Analyzing Alarms, Events, Logs, and Tickets

Applies to Product: USM Appliance™ AlienVault OSSIM®

You will likely spend the most time reviewing and analyzing the network security of your environment using various options provided in the USM Appliance web UI Analysis menu. The Analysis menu provides the following submenu selections:

  • Alarms — Shows all the alarms generated in USM Appliance. (Any event with a calculated risk value of 1 or greater generates an alarm.) You can also search for alarms using filters.
  • Security Events (SIEM) — Displays all events that were processed or generated by the USM Appliance Server. You can also search and filter events that appear in the display as well as view details of specific events.
  • Raw Logs — Provides access to and displays all the events that USM Appliance Logger saved to archive log files, for long-term storage and forensic investigation. The USM Appliance Logger digitally signs and timestamps the archived log files, to ensure their integrity and guarantee, for compliance reporting, that the data in log files has not been tampered with.
  • Tickets — Provides access to the USM Appliance ticket management system. Tickets provide workflow tracking of activity related to detected alarms or any other issues that you want to keep track of.

The Alarms Page Display

When you select the Analysis > Alarms option, USM Appliance displays the following page.

Alarms page

By default, the display opens in List View, which simply lists alarms in reverse chronological order (the latest issued alarm is displayed first). You can also change the display to Group View, which allows you to group alarms by different keys such as alarm name, source and destination IP address, or alarm type.

The middle portion of the screen includes a table that provides a graphical aggregated representation of alarms that occurred in the last 31 days; each column represents a different day. Blue circles indicate the number of times that an alarm in a category appeared. A bigger circle indicates a higher number of alarms were generated. You can mouse over each of the circles to get the actual number of different types of events that occurred as well as a Top 5 list of possible remedies for each alarm type.

Alarms are sorted into five different categories, which are represented by the graphic icons in the display. These are:

  • System compromise
  • Exploitation and installation
  • Delivery and attack
  • Reconnaissance and probing
  • Environmental awareness

The categories are also consistent with the sequence or stages of events that an attacker might follow to successfully infiltrate a network, gain unauthorized access to data, or perform some malicious act. The categories are also consistent with a model of attack detailed by Lockheed Martin called the Cyber Kill Chain.

Below the categorized display of alarm icons, USM Appliance displays a tabular listing of individual alarms, by default, in reverse chronological order. In addition, if you click on any of the blue circles, USM Appliance will display only the alarms corresponding to the selected circle. From the list of alarms, you can click on any individual alarm row to expand the display of information about the alarm. You can then click the View Details button, or click the View Details icon, to display more information on the selected alarm, including individual events that actually triggered the alarm.

The top section of the Alarms page display lets you search for and filter alarms that are displayed on the Alarms page. You can qualify alarms by event attributes such as sensor location, asset group, risk level, or OTX pulse.
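The following is an added example, not USM Appliance code, that models the behaviour the Alarms page describes: the risk-1-or-greater rule that turns an event into an alarm, the reverse-chronological List View, the Group View keyed by alarm name or address, and the category-by-day aggregation behind the 31-day circle chart (including the "click a circle to filter" behaviour). The event dictionaries and field names are constructed for the example and are not the USM Appliance event schema.

```python
"""Added example (not AlienVault/USM Appliance code): derives the Alarms page views
from a constructed list of events. Field names are hypothetical."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# The five alarm categories shown on the Alarms page, in kill-chain order.
CATEGORIES = (
    "System compromise",
    "Exploitation and installation",
    "Delivery and attack",
    "Reconnaissance and probing",
    "Environmental awareness",
)

# Constructed sample events (hypothetical shape). "risk" is the calculated risk value.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "name": "Port scan", "category": "Reconnaissance and probing",
     "risk": 1, "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"ts": "2024-03-01T09:30:00", "name": "Port scan", "category": "Reconnaissance and probing",
     "risk": 2, "src": "10.0.0.5", "dst": "10.0.0.21"},
    {"ts": "2024-03-02T11:15:00", "name": "Brute force", "category": "Delivery and attack",
     "risk": 4, "src": "10.0.0.5", "dst": "10.0.0.22"},
    {"ts": "2024-03-02T11:20:00", "name": "Informational ping", "category": "Environmental awareness",
     "risk": 0, "src": "10.0.0.9", "dst": "10.0.0.22"},
    {"ts": "2024-03-03T02:00:00", "name": "Malware beacon", "category": "System compromise",
     "risk": 8, "src": "10.0.0.22", "dst": "203.0.113.10"},
]


def alarms_from_events(events):
    """Any event with a calculated risk value of 1 or greater generates an alarm."""
    return [e for e in events if e["risk"] >= 1]


def list_view(alarms):
    """List View: reverse chronological order, latest alarm first."""
    return sorted(alarms, key=lambda a: a["ts"], reverse=True)


def group_view(alarms, key):
    """Group View: alarms bucketed by a key such as 'name', 'src', 'dst' or 'category'."""
    groups = defaultdict(list)
    for alarm in alarms:
        groups[alarm[key]].append(alarm)
    return dict(groups)


def daily_matrix(alarms, end_day, days=31):
    """Category x day counts, the data behind the circle chart (one column per day)."""
    start = end_day - timedelta(days=days - 1)
    counts = {c: Counter() for c in CATEGORIES}
    for alarm in alarms:
        day = datetime.fromisoformat(alarm["ts"]).date()
        if start <= day <= end_day:
            counts[alarm["category"]][day] += 1
    return counts


def alarms_for_circle(alarms, category, day):
    """Clicking a circle shows only the alarms for that category on that day."""
    return [a for a in alarms
            if a["category"] == category and datetime.fromisoformat(a["ts"]).date() == day]


if __name__ == "__main__":
    alarms = alarms_from_events(SAMPLE_EVENTS)
    for a in list_view(alarms):
        print(a["ts"], a["category"], a["name"])
    matrix = daily_matrix(alarms, end_day=date(2024, 3, 3))
    for category in CATEGORIES:
        print(category, dict(matrix[category]))
```

Running the script prints the list view latest-first and then a per-category day count; the event with risk 0 never appears because it does not become an alarm.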

Note: See Alarm Management for more information on the operation of Alarms in USM Appliance.

The Security Events (SIEM) Page Display

When you select the Analysis > Security Events (SIEM) menu option, USM Appliance displays the following page.

Events (SIEM) Page

By default, the Security Events (SIEM) page displays a SIEM view of events. The USM Appliance web UI also provides two other options for displaying security events:

  • Real-Time — A view that shows events in progress in your network.
  • External Databases — Displays security events from an external AlienVault database that is associated with a different AlienVault USM Appliance installation. For more information on configuring a connection to an external AlienVault database, see How to display Security Events from an External AlienVault Database.

From the SIEM option view, you can search and filter for events using time ranges and other event attribute criteria.

See Event Management for more information on monitoring and analyzing events in USM Appliance.

Below the Search Filter section of the page, USM Appliance provides a display of all events, or filtered events (if you specified search criteria for events). Any normalized log event, or any other event received or generated by any USM Appliance Sensor at the application, system, or network level will appear in the display unless a USM Appliance policy has filtered it out or you have specified search filter criteria.

From the tabular summary listing of events, you can click on a specific event row to view further details about that event in a popup window. You can also click the More Details icon in an event row to display event detail on a new page, which also lets you choose further actions to take with the current event.

The Raw Logs Page Display

When you select the Analysis > Raw Logs option, USM Appliance displays the following page.

Raw Logs Display

This page provides access to and displays all the normalized events that USM Appliance Logger saved to its archive log files, for long-term storage and forensic investigation. The USM Appliance Logger digitally signs and timestamps the archived log files, to ensure their integrity and guarantee, for compliance reporting, that the data in log files has not been tampered with. From the Raw Logs page, you can click the Validate icon to validate that any particular event has not been altered.
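The following added example, which is not USM Appliance code and does not reproduce the Logger's actual signing scheme or file format, shows the idea behind signing and timestamping an archive so that a single archived event can later be validated. It seals a constructed archive of normalized event lines with a timestamped manifest of per-event SHA-256 digests, protected by an HMAC-SHA256 under a hypothetical signing key (a public-key signature would serve the same role), then validates individual events and detects one that has been altered on disk.

```python
"""Added example (not AlienVault/USM Appliance code): timestamped, signed manifest
over an archive of event lines, with per-event validation. The signing key and the
event lines are constructed for the example."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample of normalized events as they might sit in an archive file.
SAMPLE_ARCHIVE = [
    "2024-03-01T08:00:00Z sensor1 sshd Failed password for root from 203.0.113.7",
    "2024-03-01T08:00:05Z sensor1 sshd Failed password for root from 203.0.113.7",
    "2024-03-01T08:01:10Z sensor1 sshd Accepted publickey for ops from 10.0.0.9",
]

# Hypothetical signing key; a real deployment keeps it in protected key storage.
SIGNING_KEY = b"example-archive-signing-key"


def _event_digest(line: str) -> str:
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_archive(lines, key=SIGNING_KEY, signed_at=None):
    """Build a timestamped manifest of per-event digests and sign it."""
    signed_at = signed_at or datetime.now(timezone.utc).isoformat()
    manifest = {
        "signed_at": signed_at,
        "count": len(lines),
        "digests": [_event_digest(line) for line in lines],
    }
    signature = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, signature


def verify_manifest(manifest, signature, key=SIGNING_KEY) -> bool:
    """The manifest (timestamp included) must match its signature exactly."""
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def validate_event(lines, index, manifest, signature, key=SIGNING_KEY) -> bool:
    """The equivalent of clicking Validate on one event: the manifest must verify,
    the archive must still have the sealed number of lines, and the stored digest
    for this event must match the line as it is on disk now."""
    if not verify_manifest(manifest, signature, key):
        return False
    if len(lines) != manifest["count"] or not 0 <= index < manifest["count"]:
        return False
    return hmac.compare_digest(manifest["digests"][index], _event_digest(lines[index]))


def demo():
    """Seal the sample archive, then alter one line and re-validate."""
    manifest, sig = seal_archive(SAMPLE_ARCHIVE, signed_at="2024-03-02T00:00:00+00:00")
    ok_before = all(validate_event(SAMPLE_ARCHIVE, i, manifest, sig)
                    for i in range(len(SAMPLE_ARCHIVE)))
    tampered = list(SAMPLE_ARCHIVE)
    tampered[0] = tampered[0].replace("203.0.113.7", "198.51.100.1")
    return ok_before, validate_event(tampered, 0, manifest, sig), validate_event(tampered, 1, manifest, sig)


if __name__ == "__main__":
    print(demo())  # (True, False, True): untouched events still validate, the edited one does not
```

Because the timestamp is part of the signed manifest, back-dating the seal or re-signing after an edit is only possible with the key, which is why the key, not the archive, is what the compliance story depends on.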

Note: See Raw Log Management for more information on accessing and using USM Appliance raw logs.

By default, the Raw Logs page displays a raw log event trending graph, which shows the number of events occurring within a specified interval of time. You can click on any of the bars to display only the events that occurred within that time frame.

The USM Appliance web UI provides another option, Show the Main Chart, which provides another view of raw log events. You can also click the View Pie Graphs icon to alternate the display to a collection of pie charts that show the distribution of events by sensor, event types, sources, and destinations.

Below the trending chart, you can specify the duration of the time frame, such as last 2 hours, last 24 hours, or last week. In addition, you can specify a logical expression search string query to filter the event display. Below the trending chart and Search areas, the web UI provides a tabular display of events matching the selected time frame, or matching an indexed or raw query.

The Tickets Page Display

When you select the Analysis > Tickets option, USM Appliance displays the following page.

Tickets page

This page provides access to the USM Appliance ticket remediation system. Tickets provide workflow tracking of activity related to detected alarms or any other issues that you want to keep track of. By default, the USM Appliance web UI displays a list of all tickets. In addition, you can click the Create button to create a new ticket of a specific type or category.

In the Filters section at the top of the Tickets page, you can choose criteria to filter the ticket results. You can choose additional criteria to filter ticket results by clicking the Switch to Advanced option.

From the Ticket summary list, you can click on a specific ticket to open the ticket and display the entire details of the ticket on a new page. From this ticket detail display, you can perform various actions such as editing fields in the ticket, assigning the ticket, adding notes and attachments, and changing the status and priority of a ticket, depending on whatever method or process you want to use to track resolution of issues.