, Configuration > Threat Intelligence > Directives, for you to examine, modify, or create new correlation directives.

To display a directive

1. Click the black triangle to the left of the category name.
2. Click the black triangle to the left of the directive.

Each directive consists of the following

• Global properties
• One or more rule(s)
• Directive Info
• (Optional) Knowledge Base article(s)

AlienVault OSSIM Limitations: USM Appliance includes a faster and more robust correlation section with more complex correlation directives. LevelBlue OSSIM has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.