Review Event Details

Applies to Product: USM Appliance™ LevelBlue OSSIM®

Event Details identifies all information USM Appliance collected about this event. It also displays the number of indicators involved, when the event relates to an Open Threat Exchange® (OTX™) pulse, and the IP reputation Threat ranking of IP addresses that have been submitted by the OTX community as being malicious or at least suspicious.-calculated reliability and risk level data.

Event details page

Event Detail Fields (order as appeared on the web UI)
Fields Description
Date Date and time of the event.
LevelBlueSensor Sensor that processed the event.
Device IP IP address of the USM Appliance Sensor that processed the event.
Event Type ID ID assigned by USM Appliance to identify the event type.
Unique Event ID# Unique ID number assigned to the event by USM Appliance.
Protocol Protocol used for the source/destination of the event, for example, TCP IP.
Category Event taxonomy for the event, for example, Authentication or Exploit.
Sub-Category Subcategory of the event taxonomy type listed under Category. For example, this would be Denial of Service, if the category were Exploit.
Data Source Name

Name of the external application or device that produced the event.

Data Source ID

ID associated with the external application or device that produced the event.

Product Type

Product type of the event taxonomy, for example, Operating System or Server.

Note: Events with IP Reputation-related data have product types; OTX pulses do not.

Additional Info If the event were generated by a suspicious URL, for example, this field would state URL. When present, these URLs provide additional background information and references about the components associated with the event.
Priority Priority ranking, based on value of the event type. Each event type has a priority value, used in risk calculation.
Reliability

Reliability ranking, based on the reliability value of the event type.

Each event type has a reliability value, which is used in risk calculation.

Risk

Risk level of the event: Low = 0, Medium = 1, High > 1

Note: Risk calculation is based on this formula:

Asset Value * Event Reliability * Event Priority / 25 = Risk

If Asset Value = 3, Reliability = 2 and Priority = 2, the risk would be 3 * 2 * 2 / 25 = 0.48 (rounded down to 0)

Therefore, Risk is Low

OTX Indicators Number of indicators associated with an IP Reputation or OTX pulse event.
Source / Destination

IP addresses and hostname for the source and destination, respectively, of the event. If the host is an asset, you can right-click it to go to the Asset Details page for information.

Right-clicking the IP address displays a menu from which you can select information about the IP, such as all events originating from that host or all events for which the IP is the destination.

 

Hostname

Hostname of the event source/destination.

If the source or destination hostname for an event is within your asset inventory, this field contains a value. You can click it to go to the Asset Details page for more information.

 

MAC Address

Media Access Control (MAC) of the host for the event, if known.
 

Port

External or internal asset source/destination port for the event.
 

Latest Update

The last time USM Appliance updated the asset properties.
 

Username & Domain

Username and domain associated with the asset that generated the event.
 

Asset Value

Asset value of the asset source/destination if within your asset inventory.
 

Location

If the host country of origin is known, displays the national flag of the event source or destination.
 

Context

If the asset belongs to a user-defined group of entities, USM Appliance displays the contexts.
 

Asset Groups

When the host for the event source/destination is an asset belonging to one or more of your asset groups, this field lists the asset group name or names.

You can click the field to go to the Asset Details page for more information.

 

Networks

When the host for the event source/destination is an asset belonging to one or more of your networks, this field lists the networks.

You can click the field to go to the Network Group Details page for more information.

 

Logged Users

A list of any users who have been active on the asset, as detected by the asset scan, for example, with the username and user privilege (such as admin).
 

OTX IP Reputation

(Yes/No) Whether or not IP Reputation identifies the IP address as suspicious.
  Service List of services or applications detected on the source/destination port.
  Port Port used by the service or application.
  Protocol Protocol used by the service or application.
Raw Log Raw log details of the event.
When you see N/A displayed for a certain field, it means that USM Appliance has no related data in the event log or the asset inventory.

When event data derives from a log or the asset inventory, some of the fields below appear after Service, Port, and Protocol and above the Raw Log data. (See screenshot above.) Otherwise, these fields do not display.

Optional Event Fields

Fields Description
Filename Name of file associated with the event.
Username The username associated with the event.
Password The password associated with the event.
Userdata 1-9 User-created log fields.
Payload Payload of the event.
Rule Detection LevelBlue NIDS rule used to detect the event.

There are some actions you can perform directly from the event details page.

Actions on Event Details
Actions Description
Delete Delete the event.
Create Ticket Create a ticket in USM Appliance based on the event.
Insert Into DS Group Add this event type into an existing data source group.
Edit Event Properties Change the default priority and/or reliability value of this event type so that the calculated risk will differ. Changes will apply to future events.
Learn More Launches the Knowledge Base information for this event.

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.