Security Events Views

Applies to Product: USM Appliance™ LevelBlue OSSIM®

The Security Events (SIEM) page, under Analysis > Security Events (SIEM), consists of two views: SIEM View and Real-Time View. You can also create your own Custom Views with specific search criteria and column selections.

SIEM View

This view offers search and robust filtering categories for isolating types of events to review.

From the tabular summary listing of events, you can click on a specific event row to view further details about that event in a popup window. You can also click the More Details icon in an event row to display event details on a new page, which also lets you choose further actions to take with the current event. For field references, see Review Event Details.

Real-Time View

The Real-Time view shows you an up-to-the-minute snapshot of all events occurring within your system.

This view may or may not contain any OTX data, depending on what events are currently transpiring in your system.

Custom Views

When examining the Events list, USM Appliance allows you to edit the default views or create custom views with your specific search criteria and column selections.

To create a custom view for events

  1. Go to Analysis > Security Events (SIEM) and perform a search to include the events you want to see.
  2. Click Change View to select a predefined view.

    Predefined views include Default, Taxonomy, Reputation, Detail, Risk Analysis, and IDM. Each view displays the same events but with different columns.

  3. Alternatively, click Change View and then select Create New View.

    1. In Create New Custom View, select the columns you want to see in this view.
    2. To apply the same query every time when you launch this view, select Include custom search criteria in this predefined view.
    3. Type a name for the view, and then click Create.

    USM Appliance saves your changes and refreshes the page to display the view.

To delete a custom view for events

  1. On Analysis > Security Events (SIEM), click Change View to select the view you want to delete.
  2. Click Change View again and select Edit Current View.
  3. In Edit Current View, click Delete at the bottom.
  4. Confirm the action when prompted.

    USM Appliance deletes the corresponding view and refreshes the page to display the Default view.

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.