USM Central provides a consolidated view of any alarms triggered within all of your connected deployments. The displayed alarms in USM Central are compiled from the connected deployments. An alarm consists of one or more events, based on the following:
One or more rules performed by the correlationCorrelation identifies potential security threats by identifying relationships between multiple types of events occurring in two or more assets. engine of USM Anywhere or USM Appliance, which analyzes these events for behavioral patterns. These rules look at and connect events to assess their priority and reliability and, when the system identifies a pattern, it generates an alarm.
An orchestration rule defined and enabled in a deployment, which is configured to raise an alarm when a particular type of event is found.
USM Central displays the first 10 events associated with an alarm. If you need to see more events, you can drill into the specific deployment that created the original alert. See Drill Down to a Specific Deployment for further information.
Alarms in USM Anywhere that are suppressed or have a closed status are, by default, not forwarded to USM Central. You can have them forwarded from USM Anywhere by going to Settings > My Subscription in USM Anywhere and clicking the Suppressed Alarm Synchronization toggle.
Topics covered in this section include the following: