AlienVault® USM Central™

Alarms List View

USM Central's Alarms page provides an overview of alarms triggered within connected deployments of USM Anywhere and USM Appliance. Here you can review all alarm activity, view only a select number of deployment alarms, of filter the alarms by specific details. The main Alarms page displays a graph showing an overview of recent alarm activity, and a list of the most recent alarms below it.

Across the top, you can see any filters you have applied, and you have the option to create and select different views of the alarms. The main part of the page is the list of alarms. Each row describes an individual alarm and includes a check box on the left side of each one for selecting it. You can select all alarms on the same page by clicking the check box in the first column of the header row.

Alarm Summary Graph

The section above the page includes There is a bubble graph that provides a graphical representation of alarms by intent. Blue circles indicate the number of times that an alarm in an intent showed. A bigger circle indicates a higher number of alarms. You can hover over each of the circles to get the actual number of different types of intent. In addition, if you click any of the blue circles, USM Central displays only the alarms corresponding to that circle. You can change the displayed period of time by clicking the Created during filter.

Alarms graphed by intent are sorted into five different categories, which are represented by the graphic icons in the display

Delivery & Attack
Environmental Awareness
Exploitation & Installation
Reconnaissance & Probing
System Compromise

Alarm List Columns

For each alarm in the alarm columns list, USM Central displays useful information to help you determine the best response.

List of the default columns in Alarms
Column / Field Name Description
Intent Describes the attack pattern of indicators intruding on your system
Strategy Type of attack
Method If known, the method of attack or infiltration associated with the indicator that generated the alarm
Deployment Name of the deployment on which the alarm has been triggered
Time Created The date and time of the creation of the alarm. The displayed date depends on your computer's time zone
OTX Indicates if it is an OTX alarm or not. If the icon is active, click on it to go the OTX site
Sources Hostname or IP address of the source
Destinations Hostname or IP address of the destination
Labels Label(s) applied to the alarm
Sensors Sensor associated with the alarm
Priority Impact of the detected attack. Can be Low, Medium, or High. See Priority Field for Alarms for more information

From the list of alarms, you can click on any individual alarm row to display more information on the selected alarm, including individual events that actually triggered the alarm. See View Alarm Details for further details.

You can also sort items by selecting 20, 50, or 100 below the result table. Some columns can be classified if you click the icons to the right side of the heading. You will sort the item information in ascending or descending order.

Click the icon to open the Export as Report dialog box to export alarms.

Configure Columns

You can configure the columns and fields that display in the list and save your columns configuration to get back to it whenever you need it.

To configure your columns

  1. From the alarms list view, click the icon. The Columns Configuration dialog box displays.
  2. Search the columns you want to have in the list view. You can enter your search in the search field.
  3. Use the and icons to pass the items from one column to the other and select the columns you want to see.
  4. Click Apply.

Note: If you export a report when you have set custom columns, your report keeps the columns you have configured.

Important: If you want to keep your configuration, you need to save it by selecting Save View > Save as. Otherwise, your custom view is not kept when you move to another feature.

Views

To create a view configuration

  1. From the Alarms AlienVault Generic Plugin list view, click the icon.
  2. Use the and icons to pass the items from one column to another and select the columns you want to see.
  3. Click Apply.
  4. If you want to delimit the search, select the filters you want to apply.
  5. Select Save View > Save as.

    Views dialog vox

  6. Enter a name for the view.
  7. Select Share View if you want to share your view with other users.
  8. Click Save.

    9. The created view is already selected.

To select a configured view

  1. From the AlarmsAlienVault Generic Plugin list view, click View above the filters.
  2. Click Saved views and select the view you want to see.

  3. Note: A shared view includes the icon next to its name.

  4. Click Apply.

To delete a configured view

  1. From the AlarmsAlienVault Generic Plugin list view, click View above the filters.
  2. Click Saved views and click the icon next to the saved view you want to delete.

    3. A dialog box displays to confirm the deletion.

    Note: You can delete the views you have created.

  3. Click Accept.

    4. Important: The icon does not display if the view is selected.