
USM Anywhere™

User Guide
Copyright © 2023 AT&T Intellectual Property. All rights reserved.

AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T
Intellectual Property and/or affiliated companies. All other marks are the property of their
respective owners.

Updated October 18, 2023

2 USM Anywhere™ User Guide


Contents

Introduction 9
Prerequisites and Requirements 12
USM Anywhere Network Security Concepts and Terminology 12
USM Anywhere Network Security Capabilities 13
USM Anywhere Data Security 15
USM Anywhere Log Data Enhancement 17
USM Anywhere Web UI 22
Using Multifactor Authentication 25

Getting Started with USM Anywhere 32


USM Anywhere Network Security Best Practices 33
Expectations of Security Monitoring 34
Workflow of the USM Anywhere Event Process 34
Verifying USM Anywhere Operation 36
Establishing Baseline Network Behavior 37
Start Using USM Anywhere 39

USM Anywhere Dashboards 42


Refreshing and Filtering Data from the USM Anywhere Dashboards 43
Exporting Data from the USM Anywhere Dashboards 45
Executive Dashboard 45
Viewing USM Anywhere Dashboards 62
USM Anywhere Custom Dashboards 121

USM Anywhere Best Practices 135

Asset Management 136


Asset Administration in USM Anywhere 137
Asset Groups Administration 234

User Behavior Analytics 282

User List View 283
User Discovery 285
Understanding User Status in User Data Sources 288
Viewing Full User Details 289
Events, Alarms, and Notifications Created When a User's Status Changes 292
Merging Users 294
Deleting Users 297
Importing Users from a CSV File 299

Alarms Management 302


Alarms List View 304
Selecting Alarms in Alarm List View 319
Searching Alarms 321
Viewing Alarm Details 338
Labeling the Alarms 358
Alarm Status 362
Create an Alarms Report 365

Events Management 368


Events List View 369
Searching Events 386
Viewing Event Details 406
Create an Events Report 426
Protecting Your Sensor's Performance with EPS Adaptive Response 428
Raw Logs in Events 430

System Events Management 433


USM Anywhere System Events List View 434
Searching System Events 438
Viewing System Event Details 449
Regular Events and System Events 449

Console User Events on USM Anywhere 471
USM Anywhere Console User Events List View 472
Searching Console User Events 473
Viewing Console User Events Details 485
Create a Console User Events Report 486

Configuration Issues Management 489


Configuration Issues List View 490
Searching Configuration Issues 494
Viewing Configuration Issues Details 504
Create a Configuration Issues Report 505
List of Configuration Issues in USM Anywhere 507

USM Anywhere Scheduler 512


The Job Scheduler Page 512
USM Anywhere Scheduler Best Practices 513
Managing Jobs in the Scheduler 515
Scheduling Active Directory Scans from the Job Scheduler Page 521
Scheduling Asset Scans from the Job Scheduler Page 527
Scheduling Asset Groups Scans from the Job Scheduler Page 533
Scheduling User Discovery Jobs from the Job Scheduler Page 541
Scheduling Log Collection from the Job Scheduler Page 548

Rules Management 588


Orchestration Rules 589
Correlation Rules 663
Correlation Lists 668
Playbooks 678

Vulnerability Assessment 689


About Vulnerability Assessment 690
System Settings for Authenticated Scans 695

Managing Credentials in USM Anywhere 700
Performing Vulnerability Scans 721
Viewing Vulnerabilities Scan Results 725
Searching Vulnerabilities 734
Viewing Vulnerabilities Details 745
Available Remediation Patches for Vulnerabilities 751
Labeling the Vulnerabilities 751
Create a Vulnerabilities Report 756
USM Anywhere Scans Best Practices 758

Open Threat Exchange® and USM Anywhere 762


About OTX 763
Using OTX in USM Anywhere 765
Entering Your OTX Key 771

USM Anywhere Sensor Management 775


Sensors Page Overview 776
Adding a New Sensor 778
Configuring a Sensor 782
Editing a Sensor 782
Assigning a Sensor 783
Redeploying a Sensor 786
Deleting a Sensor 787
Sensor Disconnected from the USM Anywhere Service 788

The AWS Cloud Connector in USM Anywhere 796


Cloud Connector List View 797
Adding an AWS Cloud Connector 799
Viewing AWS Cloud Connector Details 802
Data Source Rules Management 803
Editing an AWS Cloud Connector 808
Downloading an Existing AWS Cloud Connector Template 809

Cloud Connectors System Events 814
Deleting an AWS Cloud Connector 817

Subscription Management 819


Subscription Data 819
Raw Log Data 821
Email Notifications Concerning Your License 823
Projected Data Consumption 824
Connecting a USM Anywhere to a USM Central 826
Disconnecting a USM Anywhere from a USM Central 828
Understanding Your Data Consumption Status 830

USM Anywhere Reports 836


Saved Reports on USM Anywhere 837
USM Anywhere Compliance Templates 839
USM Anywhere Event Type Templates 924

Machine Learning 925


Machine Learning Models 926
Machine Learning Dashboard 928
Viewing Machine Learning Alarms and Events 929

USM Anywhere User Management 931


Creating Users 933
Role-Based Access Control (RBAC) in USM Anywhere 935
Editing Users 954
Managing Your Profile Settings 957
Deleting Users 964
Configuring Web UI Session Timeout 965

Using USM Anywhere for PCI Compliance 967


About PCI DSS 967
About USM Anywhere for PCI DSS 967

Working with Assets and PCI DSS 967

USM Anywhere Investigations 970


Investigations List View 971
Creating a New Investigation 973
Editing Investigations 974
Viewing Investigations Details 976
Deleting Investigations 989
Notification Rule for Investigations 990

System Status within USM Anywhere 993


USM Anywhere Network System 993
USM Anywhere System Monitor 994
USM Anywhere Log Collection 996

Introduction
This guide provides information for users of USM Anywhere who are responsible for monitoring network security and identifying and addressing security threats in their environment. The guide also describes operations provided by the USM Anywhere web user interface (web UI), which is used to perform most USM Anywhere network security tasks after initial USM Anywhere deployment.

This guide includes these topics:

• Introduction
• Prerequisites and Requirements: Describes the target audience, recommended skills and background, and supported browsers for using the USM Anywhere web user interface to perform network security operations.
• USM Anywhere Network Security Concepts and Terminology: Describes key terms such as assets, threats, and vulnerabilities, and how USM Anywhere uses correlation rules to detect emerging threats.
• USM Anywhere Network Security Capabilities: Describes essential USM Anywhere security capabilities including asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and security information and event management.
• USM Anywhere Web UI: Describes key elements and navigation of the USM Anywhere web UI used to access and perform USM Anywhere network security monitoring and analysis operations.
• Using Multifactor Authentication: Describes multi-factor authentication (MFA), which requires a second verification factor before granting access. You need to configure MFA for your account.
• Getting Started with USM Anywhere: Describes typical security operations performed after initial USM Anywhere installation and configuration, including security operation best practices and workflow, verifying USM Anywhere operations, and establishing baseline network behavior.
• USM Anywhere Dashboards: Provides an overview of USM Anywhere dashboards.
• Asset Management: Describes operations to manage assets and asset groups, including topics such as asset creation and discovery, vulnerability scans, and asset monitoring and analysis.
• User Behavior Analytics: Provides information about how to identify malicious or compromised users, and how user data helps you prioritize alarms.
• Alarms Management: Provides information about alarms generated from events and OTX pulses, viewing and reviewing alarm information and field details, and suppressing alarms to remove noise in the system.
• Events Management: Provides information on viewing, filtering, and sorting events, event and OTX field details, and analyzing events that generate alarms.
• System Events Management: Provides information on viewing, filtering, and sorting system events, which are the events generated within your environment.
• Console User Events on USM Anywhere: Provides information about the events that USM Anywhere generates when a user performs a specific action in the user interface (UI).
• Configuration Issues Management: Provides information on viewing, filtering, and sorting configuration issues, and how to suppress them from the main view.
• USM Anywhere Scheduler: Describes the Job Scheduler page, which lists all jobs defined in your USM Anywhere environment.
• Rules Management: Describes how to create suppression and orchestration rules, and how USM Anywhere correlation rules work. This chapter also describes how Amazon Simple Notification Service (SNS) is integrated into USM Anywhere and how to manage AlienApps™.
• Vulnerability Assessment: Describes how to perform vulnerability scans, view and understand scan results, and generate reports based on vulnerability scans.
• Open Threat Exchange® and USM Anywhere: Describes the open information-sharing and analysis network. OTX provides access to real-time information about issues and threats that may impact your organization, enabling you to learn from and work with others who have already experienced such attacks.
• USM Anywhere Sensor Management: Describes how to manage sensors within USM Anywhere.
• The AWS Cloud Connector in USM Anywhere: Describes how to manage Amazon Web Services (AWS) Cloud Connectors within USM Anywhere.
• Subscription Management: Describes license information, event data, and raw log data.
• USM Anywhere Reports: Describes reports displayed in USM Anywhere. You can find reports generated from the report creation feature; compliance templates based on alarms, vulnerabilities, and events collected in the system; and Event Type Templates based on event categorization by type of data source and by the most used data sources.
• USM Anywhere User Management: Describes USM Anywhere user authentication and role-based authorization, configuration of authorization for specific assets, and monitoring user activity.
• Using USM Anywhere for PCI Compliance: Describes USM Anywhere capabilities to manage PCI DSS requirements through assets, asset groups, and reports.
• USM Anywhere Investigations: Describes how to organize the information from your environment. You can link alarms, events, notes, and other files to their responses to keep a complete view of the actions you have taken to address a particular threat.
• System Status within USM Anywhere: Describes the status of your environment. This covers the system monitor page, the network settings page (if your role is Manager), and the log collection page.

Prerequisites and Requirements

The information in this guide is primarily targeted at security engineers, security analysts and operators, IT managers and professionals, and system administrators who use the USM Anywhere product to provide network security within their own organization's environment. We recommend that you have knowledge of your organization's network infrastructure and the networking technologies you use.

Recommended skills for users include the following:

• Basic TCP/IP networking knowledge and skills, including IP addressing, DNS, switching, and routing.
• Basic familiarity with IT security concepts and associated skills, including threats, vulnerabilities, risk management, and security devices/applications.

Information provided in this guide assumes a customer has completed installation and
configuration of USM Anywhere as described in the USM Anywhere Deployment Guide. In
addition, users of this guide need the appropriate credentials to access USM Anywhere, and a
web browser to access the USM Anywhere web UI through HTTPS.

Web Browser Support

USM Anywhere works best in the latest desktop version of the following web browsers:

• Google Chrome
• Mozilla Firefox

USM Anywhere Network Security Concepts and Terminology

When working with USM Anywhere and using the USM Anywhere web UI to perform network
security operations, it is important to understand a few basic USM network security concepts.
First, a key principle of the USM system is that it monitors assets. Assets are all devices in an
enterprise that have some value to the enterprise and, generally, that it is possible to monitor
or gather information about, such as their status, health or availability, configuration, activity,
or events. The value comprises either the cost of the device itself, or the value of the data
that is stored on the device or travels through the device.

• An asset is defined as a unique IP address.
• Assets are organized into networks based on IP addressing.
• Networks are organized into locations, based on their geographical location.

Typically, at least one USM Anywhere Sensor is used to monitor one geographically self-
contained location. If several locations are used by an enterprise, each location is monitored
with at least one USM Anywhere Sensor, which sends information to USM Anywhere about
assets that are in the same location. AlienApps are used in the USM Anywhere Sensor to
extract and normalize data from different data sources into standard-format events. USM
Anywhere provides a wide assortment of integrations that can be used to collect events for
most commonly encountered data sources.

USM Anywhere includes correlation rules for identifying important events or patterns of events within large volumes of data. Alarms are generated by an explicit call within the rules, either orchestration or correlation rules. Correlation rules detect threats and are continuously provided by the AT&T Alien Labs™ Security Research Team. Information about specific threats is obtained from sources such as the AT&T Alien Labs™ Threat Intelligence Subscription and AT&T Alien Labs™ Open Threat Exchange® (OTX™). For example, OTX provides indicators of compromise and notifications of malicious hosts, which link assets, through their vulnerabilities, to specific threats and notify you about events that involve known or suspected malicious hosts. USM Anywhere can also perform scans that identify assets' vulnerabilities to specific, identified threats.

See Rules Management for more information.

USM Anywhere Network Security Capabilities

AlienVault USM Anywhere provides five essential security capabilities in a single SaaS platform, giving you everything you need to detect and respond to threats and manage compliance. Because it is a cloud-based security solution, you can scale your threat detection and response capabilities as your hybrid environment changes.

The USM Anywhere cloud security management platform receives continuous updates from
the AT&T Alien Labs™ Security Research Team. This team analyzes the different types of
attacks, emerging threats, suspicious behavior, vulnerabilities, and exploits that they uncover
across the entire threat landscape.

USM Anywhere supplements the Security Research Team with data from AT&T Alien Labs™
Open Threat Exchange® (OTX™). OTX is the largest and most authoritative crowd-sourced
threat intelligence exchange in the world.

Here is a brief description of the essential functions that USM Anywhere provides:

• Asset Discovery is an essential security capability of USM Anywhere, which discovers assets in your environment, detects changes in assets, and discovers malicious assets in the network.
• Vulnerability Assessment, which is done in an authenticated state, identifies vulnerabilities or compliance issues by comparing the installed software on assets with a database of known vulnerabilities. Vulnerability scans can be performed manually or scheduled to run periodically.
• Intrusion Detection monitors network traffic for malicious activity, monitors system log messages, and monitors user activity. Intrusion detection for USM Anywhere consists of network-based intrusion detection (NIDS) components.

  HIDS can be used to spot problems on host endpoints, and can include file integrity monitoring, rootkit and registry checks. NIDS passive sniffing interfaces can analyze network payload data to monitor for potentially malicious activity.

• Behavioral Monitoring identifies suspicious behavior and potentially compromised systems. USM Anywhere provides continuous monitoring of services run by particular systems. Data used for behavioral monitoring and analysis is collected from network devices and user behavior. USM Anywhere has access to logs in the cloud (Azure: Monitor; AWS: CloudTrail, S3, ELB) and VMware logs.
• SIEM and Log Management correlates and analyzes security event data so that you can respond. USM Anywhere SIEM draws intelligence from different sources, including the Alien Labs Threat Intelligence Subscription and OTX. Correlation rules, created by the Security Research Team, are used to identify patterns associated with malicious activity. OTX threat data provides IP reputation information and OTX pulses, which consist of Indicators of Compromise (IOCs) that identify a specific threat.

All of USM Anywhere's various security operation features and functionality are accessible
from the USM Anywhere web UI.

USM Anywhere Data Security

As a security-first organization, AT&T Cybersecurity makes your data protection and privacy
a top priority. USM Anywhere architecture and processes are designed to protect your data in
transit and at rest.

Data Collection
All data sent from the USM Anywhere Sensor deployed in your on-premises or cloud
environment to the USM Anywhere service in the AT&T Cybersecurity Secure Cloud is
encrypted and transferred over a secure TLS 1.2 connection. Each sensor generates a
certificate to communicate with the USM Anywhere service. This means that all
communication is uniquely encrypted between each sensor and USM Anywhere.

All forensic data (raw logs) is backed up on an hourly basis. The data collected in USM
Anywhere is secured using AES-256 encryption for both hot (online) storage and cold (offline)
storage.

Data Access
Your data in USM Anywhere is treated as highly confidential, and only a select few AT&T
Cybersecurity staff members have access. This group of employees uses multi-factor
authentication (MFA) to access the AT&T Cybersecurity Secure Cloud. Strict internal controls
and automation enable support for the service while minimizing administrative access.

AT&T Cybersecurity also has a formal information security program that implements security controls aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Key controls include: Inventory of Devices, Inventory of Software, Secure Configurations, Vulnerability Assessment, and Controlled Use of Administrative Privileges. Additionally, AT&T Cybersecurity conducts security self-assessments on a regular basis.

Cold Storage Data Integrity

USM Anywhere offers secure long-term log retention, known as cold storage. By default, USM Anywhere stores all data associated with a customer's subdomain in cold storage for the life of the active USM Anywhere subscription at no additional charge, while AT&T TDR for Gov customer data is kept for three years or longer (if requested).

Important: The retention period set on the license (30-day standard or 90-day standard) only applies to regular events. The retention policy for system events is 30 days and for user activities is 180 days, while user activities related to investigations never expire.

USM Anywhere uses a write once, read many (WORM) approach in log storage to prevent log
data from being modified or otherwise tampered with. You can download your raw logs at
any time. If you do not renew your subscription, AT&T Cybersecurity will keep the raw logs for
14 days after your subscription expires, giving you a grace period to restart your service.
Within the 14 days, no data is collected until your license is reactivated. Therefore, data is lost
between license expiration and reactivation. After 14 days, your data will be destroyed.

End-of-Contract Shut Down

If your subscription expires and you decide not to renew, your USM Anywhere instance will be
decommissioned 14 days after the expiration. All data, including asset information,
orchestration rules, user credentials, events and vulnerabilities (hot storage), and raw logs
(cold storage), will be destroyed.

Business Continuity Plan

To ensure business continuity, USM Anywhere runs a backup procedure twice a day, encrypts the data, and stores it for 15 days. The Recovery Point Objective (RPO) is up to 12 hours and the Recovery Time Objective (RTO) is approximately an hour, depending on the size of the data being restored.

Password Policy
USM Anywhere stores and encrypts user credentials using the latest industry standards for
securing passwords.

Keep in mind these points when you are logging in:

• The login credentials that you set apply to any USM Anywhere™ and USM Central™ you have access to.
• USM Anywhere requires all passwords to have a minimum length of 8 characters and a maximum length of 128 characters.
• The password must contain numerical digits (0-9).
• The password must contain uppercase letters (A-Z).
• The password must contain lowercase letters (a-z).
• The password must contain special characters, such as hyphen (-) and underscore (_).

Note: USM Anywhere passwords expire after 90 days. When your password expires, USM
Anywhere enforces a password change when you next log in. A new password must be
different from the previous four passwords.

After 45 days of inactivity, your user account will be locked. Manager users can unlock
inactive accounts.

A user account is locked for 30 minutes after 5 consecutive failed login attempts (GovCloud
users are locked out after 3 consecutive failed login attempts).

USM Anywhere Log Data Enhancement

When evaluating threats to your systems, the more complete and clear the context of an
incident is, the more accurate and efficient USM Anywhere can be in identifying and
responding to those threats. Log data is one of the key sources of this threat data context,
providing a tremendous amount of information about network events. Every network
connection, authentication request, file transfer, and privilege escalation generates a log
message.

However, many of these log messages were not originally designed to be used for security
purposes. There are no official standards for log contents (although there are best practices);
therefore, log message content is often inconsistent and incomplete.

For example, look at a typical log message generated by an authentication event:

{
  "outcome" : "Allow",
  "type" : "Authentication",
  "source" : "13.107.4.50",
  "destination" : "10.60.5.94",
  "time" : "2018-10-17T19:03:26+00:00"
}

This message is brief and doesn't provide enough context for incident analysis. USM
Anywhere can improve that context by normalizing and enriching the data provided in the log
message.

Data Normalization
The first step USM Anywhere takes when it analyzes your system logs is to normalize them so that all incoming data uses the same terminology. In this context, normalization means mapping each field to a standard term. For example, one vendor may use the term "outcome" and another "result" to describe the success or failure of an authentication attempt. USM Anywhere normalizes these two different attributes, replacing them with a single, standard term. Likewise, fields such as source, source_ip, client, and client_ip all need to be mapped to the same term so that events from different vendors can be used for correlation and alarm generation.

The following is an example of how normalization works. Note that USM Anywhere preserves
the original log message as a best practice in case you need to share it with a vendor or need
to refer to the original alert. This means that the normalization phase of message processing
likely increases the size of the log message by around 100%.

{
  "log" : "{ \"outcome\" : \"Allow\", \"type\" : \"Authentication\", \"source\" : \"13.107.4.50\", \"destination\" : \"10.60.5.94\" }",
  "source_address" : "13.107.4.50",
  "destination_address" : "10.60.5.94",
  "event_outcome" : "ALLOW",
  "event_name" : "Authentication",
  "timestamp_occured" : "2018-10-17T19:03:26+00:00"
}

Data Enrichment
Normalization enables you to analyze all the log messages USM Anywhere receives. Given the
incomplete nature of so many log messages, it also makes sense to use this same process to
add valuable information to the log messages, which helps USM Anywhere perform better
incident detection.

Data enrichment is the process by which valuable information is added to log messages. The USM Anywhere infrastructure has a large amount of contextual data about the network and systems that it can attach to the log messages to fill in the gaps and enhance threat detection. It also has access to many databases it can leverage, covering things like the location of specific IP addresses, device types, and threats.

These are examples of information that can be added through data enrichment:

• Device identity
• Geolocation
• Collection details and flags

Device Identity
Most servers rely on Dynamic Host Configuration Protocol (DHCP) for dynamic IP address allocation. From a security point of view, this means that identifying and containing threats is much more difficult. By the time a system is identified as compromised, it may be on the network in a completely different place with a completely different IP address. To address that problem, USM Anywhere uses the network context it has collected and includes the media access control (MAC) address, fully qualified domain name (FQDN), and a unique identifier for the system, depending on which are known:

"source_asset_id" : "f8ebb373-b551-43d0-a628-a00771b5d0c1",
"source_mac" : "98:01:A7:B4:D8:47",
"destination_fqdn": "ip-10-6-255-129.ec2.internal",
"source_fqdn": "ip-10-6-2-102.ec2.internal",

Geolocation
Knowing where your network connections are terminating is important when deciding if
traffic should be permitted, blocked, or more carefully monitored. Geolocation can play a role
in deciding if a given incident is worthy of more attention. USM Anywhere augments logs with
geolocation information of source and destination. In the following example, this data enables
an operator to quickly determine that this particular destination is probably not an issue:

"destination_address" : "10.60.5.94",
"destination_name" : "AD Server",
"destination_asset_id" : "8cdf98a1-533d-9ec2-b5bc-3424caecef15",
"destination_organisation" : "Microsoft Azure",
"destination_city" : "Redmond",
"destination_fqdn" : "ad.alienvault.com",
"destination_hostname" : "ad",
"destination_latitude" : "47.6801",
"destination_longitude" : "-122.1206",
"destination_region" : "WA",
"destination_country" : "US",
"destination_country_registered" : "US",

Collection Details and Flags

USM Anywhere also includes some additional information about how the log message was
acquired and processed. This information is included to give the security analyst and
correlation algorithms insight into the source of the log, when a sensor received it, and how it
was processed. For example, was_fuzzied = true means that the log message was
received from a source that USM Anywhere doesn’t have a specialized plugin for and,
therefore, it may not have normalized all the fields. If the log is key to an investigation, the
operator should look at the original log message and ensure nothing was overlooked.

Impact on Log Storage

Because USM Anywhere adds data to log messages, the size of the original log message
inevitably grows. Very sparse messages can grow as much as 1860%. However, the messages
themselves are still relatively small, typically growing from less than 250 B to as much as 2.6
KB, adding up over time. The good news is that the amount of metadata added is stable,
which means it doesn't grow much larger or shrink in size for different event classes. So with
careful planning, storage use can still be quite predictable. For larger events (for example,
events coming from network-based intrusion detection systems [NIDS] and Amazon Web
Services [AWS]), the percentage goes down significantly since the messages start out quite
large. However, for small events such as the one in the previous example, it can have a
noticeable impact on the total amount of data stored.

These are some syslog- and AWS-heavy data points for planning purposes.

Syslog-heavy deployment

From a sample size of 599,979 events:

• Total size including enriched data in bytes: 1,612,790,164
• Total size of just log data in bytes: 145,781,057
• Average log size in bytes: 243
• Average log size with enriched data: 2,688
• Increase in size: 1106%

AWS-heavy deployment

From a sample size of 500,000 events:

• Total size including enriched data in bytes: 1,934,740,282
• Total size of just log data in bytes: 711,502,141
• Average log size in bytes: 1,423
• Average log size with enriched data: 3,868
• Increase in size: 272%
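
The normalization, enrichment, was_fuzzied flag, and storage growth described in this section, as an added Python illustration that is not USM Anywhere code: the alias table beyond the guide's own field names, the asset inventory, and the geolocation lookup are constructed stand-ins, and the percentage function reproduces the guide's data-point figures (enriched total divided by raw total).

```python
import json

# Vendor field names mapped onto USM Anywhere's normalized terminology. The
# outcome/result and source/source_ip/client/client_ip rows come from the guide;
# the remaining aliases are assumptions for illustration.
FIELD_ALIASES = {
    "source_address": ("source", "source_ip", "client", "client_ip"),
    "destination_address": ("destination", "destination_ip", "server", "server_ip"),
    "event_outcome": ("outcome", "result"),
    "event_name": ("type", "event_type"),
    "timestamp_occured": ("time", "timestamp"),
}

# Constructed stand-ins for the network context and IP databases that USM
# Anywhere consults during enrichment; the values are the guide's examples.
ASSET_INVENTORY = {
    "10.60.5.94": {"asset_id": "8cdf98a1-533d-9ec2-b5bc-3424caecef15",
                   "name": "AD Server", "fqdn": "ad.alienvault.com", "hostname": "ad"},
}
GEO_DATABASE = {
    "10.60.5.94": {"organisation": "Microsoft Azure", "city": "Redmond", "region": "WA",
                   "country": "US", "latitude": "47.6801", "longitude": "-122.1206"},
}

# The authentication log from the guide, as a constructed single-line string.
RAW_LOG = ('{"outcome": "Allow", "type": "Authentication", "source": "13.107.4.50", '
           '"destination": "10.60.5.94", "time": "2018-10-17T19:03:26+00:00"}')


def normalize(raw_log, plugin_known=True):
    """Map vendor field names onto standard terms, keeping the original message.

    plugin_known=False models a source with no specialized plugin: the event is
    flagged was_fuzzied so an analyst knows to re-read the original log.
    """
    vendor = json.loads(raw_log)
    event = {"log": raw_log}  # original preserved verbatim, as the guide describes
    for standard, aliases in FIELD_ALIASES.items():
        for alias in aliases:
            if alias in vendor:
                event[standard] = vendor.pop(alias)
                break
    if "event_outcome" in event:
        # Vendors write Allow/allow/ALLOW; correlation needs one spelling.
        event["event_outcome"] = str(event["event_outcome"]).upper()
    # Fields no alias matched are kept under their vendor names rather than lost.
    for key, value in vendor.items():
        event.setdefault(key, value)
    event["was_fuzzied"] = not plugin_known
    return event


def enrich(event):
    """Attach device identity and geolocation for each address that is known."""
    for side in ("source", "destination"):
        address = event.get(f"{side}_address")
        if not address:
            continue
        for key, value in ASSET_INVENTORY.get(address, {}).items():
            event[f"{side}_{key}"] = value
        for key, value in GEO_DATABASE.get(address, {}).items():
            event[f"{side}_{key}"] = value
    return event


def enriched_percent(total_enriched_bytes, total_raw_bytes):
    """Enriched volume as a percentage of raw volume, as in the guide's data points."""
    return round(100 * total_enriched_bytes / total_raw_bytes)


def size_growth(raw_log, event):
    """Compare the stored size of an enriched event with its original message."""
    raw_bytes = len(raw_log.encode("utf-8"))
    enriched_bytes = len(json.dumps(event).encode("utf-8"))
    return {"raw_bytes": raw_bytes, "enriched_bytes": enriched_bytes,
            "percent_of_raw": enriched_percent(enriched_bytes, raw_bytes)}


if __name__ == "__main__":
    enriched = enrich(normalize(RAW_LOG))
    print(json.dumps(enriched, indent=2))
    print(size_growth(RAW_LOG, enriched))
    print(enriched_percent(1_612_790_164, 145_781_057), "% (syslog-heavy sample)")
```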

What Happens When You Reach the Tier Limit?

If you find yourself running into problems with inadequate storage space, your first step
should be to review your logging strategy with AT&T Cybersecurity Technical Support or your
service provider. It may be that you don’t need to send as many logs as you are. However, it's
better to err on the side of logging too much rather than logging too little, since lost logs
can't be recovered and security investigations can lead in unexpected directions.

Important: Tier options do not have unlimited processing power, memory allotment, or
disk input/output (I/O) speeds. In addition to storage per month, your deployment size's
impact on any of these factors will influence which tier option is right for your
environment. AT&T Cybersecurity recommends pre-deployment sizing discussions with
your sales representative to help select the right tier for you.

AT&T Cybersecurity strives to guarantee that no data is lost, even when you're facing
inadequate storage space or processing power. Because of this, USM Anywhere always makes
data storage a top priority. When you exceed your data tier, or are projected to far exceed
your tier, your system tries to store as much data as possible, even if functionality must be
reduced to preserve the data. For instance, if you find that you are over your data tier, you
may find that your USM Anywhere has transitioned into one of four possible data
consumption tiers. In these tiers, your USM Anywhere may experience some small limitations
to its functionality, such as paused correlation, asset counters, and more. All functionality is
restored once your USM Anywhere is no longer experiencing resource limitations.

See Understanding Your Data Consumption Status in the USM Anywhere User Guide for more
information.

Event Filtering
If you want to be proactive with your data consumption, consider reducing the amount of
data stored by using filters. Event filtering enables packets to be dropped before they enter
correlation and persistence and consume any of the monthly storage allotment. Filtering
enables you to define a set of rules for fields, which, when matched, are dropped. This enables
you to easily pick certain types of packets that you don't want to enter the system. When
filtering, it's important to realize the impact:

• Filtered events are not stored within cold storage.
• Filtered events are not correlated. Alarms are not generated off filtered events.
• Filtered events are dropped from going into hot storage. You will not see them within your
  events view.

When using filters, it's important to make sure that you're precisely defining the criteria for
events to be dropped. If the filter rule is too broad, there is a chance you may drop packets
that you are interested in keeping.
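As an added illustration (not USM Anywhere's own filter engine), the following models a filter rule as a set of field criteria that drop a matching event before correlation and storage, and dry-runs a broad rule against a precise one on constructed events to show the failed login the broad rule would silently discard. Field names and sample events are made up for the example.

```python
"""Event filter rules: the cost of a criteria set that is too broad.

Added example, not USM Anywhere's filter engine. A filter rule is modelled as
field/value pairs that must all match for a normalized event to be dropped
before correlation and storage, as the guide describes. The field names and
the four sample events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class FilterRule:
    name: str
    criteria: Dict[str, str]  # every field must equal its value for the rule to match

    def matches(self, event: Dict[str, str]) -> bool:
        return all(event.get(field) == value for field, value in self.criteria.items())


def apply_filters(events: List[dict], rules: List[FilterRule]) -> Tuple[List[dict], List[Tuple[dict, str]]]:
    """Return (kept, dropped); dropped entries carry the name of the rule that matched.
    The first matching rule wins, which is all a drop decision needs."""
    kept, dropped = [], []
    for event in events:
        rule = next((r for r in rules if r.matches(event)), None)
        if rule is None:
            kept.append(event)
        else:
            dropped.append((event, rule.name))
    return kept, dropped


def collateral(events: List[dict], rule: FilterRule, wanted: Callable[[dict], bool]) -> List[dict]:
    """Dry-run a rule before enabling it: events it would drop that you still want.
    Filtered events never reach hot or cold storage, so a dry run is the only
    point at which this loss can be noticed."""
    return [e for e in events if rule.matches(e) and wanted(e)]


# Constructed normalized events (not real USM Anywhere data).
EVENTS = [
    {"event_name": "Accepted password", "source_name": "sshd", "outcome": "success", "user": "backup"},
    {"event_name": "Accepted password", "source_name": "sshd", "outcome": "success", "user": "alice"},
    {"event_name": "Failed password", "source_name": "sshd", "outcome": "failure", "user": "root"},
    {"event_name": "session opened", "source_name": "cron", "outcome": "success", "user": "root"},
]

# Goal: stop storing the routine SSH logins of an automated backup job.
BROAD_RULE = FilterRule("drop all sshd events", {"source_name": "sshd"})
PRECISE_RULE = FilterRule("drop backup-job ssh logins",
                          {"source_name": "sshd", "outcome": "success", "user": "backup"})


def is_wanted(event: dict) -> bool:
    """Any failed login is worth keeping for investigation."""
    return event["outcome"] == "failure"


if __name__ == "__main__":
    for rule in (BROAD_RULE, PRECISE_RULE):
        kept, dropped = apply_filters(EVENTS, [rule])
        lost = collateral(EVENTS, rule, is_wanted)
        print(f"{rule.name}: drops {len(dropped)}, keeps {len(kept)}, "
              f"would lose {len(lost)} wanted event(s)")
```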

USM Anywhere Web UI

The USM Anywhere web user interface (UI) provides access to all the tools and capabilities
that USM Anywhere makes available for managing the security of your organization’s
network and the devices in it. From the USM Anywhere web UI, you can view all essential
information about network devices, applications, user activity, and network traffic in your
environment. You can begin monitoring information coming from devices and then go about
defining orchestration rules to fine tune the behavior of your system. USM Anywhere includes
by default correlation rules to alert you of potential security issues and vulnerabilities.

The USM Anywhere web UI runs in a standard web browser. Your system administrator can
provide the web address and credentials to log in and access the features and functions
appropriate to your role in your organization’s security operation.

Note: The recommended screen resolution for viewing the USM Anywhere web UI is
1440 pixels wide.

When you first log in, the USM Anywhere web UI displays the main window.

By default, the web UI displays a collection of high-level graphs and charts summarizing
activity in your organization’s network. From this main window, you can select different menu
options or click other links and buttons.

Important: You can also load the configured default landing page by clicking the logo of
USM Anywhere located in the upper-left corner of the page.

The main navigable elements and expand selections are provided consistently through the
web UI. Use the and icons to expand or collapse the left navigation pane.

Primary menu

The primary menu provides access to the main functions or operations of USM Anywhere.
These include:

• Dashboards. Provides charts, tables, and graphs. There are dashboards that will be displayed depending on the sensor you have installed; there are also dashboards related to the AlienApp you have configured and that will be visible if you have data for them. See USM Anywhere Dashboards for more information.
• Activity. Provides search, sorting, filtered selection, and visualization of Alarms and Events. See Alarms Management and Events Management for more information.
• Environment. Provides display and management of Assets, Asset Groups, Vulnerabilities, and Configuration Issues. See Asset Management, Vulnerability Assessment, and Configuration Issues Management for more information.
• Reports. Provides display and management of reports, which are the result of exporting data from assets, asset groups, alarms, events, vulnerabilities, and configuration issues. You can also choose the format of the report (PDF or CSV). There are also Compliance and Event Type Templates. See USM Anywhere Reports for more information.
• Data Sources. Provides options to view and manage deployed USM Anywhere Sensors, the AlienVault Agent, AlienApps, and Sensor Apps. See USM Anywhere Sensor Management, The AlienVault Agent, AlienApps Overview, USM Anywhere AlienApps Guide, The Graylog (GELF) Sensor App, The Syslog Server Sensor App, and Windows Event Collector Sensor App for more information.
• Investigations. Provides options to organize the information from your environment. See USM Anywhere Investigations for more information.
• Settings. Provides options to view and manage credentials and system events. There are administration options which let you manage users and asset fields, display the system status, schedule jobs, validate your OTX key, and manage orchestration rules. You can also display the data about your subscription and connect your USM Anywhere to USM Central environments.

Secondary Menu

The secondary menu provides access to the system configuration, the user profile
information, the help link, and the bookmarked items:

• Bookmarks. The icon enables you to see and access alarms, events, or assets that you (or another user) bookmarked for easy access. The number on the icon indicates the number of items bookmarked.
• Help. The icon includes these options:
  • Documentation: Links to online documentation
  • Support: Links to the AT&T Cybersecurity Support page
  • Forums: Links to the AT&T Cybersecurity Success Center
• Feedback. The icon provides direct communication with the USM Anywhere team.
• Profile Settings. The icon shows your profile settings. You can change your email and full name, update your password, enable multi-factor authentication (MFA) for the account, select your default landing page after you have logged in, configure an interval for auto-refreshing the dashboards and alarms pages, and configure whether you receive alarm notifications. See Managing Your Profile Settings for more information.

The remainder of this guide describes best practices in performing common network security
operations and provides step-by-step instructions for performing specific tasks. Following
sections also describe the USM Anywhere web UI from which you can monitor network
security and access all of USM Anywhere’s security operation features and functionality.

Using Multifactor Authentication

Role Availability Read-Only Investigator Analyst Manager

To protect your USM Anywhere account, enable multifactor authentication (MFA). MFA adds
extra security because it requires multiple factors to authenticate a user, making it more
difficult for an unauthorized person to gain access to the account. In USM Anywhere, MFA
provides a layered defense of two independent credentials: what you know (your username
and password) and what you have (security token on your personal device).

To use multifactor authentication in USM Anywhere, you must have a mobile device that
supports an Authenticator app. AT&T Cybersecurity recommends the Google Authenticator
app, which is available for iOS and Android devices. Google Authenticator implements two-
step verification services using the Time-Based One-Time Password (TOTP) algorithm and
HMAC-Based One-Time Password (HOTP) algorithm for authentication.
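To show what the "what you have" factor rests on, here is an added server-side implementation of the HOTP and TOTP algorithms named above (RFC 4226 and RFC 6238); it is not USM Anywhere's or Google Authenticator's code. It assumes a six-digit code, a 30-second time step, a one-step drift window, and the RFC test-vector secret for its checks.

```python
"""TOTP and HOTP verification (RFC 4226 and RFC 6238) from the server side.

Added example, not USM Anywhere's implementation: the guide only says the
Authenticator app uses these algorithms. It shows what the 'what you have'
factor rests on: a shared secret provisioned when the QR code is scanned, a
moving counter (the 30-second time step for TOTP), an HMAC-SHA1 truncated to
six digits, a small tolerance window for clock drift, and refusal of a
counter that was already accepted. The secret used is the RFC test-vector key.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, submitted: str, at: float,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Accept the code for the current step or up to `window` steps either side.
    Returns the counter that matched (persist it as last_counter) or None.
    A counter at or below last_counter is refused, so a code cannot be
    replayed inside its validity window even if it was observed in transit."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    current = int(at // STEP_SECONDS)
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps carry the secret as unpadded base32; restore the padding."""
    encoded = encoded.strip().upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


if __name__ == "__main__":
    # base32 form of the RFC test key b"12345678901234567890"
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "-> matched counter", verify_totp(secret, code, now))
```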

Configuring MFA for Your Account

Before you set up MFA for your account, you must install the Authenticator app on your
device.

To configure MFA for your account

1. In the lower-left corner of the USM Anywhere web user interface (UI), click the icon,
   and then select Profile Settings.

2. Select Enable Multi-Factor Authentication, and then click Save.

3. Click the icon, and then select Logout.

4. Click Login.

5. On the login page, enter your username and password, and then click Login.

USM Anywhere displays the Multi-factor authentication page to prompt you to complete
your MFA configuration. The displayed page provides a unique QR code that is used by the
Authenticator app to retrieve a verification code.

6. Open the Authenticator app on your device.

7. Scan the QR code using the Authenticator app.

8. Enter the one-time passcode in the text box in USM Anywhere, and then click Verify
   Code and Login.

Activating Required MFA

Users in a manager role can require non-admin users to log in using MFA. If a manager user
enables this setting and you do not already have MFA configured, you will be prompted to set
up MFA at your next login.

Before you set up MFA for your account, you must install the Authenticator app on your
device.

To activate required MFA

1. On the login page, enter your username and password, and then click Login.

USM Anywhere displays the Multi-factor authentication page to prompt you to activate
MFA for your account. The displayed page provides a unique QR code that is used by the
Authenticator app to retrieve a verification code.

2. Open the Authenticator app on your device.

3. Scan the QR code using the Authenticator app.

4. Enter the one-time passcode in the text box in USM Anywhere, and then click Verify
   Code and Login.

Changing Your Authentication Device

In the event that you lose or change your mobile device, there is a function to reset the MFA
for your user account. Another user in your USM Anywhere environment can edit your user
account to reset the QR code used to pair the device with your account.

To change your authentication device

1. Go to Settings > Users.

2. Click the icon of the user for whom you want to reset the MFA account. Your role
   must be Manager.

3. Click Reset Multi-Factor Authentication.

A message displays at the top of the page to inform you about the success of the MFA
reset request.

4. Click Cancel.

After the reset, USM Anywhere displays the Multi-factor authentication page at your next
login. Follow the same steps to set up the authentication with the new device.

Requiring Multifactor Authentication

Role Availability Read-Only Investigator Analyst Manager

Manager users can configure USM Anywhere to require users to log in using multifactor
authentication (MFA).

To require MFA for users

1. Go to Settings > System > MFA Settings.

2. Toggle on MFA Required.

Users will be prompted to enroll in MFA on their next login if they do not already have
MFA configured.

Getting Started with USM Anywhere
This section details typical security operations performed after the system installation, initial
deployment, and configuration of USM Anywhere.

The section includes several chapters explaining these security operations. One chapter
describes why it is essential to review some of the overall best practices that many
organizations follow in implementing and then maintaining network security operations in
their environments.

Another chapter covers the value of a good network security monitoring system, which can
discover things every day that contribute to your security efforts.

This section also includes a chapter describing a best-practice workflow for using USM
Anywhere to perform operations during the entire Security Monitoring and Management
lifecycle.

You can also find information about how to use the USM Anywhere web UI to verify that it is
operating properly after the basic installation and configuration of your USM Anywhere
system.

Finally, this section has a chapter on establishing a baseline of what constitutes normal
behavior in your network. With this baseline, you can evaluate results, filter out the noise,
and identify and filter out some false positives right away.

This section includes the following topics:

USM Anywhere Network Security Best Practices 33

Expectations of Security Monitoring 34

Workflow of the USM Anywhere Event Process 34

Verifying USM Anywhere Operation 36

Establishing Baseline Network Behavior 37

Start Using USM Anywhere 39

USM Anywhere Network Security Best Practices

Providing strong and effective security for an organization's network, IT infrastructure, and
environment requires some forethought and planning. If you are now tasked with monitoring,
managing, or maintaining network security operations within your organization, after USM
Anywhere has already been deployed, many of the planning steps and decisions may have
already been made. In any case, it is worth reviewing some of the overall best practices that
many organizations follow in implementing and then maintaining network security
operations in their environments. This is the general process:

• Determine the scope of your network security operation, the range of networks and subnetworks to be covered, and the network devices or assets (host servers, applications, firewalls, routers, and switches) to be protected.
• Assess risk, determine what is most important to protect, and determine the type of network security you need to provide. Identify specific threats and vulnerabilities you need to address. Also determine specific regulatory compliance and other business standard requirements you need to meet.
• Define and determine security team roles, permissions, tasks, and responsibilities, and implement authentication and authorization to support USM Anywhere security operations. Also determine the notification and escalation strategy for emails, ticket handling, incident response, and compliance documentation requirements.
• Develop a plan for initial implementation and rollout of network security operations, plus planned updates and enhancements, based on priorities. Take into account the time and resources required for monitoring, incident analysis and response, compliance reporting, and record-keeping, plus subsequent updates to address additions or changes in the environment, as well as new threats and vulnerabilities.
• Deploy and run USM Anywhere to monitor and analyze the behavior of the environment. Use dashboards, reports, and other features of the USM Anywhere web UI to examine events, network traffic, alarms, and notifications. Establish baseline behavior, identify threats and vulnerabilities, and eliminate or reduce false positives and other noise from normal, benign behavior. After establishing a baseline, you can use various tools provided within the USM Anywhere web UI to investigate alarms and suspicious events, identify threats and vulnerabilities, and continue monitoring your network for attacks, intrusions, or any other type of malicious and potentially damaging behavior.
• Make continuous security lifecycle improvements and perform regular maintenance: new asset discovery and risk assessments, new vulnerability and threat detection, compliance reporting, backup and archival record-keeping.
• Incident Response. Develop and implement processes and procedures for Incident Response (IR) to provide special event and incident handling. Detect anomalies and suspect behavior; investigate, identify, and isolate threats, intrusions, or attacks; eradicate, remediate, or mitigate threats; conduct post-incident, post-mortem reviews to identify improvements to security processes and practices.

Expectations of Security Monitoring

Security monitoring is often about monitoring often-overlooked things such as host, device,
and application vulnerabilities, because those are typically the same things that attackers will
leverage against you later in carrying out attacks or attempting unauthorized access to data
or resources. A good network security monitoring system discovers things every day that
provide value to security efforts. USM Anywhere can help to locate or identify:

• Misconfigured systems.
• Hosts that have fallen off the radar of asset management.
• Systems compromised by opportunistic malware or other attacks by malicious software.
• Inappropriate or unauthorized access of sensitive data or resources from both internal and
  external parties; for example, detecting websites that should be blocked at the proxy
  server, but were not.

USM Anywhere priorities for network security operations are determined primarily by
correlation rules. The rules link events together into meaningful bundles and turn data into
useful information. Correlation is a function of USM Anywhere, which configures automated
analysis of correlated events for identifying potential security threats and produces alerts to
notify recipients of immediate issues. You can also create orchestration and suppression rules
to secure your network security operations.

Workflow of the USM Anywhere Event Process

After USM Anywhere is installed in your environment, events start flowing through the
system, so you can start gaining visibility into the type of events that are occurring, what
natural or non-threatening activity is taking place, and what activity can be a possible attack.
USM Anywhere also begins collecting other information about your network and various
network devices such as firewalls, routers and switches, servers, and applications. In addition,
it discovers and assesses possible vulnerabilities and threats to your environment.

The following illustration details a high level view of events and other information from your
network environment as it is collected or generated by the USM Anywhere Sensors and
Agents, and then delivered to the USM Anywhere for processing and storage.

USM Anywhere Sensor combines asset discovery, vulnerability assessment, threat detection,
and behavioral monitoring to provide full situational awareness. USM Anywhere Sensor is the
front-line security module of the USM Anywhere platform and provides detailed visibility into
your environment, vulnerabilities, attack targets and vectors, and services.

USM Anywhere Sensor receives data and other activity or status information from devices
and normalizes the information into a standardized event format. USM Anywhere Sensor
then sends the normalized event to USM Anywhere, which tries to match every event with an
asset or a user, enrich the event with environmental data where possible, and saves it.

Note: To protect the health of your system, USM Anywhere monitors the rate of events
being sent to your sensor. If that rate, measured in events per second (EPS), threatens
to impact your sensor's capacity your EPS will be throttled. Throttling allows your
system to take more time to process events coming in, without risking event loss. USM
Anywhere will generate an event when EPS throttling is engaged. See Protecting Your
Sensor's Performance with EPS Throttling for more details about when EPS is engaged
and how it works.

USM Anywhere provides a unified management interface through the web UI that combines
security automation, and AT&T Alien Labs™ Open Threat Exchange® (OTX™) and threat
intelligence from the AT&T Alien Labs™ Security Research Team to correlate data, spot
anomalies, reduce risk, and improve operational efficiency.

Correlation can be done logically, where events can be compared to patterns and multiple
conditions can be connected by using logical operators such as OR and AND. After events are
processed and correlated, USM Anywhere performs risk analyses and triggers an alarm if the
risk of the event is high enough.

Verifying USM Anywhere Operation

After the basic installation and configuration of your USM Anywhere system is completed,
you can use the USM Anywhere web UI to verify that it is operating properly.

The following process describes tasks you can perform to verify basic operations, also
walking you through information available from the primary menu options.

1. When you first launch the USM Anywhere web UI, it displays the main dashboards page.

This high-level view of summary information shows the overall state of your network, so
you can get an immediate indication of the levels of events and alarms occurring in your
environment.

2. Confirm that security events are being collected and are populating USM Anywhere
   correctly. To see events, go to Activity > Events.

On this page, any normalized log event, or any other event received or generated by any
USM Anywhere Sensor at the application, system, or network level, will show in the
display, unless a suppression event has filtered it out.

You can also search for and filter out specific events using time ranges and other search
criteria. Click a specific event row to display additional information for the selected event,
in a dialog box. You can view and examine full details about an event, in a full browser
window, by clicking the event, and then clicking Full Detail. Use this link to see all the
information about the event such as the details of the events, the related assets, the
source and destination IP addresses, and the log of the event.

3. Confirm that USM Anywhere is creating alarms and the alarms are displaying correctly.
The USM Anywhere generates alarms from correlation rules. To see alarms in your
system, go to Activity > Alarms.

By default, the middle portion of the page provides a graphical representation of current
alarms being generated in your environment. Blue circles indicate the number of alarms in
a category that are displaying at a particular time. A bigger circle indicates a higher
number of alarms. Alarms are prioritized by categories that reflect typical methods used
by attackers. See Viewing Alarm Details for more information on alarm categorization.

You can also search for and filter out specific alarms using time ranges and other search
criteria. Click a specific alarm row to display additional information for the selected alarm,
in a dialog box. You can view and examine full details about an alarm, in a full browser
window, by clicking the alarm, and then clicking Full Detail. Use this link to see all the
information about the alarm such as the events that triggered the alarms, source and
destination IP addresses, and the recommended actions to be done.

Establishing Baseline Network Behavior

When you first start using USM Anywhere, it is a good idea to let it run for a few days to
determine which events and alarms you can consider "noise" and which ones to investigate
further. By noise, we mean false positives that obscure true positives.

Because no system is perfect, you must ensure that you have actionable alarms and useful
reports, not hundreds of things to review. What you learn from the baseline collection and the
evaluation of those events helps you create orchestration and suppression rules that tell USM
Anywhere what is important or not. Alarms are also created from correlation rules, which are
created by the AT&T Alien Labs™ Security Research Team.

See Rules Management for more information.

Baselining
To be able to tune the system, you need to create a baseline for what constitutes normal
behavior in your network. This is called baselining. The alarms and events generated during
this initial period represent currently normal behavior, in other words, a snapshot in time. Of
course, there may be things you want to filter out right away. But in general, you should resist
the temptation and wait until you have had a chance to observe any patterns in your network.

Evaluating Results
After you collect these data points, you need to start making decisions about them, based on
these criteria:

• Which events have value and applicability to my system?
• Which events have to do with network policy and therefore are not potential threats?
• Was the rule properly assessed?
• Which events have value for reporting?
• Who should receive notification when this event occurs?

Answering these questions for the first time is best done in a group setting with the relevant
stakeholders. In subsequent iterations of this process, usually only the analysts participate,
because the fundamental questions for each event can be applied through taxonomy.
Because AT&T Cybersecurity releases new signatures frequently, this decision making
process will be a recurring event.

Filtering Out the Noise
You may want to identify and filter out right away some false positives. One example might
be an alarm indicating scanning of hosts in the network. Such activity can be completely
legitimate if performed by an internal network mapper. On the other hand, it may be
currently benign, but may also be a precursor to a real attack. USM Anywhere treats both
events equally.

If you examine an alarm and you determine that the event that triggered it was noise, not a
real threat, consider taking these steps:

1. Create an orchestration rule that prevents USM Anywhere from processing new events
   from the source. For example, let's say that USM Anywhere properly detected vulnerability
   scanning coming from an internal scanner, but such events do not interest you because the
   internal vulnerability scanner is controlled by your environment. See Orchestration Rules
   for more information.
2. If you are not interested in specific alarms, you can:
   • Reconfigure the external data source to not send such events.
   • Use a rule to discard such events.
   • Modify or remove the rule.
3. Suppress all occurrences of the alarm from USM Anywhere. See Creating Suppression
   Rules from the Alarms Page for information on how to do this.

Start Using USM Anywhere

After you have initialized your new USM Anywhere Sensor and you have configured it in the
Setup Wizard, you can start using it. See these links for more information:

• USM Anywhere Deployment Process
• Completing the AWS Sensor Setup
• Completing the Azure Sensor Setup
• Completing the GCP Sensor Setup
• Completing the Hyper-V Sensor Setup
• Completing the VMware Sensor Setup

Once you click the Start Using USM Anywhere button, the page for entering your username
and password displays:

AT&T Cybersecurity employs a single user account and single set of credentials to access all
of your USM Anywhere and USM Central instances. Your role, and the actions available to you,
will change from instance to instance depending on your user account's settings in that
instance.

Keep in mind these points when you are logging in:

• The login credentials that you set will apply to any USM Anywhere™ and USM Central™ you
  have access to.
• USM Anywhere requires all passwords to have a minimum length of 8 characters and a
  maximum length of 128 characters.
• The password must contain numerical digits (0-9).
• The password must contain uppercase letters (A-Z).
• The password must contain lowercase letters (a-z).
• The password must contain special characters, such as hyphen (-) and underscore ( _ ).

Note: USM Anywhere passwords expire after 90 days. When your password expires, USM
Anywhere enforces a password change when you next log in. A new password must be
different from the previous four passwords.

After 45 days of inactivity, your user account will be locked. Manager users can unlock
inactive accounts.

The login page can display these messages:

• Password successfully updated. Please log in with your new password.
• Your session has expired.
• The username or password you entered is incorrect.
• The server responded incorrectly.
• There was an error with your security token. Try refreshing your page or contact support.

Important: Five failed sign-in attempts are allowed for USM Anywhere before the user
account is locked. For Threat Detection and Response for Government, three failed
sign-in attempts are allowed before the user account is locked. The lockout time for
both USM Anywhere and AT&T TDR for Gov is 30 minutes.
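The password and lockout rules stated above, written as checkable code. This is an added example, not the product's own implementation; it treats "special character" as any character that is not a letter or digit (an assumption), and the salted PBKDF2 hash used to keep the previous-password history is only illustrative.

```python
"""Password and lockout policy as stated in the guide, made checkable.

Added example, not the product's own code. It encodes the rules the guide
lists: 8 to 128 characters with digits, uppercase, lowercase and special
characters; no reuse of the previous four passwords; 90-day expiry; a lock
after 45 days of inactivity; and a 30-minute lock after five failed sign-ins
(three for the Government offering). 'Special character' is taken to mean any
character that is not a letter or digit (assumption); the salted PBKDF2 hash
that stores password history is illustrative only.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MIN_LEN, MAX_LEN = 8, 128
HISTORY_DEPTH = 4
PASSWORD_LIFETIME = timedelta(days=90)
INACTIVITY_LIMIT = timedelta(days=45)
LOCKOUT_DURATION = timedelta(minutes=30)

PasswordRecord = Tuple[bytes, bytes]  # (salt, derived key)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches_record(password: str, record: PasswordRecord) -> bool:
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, key)


def password_violations(candidate: str, history: List[PasswordRecord]) -> List[str]:
    """Names of every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if not any(c.isdigit() for c in candidate):
        problems.append("digit")
    if not any(c.isupper() for c in candidate):
        problems.append("uppercase")
    if not any(c.islower() for c in candidate):
        problems.append("lowercase")
    if not any(not c.isalnum() for c in candidate):
        problems.append("special")
    # Only the most recent four passwords are compared, per the guide.
    if any(matches_record(candidate, r) for r in history[-HISTORY_DEPTH:]):
        problems.append("reuse")
    return problems


def password_expired(changed_at: datetime, now: datetime) -> bool:
    """True once the 90-day lifetime has passed; the next login must change it."""
    return now - changed_at > PASSWORD_LIFETIME


def inactive_locked(last_login: datetime, now: datetime) -> bool:
    """True after 45 days without a login; only a Manager can unlock."""
    return now - last_login > INACTIVITY_LIMIT


class LockoutTracker:
    """Counts consecutive failed sign-ins per user and enforces the timed lockout."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures  # 5 for USM Anywhere, 3 for the Government offering
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return True
        if until is not None:  # the lockout has lapsed: clear it and count afresh
            self._locked_until.pop(user)
            self._failures.pop(user, None)
        return False

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a failed attempt; returns True when the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + LOCKOUT_DURATION
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful sign-in resets the failure count."""
        self._failures.pop(user, None)
```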

There are four roles in USM Anywhere:

• Read-Only: You can access views and search the system, but you cannot make system changes that impact other users.
• Investigator: You can access views, search the system, and generate reports, but you cannot make system changes that impact other users.
• Analyst: You can view and search the system, schedule jobs, launch actions, configure rules, and configure asset credentials. But you cannot add or modify sensor configurations; configure credentials for AlienApp, notification apps, and threat intelligence integrations; or add users.
• Manager: This role enables analyst permissions and enables you to add or modify sensor configurations; configure credentials for AlienApps, notification apps, and threat intelligence integrations; and add users.

See USM Anywhere User Management for all the information related to users.

USM Anywhere Dashboards
Role Availability Read-Only Investigator Analyst Manager

The first view of the USM Anywhere web UI is a set of dashboards. These dashboards provide
overall visibility into the activity on your network and display various network security
metrics.

Note: USM Anywhere also makes available several reports that you can display. These
reports provide detail on various aspects of USM Anywhere network security. For more
information on reports, see USM Anywhere Reports.

This topic discusses these subtopics:

Refreshing and Filtering Data from the USM Anywhere Dashboards 43

Exporting Data from the USM Anywhere Dashboards 45

Executive Dashboard 45

Viewing USM Anywhere Dashboards 62

USM Anywhere Custom Dashboards 121

Refreshing and Filtering Data from the USM Anywhere Dashboards

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere gives you the option of refreshing dashboards automatically in a period of
time that you can configure.

You can also filter your search in the upper left corner of the dashboards page. When you
select one or more filters, the dashboard restricts the views to the selected filters. If you
export the dashboard as an HTML report, it preserves the selected filters. See Exporting Data
from the USM Anywhere Dashboards for more information.

Refreshing Dashboards
You can configure a period of time for refreshing the data on your dashboards. See Managing
Your Profile Settings for more information.

Following the name of the dashboard, you can click the icon to stop the auto-refresh
countdown and refresh the page manually.

There is an auto-refresh countdown that refreshes the page at a regular interval. The number
inside the blue circle indicates the remaining time until the next refresh. See Managing Your
Profile Settings to configure this interval.

General Filters
All dashboards include two filters:

Last 24 Hours

Use this filter for identifying data created during the last hour, last 24 hours, last 7 days, or last
30 days. You can also configure your own period of time by clicking the Custom Range
option. This option enables you to customize a range. When you click Custom Range, a
calendar opens. You can choose the first and last day to delimit your search by clicking the
days on the calendar or entering the days directly. Then select the hours, minutes, and
seconds by clicking the specific box. Finally, select AM or PM.

All Assets

Use this filter for searching data according to assets. You can search by all assets or by asset
groups.

To apply one or more filters to a dashboard

1. Select the dashboard on which you want to display data.
2. Select the filter. You can select both filter options.
3. Click Apply.

Widget Filters
Some widgets include a filter icon that restricts the data on that widget only. Use it to show
data created during the last hour, last 24 hours, last 7 days, or last 30 days.

Exporting Data from the USM Anywhere Dashboards

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to export data from the dashboards as an HTML report.

To export data as a report

1. Display the dashboard you want to report on.
2. Click Generate Report in the upper right-hand corner of the page.
3. Enter a title for your report.
4. (Optional.) Enter a report description.
5. Click Print.

A dialog box opens where you can configure the print options for the report.

6. Click Save to print the report or save it as a PDF.

Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

The executive dashboard provides a visual display of important security metrics with the goal
of giving an at-a-glance view into performance across your security program.


This dashboard offers widgets that cover the main aspects of your environment. Clicking a
widget takes you to the corresponding detail page, where you can drill down further into the
data. Use the executive dashboard to review the state of your environment, detect possible
problems, and decide on the most appropriate response at any given moment.

You can filter the data included in the widgets by clicking the filter icon. See Refreshing and
Filtering Data from the USM Anywhere Dashboards for more information.

You can clone and customize your executive dashboard to meet your specific needs. See
Clone the Executive Dashboard for more information.

You can also export data from the dashboard as an HTML report. See Exporting Data from
the USM Anywhere Dashboards for more information.

The executive dashboard includes these separate sections:

- Executive Summary: Provides several widgets with general information: platform updates,
  threat metrics, security funnel, number of AT&T Alien Labs™ Open Threat Exchange® (OTX™)
  pulse hits, data source usage, alarm cycle time, and vulnerabilities remediation time by
  severity. See Executive Summary Section inside the Executive Dashboard for more information.

- Investigations: Provides several widgets related to investigations: number of
  investigations, average time to close an investigation, and top severity closed
  investigations. See Investigations Section inside the Executive Dashboard for more
  information.

- Alarms: Provides several widgets related to alarms: alarm summary, opened investigations by
  intent, alarms by severity, alarms method by strategy, and alarms method by intent. See
  Alarms Section inside the Executive Dashboard for more information.

- Vulnerability Assessment: Provides several widgets related to vulnerabilities: scan jobs
  history, number of vulnerabilities, and the top five vulnerable assets by score. See
  Vulnerability Assessment Section inside the Executive Dashboard for more information.

- Events: Provides several widgets related to events: events trend and top 10 generating data
  sources. See Events Section inside the Executive Dashboard for more information.

Executive Summary Section inside the Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

This section summarizes the activity that has taken place in your environment.

Widgets in the Executive Summary Section inside the Executive Dashboard

- Platform Updates: Total number of updates that a logged-in user has made to orchestration
  rules, dashboards, views, plugins, and assets.
- Threat Metrics: Total number of updates that a logged-in user has made to alarms,
  investigations, vulnerabilities, configuration issues, and users.
- Security Funnel: Total number of events tied to alarms, and of alarms tied to
  investigations.
- Number of OTX Pulse Hits: Sankey diagram that displays the top AT&T Alien Labs™ Open Threat
  Exchange® (OTX™) indicators or pulses found in alarms.
- Data Source Usage: Graph that displays the number of events ingested in USM Anywhere per
  individual data source.
- Alarm Cycle Time: Graph that displays alarm response and remediation times: how long it took
  to respond to a threat and how long it took to resolve the alarm.
- Vulnerabilities Remediation Time by Severity: Graph that displays the number of open
  vulnerabilities by severity over time.

Investigations Section inside the Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

This section displays information about the investigations you have created. Investigations
organize the information from your environment and enable you to manage and coordinate
incident response activities. See USM Anywhere Investigations for more information.

Widgets in the Investigations Section inside the Executive Dashboard

- Number of Investigations: Number of all investigations in your environment, broken down by
  status: open, in review, and closed.
- Average Time to Close an Investigation: Graph that displays, in days, the average time to
  close an investigation, from the moment it is opened to the moment it is closed.
- Top Severity Closed Investigations: List of the top closed investigations by severity.

Alarms Section inside the Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

This section displays information about the alarms detected in your environment. These widgets
show the results of the USM Anywhere correlation engine and the value of mapping those results
into actionable groups based on risk. See Alarms Management for more information.

Widgets in the Alarms Section inside the Executive Dashboard

- Alarm Summary: Graph that displays the number of alarms in your environment on a monthly
  basis and their current status: open, suppressed, closed, and total.
- Opened Investigations by Intent: Pie chart displaying the open investigations grouped by
  intent.
- Alarms by Severity: Alarms grouped by severity (critical, high, medium, and low) over a range
  of dates. The size of each bubble depends on the number of alarms.
- Alarms Method by Strategy: Table listing each method name with the number of alarms that use
  that method, grouped by strategy.
- Alarms Method by Intent: Table listing each method name with the number of alarms that use
  that method, grouped by intent.

Vulnerability Assessment Section inside the Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

This section gives you a way to understand your assets' exposure and to measure the
remediation cycle. See Vulnerability Assessment for more information.

Widgets in the Vulnerability Assessment Section inside the Executive Dashboard

- Scan Jobs History: Graph that displays the total number of vulnerability scans run against
  assets on each day of the current month.
- Number of Vulnerabilities: Total number of vulnerabilities in your environment.
- Top 5 Vulnerable Assets by Score: List of the top five vulnerable assets ordered by score.

Events Section inside the Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

This section shows how the events that USM Anywhere ingests break down across the different
data sources on your network. See Events Management for more information.

Widgets in the Events Section inside the Executive Dashboard

- Events Trend: Graph that displays the number of events ingested in USM Anywhere on an hourly
  basis.
- Top 10 Generating Data Sources: List of the top 10 data sources based on the number of
  events ingested.

Actions on the Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

When you open the executive dashboard, there is an Action button in the upper right side of
the page.

This button includes these options:

- Create New Dashboard: Creates a new dashboard that you can populate with the widgets and
  content you need. See USM Anywhere Custom Dashboards for more information.

- Clone Dashboard: Clones the executive dashboard so that you can edit the copy and customize
  it with the widgets and content you need. See Clone the Executive Dashboard for more
  information.

Clone the Executive Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to clone the executive dashboard and customize the cloned
dashboard with the widgets and content you need.

To clone the Executive Dashboard

1. Go to Dashboards > Executive.

2. Click Actions > Clone Dashboard.

The new dashboard displays in the navigation menu, below Custom Dashboards.


To edit your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


To change the name of your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


3. Modify the title of the dashboard.


4. Click Save.

To change the group name of your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


3. Click the edit icon next to the group name you want to change.

4. Modify the group name.

5. Click the confirm icon to save the group name, or the cancel icon to discard the change.

6. Click Save.

To remove a group of your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


3. Click the Remove Group link next to the group name you want to remove.
4. Click Save.

To modify the widget order of your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


3. Click the move icon on the widget and drag the widget to the desired position.

4. Click Save.

To modify the widget row height of your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


3. Click one of the row-height icons to change the widget row height.

The available values are small, medium, and large.

4. Click Save.

To delete a widget of your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


3. Click the delete icon next to the widget you want to delete.

4. Click Save.

To add a widget in your cloned executive dashboard

1. In the navigation menu, click your cloned executive dashboard.

2. Click Actions > Edit Dashboard.

The Edit Executive Dashboard dialog box opens.


3. Click the Add Widget link in the group where you want to add the widget.
4. Select the data you want to add to that widget.
5. Click Save.

Viewing USM Anywhere Dashboards

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere includes a set of dashboards that display data collected from your network.
Dashboards are visible if you have data for them. Sometimes it takes a few minutes for the
dashboards to display.

Note: Dashboards for the AlienApps you have configured are also available; they are visible
only when data exists for them. See USM Anywhere AlienApps™ for more information.


Important: A dashboard is displayed only if there are events for it from the last seven days.
When no such events have been received in the previous seven days, that dashboard does not
display.

Dashboards include widgets with important information about your environment. You can
find different types of widgets. There are lists, graphs, pie charts, total numbers of a feature
or element, and some other ways of presenting the data to have a valuable and quick view of
your environment.

Some of the widgets include a filter that you can use to select a predefined range between
Last Hour, Last 24 Hours, Last 7 Days, or Last 30 Days. Click the icon to use this filter.

AlienVault Agent Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

This dashboard has data when agents are deployed on assets in your environment. See The
AlienVault Agent for more information.

Widgets in the AlienVault Agent Dashboard

- Agent Platform: Total number of assets with a deployed agent, by platform: Windows, macOS,
  and Linux.
- Agent Version: Total number of agents running the current version, and the total number of
  agents that can be updated to a new version using Update and Troubleshoot AlienVault Agents.
- Agent Status: Total number of agents that are online and offline.
- Alarms By Intent: Alarms grouped by intent over a range of dates. The size of each bubble
  depends on the number of alarms.
- Count/Time: Graph that shows the number of events over a period of time.
- Top Event Names: List of the top event names related to the agent.
- File Integrity Monitoring — Top Action: Pie chart displaying, in percentages, the top file
  integrity monitoring actions recorded on agent-monitored systems.
- File Integrity Monitoring — Top File Path: List of the top file paths with integrity changes
  on agent-monitored systems.

Amazon DynamoDB Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
Amazon DynamoDB dashboard. This dashboard displays data when the Amazon Web Services (AWS)
CloudTrail data source has been configured and includes Amazon DynamoDB events.

Widgets in the DynamoDB Dashboard

- Events By Name: List of events by name.
- Access Control: Pie chart displaying, in percentages, the authentication and access control
  outcomes for DynamoDB.
- Top Tables/Streams: List of the top DynamoDB tables and streams.
- Actions: List of the Amazon DynamoDB actions found in the events.
- Top Users: List of the top Amazon DynamoDB users.
- User Activity: Users related to their implied activity, which can be create, read, update,
  or delete (CRUD). The size of each bubble depends on the number of events.

Amazon S3 Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
Amazon Simple Storage Service (S3) dashboard. This dashboard displays data when the Amazon Web
Services (AWS) CloudTrail data source has been configured and receives s3.amazonaws.com
events.

Widgets in the Amazon S3 Dashboard

- Events By Name: List of events by name.
- Top Buckets: List of the top Amazon S3 buckets, the resources that store objects across the
  different S3 storage tiers.
- Top Users: List of the top Amazon S3 users.
- Access Control: Pie chart displaying, in percentages, the authentication and access control
  outcomes for Amazon S3.
- Authentication Mode: Pie chart displaying, in percentages, the authentication mode for
  Amazon S3.
- Authentication Type: Pie chart displaying, in percentages, the authentication type for
  Amazon S3.
- Actions: List of the Amazon S3 actions found in the events.
- User Activity: Users related to their implied activity, which can be create, read, update,
  or delete. The size of each bubble depends on the number of events.

Amazon VPC Flow Logs Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

The Amazon Virtual Private Cloud (VPC) Flow Logs dashboard displays events only when the
Amazon VPC Flow Logs data source is in use. See Collect Amazon CloudWatch Logs and Example:
Creating a Suppression Rule for VPC Flow Logs for more information.

Widgets in the AWS VPC Flow Logs Dashboard

- Events by Outcome: Pie chart displaying, in percentages, the AWS VPC Flow Logs events grouped
  by outcome.
- Rejects by Protocol: Pie chart displaying, in percentages, the rejected AWS VPC Flow Logs
  events grouped by protocol.
- Top Blocked Sources: List of the 10 source addresses with the most rejected flows.
- Top Blocked Destinations: List of the 10 destination addresses with the most rejected flows.
- Top Source Countries: List of the 10 top source countries.
- Top Destination Countries: List of the 10 top destination countries.
- Top Sources with Bad Reputation: List of the 10 top sources with a bad reputation.
- Flows Per Hour: Graph that displays the number of accepted and rejected flows per hour
  during the last 24 hours.
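The widgets above are aggregations over the raw flow records. The following Python script is an added illustration, not USM Anywhere code and not part of this guide: it reproduces those aggregations over a handful of constructed version-2 flow log records and adds one check a practitioner usually wants next to the Top Blocked Sources list, namely which rejected sources touched several distinct destination ports. The field order, the protocol-number names, and the port threshold are assumptions made for the example, not values taken from the product.

```python
"""Aggregate Amazon VPC Flow Log records into the dashboard's widget metrics.

Added example, not USM Anywhere code. It assumes the default version-2
flow log layout; the sample records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# IANA protocol numbers as they appear in the protocol field (subset).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: one external host probing three ports, one normal
# HTTPS session, one multicast-DNS reject, and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 44512 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 44513 3389 6 3 180 1700000005 1700000064 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.6 44514 445 6 2 120 1700000010 1700000069 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 53211 443 6 25 18000 1700000020 1700000079 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 443 53211 6 20 42000 1700000020 1700000079 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.5 5353 5353 17 1 80 1700003700 1700003710 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700003800 1700003860 - NODATA
"""


def parse_flow_log(text):
    """Parse space-separated flow log lines; skip records without flow data."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom-format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no addresses or action
        rec["protocol"] = int(rec["protocol"])
        rec["start"] = int(rec["start"])
        records.append(rec)
    return records


def events_by_outcome(records):
    """'Events by Outcome' widget: number of flows per action (ACCEPT / REJECT)."""
    return Counter(r["action"] for r in records)


def rejects_by_protocol(records):
    """'Rejects by Protocol' widget: rejected flows grouped by protocol name."""
    return Counter(PROTOCOLS.get(r["protocol"], str(r["protocol"]))
                   for r in records if r["action"] == "REJECT")


def top_blocked(records, field, n=10):
    """'Top Blocked Sources/Destinations': pass field='srcaddr' or 'dstaddr'."""
    return Counter(r[field] for r in records if r["action"] == "REJECT").most_common(n)


def flows_per_hour(records):
    """'Flows Per Hour' widget: accepted and rejected flows bucketed by UTC hour."""
    buckets = defaultdict(Counter)
    for r in records:
        hour = datetime.fromtimestamp(r["start"], tz=timezone.utc).strftime("%Y-%m-%dT%H:00Z")
        buckets[hour][r["action"]] += 1
    return {h: dict(c) for h, c in sorted(buckets.items())}


def port_scan_candidates(records, min_ports=3):
    """Sources whose rejected flows hit at least min_ports distinct destination ports,
    the pattern behind a 'Top Blocked Sources' entry that deserves a closer look."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p, key=int) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(dict(events_by_outcome(recs)))
    print(dict(rejects_by_protocol(recs)))
    print(top_blocked(recs, "srcaddr"))
    print(flows_per_hour(recs))
    print(port_scan_candidates(recs))
```

On the constructed input, the script reports four rejected and two accepted flows, three TCP rejects and one UDP reject, 203.0.113.10 as the top blocked source, and the same address as a scan candidate because its rejected flows hit ports 22, 445 and 3389. Records with a log_status other than OK are skipped because they carry no addresses or action, which is also why a dashboard fed by a flow log with many NODATA records shows fewer flows than lines.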

AWS Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
Amazon Web Services dashboard. This dashboard displays data when the Amazon Web Services (AWS)
CloudTrail data source has been configured.

Widgets in the AWS Dashboard

- Messages by Source: List of the fifteen assets receiving the most messages.
- Event Action: Create: Total number of assets created during the current day and during the
  current week.
- Event Action: Update: Total number of assets updated during the current day and during the
  current week.
- Event Action: Delete: Total number of assets deleted during the current day and during the
  current week.
- Event Action: Read: Total number of assets read during the current day and during the
  current week.
- Unauthorized Activity: List of the unauthorized activity found in the events.
- Asset Instances by Type: List of asset instances ordered by type.
- Messages by Outcome: Pie chart displaying, in percentages, the access control outcome, which
  can be Allow or Deny.
- Asset States: List of asset states and the total number of assets in each state.
- Asset Information: Total number of assets that have vulnerabilities, configuration issues,
  and alarms.
- Asset Instances by Region: Total number of asset instances by region.
- Latest Console Login: Date of the latest console login.
- Account Vendors: Pie chart displaying, in percentages, the known vendor services in AWS.
- User Actions: Users related to the implied action of the event, which can be create, read,
  update, or delete. The size of each bubble depends on the number of events.
- Denied Activity: Sankey diagram that displays the source username, the event name, and the
  date on which the events were received.
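The Amazon DynamoDB, Amazon S3, and AWS dashboards all derive their user activity, access control, denied activity, and latest console login widgets from CloudTrail records. The following Python script is an added example, not USM Anywhere code, showing how those figures fall out of raw CloudTrail JSON. The eventName-prefix-to-CRUD mapping and the errorCode test for a denied call are assumptions that approximate the widget descriptions, and the records are constructed. It also flags a principal that repeatedly hits the same denied API, which is the pattern the Unauthorized Activity and Denied Activity widgets are usually used to spot.

```python
"""Derive the CloudTrail-based dashboard widgets from raw CloudTrail records.

Added example, not USM Anywhere code. The eventName-to-CRUD mapping and the
'denied' test are assumptions that approximate the widget descriptions;
the records below are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed CloudTrail log file in the {"Records": [...]} layout that
# CloudTrail delivers to S3. Only the fields used below are included.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-10-18T09:01:12Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "payroll-exports", "key": "2023-10.csv"}},
    {"eventTime": "2023-10-18T09:02:40Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "payroll-exports", "key": "2023-11.csv"}},
    {"eventTime": "2023-10-18T09:05:03Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "payroll-exports"}},
    {"eventTime": "2023-10-18T09:05:09Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "payroll-exports"}},
    {"eventTime": "2023-10-18T09:06:30Z", "eventSource": "dynamodb.amazonaws.com", "eventName": "DescribeTable",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDeniedException",
     "requestParameters": {"tableName": "sessions"}},
    {"eventTime": "2023-10-18T09:10:00Z", "eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
     "requestParameters": {"tableName": "sessions"}},
    {"eventTime": "2023-10-18T09:20:41Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})

# Assumed eventName prefix to CRUD mapping; the guide does not publish the product's own.
CRUD_PREFIXES = {
    "create": ("Create", "Put", "Run", "Add", "Attach"),
    "read": ("Get", "List", "Describe", "Head", "Query", "Scan", "BatchGet"),
    "update": ("Update", "Modify", "Set", "Enable", "Disable", "Tag", "Untag"),
    "delete": ("Delete", "Remove", "Terminate", "Detach"),
}


def crud_action(event_name):
    """Map a CloudTrail eventName to its implied CRUD action ('other' if unmapped)."""
    for action, prefixes in CRUD_PREFIXES.items():
        if event_name.startswith(prefixes):
            return action
    return "other"


def actor(identity):
    """Readable principal: the IAM user name, else the session part of the ARN."""
    if identity.get("userName"):
        return identity["userName"]
    arn = identity.get("arn", "")
    return arn.rsplit(":", 1)[-1] if arn else identity.get("type", "unknown")


def is_denied(record):
    """Authorization failures surface as AccessDenied* or *Unauthorized* errorCodes."""
    code = record.get("errorCode", "")
    return code.startswith("AccessDenied") or "Unauthorized" in code


def load_records(text):
    return json.loads(text)["Records"]


def messages_by_outcome(records):
    """'Messages by Outcome' / 'Access Control' widgets: Allow versus Deny."""
    return Counter("Deny" if is_denied(r) else "Allow" for r in records)


def user_activity(records):
    """'User Activity' / 'User Actions' bubbles: allowed calls per principal by CRUD action."""
    activity = defaultdict(Counter)
    for r in records:
        if not is_denied(r):
            activity[actor(r["userIdentity"])][crud_action(r["eventName"])] += 1
    return {user: dict(c) for user, c in activity.items()}


def denied_activity(records):
    """'Denied Activity' Sankey input: (principal, event name, date) per denied call."""
    return [(actor(r["userIdentity"]), r["eventName"], r["eventTime"][:10])
            for r in records if is_denied(r)]


def repeated_denials(records, threshold=2):
    """Principals hitting the same denied API repeatedly, a permission-probing signal."""
    counts = Counter((user, name) for user, name, _ in denied_activity(records))
    return [(user, name, n) for (user, name), n in counts.most_common() if n >= threshold]


def latest_console_login(records):
    """'Latest Console Login' widget: newest successful ConsoleLogin eventTime."""
    times = [r["eventTime"] for r in records
             if r["eventName"] == "ConsoleLogin"
             and r.get("responseElements", {}).get("ConsoleLogin") == "Success"]
    return max(times) if times else None


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    print(dict(messages_by_outcome(recs)), user_activity(recs), repeated_denials(recs))
```

On the constructed records the outcome split is four Allow to three Deny, alice shows one read and one create, the assumed role shows one create, and bob is reported for two denied DeleteBucket calls against the same bucket within seconds. A denied call is excluded from the activity counts on purpose: the widgets describe what a principal did, and a denied request changed nothing, so counting it would inflate the CRUD bubbles and hide the refusals in the denied list where they belong.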

AWS Load Balancer Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
Amazon Web Services (AWS) Load Balancer dashboard. This dashboard displays data when the ELB
Access data source has been configured or your environment has an AWS Application Load
Balancer configured. See Collect ELB Access Logs for more information.

Widgets in the AWS Load Balancer Dashboard

- Events by Outcome: Pie chart displaying, in percentages, the AWS Load Balancer events grouped
  by outcome.
- Events by Response Code: Pie chart displaying, in percentages, the main events by response
  code.
- Events by TLS Version: Pie chart displaying, in percentages, the main events by Transport
  Layer Security (TLS) version.
- Events by Device: List of the main events by device.
- HTTP 4xx Error Codes: Graph that displays the HTTP 4xx error codes over time.
- Top URL with Errors: List of the top URLs with errors.
- HTTP 5xx Error Codes: Graph that displays the HTTP 5xx error codes over time.

Azure Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
Microsoft Azure dashboard. This dashboard displays data when the Azure Cloud data source has
been configured.

Widgets in the Azure Dashboard

- Messages by Severity: Pie chart displaying, in percentages, the received messages by
  severity.
- Activity by User: List of the top five usernames with the most activity.
- Events by Provider: List of the events by provider.
- Top Denied Users: List of the top denied users.
- Events by Resource: List of the events by resource.
- Unauthorized Activity: List of the unauthorized activity.
- Number of VMs: Total number of virtual machines (VMs) deployed.
- VMs by OS: Total number of VMs by operating system (OS).
- VMs by Region: Total number of VMs by region.
- VMs by Size: Total number of VMs by size.

Box Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

The Box dashboard displays a summary of the events originating from Box logs. This option is
visible only if there are Box events. See The AlienApp for Box for more information.

Widgets in the Box Dashboard

- Top Events: List of the top events detected by Box.
- Box Activity: Graph that displays the activity in Box over time.
- User Activity: List of the five users with the most activity in Box.
- Top File Names: List of the top five file names in Box.
- Login by Country: List of the top five countries by Box logins.
- Top Users With Failed Logins: List of the top five users by failed logins.

Cisco AMP Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

The widgets might be visible in the Cisco AMP dashboard if there are Cisco AMP events. See
AlienApp for Cisco Secure Endpoint for more information.

Widgets in the Cisco AMP Dashboard

- Events over Time: Graph that displays events over time.
- Events by Name: Pie chart displaying, in percentages, the top events by name.
- Threat Detected: Total number of Cisco events with the name 'Threat Detected'.
- Top Alarms: List of the top alarms ordered by event name.
- Multiple Infected Files: Total number of multiple infected files detected.
- Top Source: List of the top sources.
- Activity by Host: Top Cisco AMP activity by host.
- Malicious Activity Detection: Total number of malicious activity detections by Cisco AMP.

Cisco Meraki Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

The widgets might be visible in the Cisco Meraki dashboard if there are Cisco Meraki events.

Widgets in the Cisco Meraki Dashboard

- Count/Time: Graph that shows the number of events over a period of time.
- Top Device Categories: List of the top device categories on Cisco Meraki.
- HTTP Hostname: Pie chart displaying, in percentages, the host names and IP addresses visited
  by clients on your network.
- Top Categories: Counts of the top supported syslog event types.
- Reporting Device Hostname: List of reporting device hostnames.

Cisco Umbrella Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

This option is visible only if there are Cisco Umbrella events.

Widgets in the Cisco Umbrella Dashboard

- Events By Action: Pie chart displaying, in percentages, the events detected by action.
- Top Blocked Categories: Pie chart displaying, in percentages, the top blocked categories.
- Number Of Events By Identity: Pie chart displaying, in percentages, the number of events by
  identity.
- Top Domains: List of the top five domains in order of popularity.
- Top Categories: List of the top five content categories on Cisco Umbrella.
- Top Blocked Domains: List of the top five domains blocked by Cisco Umbrella.
- Top Blocked Identities: List of the top five identities blocked by Cisco Umbrella.
- Blocked Activity: Sankey diagram that displays the blocked activity detected by Cisco
  Umbrella.

Cloudflare Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

The widgets might be visible in the Cloudflare dashboard if there are Cloudflare events. See
The AlienApp™ for Cloudflare for more information.

Widgets in the Cloudflare Dashboard

- Platform: Pie chart displaying, in percentages, the platforms detected by Cloudflare.
- Top Hostnames: List of the top hostnames on Cloudflare.
- Top Events: List of the top events detected by Cloudflare.
- TLS Version: Pie chart displaying, in percentages, the main events by Transport Layer
  Security (TLS) version.
- TLS Cipher: Pie chart displaying, in percentages, the main events by TLS cipher.

Cylance Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
BlackBerry Cylance dashboard. This dashboard displays data when the CylancePROTECT data source
has been configured.

Widgets in the Cylance Dashboard

- Devices by Platform: Pie chart displaying, in percentages, the connected devices by platform.
- Stats: Total number of connected devices, threats, and devices with threats.
- Top Exploits Attempts by Category: Pie chart displaying, in percentages, the top exploit
  attempts by category.
- Top Users by Number of Threats: List of the top users by number of threats.
- Top Devices by Number of Threats: List of the top devices by number of threats.
- Top Exploits Attempts by Process: List of the top exploit attempts by process.
- Top Exploits Attempts by Device: List of the top exploit attempts by device.

FireEye Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
FireEye dashboard. This dashboard displays data when the Reporting Device Vendor field has the
value FireEye.

Widgets in the FireEye Dashboard

- Alert Types: List of alerts by type.
- Severity: Pie chart displaying, in percentages, the detected severities.
- Alerts by Device: Total number of alerts by device.
- Top Sources: List of the top sources.
- Top Ports: Pie chart displaying, in percentages, the top ports.
- Top Destinations: List of the top destinations.
- Top Malware: List of the top malware.
- Last Alerts: List of the most recently detected alerts.
- Daily Activity Per Hour: Graph that displays the daily activity per hour.

FortiGate Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
Fortinet FortiGate dashboard. This dashboard displays data when the FortiGate data source has
been configured.

Widgets in the FortiGate Dashboard

- Actions: Pie chart displaying, in percentages, the FortiGate actions found in the events.
- Intrusion Prevention: List of the top ten intrusion prevention events.
- Top Blocked Users: List of the top five users blocked by FortiGate.
- Events by Severity: Pie chart displaying, in percentages, the FortiGate events by severity.
- Applications: List of the top ten applications detected in the events.
- Inbound Traffic Per Hour by Interface: Graph that displays the inbound traffic per hour by
  interface.
- Outbound Traffic Per Hour by Interface: Graph that displays the outbound traffic per hour by
  interface.

Google Cloud Platform Dashboard

Role Availability: Read-Only, Investigator, Analyst, Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in the
Google Cloud Platform dashboard. This dashboard displays data when the Google Cloud Audit data
source has been configured.

Widgets in the Google Cloud Platform Dashboard

- Messages by Source: List of the top sources receiving the most messages.
- Activity by Project: Pie chart displaying, in percentages, the top projects with the most
  activity.
- Unauthorized Activity: List of the unauthorized activity.
- Top Users: List of the top users.
- Top Actions: Pie chart displaying the top actions in Google Cloud Platform.
- Asset Instances by Type: List of asset instances ordered by type.
- Messages by Outcome: Pie chart displaying, in percentages, the access control outcome, which
  can be Allow or Deny.
- Asset States: List of asset states and the total number of assets in each state.
- Asset Information: Total number of assets that have vulnerabilities, configuration issues,
  and alarms.
- Asset Instances by Region: Total number of asset instances by region.

Google G Suite Audit Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Google G Suite audit dashboard. This dashboard displays data when the G Suite audit
data source has been configured.


Widgets in the G Suite Audit Dashboard

Login Attempts: Pie chart displaying, in percentages, the successful and unsuccessful login attempts to G Suite Audit.

Failed Login By User: List of the top 5 failed logins by user.

Login Failed Reasons: Pie chart displaying, in percentages, the reasons for failed logins.

Top Category: List of the top 5 G Suite Audit categories.

Failed Login By Address: List of the top 5 failed logins in G Suite Audit by address.

Login By Country: List of the top 5 logins in G Suite Audit by country.

Recently Authorized Applications: List of the applications recently authorized by G Suite Audit.

Top Actions: List of the top 5 actions in G Suite Audit.

Login Activity: Graph that displays the successful and unsuccessful login attempts to G Suite Audit.

Authorized Applications: Sankey diagram that displays the applications authorized by G Suite Audit.

Google G Suite Drive Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Google G Suite Drive dashboard. This dashboard displays data when the G Suite Drive
data source has been configured.


Widgets in the Google G Suite Audit Dashboard

Top Events: List of top events detected by Google G Suite Audit.

Resource Type: Pie chart displaying, in percentages, the type of resource in Google G Suite Audit.

Top Category: List of the top Google G Suite Audit categories.

User Activity: List of the 5 users with the most activity in Google G Suite Audit.

Top File Names: List of the top 5 file names in Google G Suite Audit.

Activity: Graph that displays the activity in Google G Suite Audit over time.

McAfee ePO Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the McAfee ePO dashboard. This dashboard displays data when the McAfee ePO data source
has been configured. See The AlienApp™ for McAfee ePO for more information.


Widgets in the McAfee ePO Dashboard

Top Events: Pie chart displaying, in percentages, the top events detected by McAfee ePO.

Event by Severity: Pie chart containing the percentage of McAfee ePO events by severity.

Events by Action: Pie chart displaying, in percentages, the events detected by action.

Top Malware Families: List of the top malware families expressed in total numbers.

Top Hosts: List of top hosts expressed in total numbers.

Top Users: Pie chart containing the percentage of McAfee ePO logs per user.

Daily Activity Per Hour: Graph that displays the daily activity of McAfee ePO per hour.

Microsoft ATA Dashboard


Role Availability Read-Only Investigator Analyst Manager

The widgets might be visible in the Microsoft Advanced Threat Analytics (ATA) dashboard if
there are Microsoft Advanced Threat Analytics events.

Widgets in the Microsoft ATA Dashboard

Top Activity: Graph that shows the number of events over a period of time.

Alarms Over Time: Graph that shows the number of alarms over a period of time.

Top Active Users: List of the Microsoft ATA top active users.

Top Applications: List of the ten top applications detected in the events.

Top Failures: List of the Microsoft ATA top failures.

Top Events by Severity: Pie chart containing the percentage of Microsoft ATA events by severity.

Top Activity by Host: List of the Microsoft ATA top activity by host.

MITRE ATT&CK Dashboard

Role Availability Read-Only Investigator Analyst Manager

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally
accessible knowledge base of adversary tactics and techniques based on real-world
observations. This dashboard includes the tactics and techniques to describe adversarial
actions and behaviors. Techniques are specific actions an attacker might take, and tactics are
phases of attacker behavior. See MITRE ATT&CK and Alarms List View for more information.

Note: You can watch the How to improve threat detection and response with the MITRE
ATT&CK framework customer training webcast on-demand to learn how to use MITRE
ATT&CK within USM Anywhere.


Widgets in the MITRE ATT&CK Dashboard

MITRE ATT&CK: Table with tactics and techniques. See Alarms List View for more information.

Command and Control Top Assets: The command and control tactic represents how adversaries communicate with systems under their control within a target network.

Exfiltration Top Assets: Exfiltration refers to techniques and attributes that result in or aid the adversary stealing files and information from a target network.

Privilege Escalation Top Assets: Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.

Lateral Movement Top Assets: Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems.

Credential Access Top Assets: Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.

Discovery Top Assets: Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network.

Defense Evasion Top Assets: Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses.

Persistence Top Assets: Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system.

Execution Top Assets: The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system.

Collection Top Assets: Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.

Initial Access Top Assets: The initial access tactic represents the vectors adversaries use to gain an initial foothold within a network.

MobileIron Threat Defense Dashboard

Role Availability Read-Only Investigator Analyst Manager

The MobileIron Threat Defense dashboard displays data when the MobileIron Threat Defense
(MTD) source has been configured and includes MobileIron events. See AlienApp for
MobileIron Threat Defense for more information.


Widgets in the MobileIron Threat Defense Dashboard

Top Activity: Graph that shows the number of events over a period of time.

Top Alerts: Graph that shows the number of alarms over a period of time.

Top Event Types: Pie chart displaying, in percentages, the top event types related to the MTD.

Top Event Severities: Pie chart displaying, in percentages, the top event severities related to the MTD.

Events by Platform: Pie chart displaying, in percentages, the top events by platform related to the MTD.

Asset Information: Total number of assets with not-upgraded Apple iOS, not-upgraded Android, not-upgradable iOS, and not-upgradable Android.

Critical Events: Total number of critical MobileIron events.

NIDS Dashboard


Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the network-based intrusion detection system (NIDS) dashboard. This dashboard displays
data when the AlienVault NIDS data source has been configured.

Widgets in the NIDS Dashboard

Assets with Malware Activity: Total number of assets with malware activity for the current day and for the current week.

Top Categories: List of the top categories expressed in total numbers.

Top Signatures: List of the top NIDS signatures with the most events.

Top Malware Families: List of the top malware families expressed in total numbers.

Top Malware Destination: List of the top malware ordered by destination country.

Top Categories/SubCategories: List of the top categories and subcategories expressed in total numbers.

Top Exploit Activity: List of the top exploit activity in your environment.

Top Malware: List of the top malware in your environment.

Office 365 Azure Active Directory Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Microsoft Azure Active Directory (AD) dashboard. This dashboard displays a summary of
the events originating from the Azure AD logs, so your environment must have configured
the Azure AD data source.


Widgets in the Office 365 Azure Active Directory Dashboard

Login Attempts: Pie chart displaying, in percentages, the successful and unsuccessful login attempts to Office 365 Azure Active Directory.

Failed Login By User: List of the top 5 failed logins by user.

Login Failed Reasons: Pie chart displaying, in percentages, the reasons for failed logins.

Top Events: List of top events detected by Office 365 Azure Active Directory.

Failed Login By Address: List of the top 5 failed logins in Office 365 Azure Active Directory by address.

Login By Country: List of the top 5 logins in Office 365 Azure Active Directory by country.

Login Activity: Graph that displays the successful and unsuccessful login attempts to Office 365 Azure Active Directory.

Office 365 OneDrive Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Microsoft OneDrive dashboard. This dashboard displays a summary of the events
originating from the OneDrive logs, so your environment must have configured the Microsoft
SharePoint data source and the OneDrive application.


Widgets in the Office 365 OneDrive Dashboard

Top Events: List of top events detected by Office 365 OneDrive.

Resource Type: Pie chart displaying, in percentages, the type of resource in Office 365 OneDrive.

File Types: Pie chart displaying, in percentages, the type of files in Office 365 OneDrive.

Activity: Graph that displays the activity in Office 365 OneDrive over time.

Top User Agents: List of the top 5 user agents used with Office 365 OneDrive.

User Activity: List of the 5 users with the most activity in Office 365 OneDrive.

Office 365 SharePoint Dashboard


Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Microsoft SharePoint dashboard. This dashboard displays a summary of the events
originating from the SharePoint logs, so your environment must have configured the
Microsoft SharePoint data source and the SharePoint application.

Widgets in the Office 365 SharePoint Dashboard

Top Events: List of top events detected by Office 365 SharePoint.

Resource Type: Pie chart displaying, in percentages, the type of resource in Office 365 SharePoint.

File Types: Pie chart displaying, in percentages, the type of files in Office 365 SharePoint.

Activity: Graph that displays the activity in Office 365 SharePoint over time.

Top User Agents: List of the top 5 user agents used with Office 365 SharePoint.

User Activity: List of the 5 users with the most activity in Office 365 SharePoint.


Okta Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Okta dashboard. This dashboard displays data when the Okta data source has been
configured. See The AlienApp™ for Okta for more information.


Widgets in the Okta Dashboard

Events by Name: List of the ten top Okta events by name.

Failed Actions: List of the ten top failed actions related to Okta.

Event Outcome: Pie chart displaying, in percentages, the successful and failed event outcomes.

Top Users with Failed Actions: List of the top users with failed actions.

Top Applications: List of the ten top applications detected in the events.

Top Users: List of the ten top users in Okta.

Top Categories: List of the top Okta categories.

User Activity: Sankey diagram that displays the Okta user activity.

Open Threat Exchange Dashboard

Role Availability Read-Only Investigator Analyst Manager

The AT&T Alien Labs™ Open Threat Exchange® (OTX™) dashboard displays if raw pulse data
points are received. See Open Threat Exchange® and USM Anywhere for more information.


Sometimes you may see the IP Reputation widgets contain data but the OTX Pulse widgets
do not. This is because IP Reputation widgets include all suspicious IP addresses, but OTX
Pulse widgets only contain data when the suspicious IP is reported as an IOC for a pulse. See
About OTX for the difference between pulses and IP Reputation.

Widgets in the Open Threat Exchange Dashboard

IP Reputation Activity: Graph that displays the IP Reputation activity.

IP Reputation by Activity: Pie chart displaying, in percentages, the IP Reputation by activity.

IP Reputation Activity By Data Source: Pie chart displaying, in percentages, the IP Reputation activity by data source.

OTX Activity: Graph that displays the OTX activity.

OTX Activity By Data Source: Pie chart displaying, in percentages, the OTX activity by data source.

Top OTX Pulse Indicators of Compromise: List of the top indicators of compromise that identify a specific threat.

Top Pulses: Top 5 threat events.

Top Sources with OTX Pulse Activity: List of the top 5 source IPs identified by OTX as potentially malicious.

Top Destinations with OTX Pulse Activity: List of the top 5 destination IPs identified by OTX as potentially malicious.
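The difference between the IP Reputation widgets and the OTX Pulse widgets described above can be seen by enriching a handful of events both ways. The following Python script is an added example, not USM Anywhere or OTX code: it constructs two sample pulses, a small IP reputation list, and five normalized events (all addresses from the RFC 5737 documentation ranges), then counts what each widget family would show. An event whose IP is on the reputation list but is not listed as an IOC in any pulse feeds only the IP Reputation widgets, which is why those widgets can be populated while the OTX Pulse widgets stay empty.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pulse:
    """An OTX pulse: a named threat report with the IP IOCs it lists (constructed)."""
    name: str
    ip_iocs: frozenset


# Constructed sample data, not real OTX content.
PULSES = [
    Pulse("constructed-pulse-A", frozenset({"198.51.100.10"})),
    Pulse("constructed-pulse-B", frozenset({"198.51.100.10", "203.0.113.77"})),
]

# IP Reputation covers every IP flagged as suspicious, whether or not a pulse names it.
IP_REPUTATION = {
    "198.51.100.10": "Malicious Host",
    "203.0.113.77": "C&C",
    "192.0.2.200": "Scanning Host",  # reputation only: no pulse reports this IP as an IOC
}

# Constructed normalized events: (data source, source IP, destination IP).
EVENTS = [
    ("AlienVault NIDS", "10.0.0.5", "198.51.100.10"),
    ("AlienVault NIDS", "10.0.0.6", "192.0.2.200"),
    ("Palo Alto PAN-OS", "192.0.2.200", "10.0.0.7"),
    ("Palo Alto PAN-OS", "10.0.0.5", "203.0.113.5"),  # neither reputation nor pulse
    ("Okta", "203.0.113.77", "10.0.0.9"),
]


def pulse_index(pulses):
    """Map each IOC IP to the names of the pulses that report it."""
    index = {}
    for pulse in pulses:
        for ip in pulse.ip_iocs:
            index.setdefault(ip, []).append(pulse.name)
    return index


def enrich(events, reputation, pulses):
    """Tag each event with its IP Reputation hits and its OTX pulse hits."""
    index = pulse_index(pulses)
    enriched = []
    for data_source, src, dst in events:
        enriched.append({
            "data_source": data_source,
            "src": src,
            "dst": dst,
            "reputation": [reputation[ip] for ip in (src, dst) if ip in reputation],
            "pulses": sorted({name for ip in (src, dst) for name in index.get(ip, [])}),
        })
    return enriched


def widget_counts(enriched):
    """Aggregate the way the dashboard does: reputation widgets vs OTX pulse widgets."""
    counts = {
        "ip_reputation_by_activity": Counter(),
        "ip_reputation_by_data_source": Counter(),
        "otx_activity_by_data_source": Counter(),
        "top_pulses": Counter(),
    }
    for event in enriched:
        for activity in event["reputation"]:
            counts["ip_reputation_by_activity"][activity] += 1
        if event["reputation"]:
            counts["ip_reputation_by_data_source"][event["data_source"]] += 1
        if event["pulses"]:
            counts["otx_activity_by_data_source"][event["data_source"]] += 1
        for name in event["pulses"]:
            counts["top_pulses"][name] += 1
    return counts


def reputation_only(enriched):
    """Events that populate the IP Reputation widgets but not the OTX Pulse widgets."""
    return [e for e in enriched if e["reputation"] and not e["pulses"]]


if __name__ == "__main__":
    rows = enrich(EVENTS, IP_REPUTATION, PULSES)
    for widget, counter in widget_counts(rows).items():
        print(widget, dict(counter))
    print("reputation-only events:", len(reputation_only(rows)))
```

With the constructed data, the Palo Alto PAN-OS source appears in the IP Reputation by Data Source counts but not in OTX Activity by Data Source, because its only suspicious IP (192.0.2.200) is on the reputation list and in no pulse.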

Overview Dashboard

Role Availability Read-Only Investigator Analyst Manager

This dashboard includes three separate sections.

SIEM Section
SIEM security intelligence combines and correlates collected logs and other data to find
malicious patterns in network traffic and within host activity.


Widgets in the SIEM Section

Note: Some widgets include a filter. You can hover over the filter to see the details.

Alarms: Total number of alarms for the current day and for the current week.

Alarms by Intent: Alarms correlated by intent and related to a range of dates. The size of the bubbles depends on the number of issues.

Top Alarms by Method: List of the top 5 alarms ordered by the method of attack or infiltration, including the total number of alarms.

Event Data Sources: Most seen data sources used to normalize events.

Events Trend: Graph that displays the trend in events.

Sensor Activity: Top sensor activity by events and alarms.

Asset Discovery Section

Asset Discovery discovers assets in your environment, detects changes in assets, and
discovers malicious assets in the network.


Widgets in the Asset Discovery Section

Top Operating Systems: List of the top operating systems on assets.

Asset Information: Software Inventory refers to the total number of assets with software installed. Assets Discovered refers to the total number of assets discovered by the user.

Top Assets with Alarms: List of the top 5 assets with the most alarms.

Vulnerability Assessment Section

Vulnerability Assessment identifies vulnerabilities or compliance issues by comparing the
installed software on assets with a database of known vulnerabilities.

Widgets in the Vulnerability Assessment Section

Assets with Vulnerabilities: Total number of assets having vulnerabilities for the current day and for the current week.

Vulnerabilities: Total number of vulnerabilities in your environment.

Vulnerabilities by Severity: Top vulnerabilities ordered by severity. See About Vulnerability Severity.

Most Vulnerable Assets: List of most vulnerable assets.

Palo Alto Networks Dashboard


Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Palo Alto Networks dashboard. This dashboard displays data when the Palo Alto PAN-OS
data source has been configured. See The AlienApp™ for Palo Alto Networks for more
information.

Widgets in the Palo Alto Networks Dashboard

Categories: Pie chart displaying, in percentages, the Palo Alto Networks categories.

Applications: Pie chart displaying, in percentages, the Palo Alto Networks applications.

Threats: Pie chart displaying, in percentages, the threats detected by Palo Alto Networks.

Top Thread Users: List of the top thread users expressed in total numbers.

Outcomes: List of the top Palo Alto Networks outcomes expressed in total numbers.

Top Signatures: List of the top Palo Alto Networks signatures.

Top Malware: List of the top malware in your environment.

SonicWall UTM Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the SonicWall dashboard. This dashboard displays data when the SonicWall data source has
been configured.


Widgets in the SonicWall Dashboard

Top 10 Policies: Pie chart displaying, in percentages, the top ten SonicWall policies.

Severity: Pie chart displaying, in percentages, the top event severities.

User Activity: Pie chart displaying, in percentages, the top users by activity.

Top Categories: List of the top categories expressed in total numbers.

Top Events: List of the top SonicWall events expressed in total numbers.

Top Users: List of the top users expressed in total numbers.

Top Web Categories: List of the top web categories expressed in total numbers.

Top Source Countries: List of the top source countries expressed in total numbers.

Top Destination Countries: List of the top destination countries expressed in total numbers.

Sophos UTM Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the Sophos Unified Threat Management (UTM) dashboard. This dashboard displays data when
the Sophos UTM data source has been configured.


Widgets in the Sophos UTM Dashboard

Actions: Pie chart displaying, in percentages, the actions supported by Sophos UTM.

Protocols: Pie chart displaying, in percentages, the protocols used by Sophos UTM.

Top Blocked Categories: Pie chart displaying, in percentages, the top blocked categories.

Categories: List of top categories on Sophos UTM.

Content Categories: List of top content categories on Sophos UTM.

Top Blocked Hosts: List of top hosts blocked by Sophos UTM.

Traffic Per Hour: Graph that displays the traffic detected by Sophos UTM per hour during the last 24 hours.

Top Blocked Users: List of top users blocked by Sophos UTM.


VMware Dashboard

Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the VMware dashboard. This dashboard displays data when the VMware application
programming interface (API) data source has been configured.

Widgets in the VMware Dashboard

Top Events: List of top events detected by VMware.

Events by Data Center: Pie chart displaying, in percentages, the VMware events by data center.

Events by Resource: List of VMware events by resource.

Logins by Country: List of logins detected by VMware, by country.

User Activity: Pie chart displaying, in percentages, the VMware users by activity.

Top Denied Users: List of top users denied by VMware.

VMware Assets: Total number of VMware assets with alarms and total number of VMware assets.

VMs by OS: List of VMware assets by operating system (OS).

VMware Assets with Alarms: List of VMware assets with the number of detected alarms.

Vulnerabilities Dashboard

Role Availability Read-Only Investigator Analyst Manager

If the dashboard does not contain information and no vulnerabilities have been detected, click
Run Authenticated Vulnerability Scan to run a scan that detects asset vulnerabilities. See
Running Authenticated Asset Scans.


Widgets in the Vulnerabilities Dashboard

Most Vulnerable Assets: List of most vulnerable assets in your environment.

Vulnerabilities by Asset Groups: List of most vulnerable asset groups in your environment.

Vulnerabilities by Severity: Pie chart displaying, in percentages, the severity of vulnerabilities, which can be Low, Medium, and High. See About Vulnerability Severity.

Top Active Vulnerabilities by Severity: List of the top active vulnerabilities by severity. You can see the CVE identifier, its severity, and the affected assets. See About Vulnerability Severity.

Latest Scan Jobs: List of the 5 latest scans run in your environment. It includes the scan date and the number of vulnerabilities found.

Scan Jobs History: Graph that displays the total number of vulnerability scans on each day in the current month.

WatchGuard Dashboard


Role Availability Read-Only Investigator Analyst Manager

Depending on the USM Anywhere Sensor you have installed, the widgets might be visible in
the WatchGuard dashboard. This dashboard displays data when the WatchGuard XTM data
source has been configured.

Widgets in the WatchGuard Dashboard

Access Control Outcomes: Pie chart displaying, in percentages, the access outcomes detected by WatchGuard.

Transport Protocol: Pie chart displaying, in percentages, the protocols detected by WatchGuard.

Top Signature Categories: List of the top signature categories detected by WatchGuard.

Top Signatures: List of the top signatures detected by WatchGuard.

Top Blocked Categories: List of the top categories blocked by WatchGuard.

Top Blocked Hosts: List of the top hosts blocked by WatchGuard.

Traffic Per Hour: Graph that displays the traffic detected by WatchGuard per hour during the last 24 hours.

Windows Authentication Dashboard

Role Availability Read-Only Investigator Analyst Manager

This Windows Authentication dashboard displays data when your environment includes
Microsoft Windows security auditing events.


Widgets in the Windows Authentication Dashboard

Logon Session Events: Displays the logon session events, such as successful logon, user-initiated logoff, logon failure, remote desktop session reconnected/disconnected, workstation locked/unlocked, and screen saver invoked/dismissed.

Logon Types: Displays the logon types, such as interactive, network, batch, service, unlock, network cleartext, remote desktop, and logon with cached credentials.

Domain Controller Authentication Events: Top authentication events received by the Domain Controller. For example: Kerberos tickets of any type (authentication, services).

Logon Failure Reasons: Top logon failure reasons in Active Directory. For example: incorrect usernames or bad passwords.

Kerberos Failure Codes: Top error codes generated by the Kerberos service. For example: errors received during authentication and service requests.

Ticket Encryption Type: Pie chart containing the different encryption types used in Kerberos. For example: DES, RC4, AES, etc.

Ticket Pre-Authentication Type: Pie chart containing the different pre-authentication types used in Kerberos. For example: timestamp, salt, etc.

Authentication Package: Top Active Directory authentication package types. For example: Kerberos or NTLM.

User Account Changes: Displays the user account changes, such as created, enabled, disabled, deleted, etc.

Group Changes: Displays the group changes, such as created, changed, deleted. It also displays if a member has been added or removed.

Remote Desktop Sessions: Sankey diagram containing remote connections between the different users and destination hosts.
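The Logon Types, Logon Failure Reasons, Ticket Encryption Type, and Kerberos Failure Codes widgets above are all derived from numeric fields in Windows Security log events (4624/4625 for logons, 4768/4769 for Kerberos tickets, 4771 for pre-authentication failures). The following Python script is an added example, not USM Anywhere code: it constructs a few sample events in that shape, buckets them the way the widgets do, and adds two checks an analyst reading this dashboard would want, namely tickets issued with DES or RC4 keys and logons of type 8 (network cleartext). The code tables are standard Windows values; the sample events are constructed, and their codes are given as integers, whereas a real collector usually delivers them as hex strings that need int(value, 16) first.

```python
from collections import Counter

# Logon type codes carried in events 4624/4625 (standard Windows values).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
# Kerberos ticket encryption types carried in events 4768/4769 (Kerberos etype ids).
TICKET_ENCRYPTION = {
    0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK_ENCRYPTION = {0x1, 0x3, 0x17, 0x18}  # DES and RC4 families
# Kerberos failure codes carried in events 4768/4771.
KERBEROS_FAILURES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED", 0x25: "KRB_AP_ERR_SKEW",
}
# NTSTATUS sub-status codes carried in event 4625.
LOGON_FAILURES = {
    0xC0000064: "user name does not exist", 0xC000006A: "bad password",
    0xC0000072: "account disabled", 0xC0000234: "account locked out",
}

# Constructed sample events, not real telemetry. Keys follow the EventData field names
# of the Security log; codes are ints here (a real collector usually sends hex strings).
EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "alice"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup"},
    {"EventID": 4624, "LogonType": 8, "TargetUserName": "bob"},
    {"EventID": 4625, "LogonType": 3, "TargetUserName": "bob", "SubStatus": 0xC000006A},
    {"EventID": 4625, "LogonType": 3, "TargetUserName": "nobody", "SubStatus": 0xC0000064},
    {"EventID": 4768, "TargetUserName": "alice", "Status": 0x0, "TicketEncryptionType": 0x12},
    {"EventID": 4768, "TargetUserName": "ghost", "Status": 0x6},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": 0x17},
    {"EventID": 4769, "TargetUserName": "svc-backup", "ServiceName": "MSSQLSvc/db01",
     "TicketEncryptionType": 0x12},
    {"EventID": 4771, "TargetUserName": "bob", "Status": 0x18},
    {"EventID": 4771, "TargetUserName": "bob", "Status": 0x18},
]


def summarize(events):
    """Bucket events the way the Windows Authentication widgets do, plus two checks."""
    summary = {
        "logon_types": Counter(),
        "logon_failure_reasons": Counter(),
        "ticket_encryption_types": Counter(),
        "kerberos_failure_codes": Counter(),
        "weak_tickets": [],       # (user, service) pairs issued with DES/RC4 keys
        "cleartext_logons": [],   # users seen with logon type 8 (NetworkCleartext)
    }
    for event in events:
        event_id = event["EventID"]
        if event_id == 4624:
            logon_type = event["LogonType"]
            label = LOGON_TYPES.get(logon_type, f"Unknown({logon_type})")
            summary["logon_types"][label] += 1
            if logon_type == 8:
                summary["cleartext_logons"].append(event["TargetUserName"])
        elif event_id == 4625:
            code = event["SubStatus"]
            summary["logon_failure_reasons"][LOGON_FAILURES.get(code, hex(code))] += 1
        elif event_id == 4768 and event.get("Status", 0) != 0:
            # A failed TGT request carries the KDC error code in Status.
            code = event["Status"]
            summary["kerberos_failure_codes"][KERBEROS_FAILURES.get(code, hex(code))] += 1
        elif event_id in (4768, 4769):
            etype = event["TicketEncryptionType"]
            summary["ticket_encryption_types"][TICKET_ENCRYPTION.get(etype, hex(etype))] += 1
            if etype in WEAK_ENCRYPTION:
                service = event.get("ServiceName", "krbtgt")  # 4768 issues a TGT
                summary["weak_tickets"].append((event["TargetUserName"], service))
        elif event_id == 4771:
            code = event["Status"]
            summary["kerberos_failure_codes"][KERBEROS_FAILURES.get(code, hex(code))] += 1
    return summary


if __name__ == "__main__":
    for widget, value in summarize(EVENTS).items():
        print(widget, dict(value) if isinstance(value, Counter) else value)
```

With the constructed events, the Ticket Encryption Type breakdown shows one RC4-HMAC service ticket for cifs/fs01, which is the kind of entry to follow up on because the service account still has an RC4 key, and the Logon Types breakdown shows one network cleartext logon, which means a password crossed the network in a form the destination could read.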

Windows Dashboard


Role Availability Read-Only Investigator Analyst Manager

The Microsoft Windows dashboard will have data when your environment includes NXLog
Windows events, Microsoft Azure Windows events, Elastic Winlogbeat Windows events, or
AlienVault Agent - Windows EventLog events.

Widgets in the Windows Dashboard

Events by Channel: Pie chart containing the different channels populating the Windows Event Log. For example: System, Security, or Application.

Top Users: Pie chart containing the percentage of Windows Event Logs per user.

Events by Severity: Pie chart containing the percentage of Windows Event Logs by severity.

Top Events: Displays a list of top Windows events.

Top Hosts: Top Windows hosts based on the Windows Event Logs generated.

Top Processes: Displays a list of the top Windows processes.

Top Security Categories: Displays a list of security categories.

Activity: Timeline graph displaying Windows activity by event category.

USM Anywhere Custom Dashboards

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to create and customize your own dashboards with the widgets
and content you need.

Edition: This feature is available in the Standard and Premium editions of USM
Anywhere.

See the Affordable pricing to fit every budget page for more information about the
features and support provided by each of the USM Anywhere editions.


To create a custom dashboard

1. Go to any dashboard.
2. Click Create Custom Dashboard.
3. Enter a title for your dashboard.
4. Use the Share Dashboard box for sharing your custom dashboard. This option is disabled
by default. See Sharing your Custom Dashboard for more information.
5. Add the number of rows you need and select the number of columns you want for each
row, between 1 and 4. You can select the row height (small, medium, or large) for each
column.
6. Click Save.

Your custom dashboard is created and displayed. The page appears empty because you
have not selected any widget yet.


To configure your custom dashboard


1. Go to Dashboards > Custom Dashboards and open your dashboard.


2. On the widget that you want to configure, click the icon.

3. Choose a widget type from Alarms, Events, Assets, Vulnerabilities, and Configuration
Issues. Every widget type has its own widget data.
4. You can change the title of the widget.
5. (Optional.) You can select a saved view filter if you have custom views for the selected
type of widget.
6. Click Save.


Note: You can move the widgets inside your dashboard. Click the widget that you
want to move and drag it to the space you want to move it to. If it is an empty space,
the widget will display in it. If it is in a space occupied by another widget, the widgets
will replace each other.

To edit your custom dashboard

1. Go to Dashboards > Custom Dashboards and open your dashboard.
2. Select Actions > Edit Dashboard.
3. Modify the information you need to.
4. Click Save.


To edit a widget in your custom dashboard

1. Go to Dashboards > Custom Dashboards and open your dashboard.
2. Click the icon and select Edit.

The Edit Widget dialog box opens.

3. Modify the information of the items that need to be modified.
4. Click Save.

To modify the title of a widget in your custom dashboard

1. Go to Dashboards > Custom Dashboards and open your dashboard.
2. Click the icon and select Edit.

The Edit Widget dialog box opens.

3. Modify the title.
4. Click Save.


To clone your custom dashboard

1. Go to Dashboards > Custom Dashboards and open your dashboard.
2. Select Actions > Clone Dashboard.
3. Enter a title for the new dashboard.
4. Click Save.

The new dashboard displays.

Note: If you clone a shared custom dashboard, the cloned dashboard will have the
shared option disabled by default. See Sharing your Custom Dashboard for more
information.


To delete your custom dashboard

1. Go to Dashboards > Custom Dashboards and open your dashboard.
2. Select Actions > Delete Dashboard to open the delete dashboard dialog box.
3. Click Confirm.

Sharing your Custom Dashboard

USM Anywhere enables you to share the custom dashboards you have created. This option is
disabled by default.

Keep in mind that you cannot edit or delete a shared dashboard. Shared custom dashboards are
read-only dashboards. If you want to edit a shared custom dashboard, you have to clone it
beforehand. See To clone your custom dashboard for more information.

To share a new custom dashboard

1. Go to any dashboard.
2. Click Create Custom Dashboard.
3. Enter a title for your dashboard.

4. Select the Share Dashboard box to share your custom dashboard. This option is disabled by
default.

5. Add the number of rows you need and select the number of columns you want for each
row, between 1 and 4. You can select the row height (small, medium, or large) for each
column.
6. Click Save.

To share an existing custom dashboard

1. Go to Dashboards > Custom Dashboards and open the custom dashboard you want to
share.
2. Select Actions > Edit Dashboard.
3. Select the Share Dashboard box for sharing your custom dashboard.
4. Click Save.

To stop sharing a custom dashboard

1. Go to Dashboards > Custom Dashboards and open the custom dashboard you want to
stop sharing.
2. Select Actions > Edit Dashboard.

3. Deselect the Share Dashboard box to remove the option.


4. Click Save.

Example: Creating a Custom Widget on Dashboards

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to create and customize your own dashboards with the widgets
and content you need. In this example, you will create a dashboard with a widget that displays
events from a specific sensor.

USM Anywhere provides some widgets for events out of the box (for example, Events by
Application, Events by Severity, or Events by Source, to name a few). However, there is no
widget for events from a specific sensor. If you want to show events from a specific sensor on
your dashboard, you can create a custom widget by using a saved event view.

To create a widget for events from a specific sensor, you first need to filter the events and
save them in a view.

To save a view for events from a specific sensor

1. Go to Activity > Events.

2. Locate the Sensor filter on the left and click the sensor whose events you want to view.

The page reloads, showing only the events that originated from this sensor.

3. (Optional.) Add or adjust filters to limit the view further.


4. When you are satisfied, select Save View > Save as.
5. Enter a name for this view.
6. Select Share View if you want to share your view with other users.
7. Click Save.

You will use this name in the next procedure.

Edition: Creating custom dashboards is available in the Standard and Premium editions
of USM Anywhere.

See the Affordable pricing to fit every budget page for more information about the
features and support provided by each of the USM Anywhere editions.

You can now use the saved view in a widget on a custom dashboard.

To create a custom dashboard

1. Go to any dashboard.
2. Click Create Custom Dashboard.
3. Enter a title for your dashboard.
4. Use the Share Dashboard box for sharing your custom dashboard. This option is disabled
by default. See Sharing your Custom Dashboard for more information.
5. Add the number of rows you need and select the number of columns you want for each
row, between 1 and 4. You can select the row height (small, medium, or large) for each
column.

6. Click Save.

Your custom dashboard is created and displayed. The page appears empty because you
have not selected any widget yet.

7. On the widget that you want to configure, click the icon.

The Edit Widget dialog box opens.

8. From the Widget Type list, select Events to display more options.

9. In the Widget Data search field, enter events over time and click the Events over Time
widget.

The title field is automatically populated with the name of the widget. You can change the
title if you want.

10. From the Saved View Filter (Optional) list, select the view you have saved in the previous
procedure.

11. Click Save.

The page reloads displaying the widget you just configured.

USM Anywhere Best Practices


To get the most out of USM Anywhere, you need to optimize the management of your
environment by understanding USM Anywhere best practices and knowing which ones work
best for your setup. The following pages explain USM Anywhere best practices that can help
you to achieve this goal:

l USM Anywhere Scheduler Best Practices explains essential points and performance issues
associated with scheduled jobs that you must keep in mind when scheduling your jobs.

l USM Anywhere Scans Best Practices provides information about scans, types of scans, the
specific ways of running a scan, the right order for running scans so that you avoid duplicate
assets, and so on.

l Orchestration Rules Best Practices is where you can find useful recommendations when
creating an orchestration rule.

Asset Management
To get the most out of USM Anywhere, you must provide information about all the equipment in
your environment; each piece of equipment is identified by a unique identifier, its IP address.

Once the assets have been identified, there are several tasks that you must carry out. This
chapter describes the tasks needed to manage assets and asset groups, covering asset creation
and discovery, asset scans, vulnerability scans, scheduling scans, asset monitoring, and
analysis.

This topic discusses these subtopics:

Asset Administration in USM Anywhere 137

Asset Groups Administration 234

Asset Administration in USM Anywhere

Through USM Anywhere, you can configure asset management according to your needs.
Proper asset management is necessary to make the most of the entire USM Anywhere
functionality.

In USM Anywhere, an asset is a piece of equipment on the company's network that bears a
unique IP address. An asset can be a server, a router, a firewall, a printer, a PC, or any other
network-enabled device.

Note: You can watch the How to Use Asset Management in USM to Improve Network
Visibility customer training webcast on-demand to learn how to collect an accurate
asset inventory.

This topic includes these subtopics:

l Adding Assets
l Importing Assets from a CSV File
l Asset List View
l Selecting Assets in Asset List View
l Searching Assets
l Running Asset Scans
l Running Authenticated Asset Scans
l Scheduling Asset Scans from Assets
l Scheduling Authenticated Asset Scans from Assets
l Adding AlienApps to an Asset
l Viewing Assets Details
l Events Created When an Asset Stops Sending Data
l Managing Asset Fields
l Deleting the Assets
l Editing Assets
l Create an Assets Report

Adding Assets

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides different ways to add your assets:

l Asset Discovery
l Adding Assets by Using the Setup Wizard
l Adding Assets in the UI
l Adding Assets Through a CSV File

Asset Discovery
USM Anywhere discovers assets automatically if you have a cloud provider (for example,
Amazon Web Services [AWS] or Microsoft Azure) or a hypervisor management API (for
example, VMware ESX). After deploying the sensor and applying the API credentials, USM
Anywhere discovers assets in these environments. See Running an Asset Discovery for more
information.

Note: Assets discovered automatically may occasionally be labeled "inactive". This label
reflects the asset's state in your environment according to your provider. Please see
your provider's documentation for an explanation of how they define and detect asset
inactivity.

Assets added through other means are always labeled "active".

Note: Asset discovery scans can generate assets for hosts that do not exist when
traversing certain network devices. See the Asset Discovery creates an Asset for each IP
address in a network range article for more information.

Important: Make sure when you use a virtual private network (VPN) using a Cisco
Firewall, that arp-proxy is enabled in the firewall. Otherwise, all the assets will be
reported using the same media access control (MAC) address, and USM Anywhere will
consider all of them to be different interfaces for the same asset.
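The following script is an added illustration of the two notes above; it is not USM Anywhere code. It sizes a CIDR block before you hand it to a discovery scan (discovery creates an asset per responding address, so an oversized block floods the inventory), and it shows how a scan in which every host answers with the firewall's MAC address collapses into a single asset with many interfaces, which is the symptom the guide describes when arp-proxy is not enabled. The grouping rule, the `MAX_HOSTS_PER_SCAN` limit, the `proxy_arp_suspects` threshold and the (IP, MAC) scan tables are assumptions constructed for this example.

```python
"""Model of the proxy-ARP caveat in asset discovery (added example, not
USM Anywhere code). Expands a Setup Wizard CIDR block, then groups constructed
scan results by MAC address the way the guide says USM Anywhere does: one MAC
means one asset, so N hosts behind a firewall that reports its own MAC for all
of them become one asset with N interfaces. Thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed operational limit: above this many probed hosts, split the block.
MAX_HOSTS_PER_SCAN = 4096


def hosts_in_block(cidr: str) -> List[str]:
    """Expand a CIDR block into the host addresses a discovery scan probes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(host) for host in net.hosts()]


def scan_plan(cidr: str) -> Tuple[int, str]:
    """Return (host count, warning) so the operator can size a scan first."""
    count = len(hosts_in_block(cidr))
    if count > MAX_HOSTS_PER_SCAN:
        return count, f"{cidr} has {count} hosts; split it into smaller blocks"
    return count, ""


def assets_from_scan(results: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group discovered (ip, mac) pairs into assets keyed by MAC address."""
    assets: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in results:
        assets[mac.lower()].append(ip)
    return dict(assets)


def proxy_arp_suspects(assets: Dict[str, List[str]], threshold: int = 3) -> List[str]:
    """MACs owning `threshold` or more IPs: likely one device answering for all."""
    return sorted(mac for mac, ips in assets.items() if len(ips) >= threshold)


# Constructed scan results (not real data): the same /29 seen with distinct
# MACs, and seen through a firewall that reports its own MAC for every host.
HEALTHY_SCAN = [
    ("10.0.5.1", "00:11:22:33:44:01"),
    ("10.0.5.2", "00:11:22:33:44:02"),
    ("10.0.5.3", "00:11:22:33:44:03"),
]
COLLAPSED_SCAN = [(ip, "AA:BB:CC:DD:EE:FF") for ip, _ in HEALTHY_SCAN]

if __name__ == "__main__":
    print(scan_plan("10.0.5.0/29"))
    print(scan_plan("10.0.0.0/16"))
    for label, scan in (("healthy", HEALTHY_SCAN), ("collapsed", COLLAPSED_SCAN)):
        assets = assets_from_scan(scan)
        print(label, len(assets), "asset(s); suspects:", proxy_arp_suspects(assets))
```

If an asset in your inventory shows dozens of interfaces that are all different hosts, check the firewall's arp-proxy setting before deleting or editing the asset: the merge will simply recur on the next discovery scan.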

Adding Assets by Using the Setup Wizard


The Setup Wizard is available on USM Anywhere when the sensor is not configured and is
displayed after each login. This wizard includes the initial tasks for getting USM Anywhere
ready for deployment. As a result, the wizard collects as much data as possible to analyze and
identify threats in your environment.

There are two ways to add assets to scan when using the Setup Wizard: by adding individual
assets, or by using network ranges to add multiple assets.

Adding Individual Assets to Scans

The asset discovery option in the Setup Wizard enables you to add individual assets to scans.

To add individual assets using the Setup Wizard

1. Inside the Setup Wizard, click Asset Discovery.

2. Enter an asset name and either an IP address, or a fully qualified domain name (FQDN).

3. Click Save.

Adding Multiple Assets to Scans Using a Network Range

The asset discovery option in the Setup Wizard enables you to add multiple assets in a
network range to scans.

To add multiple assets in a network range using the Setup Wizard

1. Inside the Setup Wizard, click Asset Discovery.

2. Click Scan Networks.

3. Enter a network name and a Classless Inter-Domain Routing (CIDR) block to specify the
subnet's IP address block that you want to scan.

4. If you have more than one sensor configured in your environment, you need to select a
sensor.

By default, the Scan this network daily to discover new assets and services checkbox is
selected. This option schedules a daily discovery scan of the network you add from the
wizard.

5. Click Scan.

The duration of the scan depends on the size of the network range; larger ranges take
longer to scan.

After the process finishes and the scan is completed, the number of assets found is
displayed. These assets are automatically added to USM Anywhere. In addition, a dynamic
asset group is automatically created with these assets.

6. Click Scan Another to start a new scan, or click Next to continue with the following
screen.

To add assets by scanning your network

1. Go to Data Sources > Sensors.


2. Click the USM Anywhere Sensor with which you want to scan the network.
3. Click Asset Discovery.

4. Click Yes to scan the network.

This step may be different depending on the sensor you have installed.

Note: This option is not available for AWS Sensors because the instances are
discovered automatically through the AWS API.

After the process finishes and the scan completes, you can see the number of assets
found. These assets are automatically added to USM Anywhere. In addition, a dynamic
asset group is automatically created with these assets.

5. Click Scan Another to start a new scan or click Next to continue with the following
screen.

Adding Assets in the UI


Adding assets in the user interface (UI) enables you to manually add an asset. To do this, you
must know the IP addresses of the assets.

There are two methods of manually adding assets through the UI:

l The quick method, by adding the asset name and either an IP Address or FQDN, and then
selecting a USM Anywhere Sensor.
l The advanced method, which requires more data related to the asset that you are adding.

To add a new asset using the quick method

1. Go to Environment > Assets.

2. In the upper right side of the page, select Actions > Quick to display the following fields
above the asset list:

3. Enter the asset name and either the IP address or FQDN in the text boxes displayed above
the asset list.

Click the icon to display the rules that a valid FQDN must satisfy.

4. If you have more than one USM Anywhere Sensor connected, select the sensor from the
drop-down menu.

By default, the Scan the newly added asset for asset details checkbox is selected. This
option scans the newly added asset; whether the option is displayed depends on your sensor.
See Running Asset Scans When Creating a New Asset for more information.

5. Click Save.

To add a new asset using the advanced method

1. Go to Environment > Assets.

2. In the upper-right side of the page, select Actions > Advanced.

3. Enter the information in each field.

Add the data of the fields that need to be added, as described in the following table.

Fields in the Create New Asset window

Field                                  Meaning

Name                                   Name that identifies the asset.

Description                            A short description of the asset.

Sensor                                 Select the sensor you want to associate with the asset.

Logo                                   Symbol that represents the asset.

Asset Type                             (Optional.) Device type that identifies the asset. Select an
                                       option from the list. See USM Accepted Asset Types for more
                                       information.

Time Zone                              Time zone configured for your USM Anywhere instance (default
                                       is Coordinated Universal Time [UTC]).

Prevent Remote Scanning                Select this field to avoid remote scanning. This option
                                       displays depending on your deployed sensor.

Scan the newly added asset for         By default, this field is selected. Use it to scan the newly
asset details                          added asset. See Running Asset Scans When Creating a New
                                       Asset for more information. This option displays depending
                                       on your deployed sensor.

Compliance Scope                       To include the asset in the Payment Card Industry Data
                                       Security Standard (PCI DSS) asset group, the Health
                                       Insurance Portability and Accountability Act (HIPAA) asset
                                       group, or both, select the corresponding checkboxes. See
                                       Using USM Anywhere for PCI Compliance and USM Anywhere
                                       Compliance Templates for more information.

Owner                                  (Optional.) Free text field to add an owner of the asset.

Network Interfaces                     IP Address. IP address assigned to the asset.
                                       MAC Address. MAC address assigned to the asset.
                                       FQDN. Fully qualified domain name.

Important: You must enter at least one of the three fields in Network Interfaces.
These fields are highlighted when the values are not valid.

Note: USM Anywhere refreshes the PCI DSS and HIPAA asset groups every hour. If you select
a Compliance Scope option, the asset appears in the corresponding asset group after the
next refresh.

4. Click Save.

Adding Assets Through a CSV File


USM Anywhere enables you to add assets through a CSV file. This option adds assets in large
quantities to your environment. See Importing Assets from a CSV File for more information.

To add assets through a CSV file

1. Go to Environment > Assets.

2. Select Actions > Import Assets.

The import assets dialog box opens.

3. Drop your CSV file or select the file from your desktop.
4. Select a sensor if you have more than one sensor configured in your environment.
5. Click Import.

Importing Assets from a CSV File

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to import several assets from a comma-separated values (CSV)
file. Use this option to add assets in large quantities to your environment from a single file.
This file needs to follow a specific format.

Warning: If the file does not follow the specific format, the assets will not be imported.
See About the CSV File for more information.

To import assets from a CSV file

1. Go to Environment > Assets.


2. Click Actions > Import Assets to open the Import Assets dialog box.

Note: If there is an asset inside the CSV file that has the same IP address or fully
qualified domain name (FQDN) of an asset that already exists in your environment,
or if there are any fields that are not valid, the new asset is not added.

3. Drop your file or select the file from your desktop.

Once you select a file, the name of the file displays, and the Import button is active.

If you have more than one sensor configured in your environment, you need to select a
sensor.

4. Click Import, and the process starts.


You can see the status of the process, how many assets have been processed or are
pending, or which assets were not imported. In the About the CSV File section, there is a
table where you can see the import errors and the reasons for which an asset has not
been imported.

Warning: Due to some browser limitations, your CSV file may only successfully import if
it is in a .txt file format. If you click Import and no process begins, you may need to save
your .csv as a .txt file for it to successfully import. This is a known issue for users
operating in Firefox but may impact any browser.

Note: When an import process starts and finishes, USM Anywhere generates system
events. See Searching for System Events Related to an Asset Import Process for more
information.

About the CSV File


The CSV file must use this format; no other fields are allowed:

Asset Name;Description;Asset Type;PCI;HIPAA;IP Address,FQDN;IP Address,FQDN;[...]

l The [...] indicates that you can repeat "IP Address,FQDN" as many times as needed.

l If you need to skip a field, leave that field blank (with no value or space). This will result in
two semicolons next to each other.
For example, if you need to skip the PCI value, your CSV file will look like the following:

Asset Name;Description;Asset Type;;HIPAA;IP Address,FQDN;IP Address

While other fields can be skipped, you must provide at least one IP address or FQDN value that
is valid for USM Anywhere.

Important: Do not include a header line in the CSV file because it will result in an error of
invalid format.

The following table shows some examples of IP addresses and FQDNs.

Examples of IP Addresses and FQDNs

Example                    Valid / Invalid

1.1.1.1                    Valid

,my.domain.com             Valid

1.1.1.1, my.domain.com     Valid

my.domain.com              Invalid

Please note the following:

l There must be only one asset per row.


l You can import all the files you need, but only one at a time.
l The maximum number of network adapters per asset is limited to 30.
l The maximum number of lines in the CSV file is 200,000.
l The maximum size of the CSV file is 25 MB.
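The following script is an added worked example, not code from USM Anywhere, that builds and checks rows against the format rules listed above before you upload the file, so a bad row is caught locally instead of being skipped by the import. The FQDN pattern, the header detection and the sample rows are assumptions constructed for the example; the guide does not define the accepted PCI and HIPAA values, so those two columns are not validated.

```python
"""Build and validate asset-import CSV rows for USM Anywhere (added example,
not part of USM Anywhere or its documentation). Encodes the rules stated in the
guide: fields separated by ';' in the order
Asset Name;Description;Asset Type;PCI;HIPAA;IP Address,FQDN;... with no header
line, one asset per row, at least one valid IP address or FQDN per asset, at
most 30 interfaces per asset, and at most 200,000 lines / 25 MB per file.
Assumptions: the FQDN pattern (the guide shows its rules only in a tooltip);
the PCI and HIPAA values are not checked because the guide does not define them."""
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

MAX_INTERFACES = 30
MAX_LINES = 200_000
MAX_BYTES = 25 * 1024 * 1024

# Assumed FQDN rule: two or more dot-separated labels of letters, digits and
# hyphens, with no label starting or ending in a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_interface(field: str) -> Optional[str]:
    """Validate one 'IP Address,FQDN' field; return an error message or None.
    A bare IP is accepted, a bare FQDN is not: the comma is mandatory, so an
    FQDN-only interface must be written ',my.domain.com'."""
    if "," not in field:
        return None if is_ip(field.strip()) else (
            f"interface {field!r} must be 'IP,FQDN' (write ',FQDN' for FQDN only)")
    ip, fqdn = (part.strip() for part in field.split(",", 1))
    if not ip and not fqdn:
        return "interface has neither IP address nor FQDN"
    if ip and not is_ip(ip):
        return f"invalid IP address {ip!r}"
    if fqdn and not FQDN_RE.match(fqdn):
        return f"invalid FQDN {fqdn!r}"
    return None


def check_row(line: str) -> List[str]:
    """Return every format error in one CSV row (empty list if the row is OK)."""
    if line.startswith("Asset Name;"):
        return ["header line present; the import rejects files with a header"]
    fields = line.split(";")
    if len(fields) < 6:
        return ["row needs at least 6 fields: 5 attributes plus one interface"]
    name, _description, _asset_type, _pci, _hipaa, *interfaces = fields
    if interfaces and interfaces[-1] == "":
        interfaces = interfaces[:-1]  # a trailing ';' is allowed
    errors: List[str] = []
    if not name.strip():
        errors.append("Asset Name is empty")
    if not interfaces:
        errors.append("at least one IP address or FQDN is required")
    if len(interfaces) > MAX_INTERFACES:
        errors.append(f"{len(interfaces)} interfaces exceeds the limit of {MAX_INTERFACES}")
    errors.extend(err for err in map(check_interface, interfaces) if err)
    return errors


def validate_csv(text: str) -> List[Tuple[int, str]]:
    """Validate a whole file; returns (line number, error) pairs, 0 = whole file."""
    problems: List[Tuple[int, str]] = []
    if len(text.encode("utf-8")) > MAX_BYTES:
        problems.append((0, "file exceeds 25 MB"))
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        problems.append((0, f"file has {len(lines)} lines; the limit is {MAX_LINES}"))
    for number, line in enumerate(lines, 1):
        if line.strip():
            problems.extend((number, err) for err in check_row(line))
    return problems


def build_row(name: str, interfaces: Sequence[Tuple[str, str]], description: str = "",
              asset_type: str = "", pci: str = "", hipaa: str = "") -> str:
    """Assemble one row. Blank fields stay blank so the column order holds; a ';'
    inside any value would shift every following column, so it is rejected."""
    attributes = [name, description, asset_type, pci, hipaa]
    if any(";" in v for v in attributes + [p for pair in interfaces for p in pair]):
        raise ValueError("';' is the field separator and cannot appear in a value")
    row = ";".join(attributes + [f"{ip},{fqdn}" for ip, fqdn in interfaces])
    errors = check_row(row)
    if errors:
        raise ValueError("; ".join(errors))
    return row


# Constructed sample file (not real inventory): two valid rows, an FQDN written
# without its leading comma, and a header line that must not be there.
SAMPLE_CSV = "\n".join([
    "web-01;Front web server;Server;;;10.0.1.10,web-01.example.com;10.0.2.10",
    "db-01;;;;;,db-01.example.com",
    "bad-01;;;;;db-01.example.com",
    "Asset Name;Description;Asset Type;PCI;HIPAA;IP Address,FQDN",
])
```

Run `validate_csv` over the file you are about to upload; it reports line 3 and line 4 of the sample above. Keep in mind that a semicolon inside a description silently shifts every later column, which is why `build_row` refuses it.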

Searching for System Events Related to an Asset Import Process


USM Anywhere generates system events when an import process starts and finishes.

To look for system events related to an import process

1. Go to Settings > System Events.

2. Locate the Event Name filter.

3. Select one of these filters:


l Asset Import Process Finished: This option displays the system events generated
when the assets import process from a CSV file finishes.
l Asset Import Process Started: This option displays the system events generated
when the assets import process from a CSV file starts.

The result of your search displays.

Asset List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view of your assets. Go to Environment > Assets to
see this centralized view.

The Assets page displays asset inventory and information on those assets. These are the
different parts of the Assets page:

l On the left side of the page are the search and filters options. Use filters to delimit your
search.

l At the top of the page, you can see any filters you have applied, and you have the option to
create and select different views of the assets.

l The main part of the page is the list of assets, where each row describes an individual
asset. Click an asset to open its details. See Viewing Assets Details for more information.
Each asset includes a check box that you can use to select it. You can select all assets in
the same page by clicking the check box in the first column of the header row. You can
also select all the assets in the system. See Selecting Assets in Asset List View for more
information.

If you want to analyze the data and see the additional columns without having to scroll left
and right, you can maximize the screen and hide the filter pane. Use the icon to hide or
expand the filter pane.

Refreshing the page


USM Anywhere gives you the option of refreshing the page manually by clicking the icon.

Assets List Columns

Role Availability Read-Only Investigator Analyst Manager

For each asset in the list, USM Anywhere displays useful information to help you manage
that asset.

The following table lists the fields you see on the page.

List of the Default Columns in Assets

Column Field Name        Description

Asset Name               Name of the asset.

Agent Type               Platform of the agent. This column displays when you open the Asset List
                         View page from the Agents page.

Agent Version            Version of the agent. This column displays when you open the Asset List
                         View page from the Agents page.

FQDN                     Fully qualified domain name.

IP Addresses             IP address for the asset.

Sensor                   USM Anywhere Sensor name associated with the asset. The type of sensor is
                         also displayed below the sensor name.

Jobs                     Number of scheduled jobs. This column is not displayed when you open the
                         Asset List View page from the Agents page.

Asset Type               Device type that identifies the asset. Select an option from the list (see
                         USM Accepted Asset Types for more information). This column is not
                         displayed when you open the Asset List View page from the Agents page.

Alarm Counter            Number of alarms detected on the asset.

Event Counter            Number of events related to the asset.

Vulnerabilities Counter  Number of vulnerabilities detected on the asset.

Config Issues            Number of configuration issues related to the asset. This option is only
                         available for Amazon Web Services (AWS) and Microsoft Azure sensors.

Updated                  Date on which the asset was updated. The displayed date depends on your
                         computer's time zone.

Important: The alarm and event counts are not updated in real time; they are recalculated
every hour. If the counts appear out of date, new events or alarms have arrived in your
environment since the last calculation.

Important: The vulnerability and configuration issues counts are updated after every
scan.

From the list of assets, you can click any individual asset row to display more information on
the selected asset, including how many alarms, events, vulnerabilities, or configuration issues
are related to that asset. See Viewing Assets Details for more information.

Each asset includes a check box that you can use to select it. You can select all assets in the
same page by clicking the check box in the first column of the header row. You can also select
all the assets in the system. See Selecting Assets in Asset List View for more information.

The padlock icon next to the asset indicates whether a credential is assigned to the asset.
See Managing Credentials in USM Anywhere for more information.

You can choose the number of items to display by selecting 20, 50, or 100 below the table.
You can sort some columns in ascending or descending order by clicking the icons to the right
of the heading.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking the
icon. This displays all of your bookmarked items and provides direct links to each of them.

Use Layout to choose the view you want. You can see the assets in a list view or in a grid
view.

Click Generate Report to open the Configure Report dialog box. See Create an Assets Report
for more information.

Click the icon to access these options:

l Find in Events: Use this option to execute a search of the asset name in the Events page.
See Searching Events for more information.
l Look up in OTX: This option searches the IP address of the asset in the OTX page. See
Using OTX in USM Anywhere for more information.
l Full Details: See Viewing Assets Details for more information.
l Configure Asset: See Editing Assets for more information.
l Delete Asset: See Deleting the Assets for more information.
l Assign Credentials: See Managing Credentials in USM Anywhere for more information.
l Authenticated Scan: This option displays depending on the USM Anywhere Sensor associated
with the asset. See Running Authenticated Asset Scans for more information.

l Scan with AlienApp: This option enables you to run an asset scan through an AlienApp.
See Running Asset Scans Using an AlienApp for more information.
l Run Scan: This option displays depending on the USM Anywhere Sensor associated with
the asset. See Running Asset Scans for more information.
l Configuration Issues: This option opens the Assets Details page. The Configuration Issues
tab is selected in the page. See Viewing Assets Details for more information.
l Vulnerabilities: This option opens the Assets Details page. The Vulnerabilities tab is
selected in the page. See Viewing Assets Details for more information.
l Alarms: This option opens the Assets Details page. The Alarms tab is selected in the page.
See Viewing Assets Details for more information.
l Events: This option opens the Assets Details page. The Events tab is selected in the page.
See Viewing Assets Details for more information.

In the upper-left corner of the page, there is the Actions button.

Important: You need to select one or more assets to activate the options of the Actions
button. Some options are grayed out if no asset is selected. See Selecting Assets in Asset
List View for more information.

The Actions button includes these options:

l Quick: Use this option to add the asset name and either an IP address or FQDN, and then
select a USM Anywhere Sensor. See Adding Assets in the UI for more information.

l Advanced: Use this option to add an asset. This method requires more data related to the
asset that you are adding. See Adding Assets in the UI for more information.

l Import Assets: Use this option to add several assets through a CSV file. See Importing
Assets from a CSV File for more information.

l Delete selected: See Deleting the Assets for more information.


l Edit Fields: See To assign asset fields to an asset or group of assets for more information.
l Assign Credentials: See Managing Credentials in USM Anywhere for more information.
l Assign Agent Profile: See Assigning AlienVault Agent Configuration Profiles to Assets for
more information. This option is available for users whose role is Manager.
l Set Sensor: See To assign a sensor to an asset or a set of assets for more information.
l Set Compliance Scope: See Working with Assets and PCI DSS for more information.
l Add to Asset Group: See Creating an Asset Group for more information.
l Manage Columns: See Configuring Columns on Assets for more information.
l Configure Filters: See Managing Filters for more information.

Configuring Columns on Assets

Role Availability Read-Only Investigator Analyst Manager

Within the page, you can configure the columns and fields that display in the List view. You
can also save your columns configuration to return to it whenever you need it.

To configure your columns

1. From the assets list view, select Actions > Manage Columns.

The Columns Configuration dialog box opens.

2. Search the columns you want to have in the list view. You can enter your search in the
search field.

Click the icon of an available column to modify the name of the column.

3. Use the arrow icons to move items from one column to the other and select the columns
you want to see.

4. You can order the columns by clicking one of them and dragging the column to the
desired place.

5. Click Apply.

Note: If you generate a report when you have set custom columns, your report keeps
the columns you have configured.

Important: If you want to keep your configuration, you need to save it by selecting
Save View > Save as. Otherwise, your custom view is not kept when you move to
another feature. See Assets Views for more information.

Assets Views

Role Availability Read-Only Investigator Analyst Manager

You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, select Actions > Manage Columns.


2. Use the arrow icons to move items from one column to the other and select the columns
you want to see.


3. Click Apply.
4. If you want to delimit the search, select the filters you want to apply.

5. Go to Save View > Save As.

The Save Current View dialog box opens.

6. Enter a name for the view.


7. Select Share View if you want to share your view with other users.
8. Click Save.

The created view is already selected.

To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.

Note: A shared view includes the icon next to its name.

3. Click Apply.

To delete a configured view

1. From the Assets list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can delete only the views you have created.

3. Click Accept.

Important: The delete icon is not displayed for the view that is currently selected.

Report Templates in Assets

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes a wide range of report templates classified according to the
compliance templates for alarms, vulnerabilities, and events collected in the system. The
templates are combined into these two groups:

l NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity
Framework provides a policy framework of computer security guidance for how private sector
organizations can assess and improve their ability to prevent, detect, and respond to cyber
attacks.
l ISO 27001: ISO/IEC 27001 provides guidance for implementing information security controls
to achieve a consistent and reliable security program. The ISO and the International
Electrotechnical Commission (IEC) developed 27001 to provide requirements for an information
security management system (ISMS).

To apply a report template

1. Go to Environment > Assets.


2. From the Assets list view, click View above the filters and select Report Templates.

3. Select a report.

You can use the search field or scroll down the list.


4. Click Apply.

The result displays with the filters applied.

Selecting Assets in Asset List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to select an asset or multiple assets for export (see Create an
Assets Report), and you can use the options you find under the Actions button (see Asset List
View).


To select a single asset

l Select the check-box to the left of the asset.

To select multiple assets

l Select the check-box of each asset that you want to include.


l You can go to the next page and select more assets. Keep in mind that USM Anywhere
does not preserve the selection on the previous page. If you want to select assets that are
displayed in different pages, you can create an asset group. See Creating an Asset Group
for more information.

To select all the assets on the same page

l Select the check-box in the first column of the header row.


To select all the assets returned from a search or all the assets in your environment

1. Select all the assets on the page.

Text similar to the following example displays above the asset table:

All 20 assets on this page are selected. Select all 904 related to this filter

where 904 is the number of assets in the system.

2. To select all the assets, click Select all 904 related to this filter.

Searching Assets

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes the option of searching items of interest on the page. There are
several filters displayed by default. You can either filter your search or enter what you are
looking for in the search field.


You can configure more filters and change which filters to display by clicking the Configure
Filters link located in the upper-left side of the page. See Managing Filters for more
information.

The following table lists the filters you see on the page.

Filters Displayed by Default in the Main Assets Page

Filter Name and Meaning

Advanced Search: Use this filter to search for a specific value of a field. See Advanced Search Filter for more information.

Stats: Filter assets having events, alarms, vulnerabilities, or configuration issues.

Sensor: Filter assets by the associated USM Anywhere sensor.

Asset Origin Type: Filter assets by who added the asset to the system.

Group Membership: Filter assets by the associated group.

Instance Type: (Only for the Amazon Web Services [AWS] Sensor.) Filter assets by AWS instance type.

Region: (Only for the AWS Sensor.) Filter assets by AWS region.

Operating System: Filter assets by operating system (OS).

Asset Type: Filter assets by asset type. See USM Accepted Asset Types for more information.

The number in brackets displayed next to each filter value indicates the number of items that match that filter. You can also use the filter controls to organize your search and filtered results.

The following table shows the icons displayed with each filter box.

Icons Next to the Filter Title

Icon Meaning

Sort the filter values alphabetically.

Sort the filter values by the number of items that match them.


In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.

Note: When applying filters, the search uses the logical AND operator if the used filters
are different. However, when the filter is of the same type, the search uses the logical
OR operator.
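As an added example that is not part of the guide, the following Python models that combination rule (OR inside one filter, AND across filters), together with the Not operator the advanced mode offers (see Standard and Advanced Modes on Assets below), over a constructed sample inventory. The asset records and the function names are assumptions made for this example, not USM Anywhere data or API.

```python
"""Added example, not from the USM Anywhere guide: how the Assets page combines
filters. Values chosen under the same filter are ORed, different filters are
ANDed, and in advanced mode a filter can be negated with Not. The inventory
below is constructed sample data and the function names are my own."""
from collections import Counter
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed inventory: each record carries the fields behind the default
# filters. Group Membership is a set because an asset can be in several groups.
SAMPLE_ASSETS: List[Dict[str, object]] = [
    {"name": "web-01", "Sensor": "sensor-dc1", "Operating System": "Linux",
     "Asset Type": "Host", "Group Membership": {"PCI"}},
    {"name": "web-02", "Sensor": "sensor-dc1", "Operating System": "Linux",
     "Asset Type": "Host", "Group Membership": {"PCI", "HIPAA"}},
    {"name": "db-01", "Sensor": "sensor-dc2", "Operating System": "Linux",
     "Asset Type": "Host", "Group Membership": {"HIPAA"}},
    {"name": "win-fs", "Sensor": "sensor-dc2", "Operating System": "Windows",
     "Asset Type": "Host", "Group Membership": set()},
    {"name": "core-sw", "Sensor": "sensor-dc1", "Operating System": "Cisco IOS",
     "Asset Type": "Network Device", "Group Membership": set()},
]


def _values_of(asset: Dict[str, object], field: str) -> Set[str]:
    """Normalise a single value or a collection of values to a set of strings."""
    raw = asset.get(field)
    if raw is None:
        return set()
    if isinstance(raw, (set, frozenset, list, tuple)):
        return {str(v) for v in raw}
    return {str(raw)}


def matches(asset: Dict[str, object], filters: Dict[str, Set[str]],
            negated: FrozenSet[str] = frozenset()) -> bool:
    """Return True when the asset satisfies every selected filter.

    Within one filter the selected values are ORed (any overlap counts);
    across filters the results are ANDed. A filter named in `negated`
    behaves like the advanced mode's Not: the asset must match none of
    that filter's selected values.
    """
    for field, wanted in filters.items():
        hit = bool(_values_of(asset, field) & wanted)  # OR inside one filter
        if field in negated:
            hit = not hit                              # Not operator
        if not hit:                                    # AND across filters
            return False
    return True


def apply_filters(assets: List[Dict[str, object]], filters: Dict[str, Set[str]],
                  negated: FrozenSet[str] = frozenset()) -> List[str]:
    """Names of the assets that survive the filter set, in inventory order."""
    return [str(a["name"]) for a in assets if matches(a, filters, negated)]


def filter_counts(assets: List[Dict[str, object]], field: str,
                  by_count: bool = False) -> List[Tuple[str, int]]:
    """The bracketed numbers shown next to each value of a filter.

    by_count=False sorts alphabetically; by_count=True sorts by the number of
    matching assets (ties alphabetically), mirroring the two sort icons.
    """
    counter: Counter = Counter()
    for asset in assets:
        counter.update(_values_of(asset, field))
    key = (lambda kv: (-kv[1], kv[0])) if by_count else (lambda kv: kv[0])
    return sorted(counter.items(), key=key)


if __name__ == "__main__":
    # Linux OR Windows (same filter), then Linux AND sensor-dc1 (two filters).
    print(apply_filters(SAMPLE_ASSETS, {"Operating System": {"Linux", "Windows"}}))
    print(apply_filters(SAMPLE_ASSETS, {"Operating System": {"Linux"},
                                        "Sensor": {"sensor-dc1"}}))
    # Linux AND NOT sensor-dc1, as the advanced mode's Not would express it.
    print(apply_filters(SAMPLE_ASSETS, {"Operating System": {"Linux"},
                                        "Sensor": {"sensor-dc1"}},
                        negated=frozenset({"Sensor"})))
    print(filter_counts(SAMPLE_ASSETS, "Group Membership", by_count=True))
```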

Those filters that have more than 10 options include a Filter Values search field for writing text and making the search easier. If there are more than 50 search results, an icon appears to the right of the Filter Values search field. Click this icon to download a CSV containing up to 1024 results.


Managing Filters

Role Availability Read-Only Investigator Analyst Manager

There are many more filters available beyond those that are shown on the Assets page by
default. You can configure the filters you want to display by clicking the Configure filters link,
which is located in the upper-left corner of the page.


To add or delete filters from the Search and Filters area

1. Go to Environment > Assets.

2. In the upper-left side of the page, click the Configure Filters link.

The filters configuration dialog box opens.


3. Search for the filters you want to have in the list view. You can enter your search in the search field.

4. Use the and icons to move the items from one column to the other and select the filters you want to see.

5. Click Apply.

To save a filter configuration

1. From the Asset List view, select the filters you want to see.

2. Select Save View > Save as.

The Save Current View dialog box opens.


3. Enter a name for the view.


4. Select Share View if you want to share your view with other users.

5. Click Save.

The created view is already selected.

Note: If you have changed the configuration of the assets columns, this
configuration will also be saved together with the filter configuration. See Assets
Views for more information.

Advanced Search Filter

Role Availability Read-Only Investigator Analyst Manager

The Advanced Search filter enables you to enter a search value on a selected field.

The following table shows the filter fields that you can find in the first drop-down list.

Advanced Search Fields (First Drop-Down List)

Filter Name and Meaning

Name: Filter assets by the name of the asset.

Description: Filter assets by the asset description.

UUID: Filter assets by the universally unique identifier (UUID).

IP/CIDR: Filter assets by IP and Classless Inter-Domain Routing (CIDR). CIDR is a method for allocating IP addresses and routing IP packets; the CIDR block is the range of IP addresses that defines the network.

FQDN: Filter assets by Fully Qualified Domain Name (FQDN).

Asset Type: Filter assets by asset type.

Instance Type: Filter assets by instance type.

Region: Filter assets by region.

Operating System: Filter assets by operating system.

Service: Filter assets by service.

Software: Filter assets by software.

Associated Plugin: Filter assets by the plugin associated with the asset.

Alarm Counter: Filter assets by the number of alarms.

Event Counter: Filter assets by the number of events.

Vulnerability Counter: Filter assets by the number of vulnerabilities.

Configuration Issue Counter: Filter assets by the number of configuration issues.

PCI Asset: Filter assets by Payment Card Industry (PCI) Asset, that is, whether the asset is included in the PCI Data Security Standards (DSS) Asset Group. See Asset Group List View and Working with Assets and PCI DSS for more information.

HIPAA Asset: Filter assets by Health Insurance Portability and Accountability Act (HIPAA) Asset, that is, whether the asset is included in the HIPAA Asset Group. See Asset Group List View for more information.

Custom User Fields: Filter assets by the fields you have created. If you have not created fields, this filter does not display.

Note: The result of a search when you use the Alarm Counter filter or the Event Counter
filter depends on if an alarm or an event can identify the source or destination as an
asset in the inventory. Your environment can have alarms or events associated with
assets both included in the inventory and those not included in the inventory. Assets
included in the inventory display their names in blue, and assets not included in the
inventory display their names in gray. The alarm and event counter filters only count the
identified (blue) assets.


Important: The alarm and event counts are not updated in real time but are calculated every hour. If the counts appear out of date, new events or alarms may have arrived in your environment after the last count.

The following table shows the operators that you can find in the second drop-down list.

Advanced Search Fields (Second Drop-Down List)

Operator and Meaning

>: Greater than.

>=: Greater than or equal to.

<: Less than.

<=: Less than or equal to.

Equal: Equal to.

IP Range: Range of IP addresses.

Is Empty: Include assets with no IP addresses. This operator is available only for IP/CIDR.

Is Not Empty: Include assets with IP addresses. This operator is available only for IP/CIDR.

Like: Search for the specified pattern.

Not Equal: Not equal to.

Important: Some filters don't include the NOT operator (for example, Services or Software).

Not Like: Not true (the specified pattern is not matched).

The following table shows the operators that you can include in your query string.

Use the search field to enter queries and refine your search. You can enter free text, use wildcards, and use advanced search syntax. When searching, keep in mind the accepted query string syntax listed in this table.

Accepted Query String Syntax

Standard query with a blank space between terms
  Meaning: By default, a space between query terms is considered an implicit "OR".
  Example: denylist malicious

Literal, using double quotes ""
  Meaning: Matches fields that contain the full term. Literal searches are case-sensitive.
  Note: This type of query will not match any searches in the raw log unless the phrase included in double quotes is an exact and complete match to the contents of the raw log.
  Note: IP addresses and FQDNs are considered literal searches, so they don't require quotation marks.
  Example: "Event from asset not received"

Boolean operators or using parentheses: AND, OR, NOT, ( )
  Meaning: Including AND or OR between two search terms will search for results that match both of those terms. Including NOT between two search terms will exclude results that match the second term, even though they otherwise match your query. Parentheses can be used to group terms for higher precedence relative to the rest of your query. Parentheses are also used to designate subsearches.
  Example: (http OR tcp) AND ftp

Wildcards, asterisk (*)
  Meaning: Appending an asterisk to the end of a term within your query will search for results that begin with your search term. An asterisk cannot be used at the beginning of a search query.
  Example: instance*

Wildcards, question mark (?)
  Meaning: Embedding a question mark in the middle of a term will search for results that otherwise match your query, no matter the value in the position held by the question mark in your search term. A question mark cannot be used at the beginning of a search query.
  Example: qu?ck

Regular expression (regex), using /expression/
  Meaning: Regular expression inside forward slash characters. A dialog box opens to confirm the search.
  Note: The characters ", *, ?, (, and ) are special characters in expressions. If you want to search for these characters, you need to manually escape them by preceding them with a backslash.
  Example: /Describe.*Instances/

OTX pulse
  Meaning: Pulses are collections of Indicators of Compromise (IOCs). Enter the word pulse followed by a colon and the pulse ID or URL.
  Example: pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be
escaped. The reserved characters are these:

+-=&|><!{}[]^"~:\/

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).
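The following Python, added here as an example and not part of the guide, builds query strings that follow the syntax rules above: it backslash-escapes the reserved characters, quotes multi-word literals, rejects wildcard terms that start with * or ?, and composes Boolean, regex, and OTX pulse terms. The function names are my own; the sample values are the ones listed in the table (the pulse ID is the page's own example).

```python
"""Added example, not from the USM Anywhere guide: a small builder that turns
user-supplied values into a query string obeying the Accepted Query String
Syntax rules. Reserved characters are backslash-escaped, multi-word phrases
are quoted, and a wildcard term may not begin with * or ?. The function
names are my own and are not part of any USM Anywhere UI or API."""
from typing import Iterable

# Reserved characters listed in the guide; each one is escaped with a backslash.
RESERVED = set('+-=&|><!{}[]^"~:\\/')
WILDCARD_CHARS = "*?"


def escape_term(value: str) -> str:
    """Backslash-escape every reserved character (including a backslash)."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in value)


def literal(phrase: str) -> str:
    """Exact, case-sensitive match. Phrases containing spaces are wrapped in
    double quotes; quotes inside the phrase are escaped so they cannot close
    the literal early. Single words need no quotes."""
    escaped = escape_term(phrase)
    return f'"{escaped}"' if " " in phrase else escaped


def is_valid_wildcard(term: str) -> bool:
    """The guide forbids * and ? as the first character of a search query."""
    return bool(term) and term[0] not in WILDCARD_CHARS


def wildcard(term: str) -> str:
    """A term containing * or ?; reserved characters are still escaped but the
    wildcard characters are left intact so they keep their meaning."""
    if not is_valid_wildcard(term):
        raise ValueError("a wildcard cannot be the first character: %r" % term)
    return "".join(ch if ch in WILDCARD_CHARS else escape_term(ch) for ch in term)


def regex_term(pattern: str) -> str:
    """Regular expression search written as /pattern/. A literal slash inside
    the pattern is escaped so the closing delimiter stays unambiguous."""
    return "/" + pattern.replace("/", "\\/") + "/"


def pulse_term(pulse_id_or_url: str) -> str:
    """OTX pulse search: the word pulse, a colon, and the pulse ID or URL.
    The colon is part of the documented syntax, so it is not escaped."""
    return "pulse:" + pulse_id_or_url


def any_of(terms: Iterable[str]) -> str:
    """(a OR b ...): parentheses give the group higher precedence."""
    return "(" + " OR ".join(terms) + ")"


def all_of(terms: Iterable[str]) -> str:
    """a AND b ...: every term must match."""
    return " AND ".join(terms)


def exclude(term: str) -> str:
    """NOT term: drop results matching the term even if the rest matches."""
    return "NOT " + term


if __name__ == "__main__":
    # Compose the guide's examples into one query string.
    query = all_of([
        any_of(["http", "tcp"]),
        literal("Event from asset not received"),
        wildcard("instance*"),
        exclude(escape_term("user:admin")),
    ])
    print(query)
    print(regex_term("Describe.*Instances"))
    print(pulse_term("59432536c1970e343ce61bf0"))
```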


To search assets using the advanced search filter

1. Go to Environment > Assets.

2. Below Advanced Search filter, click Add Filter.

3. Select a field from the first drop-down list.


See Advanced Search Fields (First Drop-Down List) for more information.

4. Select an operator from the drop-down list.

Important: Depending on the field you have chosen in the first drop-down list, the
operators vary.


See Advanced Search Fields (Second Drop-Down List) for more information.

5. Enter the search value.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

6. Click the icon.

7. Click Add Filter if you want to add a new search.


8. Click the icon.

9. Click Apply.

The result of your search displays with the assets identified.

Standard and Advanced Modes on Assets


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to toggle the mode of search. The available modes are Standard
and Advanced. You can change from one mode to the other by clicking the icon or
clicking the icon located in the upper left corner of the page.

Standard Mode

This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

1. Go to Environment > Assets.


2. In the upper-left corner of the page, click the icon.

This turns the icon gray.

Note: If you exit the advanced mode and the selected filters are not compatible with
the standard mode, a warning dialog box opens to inform you the current filters will
be removed.

Advanced Mode

Advanced mode enables you to select more than one value per filter at the same time. This
mode is off by default.

To activate the advanced mode

1. Go to Environment > Assets.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

To perform a search in the advanced mode

1. Go to Environment > Assets.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

3. Click the filters that you want to select.


The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page,
click Apply.

The result of your search displays.

To search using the NOT operator

1. Go to Environment > Assets.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Click the filter that you want to exclude.

4. In the filter group, click Not.

Important: You have to select a filter to see this operator.

Note: The selected filter displays the icon and the filter chiclet is labeled in red.


Important: Some filters don't include the NOT operator (for example, Services or
Software).

5. Click Apply.

To search all values of a filter

1. Go to Environment > Assets.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

Running Asset Scans

Role Availability Read-Only Investigator Analyst Manager

Use an asset scan to discover hosts and services in the deployed network. To accomplish this
goal, the scanner sends crafted packets to the target asset and analyzes the responses. This
is not an authenticated scan. You can run scans on individual assets.

Important: This option is available if the sensor associated with the asset allows it.

The asset for which you are scanning must be visible by the sensor through the network. This
means that both the sensor and the asset should be able to see each other through at least
Layer 3 (network) protocols. If the sensor and the asset are in the same network segment
(Layer 2), use Address Resolution Protocol (ARP) requests to discover the asset.

The USM Anywhere Sensor sends ARP, Internet Control Message Protocol (ICMP), and TCP
requests to discover hosts on the network to which the sensor is connected. A new asset is
created if the sensor receives an acknowledgment from any of the previously mentioned
protocols.

Note: If a scan is suspended or otherwise running for more than two hours, it will time
out. You can see the timeout result in the asset's Scan History, as well as in the system
event generated for that scan.

Important: You cannot scan USM Anywhere Sensors.


Enabling the Asset Scanner App


To enable the Asset Scanner App

1. Go to Data Sources > Sensors to open the Sensors page.


2. Click the USM Anywhere Sensor for which you want to enable the asset scanner app.

3. Click the Asset Scanner tab.

Note: This item is not available on Amazon Web Services (AWS) sensors.

4. Click Enable.

Running Asset Scans from Assets


To run an asset scan from Assets

1. Go to Environment > Assets.


2. Complete one of these options to open the Scan Asset dialog box:

l Next to the asset name that you want to scan, click the icon, select Full Details, and then select Actions > Asset Scan.

l Next to the asset name that you want to scan, click the icon, and then select Asset Scan.

The Asset Scan dialog box opens.


3. Select the scan profile that you want to run:

l Discovery: This profile scans the known ports and services searching for the most-used ports. (There are 4571 ports.)
l Complete: This profile scans all TCP and UDP ports to find the possible ports in a deployment. (There are 65535 ports.)
l Vulnerability Discovery: Performs general network discovery and checks for specific known vulnerabilities. It only reports results if they are found.
l Extended Vulnerability Discovery: Performs a Vulnerability Discovery scan, which actively discovers more about the network.
l Intensive Vulnerability Discovery: Performs several tasks to discover vulnerabilities, which uses a significant number of resources on the targeted machine. Because of this, sensitive targets may perceive a brief disruption on their services.

4. Select Set Debug Mode if you want to log the results of the scan or if you have a problem
with a scan.

This option is disabled by default.

Note: The Set Debug Mode option must be used only for debugging purposes
because it needs a large amount of disk space for the file or files that it generates.
Only AT&T Cybersecurity Technical Support should review these files. You can
contact this department for more information.

5. Click Scan.

6. In the Asset details page, click Scan History in the table area to display the results of the
scan.

You can see the status of each scan and the details. USM Anywhere also creates a system
event named Asset Scanner Result with the same details.

Important: Make sure the Asset Scanner app is enabled. See Enabling the Asset Scanner
App for more information.

Note: See Scheduling Asset Scans from Assets and Scheduling Asset Scans from the
Job Scheduler Page for more information about how to schedule an asset scan.

Running Asset Scans When Creating a New Asset


To run an asset scan when you are creating a new asset

1. Go to Environment > Assets.


2. Select Actions > Advanced to open the Create New Asset dialog box.

See Adding Assets in the UI for more information.

3. The Scan the newly added asset for asset details field is selected by default. Use it for
scanning the newly added asset.

Important: The Asset Scan options are available only for the VMware Sensor and Hyper-V Sensor. USM Anywhere uses the Discovery profile to conduct the scans.

4. Click Save.

A message displays at the top of the page to inform you that the scan has been launched
and is running. When the scan is complete, the results are visible in the tab Scan History
of the asset details page. See Viewing Assets Details for more information.


Running Asset Scans Using an AlienApp

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to select an asset and run an asset scan through an AlienApp.

The asset for which you are scanning must be visible by the sensor through the network. This
means that both the sensor and the asset should be able to see each other through at least
Layer 3 (network) protocols. If the sensor and the asset are in the same network segment
(Layer 2), use Address Resolution Protocol (ARP) requests to discover the asset.

USM Anywhere Sensor sends ARP, Internet Control Message Protocol (ICMP), and TCP
requests to discover hosts on the network to which the sensor is connected. A new asset is
created if the sensor receives an acknowledgment from any of the previously mentioned
protocols.

To run an asset scan through an AlienApp

1. Go to Environment > Assets.


2. Complete one of these options to open the Select Scan Action dialog box:

l Next to the asset name that you want to scan, click the icon, select Full Details, and then select Actions > Scan with AlienApp.

l Next to the asset name that you want to scan, click the icon, and then select Scan with AlienApp.

The Select Scan Action dialog box opens.


Important: The available AlienApps on this dialog box are those that have been
configured with the Asset Discovery capability. See Advanced AlienApps for more
information.

3. Select one of the options.

These are the options you can see in the example:

l AT&T Cybersecurity: See Configuring the AlienApp for DDI Frontline VM for more information.
l Digital Defense: See AlienApp for DDI Frontline VM Orchestration for more information.
l Qualys: See AlienApp for Qualys Actions for more information.
4. Fill out the details for the scan action you selected.
5. Click Run.

Running Authenticated Asset Scans

Role Availability Read-Only Investigator Analyst Manager

An authenticated asset scan verifies scanned Internet Protocol (IP) addresses and detects
vulnerabilities. Log in as administrator or root to perform an authenticated scan. See
Managing Credentials in USM Anywhere for more information.


Warning: An authenticated scan may fail if the local mail exchanger, which applies to
Linux hosts, is enabled in the target asset.

You cannot scan USM Anywhere Sensors.

You can scan an instance or network, but first you need to check these points:

l The sensor reaches the targets

l The sensor is able to scan their ports

If your USM Anywhere Sensor is deployed in Amazon Web Services (AWS) to a virtual private
cloud (VPC), see Amazon VPC-to-Amazon VPC connectivity options for more information.

The following table shows the asset scan credentials and escalation options.

Asset Scan Credentials and Escalation Options

Linux, BSD, Solaris, or macOS
  Method and credentials: SSH password or public key authentication
  Escalation: sudo or su

Microsoft Windows
  Method and credentials: Windows username and password through WinRM
  Escalation: None

Note: If a scan is suspended or otherwise running for more than two hours, it will time
out. You can see the timeout result in the asset's Scan History, as well as in the system
event generated for that scan.

To run an authenticated asset scan from Assets

1. Go to Environment > Assets.


2. Complete one of these options:

l Next to the asset name that you want to scan, click the icon, select Full Details, and then select Actions > Authenticated Scan.

or

l Next to the asset name you want to scan, click the icon and select Authenticated Scan to directly start the asset scan. If the option is not enabled, you need to add a credential. See Managing Credentials in USM Anywhere for more information.


A message displays at the top of the page to inform you that the authenticated scan is in
progress.

Important: Credentials assigned directly to an asset have higher priority than those
assigned to an asset group.

3. In the asset details page, click Scan History in the table area to display the results of the
scan.

You can see the status of each scan and its details, which informs you if the scan is
unsuccessful due to bad credentials or a connectivity issue between the USM Anywhere
Sensor and the asset you are attempting to scan. USM Anywhere also creates a system
event named Authenticated Asset Scanner Result for the scan and for testing the
credentials.

Each asset has a Scan Details link you can click to download a zip file containing the
details of the recent scan. The link is only present for the most recent scan of each asset,
and is available for one week after the scan has been run.

Below the Vulnerabilities tab, you can see the vulnerabilities that the scan has found.

You can also see the vulnerabilities that the scan has found by going to Environment >
Vulnerabilities. While the scan is running, a Scanning button displays. When the scan
finishes, the message Scan finished. Refresh to view scan results displays. Click
Refresh Scan Results to update the list.

Note: See Scheduling Authenticated Asset Scans from Assets and Scheduling Asset
Scans from the Job Scheduler Page for more information about how to schedule an
authenticated asset scan.

Scheduling Asset Scans from Assets


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to include scans for scheduling using its web user
interface (UI). See USM Anywhere Scheduler for more information.

To schedule an asset scan job from the asset details window

1. Go to Environment > Assets.


2. Next to the asset name that you want to include in an asset scan, click the icon and select Full Details.

3. Select Actions > Schedule Scan Job.

The Schedule New Job dialog box opens.


1. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

2. In the Action Type field, select Asset Scanner.

Depending on the USM Anywhere Sensor that you have installed, this field can include
different options.

3. Select a sensor in case you have more than one installed.

4. In the App Action field, leave Scan, which is the default option.


This option discovers services, operating systems (OSes), hostnames, IP and media access
control (MAC) addresses, and vulnerabilities of known hosts.

5. The Asset field displays the name of the asset to scan. You can't modify this field.

6. Select the scan profile that you want to run:

l Discovery: This profile scans the known ports and services searching for the most-used ports. (There are 4572 ports.)
l Complete: This profile scans all TCP and UDP ports to find the possible ports in a deployment. (There are 65535 ports.)
l Vulnerability Discovery: Performs general network discovery and checks for specific known vulnerabilities. It only reports results if they are found.
l Extended Vulnerability Discovery: Performs a Vulnerability Discovery scan, which actively discovers more about the network.
l Intensive Vulnerability Discovery: Performs several tasks to discover vulnerabilities, which uses a significant number of resources on the targeted machine. Because of this, sensitive targets may perceive a brief disruption on their services.

7. Select Set Debug Mode if you want to log the results of the scan or if you have a problem
with a scan.

This option is disabled by default.

Note: The Set Debug Mode option must be used only for debugging purposes
because it needs a large amount of disk space for the file or files that it generates.
Only AT&T Cybersecurity Technical Support should review these files. You can
contact this department for more information.

8. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.


Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

9. Click Save.

The job now displays in the job scheduler list.

Note: See USM Anywhere Scheduler for more information.

Scheduling Authenticated Asset Scans from Assets


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to include authenticated scans for scheduling using its
web user interface (UI). See USM Anywhere Scheduler for more information.

To schedule an authenticated asset scan job from the asset details window

1. Go to Environment > Assets.


2. Next to the asset name that you want to include in an asset scan, click the icon and select Full Details.

3. Select Actions > Schedule Scan Job.

The Schedule New Job dialog box opens.


1. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

2. In the Action Type field, select Authenticated Asset Scanner.

Depending on the USM Anywhere Sensor that you have installed, this field can include
different options.

3. Select a sensor in case you have more than one installed.


4. In the App Action field, Scan is the default option. This option discovers services, operating systems, hostnames, IP and MAC addresses, and vulnerabilities of known hosts.


5. The Asset field displays the name of the asset to scan. You can't modify this field.

6. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its


performance. For example, you can check the system load and CPU. See USM
Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

USM Anywhere™ User Guide 204


Asset Administration in USM Anywhere

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

7. Click Save.

The job now displays in the job scheduler list.

Note: See USM Anywhere Scheduler for more information.
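The "Every x days" restart rule is easy to get wrong when you reason about when a scan will actually fire, so here is a small added Python example (not part of the USM Anywhere guide or product) that projects the run dates. It assumes one reading of the Important note above: when adding the interval would land in a new month, the job fires on the 1st of that month and the interval restarts from there. The start time is attached in UTC, the default instance time zone; pass your own tzinfo if your instance is configured differently. The dates in the usage call are constructed.

```python
from datetime import date, datetime, time, timedelta, timezone


def next_runs(start, every_days, count, restart_monthly=True):
    """Return the next `count` run dates of an "Every x days" job.

    Assumed model (one reading of the guide's note that the schedule "restarts
    on the first day of the month"): whenever adding the interval would land
    past the 1st of the following month, the job instead runs on that 1st and
    the interval counts from there.  With restart_monthly=False the interval
    simply accumulates across month boundaries, which is what people usually
    expect and why the two calendars drift apart.
    """
    if every_days < 1:
        raise ValueError("interval must be at least 1 day")
    if count < 1:
        raise ValueError("count must be at least 1")
    if isinstance(start, str):
        start = date.fromisoformat(start)

    runs = [start]
    current = start
    while len(runs) < count:
        candidate = current + timedelta(days=every_days)
        # First day of the month after `current` (adding 32 days always lands in it).
        first_of_next = (current.replace(day=1) + timedelta(days=32)).replace(day=1)
        if restart_monthly and candidate > first_of_next:
            # Month boundary crossed: the counter resets and the job runs on the 1st.
            candidate = first_of_next
        runs.append(candidate)
        current = candidate
    return runs


def run_datetimes(run_dates, start_time="02:00", tz=timezone.utc):
    """Attach the configured start time to each run date.

    The guide says the start time is interpreted in the instance's configured
    time zone (UTC by default), so the result is time-zone aware.
    """
    hour, minute = (int(part) for part in start_time.split(":"))
    return [datetime.combine(d, time(hour, minute), tzinfo=tz) for d in run_dates]


def iso_runs(start, every_days, count, restart_monthly=True, start_time="02:00"):
    """ISO 8601 strings of the next runs, convenient for comparing against the
    times shown in the job scheduler list."""
    dates = next_runs(start, every_days, count, restart_monthly)
    return [dt.isoformat() for dt in run_datetimes(dates, start_time)]


if __name__ == "__main__":
    # Constructed example: a scan configured on 25 January to run every 10 days.
    for line in iso_runs("2024-01-25", 10, 5):
        print(line)
```

With the restart rule, a job created on the 25th and set to every 10 days runs on the 25th, then on the 1st, 11th and 21st of the next month; without it, the second run would fall on the 4th. If a scan window matters (for example, to avoid a change freeze), compare both projections before you save the job.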

Adding AlienApps to an Asset

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere receives syslog log data from external data sources: devices, applications, or
operating systems. If that data is not automatically matched with an AlienApp through hints
(see Auto-discovered AlienApps), you must manually associate the AlienApp with an asset in
USM Anywhere. There are two methods for creating these associations:

• By assigning one or more assets to the AlienApp. See Assign Assets to AlienApps for
details.
• By adding one or more AlienApps to the asset (this document).

You can use a combination of these methods to ensure that USM Anywhere can identify the
correct AlienApps for the log data it receives from an asset.

Important: Assigning an AlienApp to an asset disables the use of hints for the logs
coming from that asset; USM Anywhere then uses only the assigned AlienApps to parse
and normalize those logs, whatever format they are in. This is why a forwarder that
relays mixed log formats should not have an AlienApp assigned to it.

If you use log-forwarding software (such as Splunk or Loggly) to send logs to USM
Anywhere, AT&T Cybersecurity recommends that you use at least two such forwarders:
one forwarder for all the auto-discoverable AlienApps, and the other for the non-auto-
discoverable AlienApps. In the latter case, you must create an asset in USM Anywhere to
denote the forwarder and assign it to the non-auto-discoverable AlienApps. This
ensures that USM Anywhere uses the correct AlienApp to parse your logs.

Adding an AlienApp to an asset requires that you know what log data that the USM Anywhere
Sensor receives from the asset and which AlienApp(s) are the best match for parsing and
normalizing that data to produce meaningful events for your needs.

You can add an AlienApp on the Asset Details page. The Asset Details page provides access to
all of the available information and tools for managing an individual asset. See Asset
Management for more information about managing discovered assets in USM Anywhere.
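An added example, not code from the guide or from USM Anywhere, of the routing rule the Important note above describes. The hint patterns, the forwarder asset, the log lines and the "Acme ERP" AlienApp are all constructed for this illustration; the real hint definitions are not published on this page. Running it shows why a forwarder that carries mixed log formats should not have an AlienApp assigned: once "Acme ERP" is assigned to the shared forwarder, the Cisco ASA and Palo Alto lines it relays are handed to that app as well and are no longer parsed correctly.

```python
import re

# Constructed hint table for this example.  Each pattern stands in for the
# content-based "hints" USM Anywhere uses to auto-discover an AlienApp; the
# real hint definitions are not part of this page.
HINTS = {
    "Cisco ASA": re.compile(r"%ASA-\d-\d{6}"),
    "Palo Alto Networks": re.compile(r",(TRAFFIC|THREAT|SYSTEM),"),
    "Linux SSH": re.compile(r"sshd\[\d+\]:"),
}
GENERIC = "AlienVault Generic Data Source"

# Constructed sample log lines, as a shared forwarder might relay them.  The
# third line comes from a hypothetical in-house application with no hint.
SAMPLE_LOGS = [
    "<166>Jan 25 10:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.5/443 to inside:10.0.0.5/52110",
    "1,2024/01/25 10:00:02,001122334455,TRAFFIC,end,2049,2024/01/25 10:00:02,"
    "10.0.0.5,203.0.113.5",
    "Jan 25 10:00:03 acme-erp: user=alice action=login result=ok",
]


class Asset:
    """Minimal stand-in for an inventory asset and the AlienApps assigned to it."""

    def __init__(self, name, assigned_apps=()):
        self.name = name
        self.assigned_apps = list(assigned_apps)


def select_apps(asset, log_line):
    """Pick the AlienApp(s) used to parse one log line received from `asset`.

    Returns (apps, how).  The order of the checks is the rule from this page:
    once an asset has AlienApps assigned, hints are not consulted for its logs,
    so a line that does not match the assigned app is still handed to it.
    """
    if asset.assigned_apps:
        return list(asset.assigned_apps), "assigned"
    matched = [app for app, pattern in HINTS.items() if pattern.search(log_line)]
    if matched:
        return matched, "hint"
    return [GENERIC], "generic"


def route(asset, log_lines):
    """Apply select_apps to every line; returns [(first chosen app, how), ...]."""
    results = []
    for line in log_lines:
        apps, how = select_apps(asset, line)
        results.append((apps[0], how))
    return results


def demo():
    """Constructed scenario behind the two-forwarder recommendation."""
    shared = Asset("fwd-shared")                 # nothing assigned: hints decide
    pinned = Asset("fwd-shared", ["Acme ERP"])   # same forwarder after assigning the ERP app
    return {"hints only": route(shared, SAMPLE_LOGS),
            "Acme ERP assigned": route(pinned, SAMPLE_LOGS)}


if __name__ == "__main__":
    for label, routed in demo().items():
        print(label)
        for app, how in routed:
            print(f"  {app:30} ({how})")
```

The first routing shows the ERP line falling through to the generic data source, which is the case the next section (AlienVault Generic Data Source Events) exists to catch. The second shows the fix applied to the wrong asset: assigning "Acme ERP" to the shared forwarder silently claims the firewall logs too. Give the non-discoverable source its own forwarder asset, as the note recommends, and assign the app there.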

To add an AlienApp from the Asset Details page

1. Go to Environment > Assets.

2. (Optional.) Use the Search & Filters option to filter the list and help you to locate the
asset you want.

3. Click the icon next to the asset name and select Full Details.

This displays the Asset Details.

4. At the bottom of the expanded page, select the AlienApps tab and click Add AlienApp.


5. In the dialog box, select the AlienApp you want to assign to the asset. Enter all or part of
the name in the Set a New AlienApp field and select one from the displayed list.

The system displays this message at the top of the page:

AlienApp added successfully.


6. (Optional.) Repeat the previous step to add another AlienApp.

7. Click the icon to close the dialog box.

On the AlienApps tab, you can see the list of AlienApps added.


AlienVault Generic Data Source Events

For logs where a matching AlienApp is not identified, USM Anywhere parses them using a generic
data source. You can review the generated events in the AlienVault Generic Data Source
events view. If the reporting device for the event is defined in the USM Anywhere asset
inventory, you can manually assign an AlienApp directly from this view.

See AlienVault Generic Data Source in the USM Anywhere User Guide for more information
about the information and tools available in this view.

To assign an AlienApp from an AlienVault Generic Data Source event

1. Go to Activity > Events.


2. Click View > Saved views > AlienVault Generic Data Source.
3. Click Apply.
4. Review the listed events and locate an event where the reporting device is displayed in
blue and you want to manually assign a known AlienApp to the asset.

5. In the Reporting Device column, click the icon next to the asset name and select
Assign AlienApp.

The Add AlienApp to an asset dialog box opens.

6. In the dialog box, select the AlienApp to use for log data from the asset.

Enter part of the AlienApp name in the Set a New AlienApp field and select the AlienApp
from the displayed list.


7. (Optional.) Repeat the previous step to add another AlienApp for the asset.
8. Click the icon to close the dialog box.

Viewing Assets Details

Role Availability Read-Only Investigator Analyst Manager

To view the details of an asset

1. Go to Environment > Assets.


2. Next to the name of the asset whose details you want to review, click the icon.

3. Select Full Details.


Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking
the icon. This displays all of your bookmarked items and provides direct links to each of
them.

In the upper left side of the page is the name and IP address of the asset, along with
additional attributes that describe the particular asset. One of these fields is Create
Event If Asset Stops Sending Data. Use this field to configure how long USM Anywhere waits
without receiving messages from the asset before it generates events.
See Events Created When an Asset Stops Sending Data for more information.

On the right is the status summary for your asset. It displays the total number of alarms,
events, vulnerabilities, and configuration issues. The circle can be orange (for alarms and
configuration issues), blue for events, and red for vulnerabilities. The number inside each
circle indicates the number of alarms, events, vulnerabilities, and configuration issues related
to the asset. You can click each circle to view the full list of issues represented by that
number.

Note: Configuration Issues are only shown on AWS and Azure Sensors.

Important: The alarms and events counts are not updated in real time; they are
recalculated every hour. If a count looks out of date, new events or alarms have
arrived in your environment since the last recalculation.

The vulnerabilities and configuration issues counts are updated after every scan.

Below the status summary, you can see this information:

• Agent Status. If there is a deployed agent, it displays the connection status of the
AlienVault Agent. You can deploy an agent from here.
• Credentials. If a credential has been associated with the asset, it displays its name. You
can assign and create the credential from here. See Managing Credentials in USM Anywhere
for more information.
• Last Scanned. If it exists, the date of the latest scan. You can schedule jobs from here. See
Scheduling Asset Scans from Assets, Scheduling Authenticated Asset Scans from Assets,
and Scheduling Asset Scans from the Job Scheduler Page for more information.

In the lower part of the page is a table area with tabs, some of which correspond to the
circles. Each tab contains a table with records, if present, for your asset.

The following list describes the tabs you see on the page.

Asset Details View Tabs

Asset Groups: Asset groups in which the asset is included.

Software: Software that is installed on the asset.
Note: You need to run an authenticated asset scan to have a complete list of installed
software.

Services: Services that are available on the asset.
Note: You need to run an authenticated asset scan to have a complete list of available
services.

AlienApps: AlienApps enabled for the asset.

Alarms: Alarms related to the asset. A bubble graph provides a graphical representation of
alarms by intent. Blue circles indicate the number of times that an alarm with a given intent
occurred; a bigger circle indicates a higher number of alarms. Hover over each circle to see
the actual number for that intent. Click a blue circle to display only the alarms corresponding
to that circle. You can change the displayed period of time by clicking the Last 24 Hours filter.

Events: Events related to the asset. Click an event to see its details.

Vulnerabilities: Vulnerabilities related to the asset. You can filter the active or inactive
vulnerabilities by clicking the corresponding radio button. Click a vulnerability to see its
details.
Note: Multiple rows may display for the same vulnerability if it has been reported by more
than one source. This may result in a discrepancy between the number displayed on the
Vulnerabilities tab at the bottom and the Vulnerabilities counter at the upper right of this
page.

Configuration Issues: Information about operational processes. You can filter the active or
inactive configuration issues by clicking the corresponding radio button. Click a
configuration issue to see its details.

Scan History: List of the asset scans already run. It includes a timestamp of the scan, the
scan type, the status, and the details of each scan. You can also click the Scan Details link
to download a file containing the details of the most recent authenticated asset scan, for up
to a week after the scan was run.

File Integrity: This tab is available if the AlienVault Agent has been deployed on the asset. It
displays statistics about File Integrity Monitoring events. You can select the time window in
which the events were received: last hour, 24 hours, 7 days, 30 days, or 90 days.

Agent: This tab is available if the AlienVault Agent has been deployed on the asset. It
displays information about the agent: its status (connected or not) and its current version.
You can select the time window in which the events were received: last hour, 24 hours, 7
days, 30 days, or 90 days. You can also see the query history. Users whose role is Manager
can also change the configuration profile. See Assigning AlienVault Agent Configuration
Profiles for more information.


In the upper right corner of the page is the Actions button. Use this button to perform
actions on the asset. These are the actions:

• Configure Asset: See Editing Assets for more information.
• Delete Asset: See Deleting the Assets for more information.
• Add to Asset Group: See Creating an Asset Group for more information.
• Agent Query: See The AlienVault Agent Events and Queries for more information. This
option is available for users whose role is Analyst or Manager.
• Asset Scan: Whether this option is displayed depends on the sensor associated with the
asset. See Running Asset Scans for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: See Running Authenticated Asset Scans for more information.
• Scan with AlienApp: See Running Asset Scans Using an AlienApp for more information.
• Schedule Scan Job: See Scheduling Asset Scans from Assets, Scheduling Authenticated
Asset Scans from Assets, and Scheduling Asset Scans from the Job Scheduler Page for
more information.

Events Created When an Asset Stops Sending Data

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere gives you the option of configuring a threshold after which asset inactivity is a
concern. When your environment has not received events from an asset within the configured
period of time, USM Anywhere generates monitoring events that display in the Events List
View page. Because these events are not tied to any USM Anywhere Sensor that you have
deployed, you will see a new sensor with the name of your USM Anywhere subdomain listed
for these events. USM Anywhere keeps generating new monitoring events until the asset starts
reporting again. You can see two types of monitoring events:

• Event from asset not received: Event details include the asset name, the total
disconnected time, and when the last message was received.

Warning: Currently, the Event from asset not received event is generated at the same
time as both a regular event and a system event. Soon, this event will be generated only
as a system event. See Regular Events and System Events and Orchestration Rule for
the "Event from Asset Not Received" System Event for more information.

• Event from asset received: Event details include the asset name.

Warning: Monitoring events are generated when your environment is not receiving
events from an asset, either because the asset is not sending events or because of a
filtering rule. If you have a rule that filters events coming from an asset, from the
perspective of USM Anywhere that asset is not sending events.

Note: If your sensor is collecting logs using anything other than syslog (like scheduled
log scans), your logs may not include enough data to inform these events. To ensure
that you are receiving events when your asset stops sending data, ensure that the
Reporting Device field is present and populating accurately.
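The following added Python example (illustrative only, not the product's implementation) models the behaviour described above so you can see what does and does not keep the timer alive: the timer is keyed on the reporting device address rather than the source, an event dropped by a filtering rule makes the asset look silent, a threshold of None disables monitoring, and a fresh "Event from asset not received" is raised on every check until the asset reports again. The asset names, thresholds, timeline and filter rule are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Event:
    timestamp: datetime
    reporting_device: Optional[str]  # address the log was received from
    source: Optional[str] = None     # address the log is about; may differ from the reporter
    message: str = ""


@dataclass
class MonitoringEvent:
    name: str
    asset: str
    timestamp: datetime
    last_received: Optional[datetime] = None
    disconnected_for: Optional[timedelta] = None

    def summary(self) -> str:
        if self.disconnected_for is None:
            return f"{self.name}: {self.asset}"
        return (f"{self.name}: {self.asset} (silent for {self.disconnected_for}, "
                f"last message {self.last_received.isoformat()})")


class SilenceMonitor:
    """Track the last message per reporting device and raise monitoring events."""

    NOT_RECEIVED = "Event from asset not received"
    RECEIVED = "Event from asset received"

    def __init__(self, thresholds: Dict[str, Optional[timedelta]],
                 filter_rule: Optional[Callable[[Event], bool]] = None):
        self.thresholds = thresholds              # asset -> threshold; None = field left at "None"
        self.filter_rule = filter_rule or (lambda event: False)
        self.last_seen: Dict[str, datetime] = {}
        self.silent: Set[str] = set()
        self.emitted: List[MonitoringEvent] = []

    def ingest(self, event: Event) -> None:
        if self.filter_rule(event):
            return  # dropped by a filtering rule: to the monitor the asset is silent
        asset = event.reporting_device  # keyed on Reporting Device Address, never on Source
        if asset is None or asset not in self.thresholds:
            return  # no reporting device, or not an inventoried asset: cannot be tracked
        self.last_seen[asset] = event.timestamp
        if asset in self.silent:
            self.silent.discard(asset)
            self.emitted.append(MonitoringEvent(self.RECEIVED, asset, event.timestamp))

    def check(self, now: datetime) -> None:
        """Run periodically.  Emits a new NOT_RECEIVED event on every check while
        the asset stays past its threshold, as the guide describes."""
        for asset, threshold in self.thresholds.items():
            if threshold is None:
                continue                      # monitoring disabled for this asset
            last = self.last_seen.get(asset)
            if last is None:
                continue                      # never heard from it; no baseline yet
            gap = now - last
            if gap >= threshold:
                self.silent.add(asset)
                self.emitted.append(MonitoringEvent(self.NOT_RECEIVED, asset, now, last, gap))


def run_demo() -> List[str]:
    """Constructed timeline: a firewall with a 1-hour threshold, a web server
    with the field left at None, and a rule that filters the firewall's debug logs."""
    t0 = datetime(2024, 1, 25, 8, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    mon = SilenceMonitor({"fw-edge-01": hour, "web-01": None},
                         filter_rule=lambda e: "DEBUG" in e.message)
    mon.ingest(Event(t0, "fw-edge-01", "10.0.0.1", "built connection"))
    mon.ingest(Event(t0, "web-01", "10.0.0.2", "GET /"))
    # A relay reports about the firewall: Source is the firewall, but the
    # Reporting Device is the relay, so this does not keep fw-edge-01 alive.
    mon.ingest(Event(t0 + hour, "relay-01", "fw-edge-01", "link flap on fw-edge-01"))
    mon.ingest(Event(t0 + hour, "fw-edge-01", "10.0.0.1", "DEBUG heartbeat"))  # filtered out
    mon.check(t0 + 2 * hour)   # firewall silent for 2 h: not received
    mon.check(t0 + 3 * hour)   # still silent: another one
    mon.ingest(Event(t0 + 3 * hour + timedelta(minutes=30), "fw-edge-01", "10.0.0.1", "teardown"))
    mon.check(t0 + 4 * hour)   # 30 min since the last message: quiet again
    return [event.summary() for event in mon.emitted]


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Two things in the timeline are worth checking in your own environment: the relay event shows why logs that mention an asset but are not received from it do not count, and the filtered "DEBUG heartbeat" shows how a filtering rule can make a healthy device trip the threshold. If you rely on a heartbeat-style message to keep an asset alive, make sure no filtering rule drops it.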

To configure the period of time for a single asset

1. Go to Environment > Assets.


2. Next to the asset name whose details you want to review, click the icon.

3. Select Full Details.

4. In the upper-left side of the page, set a period of time in the Create Event If Asset Stops
Sending Data field by clicking the icon.

You can select a predefined value: None, 1, 6, 12, 24, or 72 hours, 1 week, or 2 weeks.

Note: By default, this field is configured to None.

Important: The Create event if asset stops sending data field is based on the
Reporting Device Address field, not the Source field. When a device reports
information about its state, the Reporting Device Address field will display the same
data as the Source or Destination fields. If the device reports information that is
different from its state, for example issues in its network, the Reporting Device
Address field will display different information from the Source or Destination fields.


5. Click the icon to set the value.

The events are displayed in the Events List View page.

To configure the period of time for multiple assets

1. Go to Environment > Assets.


2. Select the checkbox of each asset you want to include.
3. Select Actions > Edit Fields.


4. At the bottom of the Configure Assets dialog box, set a period of time in the Create Event
If Asset Stops Sending Data field by clicking the icon.

You can select a predefined value: None, 1, 6, 12, 24, or 72 hours, 1 week, or 2 weeks.

Note: By default, this field is configured to None.

Important: The Create event if asset stops sending data field is based on the
Reporting Device Address field, not the Source field. When a device reports
information about its state, the Reporting Device Address field will display the same
data as the Source or Destination fields. If the device reports information that is
different from its state, for example issues in its network, the Reporting Device
Address field will display different information from the Source or Destination fields.

5. Click the icon to set the value.

The events are displayed in the Events List View page.


To see events created when an asset stops sending data

1. Go to Activity > Events.

2. Locate the Event Name filter, and then select the filter Event from Asset Not Received.


The result displays with the filtered events.

3. Click the event to see its details.

Managing Asset Fields

Role Availability Read-Only Investigator Analyst Manager

All assets include several fields for identifying and classifying each asset. You can add the
fields you need, modify them, or delete them when you no longer need them.

Note: It is not possible to modify or delete the fields that are system defaults.


Creating Asset Fields


To create an asset field

1. Go to Settings > System.


2. In the left navigation panel, click Asset Fields to open the page.

3. Click New Asset Field.

The Create Asset Field dialog box opens.

4. Enter a display name.


5. (Optional.) Enter a description.
6. Select a display priority. You can choose Summary, Detail, or Hidden. Choose Hidden if you
do not want to see this field in the details of the assets.

7. Select a type.


The Type field offers these options:

Text: A free-text value, entered in the default field.
Select: Enter the choices. You can add more than one by clicking the icon.
Numeric: Enter a number. You can use the arrow icons to increase or decrease the number.
IP: Enter an IP address.
Boolean: Select one of the options: No Default, True, or False.

8. Click Save.

Modifying Asset Fields


To modify an asset field

1. Go to Settings > System.


2. In the left navigation panel, click Asset Fields to open the page.
3. Locate the asset field you want to modify. You can filter the search by name, user,
priority, and type of field.
4. In the line of the asset field you want to modify, click the icon. This icon is displayed
only for editable fields, that is, fields that are not system defaults.
5. Modify the information of the items that need to be modified.
6. Click Save.

Deleting Asset Fields


To delete an asset field

1. Go to Settings > System.


2. In the left navigation panel, click Asset Fields to open the page.
3. Locate the asset field that you want to delete. You can filter the search by name, user,
priority, and type of field.

4. Click the icon.

5. Click Accept to confirm.

Assign Asset Fields to an Asset or Group of Assets


To assign asset fields to an asset or group of assets

1. Go to Environment > Assets.


2. Select the asset or the group of assets. See Selecting Assets in Asset List View for more
information.

3. Select Actions > Edit Fields.

4. Select the asset fields you want to assign to the selected assets.
5. Click Save.

Displaying Asset Fields from Assets


To display asset fields

1. Go to Environment > Assets.


2. Next to the asset name whose asset fields you want to review, click the icon and
select Full Details.

3. Below the main data of the asset, click More.

Deleting the Assets

Role Availability Read-Only Investigator Analyst Manager

Keep these points in mind when you delete assets and your environment has an
Amazon Web Services (AWS) Sensor, Microsoft Azure Sensor, Google Cloud Platform (GCP)
Sensor, or a VMware Sensor installed:

• If you delete an asset that is still active and visible in your network environment, the asset
is automatically added back to your asset inventory by any asset discovery job that runs
after the deletion.
• If you delete an asset that has alarms or vulnerabilities associated with it, the asset state is
marked as "terminated". All saved data associated with the asset is kept in its current state.
• If you delete a sensor, all assets on the sensor are removed from USM Anywhere.
However, if you redeploy the sensor, asset configurations that point to the replaced
sensor have the universally unique identifier (UUID) in that configuration updated to
the new sensor UUID.

To delete an asset from the list view

1. Go to Environment > Assets.

2. Next to the asset name that you want to delete, click the icon and select Delete Asset.

The Delete Asset dialog box opens.

3. Click Delete to delete the asset.


To delete an asset from the asset details page

1. Go to Environment > Assets.


2. Next to the asset name that you want to delete, click the icon and select Full Details.

3. Click Actions > Delete Asset.


4. Click Delete to delete the asset.

To bulk delete assets

1. Go to Environment > Assets.


2. Select the assets you want to delete. See Selecting Assets in Asset List View for more
information.
3. Click Actions > Delete Selected.

4. Click Delete.

Editing Assets

Role Availability Read-Only Investigator Analyst Manager

If you want to change, delete, or add information regarding assets that have been identified
by your USM Anywhere Sensor, follow the guidelines on this page to edit your assets.

1. Go to Environment > Assets.

2. Next to the asset name that you want to edit, click the icon and select Configure Asset.


The configure asset dialog box opens.


3. Modify the data of the items that need to be modified, as described in the field
descriptions below.

Field Descriptions for the Edit Asset Details page

Name: Name identifying the asset. This field is required.
Description: (Optional.) A short description for the asset.
Sensor: Sensor to associate with the asset.
Logo: Symbol that represents the asset.
Asset Type: (Optional.) Device type that identifies the asset. Select an option from the list.
See USM Accepted Asset Types for more information.
Time Zone: Time zone assigned to the asset. The default value is System Default, which
causes the asset to inherit the sensor's time zone. Changing the asset's time zone
automatically applies the new time zone to all new logs collected from the asset.
Compliance Scope: Add the asset to Payment Card Industry (PCI) and/or Health Insurance
Portability and Accountability Act (HIPAA) scope. See Working with Assets and PCI DSS and
USM Anywhere Compliance Templates for more information.
Owner: (Optional.) Free-text field for the owner of the asset.
Custom Fields: Asset fields created by the user. System-default fields are not displayed here.
See Managing Asset Fields for more information.
Network Interfaces: IP Address (the IP address assigned to the asset), MAC Address (the MAC
address assigned to the asset), and FQDN (the fully qualified domain name).

Important: You must enter at least one of the three Network Interfaces fields. A field is
highlighted when its value is not valid.

4. Click Save.
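If you prepare asset edits in a script rather than in the dialog, it helps to apply the same Network Interfaces checks before you submit them. The following added Python example (not part of the guide or product) validates the three fields: an IP address via the standard library, a MAC address in colon, hyphen or Cisco dotted form (normalized to one spelling so duplicates can be spotted), and an FQDN by DNS label rules. The exact validation USM Anywhere applies is not documented on this page, so treat these rules as a conservative pre-check; the sample values in the usage call are constructed.

```python
import ipaddress
import re

# Six hex pairs separated consistently by ":" or "-" (the back-reference \2
# rejects mixed separators such as aa:bb-cc:dd-ee:ff).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:])(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")
CISCO_MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")
# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
FQDN_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated text, or None if it is invalid."""
    s = mac.strip()
    if CISCO_MAC_RE.fullmatch(s):
        hexdigits = s.replace(".", "")
    elif MAC_RE.fullmatch(s):
        hexdigits = re.sub(r"[:-]", "", s)
    else:
        return None
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_fqdn(name):
    """True for a fully qualified name: at least two valid labels, 253 chars max.
    A bare host name such as 'localhost' is rejected on purpose."""
    s = name.strip().rstrip(".")
    if not s or len(s) > 253 or "." not in s:
        return False
    return all(FQDN_LABEL_RE.fullmatch(label) for label in s.split("."))


def validate_network_interface(ip=None, mac=None, fqdn=None):
    """Return a dict of field -> error message; empty when the entry would be accepted.
    Mirrors the rule on this page: at least one of the three fields is required,
    and any field that is filled in must hold a valid value."""
    errors = {}
    if ip:
        try:
            ipaddress.ip_address(ip.strip())   # accepts IPv4 and IPv6, rejects CIDR
        except ValueError:
            errors["ip"] = f"not a valid IPv4/IPv6 address: {ip!r}"
    if mac and normalize_mac(mac) is None:
        errors["mac"] = f"not a valid MAC address: {mac!r}"
    if fqdn and not is_fqdn(fqdn):
        errors["fqdn"] = f"not a valid FQDN: {fqdn!r}"
    if not any([ip, mac, fqdn]):
        errors["interface"] = "enter at least one of IP address, MAC address, or FQDN"
    return errors


if __name__ == "__main__":
    # Constructed sample entries.
    for entry in [dict(ip="10.0.0.5"), dict(mac="AA-BB-CC-DD-EE-FF", fqdn="web01.corp.example.com"),
                  dict(ip="10.0.0.300"), dict(fqdn="-bad.example.com"), dict()]:
        print(entry, "->", validate_network_interface(**entry) or "ok")
```

Note that `ipaddress.ip_address` rejects a CIDR prefix such as 10.0.0.0/24, which is the right behaviour for a single asset's interface; a whole range belongs in an asset group, not in this field.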


USM Accepted Asset Types


The Asset Type field drop-down list includes a wide range of asset types, defined below.

USM Accepted Asset Types

Bridge: A bridge combines two or more subnetworks into one. With a bridge this happens at a
lower level than with a router. This category also includes things like Ethernet-to-serial
bridges.

Broadband router: Devices in this category connect a network to the Internet through cable,
asymmetric digital subscriber line (ADSL), and fiber optics. Some of these devices provide
network address translation, a firewall, port forwarding, or other services.

Cloud: Model of computer data storage in which the digital data is stored in logical pools.

Database: Device that provides network-based data storage services.

Firewall: A firewall controls what traffic is allowed into or out of a network. Some also have
additional capabilities. This category does not include general-purpose operating systems
(OSes) that happen to come with a firewall, but it does include OS distributions purpose-built
to work only as a firewall.

Game console: A video game console like the Microsoft Xbox or Sony PlayStation.

General purpose: General-purpose operating systems like Linux and Microsoft Windows.

Hub: A hub joins network segments by re-broadcasting all traffic. Hubs are distinct from
switches, which selectively transmit packets only to relevant destinations.

Laptop: Small and portable personal computer.

Load balancer: A device that distributes inbound traffic to multiple devices to ease the load
on those devices.

Media device: This category includes all kinds of audiovisual equipment, including portable
music players, home audio systems, TVs, and projectors.

PBX: A private branch exchange (PBX) routes telephone calls within a private organization and
connects them to the public telephone network or Voice over Internet Protocol (VoIP).

PDA: A personal digital assistant (PDA) is a handheld computer. Devices that are also
telephones go in the "phone" category.

Phone: A network-capable telephone that is not a VoIP phone. Devices in this category are
typically mobile phones.

Power-device: Miscellaneous power devices like uninterruptible power supplies (UPSes) and
surge protectors.

Printer: Network-enabled printers, including printers with an embedded print server.

Print server: A print server connects a printer to a network. Printers that contain their own
print server go in the "printer" category instead.

Proxy server: Any kind of proxy, including web proxies and other servers that cache data or
understand high-level protocols.

Remote management: Devices that allow servers or other equipment to be monitored or
managed remotely.

Router: Routers connect multiple networks. They are distinct from hubs and switches because
they route packets between different networks as opposed to extending one network.

Security-misc: Any security device that doesn't fall into the "firewall" category belongs in
this category. This includes intrusion detection and prevention systems.

Server: Device that provides functionality for other programs or devices.

Specialized: The catch-all category. If a device doesn't fall into one of the other categories,
it is specialized. Examples in this category are diverse and include such things as clocks,
oscilloscopes, climate sensors, and more.

Storage-misc: Data storage devices like tape decks and network-attached storage appliances.

Switch: A device that extends a network by selectively re-broadcasting packets. Switches are
distinct from hubs, which broadcast all packets.

Telecom-misc: Devices used by telephone systems that are not PBXs, like voicemail and
Integrated Services Digital Network (ISDN) systems.

Terminal: A device with a keyboard and monitor with the primary purpose of communicating
directly with a terminal server or mainframe.

Terminal server: A device providing terminal facilities to clients over a network.

VoIP adapter: A device that converts between VoIP protocols and normal telephone traffic. It
may also convert between different VoIP protocols.

VoIP phone: A phone capable of a VoIP protocol.

WAP: Wireless access points (WAPs) offer a wireless connection to a network. Most work with
radio technology like 802.11b, but some use infrared or something else. Devices that could
also be put in another category, like wireless broadband routers, are put in the WAP category
because WAPs require special network considerations.

Web server: Device that provides content to the World Wide Web. A web server processes
incoming network requests over HTTP and several other related protocols.

Webcam: Any kind of camera that stores or transmits pictures or video. This includes
everything from consumer webcams to security system cameras.

Create an Assets Report

Role Availability Read-Only Investigator Analyst Manager

You can create a PDF or CSV report of the assets directly from the assets page.

Important: AT&T Cybersecurity recommends Google Chrome as the preferred browser
for generating reports. The use of alternative browsers may result in poor formatting.

To create an assets report

1. Go to Environment > Assets.

2. Use filters to define the assets you want to display in your report, or select the assets
you want to include individually.

3. Click Generate Report to open the Configure Report dialog box.

The filters selected and displayed for the page view are the ones that populate the
report.

4. Click Edit Filters if you want to modify the selected filters, and then click Continue to
Filters. Make the changes you need, and then click Edit Report.
5. Under the Format section, select either CSV or PDF as the format of the report.
6. Select whether to generate the report again on a schedule, and then choose Never, Daily,
Weekly, Bi-weekly, or Monthly.
7. Enter an email address to send the report to.
Select the Send to my Email Address option to add your own email address automatically.
8. Select the Enable Link Expiration option. The download link is delivered by email and
expires after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report.
This name is displayed on the Saved Reports page.
11. (Optional.) Add a description to include in the report.
12. Under the Number of Records section, choose the maximum number of records to include
in the report. For CSV the options are 20, 50, 100, 500, 1000, or 50K. For PDF the options
are 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views.
You can add or remove graphs in the report by clicking the add and remove icons.

14. Click Save & Run if you want to keep the report on the Saved Reports page and receive
the report at the indicated email address.
15. Click Run to run the report.


Asset Groups Administration

Asset groups are administratively created objects that group similar assets for specific
purposes. Assets are grouped based on IP addresses, and USM Anywhere monitors these
groups. Grouping based on IP addresses facilitates an easier search and management of
assets.

This topic discusses these subtopics:

• Creating an Asset Group
• How to Create a PCI Dynamic Asset Group
• Asset Group List View
• Searching Asset Groups
• Running Asset Groups Scans
• Running Authenticated Asset Groups Scans
• Scheduling Asset Group Scans from Asset Groups
• Scheduling Authenticated Asset Group Scans from Asset Groups
• Configuring an Asset Group
• Viewing Asset Group Details
• Deleting an Asset Group

Creating an Asset Group

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere supports static and dynamic asset groups. A static group consists of assets
that you manually assign to the group. A dynamic group is defined using rules that
automatically add or remove assets from the group, based on the criteria you have defined.

By default, AT&T Cybersecurity creates these dynamic asset groups:

• Assets with Agents: Asset group containing assets with agents.
• Assets with Alarms: Asset group containing assets with alarms.
• Assets with Vulnerabilities: Asset group containing assets with vulnerabilities.
• Database Servers: Asset group containing database servers.
• HIPAA: Asset group containing Health Insurance Portability and Accountability Act (HIPAA)
assets. HIPAA is a standard for protecting sensitive patient data.
• Linux Assets: Asset group containing Linux systems.
• PCI DSS: Asset group containing Payment Card Industry (PCI) assets.
• Web Servers: Asset group containing web servers.
• Windows Assets: Asset group containing Microsoft Windows systems.

USM Anywhere also creates a default asset group for each Amazon Web Services (AWS)
Elastic Load Balancing (ELB) instance in your environment. The AWS Sensor ELB group
includes the ELB instance and any AWS Sensor instance connected to the load balancer and
registered with the ELB service. USM Anywhere automatically discovers and enables you to
collect ELB access logs if you have ELB access logging enabled.

Important: AT&T Cybersecurity recommends that you limit your asset groups to 1024
or fewer assets. While asset groups can be larger, selecting an asset group for any
searching or filtering will only return data for the most recent 1024 assets. To see more
data, create multiple asset groups each with 1024 or fewer assets.

Creating a Static Asset Group


USM Anywhere enables you to create a static asset group.

To create a static asset group from the asset groups main window

1. Go to Environment > Asset Groups.


2. Select Actions > Static.

3. Enter the name of the asset group.

This field is required.

Note: The valid characters for the asset group name are uppercase letters (A-Z),
lowercase letters (a-z), numerical digits (0-9), hyphens ( - ), underscores (_), and blank
spaces. You can enter up to 64 characters.

Important: You cannot use special characters such as forward slash (/), backslash (\), or
ampersand (&). While the name contains an invalid special character, the Save button remains
inactive.

4. (Optional.) Enter a description for identifying this group.


5. Locate the assets that you want to add to the group, and click Add Asset or Scan
Network.

If you click Scan Network, enter the name for a network and the Classless Inter-Domain
Routing (CIDR) block to specify the subnet's IP address block that you want to scan.

6. (Optional.) Delete assets from the group by clicking the icon. You can view a specific
asset by clicking the icon, and use Cancel to discard the changes.

7. Click Save.

Creating a Dynamic Asset Group


USM Anywhere enables you to create a dynamic asset group.

To create a dynamic asset group from the asset groups main window

1. Go to Environment > Asset Groups.


2. Select Actions > Dynamic.

3. Enter the name of the asset group.

This field is required.

Note: The valid characters for the asset group name are uppercase letters (A-Z),
lowercase letters (a-z), numerical digits (0-9), hyphens ( - ), underscore (_), and blank
space. You can enter up to 64 characters.

Important: You cannot use special characters such as forward slash (/), backslash (\), or
ampersand (&). While the name contains an invalid special character, the Save button remains
inactive.

4. (Optional.) Enter a description for identifying this group.


5. Add the search criteria for the assets you want to be part of this group:

• Select a field: You can choose between fields, custom user fields, tags, and sensor
apps fields. You can use the same field multiple times in a group. The table below
lists the available fields:

Search Criteria to Create a Dynamic Asset Group

Alarm Counter: Search asset groups by the number of alarms.

Asset State: Search asset groups by asset state. Depending on your installed sensor, this
state can vary:
  • AWS:
    • Running: Asset (AWS instance) is running.
    • Available: RDS instance is running.
    • Stopped: Asset is not running.
  • VMware / Hyper-V:
    • PoweredOn: Asset is running.
    • PoweredOff: Asset is not running. This state can be used for correlation.
    • Suspended: Asset is not running. This state can be used for correlation.
  • GCP / Azure:
    • Running: Asset is running.
    • Stopped: Asset is not running.

Asset Type: Search asset groups by asset type.

Associated Plugin: Search asset groups by the plugin associated with the asset.

Configuration Issue Counter: Search asset groups by the number of configuration issues.

Description: Search asset groups by the asset description.

Event Counter: Search asset groups by the number of events.

FQDN: Search asset groups by Fully Qualified Domain Name (FQDN).

HIPAA Asset: Search asset groups by Health Insurance Portability and Accountability Act
(HIPAA) Asset, that is, whether the asset is included in the HIPAA Asset Group. See Asset
Group List View for more information.

Instance Type: Search asset groups by instance type.

IP/CIDR: Search asset groups by IP and Classless Inter-Domain Routing (CIDR). CIDR is a
method for allocating IP addresses and routing IP packets; the value is the range of IP
addresses that defines the network.

Name: Search asset groups by the name of the asset.

Operating Service: Search asset groups by operating system.

PCI Asset: Search asset groups by Payment Card Industry (PCI) Asset, that is, whether the
asset is included in the PCI Data Security Standard (DSS) Asset Group. See Asset Group List
View and Working with Assets and PCI DSS for more information.

Region: Search asset groups by region.

Sensor: Search asset groups by sensor.

Service: Search asset groups by service.

Software: Search asset groups by software.

UUID: Search asset groups by the universally unique identifier (UUID).

Vulnerability Counter: Search asset groups by the number of vulnerabilities.

Custom User Fields: Search asset groups by the fields you have created. If you have not
created fields, this filter does not display.

Tags: (Only for Amazon Web Services [AWS] Sensors.) Identify asset groups by the tag
assigned to an AWS resource.

Sensor Apps Fields: (Only for AWS Sensors.) Identify asset groups by parameters of the AWS
instance.

Note: The result of a search when you use the Alarm Counter filter or the Event Counter
filter depends on whether an alarm or an event can identify the source or destination as
an asset in the inventory. Your environment can have alarms or events associated with
assets both included in the inventory and those not included in the inventory. Assets
included in the inventory display their names in blue, and assets not included in the
inventory display their names in gray. The alarm and event counter filters only count the
identified (blue) assets.

Important: The alarm and event counts are not updated in real time; they are recalculated
every hour. If the counts look outdated, new events or alarms may have arrived in your
environment since the last count.

• Select an operator: Depending on the selected field, you can choose different
operators. The table below shows the available operators:

Operators to Create a Dynamic Asset Group

>           Greater than
>=          Greater than or equal to
<           Less than
<=          Less than or equal to
Equal       Equal to
IP Range    Range of IP addresses
Like        Search for the specified pattern
Not Equal   Not equal to
Not Like    Not true (the specified pattern does not match)

• Enter the search criteria: Enter the value you want to search for.

Note: You can use the same field multiple times in a group.

6. Click the icon to add your search criteria.

You can click this icon again to add more fields. You can use the same field multiple times
in a group.
7. Click Apply Criteria.

8. Click Save.

Note: You can also add a dynamic asset group from the Setup Wizard, by scanning a
network.

How to Create a PCI Dynamic Asset Group

Role Availability Read-Only Investigator Analyst Manager

In this example, you create a PCI dynamic asset group that tags instances in AWS as PCI
compliant. The asset group tags all matching instances automatically, so you do not have to
mark them manually, and the compliance scanners keep working as the instances auto-scale.

To create a PCI Dynamic Asset Group for tagging instances in AWS

1. Go to Environment > Asset Groups.


2. Select Actions > Dynamic.
3. Enter the name of the asset group, for example PCI Dynamic Asset Group.
4. (Optional.) Enter a description for identifying this group.
5. Add the search criteria for the assets you want to be part of this group. Select AWS Tag
aws:autoscaling:groupName.
6. Select Equal and enter PCI.
7. Click the icon.

8. Click Apply Criteria.

9. Click Save.
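The following Python model is an added example, not code from the guide or from USM Anywhere: it shows how criteria such as the PCI tag rule above, and the field and operator tables in Creating a Dynamic Asset Group, select assets from an inventory, so you can sanity-check a rule set before saving a group. The constructed inventory, the "tag:" prefix used to address an AWS tag, the glob-style wildcards assumed for Like, the "start-end" or CIDR syntax assumed for IP Range, and the AND combination of several criteria are this example's own assumptions; the guide does not document how USM Anywhere evaluates its rules internally.

```python
"""Model of how dynamic asset group criteria select assets.

Added example, not USM Anywhere code. Assumptions (not from the guide): assets are
plain dicts keyed by the field names in the guide's table, AWS tags live under "tags",
"IP Range" values are "start-end" or a CIDR block, "Like" patterns use glob-style
* and ? wildcards, and several criteria in one group are ANDed.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Criterion:
    field: str      # a field name from the guide's table, or "tag:<key>" for an AWS tag
    operator: str   # one of the operators in the guide's operator table
    value: str      # the search criteria text as typed in the UI


def _in_ip_range(actual: Any, spec: str) -> bool:
    """IP Range: 'a.b.c.d-w.x.y.z' (inclusive) or a CIDR block (assumed syntax)."""
    addr = ipaddress.ip_address(str(actual))
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr in ipaddress.ip_network(spec, strict=False)


OPERATORS: Dict[str, Callable[[Any, str], bool]] = {
    ">": lambda a, v: float(a) > float(v),
    ">=": lambda a, v: float(a) >= float(v),
    "<": lambda a, v: float(a) < float(v),
    "<=": lambda a, v: float(a) <= float(v),
    "Equal": lambda a, v: str(a) == v,
    "Not Equal": lambda a, v: str(a) != v,
    "Like": lambda a, v: fnmatch.fnmatchcase(str(a), v),
    "Not Like": lambda a, v: not fnmatch.fnmatchcase(str(a), v),
    "IP Range": _in_ip_range,
}


def _lookup(asset: Dict[str, Any], field: str) -> Any:
    if field.startswith("tag:"):
        return asset.get("tags", {}).get(field[len("tag:"):])
    return asset.get(field)


def matches(asset: Dict[str, Any], criterion: Criterion) -> bool:
    """True when the asset satisfies one criterion; a missing field never matches."""
    actual = _lookup(asset, criterion.field)
    if actual is None:
        return False  # e.g. an instance that carries no aws:autoscaling:groupName tag
    try:
        return OPERATORS[criterion.operator](actual, criterion.value)
    except ValueError:  # non-numeric value for a numeric operator, or a malformed IP
        return False


def group_members(assets: List[Dict[str, Any]], criteria: List[Criterion]) -> List[str]:
    """Names of the assets that satisfy every criterion (assumed AND semantics)."""
    return [a["Name"] for a in assets if all(matches(a, c) for c in criteria)]


# Constructed inventory for the demonstration (not real hosts).
INVENTORY = [
    {"Name": "web-01", "IP/CIDR": "10.0.1.10", "Vulnerability Counter": 3,
     "tags": {"aws:autoscaling:groupName": "PCI"}},
    {"Name": "web-02", "IP/CIDR": "10.0.1.20", "Vulnerability Counter": 0,
     "tags": {"aws:autoscaling:groupName": "PCI"}},
    {"Name": "db-01", "IP/CIDR": "10.0.2.5", "Vulnerability Counter": 7,
     "tags": {"aws:autoscaling:groupName": "internal"}},
    {"Name": "bastion", "IP/CIDR": "192.168.50.4", "Vulnerability Counter": 1},
]

# The guide's PCI example: AWS tag aws:autoscaling:groupName Equal PCI.
PCI_GROUP = [Criterion("tag:aws:autoscaling:groupName", "Equal", "PCI")]
# Assets in the 10.0.0.0/16 block that still carry at least one vulnerability.
VULNERABLE_INTERNAL = [
    Criterion("IP/CIDR", "IP Range", "10.0.0.0/16"),
    Criterion("Vulnerability Counter", ">", "0"),
]

if __name__ == "__main__":
    print("PCI:", group_members(INVENTORY, PCI_GROUP))
    print("Vulnerable internal:", group_members(INVENTORY, VULNERABLE_INTERNAL))
```

Running the script prints the members of each group. Note that an asset without the tag is excluded from the PCI group even under Not Equal, and, as the guide's Important note says, counter fields such as Vulnerability Counter are only recalculated hourly in the product, so a freshly scanned asset may join a counter-based group later than this offline model suggests.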

How to Create a Dynamic Asset Group Based on a Sensor

Role Availability Read-Only Investigator Analyst Manager

In this example we are going to create a dynamic asset group based on a sensor. This is
helpful when you have more than one USM Anywhere Sensor deployed in your environment.
The asset group tags all assets monitored by the same sensor automatically. You do not have
to mark them manually.

To create a dynamic asset group based on a sensor

1. Go to Environment > Asset.

2. From the Sensor filter on the left, select the USM Anywhere Sensor you want to create
the asset group for.

The page reloads showing only the assets monitored by the selected sensor.

3. (Optional.) Add filters to limit the assets to more specific criteria.

4. Select Actions > Add to Asset Group.

The Add Assets to Group dialog box displays.

5. Enter a name and description for the asset group.

6. Click Save.

The asset group is created. You can find it under Environment > Asset Groups.

Asset Group List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view for managing your asset groups. Go to
Environment > Asset Groups to see this view. It has the same look and feel as the asset
list view, and the functionalities are the same as well. The difference is that in this
view you are managing asset groups instead of assets.

By default, AT&T Cybersecurity creates these dynamic asset groups:

• Assets with Agents: Asset group containing assets with agents.
• Assets with Alarms: Asset group containing assets with alarms.
• Assets with Vulnerabilities: Asset group containing assets with vulnerabilities.
• Database Servers: Asset group containing database servers.
• HIPAA: Asset group containing Health Insurance Portability and Accountability Act (HIPAA)
assets. HIPAA is a standard for protecting sensitive patient data.
• Linux Assets: Asset group containing Linux systems.
• PCI DSS: Asset group containing Payment Card Industry (PCI) assets.
• Web Servers: Asset group containing web servers.
• Windows Assets: Asset group containing Microsoft Windows systems.

USM Anywhere also creates a default asset group for each Amazon Web Services (AWS)
Elastic Load Balancing (ELB) instance in your environment. The AWS Sensor ELB group
includes the ELB instance and any AWS Sensor instance connected to the load balancer and
registered with the ELB service. USM Anywhere automatically discovers and enables you to
collect ELB access logs if you have ELB access logging enabled.

Note: It is not possible to edit or delete a dynamic asset group created by default.

The asset groups page displays the asset group inventory and information on those asset
groups. On the left you can find the search and filter options. In the upper part of the page,
you can see any filters you have applied, and you have the option to create and select
different views of the asset groups. The main part of the page is the actual list of asset
groups. Each row describes an individual asset group.

If you want to analyze the data, you can maximize the screen and hide the filter pane. Click
the icon to hide the filter pane. Click the icon to expand the filter pane.

USM Anywhere creates by default static and dynamic asset groups. See Creating an Asset
Group.

Asset Group List field descriptions

Group Name: Name of the group.

Group Description: Text identifying the group.

Assets: Number of assets in the group.

Asset Grouping: Type of asset grouping: static or dynamic.

Created: Exact date of creation of the asset group. The displayed date depends on your
computer's time zone.

Next to the asset group name, click the icon to access these options:

• Full Details: See Viewing Assets Details for more information.
• Asset Group Scan: This option displays depending on the USM Anywhere Sensor associated
with the asset. See Running Asset Groups Scans for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: This option displays depending on the USM Anywhere Sensor associated
with the asset. See Running Authenticated Asset Scans for more information.
• Configuration Issues: This option opens the Asset Group Details page with the Configuration
Issues tab selected. See Viewing Assets Details for more information.
• Vulnerabilities: This option opens the Asset Group Details page with the Vulnerabilities tab
selected. See Viewing Assets Details for more information.
• Alarms: This option opens the Asset Group Details page with the Alarms tab selected. See
Viewing Assets Details for more information.
• Events: This option opens the Asset Group Details page with the Events tab selected. See
Viewing Assets Details for more information.

You can choose the number of items to display by selecting 20, 50, or 100 below the table.
You can sort some columns by clicking the icons to the right of the column heading, in
ascending or descending order.

Click Generate Report to open the Configure Report dialog box. The management of this
feature is similar to the one for assets, see Create an Assets Report for more details.

Select Actions > Static or Actions > Dynamic to create an asset group. See Creating a Static
Asset Group and Creating a Dynamic Asset Group for more details.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking
the icon. This will display all of your bookmarked items and provide direct links to
each of them.

Views
You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, select the filters you want to apply.

2. Go to Save View > Save As.

The Save Current View dialog box opens.

3. Enter a name for the view.


4. Select Share View if you want to share your view with other users.
5. Click Save.

The created view is already selected.

To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.

Note: A shared view includes the icon next to its name.

3. Click Apply.

To delete a configured view

1. From the Asset Groups list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can delete the views you have created.

3. Click Accept.

Important: The icon does not display if the view is selected.

Searching Asset Groups

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes the option of searching items of interest on the page. There are
several filters displayed by default. You can either filter your search or enter what you are
looking for in the search field.

You can configure more filters and change which filters to display by clicking the Configure
Filters link located in the upper-left side of the page. The management of filters is similar to
that for assets. See Managing Filters for more information.

Filters Displayed by Default in the Main Asset Groups Page

Asset Grouping: Filter asset groups by "Static" or "Dynamic".

Advanced Search: Use this filter to search for a specific value of a field. The advanced
search is similar to that for assets. See Advanced Search Filter for more information.

Sensor: Filter asset groups by the associated sensor.

Asset Origin Type: Filter asset groups by who added the asset group to the system.

Instance Type: (Only for the AWS Sensor.) Filter asset groups by AWS instance type.

Region: (Only for the AWS Sensor.) Filter asset groups by AWS region.

Operating System: Filter asset groups by operating system.

Asset Type: Filter asset groups by asset type. See USM Accepted Asset Types for more
information.

Associated Plugin: Filter asset groups by assets that have plugins manually enabled.

Service: Filter asset groups by service.

Software: Filter asset groups by software.

Note: Keep in mind that the "Enter search phrase" box and the "Asset Grouping" filter
search the asset groups themselves. The rest of the filters search the members of the
asset groups. As long as at least one member of an asset group matches the selected
filter, USM Anywhere displays that asset group, even if only a single member matches.

The number in brackets displayed next to each filter value indicates the number of items
that match it. You can also use the filter controls to organize your search and filtered
results.

Two icons are displayed with each filter box.

Icons Next to the Filter Title

• The first icon sorts the filters alphabetically.
• The second icon sorts the filters by the number of items that match them.

In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.

Note: When applying filters, the search uses the logical AND operator if the used filters
are different. However, when the filter is of the same type, the search uses the logical
OR operator.

Filters that have more than 10 options include a Filter Values search field, so you can type
text to narrow the values. If there are more than 50 search results, an icon appears to the
right of the Filter Values search field. Click this icon to download a CSV containing up to
1024 results.

USM Anywhere enables you to toggle the mode of search. The available modes are Standard
and Advanced. You can change from one mode to the other by clicking the icon or
clicking the icon located in the upper left corner of the page.

Standard Mode
This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

1. Go to Environment > Asset Groups.


2. In the upper-left corner of the page, click the icon.

This turns the icon gray.

Note: If you exit the advanced mode and the selected filters are not compatible with
the standard mode, a warning dialog box opens to inform you the current filters will
be removed.

Advanced Mode
Advanced mode enables you to select more than one value per filter at the same time. This
mode is off by default.

To activate the advanced mode

1. Go to Environment > Asset Groups.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

To perform a search in the advanced mode

1. Go to Environment > Asset Groups.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

3. Click the filters that you want to select.

The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page,
click Apply.

The result of your search displays.

To search all values of a filter

1. Go to Environment > Asset Groups.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

Searching Asset Groups by Using the Search Field


Use the search field to enter queries and refine your search. You can enter free text, use
wildcards, and use advanced search syntax. When searching, keep in mind the accepted query
string syntax listed in this table.

Accepted Query String Syntax

Standard query with a blank space between terms: By default, a space between query terms
is considered an implicit "OR".
  Example: denylist malicious

Literal, using double quotes (""): Matches fields that contain the full term. Literal
searches are case-sensitive.
  Example: "Event from asset not received"
  Note: This type of query will not match any searches in the raw log unless the phrase
  included in double quotes is an exact and complete match to the contents of the raw log.
  Note: IP addresses and FQDNs are considered literal searches, so they don't require
  quotation marks.

Boolean operators or using parentheses (AND, OR, NOT, ( )): Including AND or OR between
two search terms will search for results that match both of those terms. Including NOT
between two search terms will exclude results that match the second term, even though
they otherwise match your query. Parentheses can be used to group terms for higher
precedence relative to the rest of your query. Parentheses are also used to designate
subsearches.
  Example: (http OR tcp) AND ftp

Wildcards, asterisk (*): Appending an asterisk to the end of a term within your query will
search for results that begin with your search term. An asterisk cannot be used at the
beginning of a search query.
  Example: instance*

Wildcards, question mark (?): Embedding a question mark in the middle of a term will
search for results that otherwise match your query, no matter the value in the position
held by the question mark in your search term. A question mark cannot be used at the
beginning of a search query.
  Example: qu?ck

Regular expression (regex), using /expression/: Regular expression inside forward slash
characters. A dialog box opens to confirm the search.
  Example: /Describe.*Instances/
  Note: The characters ", *, ?, (, and ) are special characters in expressions. If you want
  to search for these characters, you need to escape them manually by preceding them with
  a backslash.

OTX pulse: Pulses are collections of Indicators of Compromise (IOCs). Enter the word pulse
followed by a colon and the pulse ID or URL.
  Example: pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be
escaped. The reserved characters are these:

+-=&|><!{}[]^"~:\/

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).

To search for Asset Groups using the search field

1. Go to Environment > Asset Groups.


2. Enter your query in the search field.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

Note: Wildcard characters are considered as literal characters.

3. Click the icon.

The result of your search displays with the items identified.

Advanced Search Filter on Asset Groups


The Advanced Search filter enables you to enter a search value on a selected field.

The following table shows the filter fields that you can find in the first drop-down list.

Advanced Search Fields (First Drop-Down List)

Name: Filter asset groups by the name of the asset.

Description: Filter asset groups by the asset description.

UUID: Filter asset groups by the universally unique identifier (UUID).

IP/CIDR: Filter asset groups by IP and Classless Inter-Domain Routing (CIDR). CIDR is a
method for allocating IP addresses and routing IP packets; the value is the range of IP
addresses that defines the network.

FQDN: Filter asset groups by Fully Qualified Domain Name (FQDN).

Asset Type: Filter asset groups by asset type.

Instance Type: Filter asset groups by instance type.

Region: Filter asset groups by region.

Operating System: Filter asset groups by operating system.

Service: Filter asset groups by service.

Software: Filter asset groups by software.

Associated Plugin: Filter asset groups by the plugin associated with the asset.

Alarm Counter: Filter asset groups by the number of alarms.

Event Counter: Filter asset groups by the number of events.

Vulnerability Counter: Filter asset groups by the number of vulnerabilities.

Configuration Issue Counter: Filter asset groups by the number of configuration issues.

PCI Asset: Filter asset groups by Payment Card Industry (PCI) Asset, that is, whether the
asset is included in the PCI Data Security Standard (DSS) Asset Group. See Asset Group List
View and Working with Assets and PCI DSS for more information.

HIPAA Asset: Filter asset groups by Health Insurance Portability and Accountability Act
(HIPAA) Asset, that is, whether the asset is included in the HIPAA Asset Group. See Asset
Group List View for more information.

Custom User Fields: Filter asset groups by the fields you have created. If you have not
created fields, this filter does not display.

Note: The result of a search when you use the Alarm Counter filter or the Event Counter
filter depends on whether an alarm or an event can identify the source or destination as an
asset in the inventory. Your environment can have alarms or events associated with
assets both included in the inventory and those not included in the inventory.

The following table shows the operators that you can find in the second drop-down list.

Advanced Search Fields (Second Drop-Down List)

>              Greater than.
>=             Greater than or equal to.
<              Less than.
<=             Less than or equal to.
Equal          Equal to.
IP Range       Range of IP addresses.
Is Empty       Include assets with no IP addresses. This operator is available only for
               IP/CIDR.
Is Not Empty   Include assets with IP addresses. This operator is available only for IP/CIDR.
Like           Search for the specified pattern.
Not Equal      Not equal to.
               Important: Some filters don't include the NOT operator (for example,
               Services or Software).
Not Like       Not true (the specified pattern does not match).

The following table shows the query string syntax that you can use in the search field.
You can enter free text, use wildcards, and use advanced search syntax. When searching,
keep in mind the accepted query string syntax listed in this table.

Accepted Query String Syntax

Standard query with a blank space between terms: By default, a space between query terms
is considered an implicit "OR".
  Example: denylist malicious

Literal, using double quotes (""): Matches fields that contain the full term. Literal
searches are case-sensitive.
  Example: "Event from asset not received"
  Note: This type of query will not match any searches in the raw log unless the phrase
  included in double quotes is an exact and complete match to the contents of the raw log.
  Note: IP addresses and FQDNs are considered literal searches, so they don't require
  quotation marks.

Boolean operators or using parentheses (AND, OR, NOT, ( )): Including AND or OR between
two search terms will search for results that match both of those terms. Including NOT
between two search terms will exclude results that match the second term, even though
they otherwise match your query. Parentheses can be used to group terms for higher
precedence relative to the rest of your query. Parentheses are also used to designate
subsearches.
  Example: (http OR tcp) AND ftp

Wildcards, asterisk (*): Appending an asterisk to the end of a term within your query will
search for results that begin with your search term. An asterisk cannot be used at the
beginning of a search query.
  Example: instance*

Wildcards, question mark (?): Embedding a question mark in the middle of a term will
search for results that otherwise match your query, no matter the value in the position
held by the question mark in your search term. A question mark cannot be used at the
beginning of a search query.
  Example: qu?ck

Regular expression (regex), using /expression/: Regular expression inside forward slash
characters. A dialog box opens to confirm the search.
  Example: /Describe.*Instances/
  Note: The characters ", *, ?, (, and ) are special characters in expressions. If you want
  to search for these characters, you need to escape them manually by preceding them with
  a backslash.

OTX pulse: Pulses are collections of Indicators of Compromise (IOCs). Enter the word pulse
followed by a colon and the pulse ID or URL.
  Example: pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be
escaped. The reserved characters are these:

+-=&|><!{}[]^"~:\/

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).
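The query string syntax is described both under Searching Asset Groups by Using the Search Field and here under Advanced Search Filter on Asset Groups. The following Python helper is an added example, not code from the guide or from USM Anywhere: it tokenizes a query according to the Accepted Query String Syntax table, escapes the reserved characters listed above, and flags the rule violations the table calls out (a leading wildcard, an unterminated quote or regex, unbalanced parentheses) before a query is typed into the UI or built by a script. The token names, the exact grammar, and treating only uppercase AND/OR/NOT as operators are this example's assumptions; the product's own parser is not documented here.

```python
"""Tokenizer and pre-checks for the search field's query string syntax.

Added example, not USM Anywhere code. The grammar below is an assumption that mirrors
the guide's Accepted Query String Syntax table: quoted literals, /regex/, pulse:ID,
uppercase AND/OR/NOT, parentheses, plain terms with * and ? wildcards, and the
reserved characters that must be backslash-escaped.
"""
import re
from typing import List, Tuple

# Reserved characters listed in the guide; escape each with a backslash in a literal value.
RESERVED = set('+-=&|><!{}[]^"~:\\/')

TOKEN_RE = re.compile(
    r"\s*(?:"
    r'(?P<literal>"(?:[^"\\]|\\.)*")'        # "exact phrase", case-sensitive
    r"|(?P<regex>/(?:[^/\\]|\\.)*/)"         # /expression/
    r"|(?P<pulse>pulse:\S+)"                 # OTX pulse ID or URL
    r"|(?P<paren>[()])"                      # grouping / subsearch
    r"|(?P<bool>\b(?:AND|OR|NOT)\b)"         # boolean operators (uppercase, as in the guide)
    r'|(?P<bare>(?:[^\s()"/\\]|\\.)+)'       # plain term, may contain * or ? wildcards
    r")"
)


def escape_term(term: str) -> str:
    """Backslash-escape every reserved character so the term is taken literally."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in term)


def tokenize(query: str) -> List[Tuple[str, str]]:
    """Split a query into (kind, text) tokens.

    Raises ValueError on an unterminated quote or regex, which would otherwise reach
    the UI as a broken query.
    """
    tokens: List[Tuple[str, str]] = []
    query = query.strip()
    pos = 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"unterminated or invalid token at offset {pos}: {query[pos:]!r}")
        kind = m.lastgroup
        tokens.append((kind, m.group(kind)))
        pos = m.end()
    return tokens


def validate(query: str) -> List[str]:
    """Return the rule violations found; an empty list means the query looks acceptable."""
    problems: List[str] = []
    try:
        tokens = tokenize(query)
    except ValueError as exc:
        return [str(exc)]
    # The guide: an asterisk or question mark cannot begin a search query.
    if tokens and tokens[0][0] == "bare" and tokens[0][1][0] in "*?":
        problems.append("a query cannot begin with a * or ? wildcard")
    depth = 0
    for kind, text in tokens:
        if kind == "paren":
            depth += 1 if text == "(" else -1
            if depth < 0:
                problems.append("closing parenthesis without a matching opening one")
                break
    if depth > 0:
        problems.append("unclosed parenthesis")
    return problems


if __name__ == "__main__":
    for q in ["(http OR tcp) AND ftp", "*instance", '"Event from asset']:
        print(repr(q), "->", validate(q) or "ok")
    print(escape_term("C:\\Windows\\Temp"))  # a constructed path with reserved characters
```

Because a bare space is an implicit OR, `tokenize` keeps adjacent plain terms as separate `bare` tokens rather than joining them; wrap a multi-word phrase in double quotes (or pass it through `escape_term` first when it contains reserved characters) to search for it literally, exactly as the guide's procedure for exact phrases requires.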

To search asset groups using the advanced search filter

1. Go to Environment > Asset Groups.

2. Below Advanced Search filter, click Add Filter.

3. Select a field from the first drop-down list.

See Advanced Search Fields (First Drop-Down List) for more information.

4. Select an operator from the drop-down list.

Important: Depending on the field you have chosen in the first drop-down list, the
operators vary.


See Advanced Search Fields (Second Drop-Down List) for more information.

5. Enter the search value.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

6. Click the icon.

7. Click Add Filter if you want to add a new search.


8. Click the icon.

9. Click Apply.

The result of your search displays with the assets identified.

Running Asset Groups Scans


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to run a scan against assets included in an asset group. To
accomplish this, the scanner sends crafted packets to the target asset group and analyzes
the responses. This is not an authenticated scan.

Note: If you want to discover new assets, you can run an asset discovery scan. See
Running an Asset Discovery for more information.

To run an asset group scan from Asset Groups

1. Go to Environment > Asset Groups.

• Next to the asset group name that you want to scan, click the icon, select Full Details, and then select Actions > Asset Group Scan.

or

• Next to the asset group name that you want to scan, click the icon and select Asset Group Scan to directly start the asset group scan.

2. Select the scan profile that you want to run:

• Discovery: This profile scans the known ports and services searching for the most-used ports. (There are 4573 ports.)
• Complete: This profile scans all TCP and UDP ports to find the possible ports in a deployment. (There are 65535 ports.)
• Vulnerability Discovery: Performs general network discovery and checks for specific known vulnerabilities. It only reports results if they are found.
• Extended Vulnerability Discovery: Performs a Vulnerability Discovery scan, which actively discovers more about the network.
• Intensive Vulnerability Discovery: Performs several tasks to discover vulnerabilities, which uses a significant number of resources on the targeted machine. Because of this, sensitive targets may perceive a brief disruption on their services.

3. Select Set Debug Mode if you want to log the results of the scan or if you have a problem
with a scan.

This option is disabled by default.


Note: The Set Debug Mode option must be used only for debugging purposes
because it needs a large amount of disk space for the file or files that it generates.
Only AT&T Cybersecurity Technical Support should review these files. You can
contact this department for more information.

4. Click Scan.

5. In the Asset Groups details page, click Scan History in the table area to display the results
of the scan.

You can see the status of each scan and the details. USM Anywhere also creates a system
event named Asset Scanner Result with the same details.

Note: See Scheduling Asset Group Scans from Asset Groups and Scheduling Asset
Groups Scans from the Job Scheduler Page for more information about how to
schedule an asset group scan.

Running an Asset Discovery


Asset Discovery finds and provides you visibility into the assets in your environments. You can
discover all the IP-enabled devices on your network, determining what software and services
are installed on them, how they are configured, and which active threats are being executed
against them.

To run an asset discovery from Settings

1. Go to Data Sources > Sensors to open the Sensors page.


2. Click the sensor you want to run an asset discovery.
3. Click the Asset Discovery tab to open the Asset Discovery window.

Important: Make sure when you use a virtual private network (VPN) using a Cisco
Firewall, that arp-proxy is enabled in the firewall. Otherwise, all the assets will be
reported using the same media access control (MAC) address, and USM Anywhere
will consider all of them to be different interfaces for the same asset.

4. Click Yes to scan the network.

This step may be different depending on the sensor you have installed.

Note: In Amazon Web Services (AWS) Sensors, this option is not available because
the instances are automatically set.

5. Click Scan Another to start a new scan or click Next to continue with the following step.


6. In the Asset Groups details page, click Scan History in the table area to display the results
of the scan.

You can see the status of each scan and the details. USM Anywhere also creates a system
event named Asset Scanner Result with the same details.

Important: If you run Asset Discovery in an environment that discovers assets using
a native application (AWS, Google Cloud Platform [GCP], Microsoft Azure, VMware,
etc.), or in a Dynamic Host Configuration Protocol (DHCP) network environment,
then you could potentially duplicate assets in USM Anywhere. You can configure
local DNS Nameservers to avoid duplicate assets from being created and update
existing assets with the new and correct IP Address. See Defining the DNS
Nameservers for more information.

Running Authenticated Asset Groups Scans

Role Availability Read-Only Investigator Analyst Manager

An authenticated asset scan verifies scanned IPs within an Asset Group and detects
vulnerabilities. Log in as administrator or root to perform an authenticated scan. See
Managing Credentials in USM Anywhere for more information.

Warning: Keep in mind that an authenticated scan may fail if the local mail exchanger,
which applies to Linux hosts, is enabled in the target asset.

Asset Scan Credentials and Escalation Options

Operating System: Linux, BSD, Solaris, or macOS
  Method and Credentials: SSH password or public key authentication
  Escalation: sudo or su

Operating System: Windows
  Method and Credentials: Windows username and password through Windows Remote Management
  Escalation: None


To run an authenticated asset scan from Asset Groups

1. Go to Environment > Asset Groups.

• Next to the asset group name that you want to scan, click the icon, select Full Details, and then click Actions > Authenticated Scan.

or

• Next to the asset group name that you want to scan, click the icon and select Authenticated Scan to directly start the asset group scan. If the option is not enabled, you will need to add a credential. See Managing Credentials in USM Anywhere.

Important: Credentials assigned directly to an asset have higher priority than those
assigned to an asset group.

2. In the asset group details page, click Scan History in the table area to display the results
of the scan.

You can see the status of each scan and its details, which informs you if the scan has been
successful or not. You can also click a line to expand the asset group row to check the
individual asset results.

Each asset group has a Scan Details link you can click to download a zip file containing
the details of the recent scan. The link is only present for the most recent scan of each
asset, and is available for one week after the scan has been run.

Click Scan Details to download the zip file:

• If you click Scan Details located in the asset group job row, the downloaded file will include one file per scanned asset.
• If you click Scan Details located in the individual asset results, the downloaded file will include the information for just that asset.

Note: You can see the vulnerabilities that the scan has found below the
Vulnerabilities Events tab.

Scheduling Asset Group Scans from Asset Groups


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to include scans for scheduling using its web user
interface (UI). See USM Anywhere Scheduler for more information.

Scheduling Asset Group Scans


To schedule an asset group scan job from the asset group details window

1. Go to Environment > Asset Groups.


2. Click the icon you want to include in an asset group scan and select Full Details.

3. Click Actions > Schedule Scan Job.

The Schedule New Job dialog box opens.


1. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

2. In the Action Type field, select Asset Scanner.

Depending on the USM Anywhere Sensor that you have installed, this field can include
different options.

3. Select a USM Anywhere sensor in case you have more than one installed.
4. Select the App Action:


Asset Discovery

Discovers assets in your environment, detects changes in assets, and discovers malicious
assets in the network.

• Select Existing Asset Group: In the Enter asset group name field, search for the asset groups to scan. These asset groups already exist, and you can search for them by entering the name of the asset group or by browsing for them.
• Create New Asset Group to Scan Using CIDR Block: You can create a new asset group from a Classless Inter-Domain Routing (CIDR) block. You need to indicate the CIDR block and the network name you want to scan. This option discovers new assets and scans the discovered assets.

Important: Use the Create New Asset Group to Scan Using CIDR Block option for
creating new CIDR-based asset groups without leaving the scheduler form. After
clicking Save, a new asset group based on the selected CIDR is created.

Your scan job will have the Select Existing Asset Group option selected and the
CIDR-based asset group assigned automatically.

Important: Make sure when you use a virtual private network (VPN) using a Cisco
Firewall, that arp-proxy is enabled in the firewall. Otherwise, all the assets will be
reported using the same media access control (MAC) address, and USM
Anywhere will consider all of them to be different interfaces for the same asset.


Asset Group Scan

Discovers services, operating systems, hostnames, IP and MAC addresses, and vulnerabilities of known hosts. This option scans the assets that are already in the group.

The Asset Group field displays the name of the asset group to scan. You can't modify this
field.

5. In the App Action field, the Asset Group Scan is the default option.

6. Select the scan profile that you want to run:

• Discovery: This profile scans the known ports and services searching for the most-used ports. (There are 4574 ports.)
• Complete: This profile scans all TCP and UDP ports to find the possible ports in a deployment. (There are 65535 ports.)
• Vulnerability Discovery: Performs general network discovery and checks for specific known vulnerabilities. It only reports results if they are found.
• Extended Vulnerability Discovery: Performs a Vulnerability Discovery scan, which actively discovers more about the network.
• Intensive Vulnerability Discovery: Performs several tasks to discover vulnerabilities, which uses a significant number of resources on the targeted machine. Because of this, sensitive targets may perceive a brief disruption on their services.

7. (Optional.) Select the assets you want to exclude from the scan.

8. Select Set Debug Mode if you want to log the results of the scan or if you have a problem
with a scan.

This option is disabled by default.

Note: The Set Debug Mode option must be used only for debugging purposes
because it needs a large amount of disk space for the file or files that it generates.
Only AT&T Cybersecurity Technical Support should review these files. You can
contact this department for more information.

9. In the Schedule section, specify when USM Anywhere runs the job:


a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.


This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

10. Click Save.

The job now displays in the job scheduler list.

Note: See USM Anywhere Scheduler for more information.

Scheduling Authenticated Asset Group Scans from Asset Groups

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to include authenticated scans for scheduling using its
web user interface (UI). See USM Anywhere Scheduler for more information.

To schedule an authenticated asset group scan job from the asset group details
window

1. Go to Environment > Asset Groups.


2. Click the icon you want to include in an asset scan and select Full Details.

3. Select Actions > Schedule Scan Job.

The Schedule New Job dialog box opens.


1. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

2. In the Action Type field, select Authenticated Asset Scanner.


3. Select a sensor in case you have more than one installed.
4. In the App Action field, Asset Group Scan is the default option.
5. In the Asset Group field, you can either enter the asset group name or browse asset
groups.

6. In the Schedule section, specify when USM Anywhere runs the job:


a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.


This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

7. Click Save.

The job now displays in the job scheduler list.

Note: See USM Anywhere Scheduler for more information.

Configuring an Asset Group

Role Availability Read-Only Investigator Analyst Manager

Configuring a Static Asset Group


To configure a static asset group

1. Go to Environment > Asset Groups.


2. Click the icon you want to configure and select Configure Asset Group.

3. Modify the name of the asset group if you need to. This field is required.
4. (Optional.) Modify the description if you need to.
5. You can add search criteria to the group. Click Apply Criteria if you want to add the
searched criteria.
6. You also can modify or delete assets from the group by clicking the or icons.

7. Use Delete to delete the group or Cancel to discard changes.


8. Click Save.

Configuring a Dynamic Asset Group


To configure a dynamic asset group

1. Go to Environment > Asset Groups.


2. Click the icon you want to configure and select Configure Asset Group.

3. Modify the name of the asset group if you need to. This field is required.
4. (Optional.) Modify the description.


5. Search the assets you want to add to the group and click Add Asset or Scan Network.

If you click Scan Network, type the name of a network and the CIDR block to specify the
subnet's IP Address block that you want to scan.

6. You can also delete assets from the group by clicking the icon. You can view a specific asset by clicking the icon.

7. Use Cancel to discard the changes and Delete to delete the group.
8. Click Save.

Viewing Asset Group Details

Role Availability Read-Only Investigator Analyst Manager

From the Asset Group List view, you can display the details of an asset group.

To view the details of an asset group

1. Go to Environment > Asset Groups.


2. Click the icon whose details you want to view.

3. Select Full Details.

In the asset groups details, on the upper left side of the page, you see the name, the
description, the type of grouping, the number of assets that are part of that group, and the
criteria of grouping.

On the right, you see the status summary for your asset group. It displays the total number of
configuration issues, vulnerabilities, alarms, and events. The circle can display in orange (for
alarms and configuration issues), blue for events, and red for vulnerabilities. There is a number
inside each circle to indicate the number of alarms, events, vulnerabilities and configuration
issues associated with the members of the asset group. You can click each circle to explore
the information of each one.

Note: Configuration Issues are only available for AWS and Azure Sensors.

At the bottom, there is a table area with tabs, some of which correspond to the circles. Each
tab contains a table with records, if present, for your asset group.


Asset Groups Details view tab description

Assets: Assets that are part of the group. Click View to go to the details of the asset.

Software: Software installed on the assets of the group.

Services: Services available on the assets of the group.

Alarms: Alarms related to the assets of the group. There is a bubble graph that provides a graphical representation of alarms by intent. Blue circles indicate the number of times that an alarm in an intent showed. A bigger circle indicates a higher number of alarms. You can hover over each of the circles to get the actual number of different types of intent. In addition, if you click any of the blue circles, they display only the alarms corresponding to that circle. You can change the displayed period of time by clicking the Last 24 Hours filter.

Events: Events related to the assets of the group. Click an event to see its details.

Vulnerabilities: Vulnerabilities related to the assets of the group. You can filter the active or inactive vulnerabilities by clicking the specific radio button. Click a vulnerability to see its details.

Note: Multiple rows may display for the same vulnerability if it has been reported by more than one source. This may result in a discrepancy between the numbers displayed on the Vulnerabilities tab at the bottom and in the Vulnerabilities counter at the upper right of this page.

Configuration Issues: Information about operational processes. You can filter the active or inactive configuration issues by clicking the specific radio button. Click a configuration issue to see its details.

History: Additions and removals to the group.

Scan History: List of the asset scans already run. It includes a time-stamp of the scan, the scan type, the status, and the details of each scan. You can also click the Scan Details link here to download a file containing the details of the most recent authenticated asset group scan for up to a week after the scan was run.


The button Actions, located in the upper right side of the page, enables you to access these
options:

• Configure Asset Group, see Configuring an Asset Group for more details.
• Delete Asset Group, see Deleting an Asset Group for more details.
• Edit Fields. This option is similar to the one for Assets, see To assign asset fields to an asset or group of assets for more details.

Note: Keep in mind if you assign an asset field to an asset group, you assign the asset field to its members, not to the asset group.

• Assign Credentials to Group Members. This option assigns credentials to the members of the asset group. This option is similar to the one for Assets, see Managing Credentials in USM Anywhere for more details.
• Assign Agent Profile. This option assigns a specific agent profile to the members of the asset group. See Assigning AlienVault Agent Configuration Profiles to Asset Groups for more information.
• Set Sensor, see To assign a sensor to an asset group for more details.
• Asset Group Scan, see Running Asset Groups Scans.
• Assign Credentials. This option assigns credentials to current members of the Asset Group and Assets added to the group later. See Managing Credentials in USM Anywhere for more details.
• Authenticated Scan, see Running Authenticated Asset Groups Scans.
• Schedule Scan Job, see Scheduling Asset Group Scans from Asset Groups, Scheduling Authenticated Asset Group Scans from Asset Groups, and Scheduling Asset Groups Scans from the Job Scheduler Page for more details.

Deleting an Asset Group

Role Availability Read-Only Investigator Analyst Manager

There are two ways to delete an asset group:

• From the asset groups list view
• From the edit asset group details page

Note: It is not possible to edit or delete a dynamic asset group created by default.


To delete an asset group from the list view

1. Go to Environment > Asset Groups.


2. Next to the asset group you want to delete, click the icon.

3. Select Delete Asset Group to display a new window and confirm the deletion.

4. Click Delete.

To delete an asset group from the edit asset group details page

1. Go to Environment > Asset Groups.


2. Click the icon you want to delete and select Full Details.

3. Select Actions > Delete Asset Group to open a new window and confirm the deletion.
4. Click Delete.


User Behavior Analytics


User behavior analytics (UBA) extends your USM Anywhere Sensor's awareness by enabling it
to track actors as well as assets within your environment. With UBA, USM Anywhere can help
you identify malicious or compromised users, and enable you to better prioritize alarms with
the addition of user data.

In addition to analyzing users, UBA also analyzes each of a user's separate accounts, and
enables you to manually combine detected users to ensure that your user analytics are
accurate. Events and alarms can thus be enhanced with user data, including user entities and
their individual accounts, as either the source user or the destination user.

To incorporate UBA into your USM Anywhere instance, you must provide information about
all users acting in your environment. Each user must be identified by a unique username and
account type.

Once users have been identified, there are several tasks that you must complete to ensure
that complete and actionable data is being captured and acted upon. This chapter describes
these necessary tasks, and covers topics such as user discovery and merging, user scans, user
monitoring, and configuration.

This topic discusses these subtopics:

User List View 283

User Discovery 285

Understanding User Status in User Data Sources 288

Viewing Full User Details 289

Events, Alarms, and Notifications Created When a User's Status Changes 292

Merging Users 294

Deleting Users 297

Importing Users from a CSV File 299


User List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view of users in your environment. To view the user list,
go to Environment > Users.

The Users main page displays user inventory and information on those users. On the left side
of the page, you can find the search and filter options. At the top of the page, you can see any
filters you have applied. The main part of the page is the list of users, where each row
describes an individual user.

If you want to analyze the data and see the additional columns without having to scroll left
and right, you can maximize the screen and hide the filter pane. Click the icon to hide the

filter pane. Click the icon to expand the filter pane.


Note: User entities with no name or service account in their name field appear as
"Unspecified".

The following table lists the default columns that appear in the user list view, and their
descriptions.

List of the Default User List Fields

User: An actor (person or service account) active in your environment (sometimes referred to as the user entity).

Last Seen: The date and time on which that user was last active in your environment.

Email: A list of the email addresses associated with that user entity.

Origins: The name of each sensor in which one of this user's accounts was discovered.

Click the icon to access these options:

• Full Details: Navigate to this user's Full Details page.
• Configure User: Open the Configure User dialog box.
• Merge User: Open the Merge User dialog box.
• Delete User: Delete this user.

Important: Deleting a user is a permanent action and cannot be undone.


User Discovery

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere automatically discovers users in your environment with the user discovery
jobs you have configured. See Scheduling User Discovery Jobs from the Job Scheduler Page
to learn about these jobs and how to configure them.

Users Discovered in Your Environment


USM Anywhere uses the user discovery jobs you have configured to extract and maintain an
updated list of the users who are active in your environment. User accounts are discovered
and matched by comparing specific fields from your environment, that differ between user
authentication mechanisms. This means that the fields USM Anywhere uses to detect and
resolve discovered users in Amazon Web Services (AWS) will differ from the fields used in
Google Cloud Platform (GCP) or Okta. The following table outlines which fields are used in
each user source.

Possible User Entity and Account States

User Source: AWS
  User Account Data: SOURCE_USERNAME and SOURCE_ACCOUNT

User Source: AD
  User Account Data: SOURCE_USERNAME; DESTINATION_USERNAME; SOURCE_USERNAME and SOURCE_NTDOMAIN; DESTINATION_USERNAME and DESTINATION_NTDOMAIN

User Source: Azure AD and Office 365
  User Account Data: SOURCE_USERNAME; DESTINATION_USERNAME

User Source: Okta
  User Account Data: SOURCE_USERNAME; DESTINATION_USERNAME

User Source: G Suite and GCP
  User Account Data: SOURCE_USERNAME; SOURCE_USER_EMAIL; DESTINATION_USERNAME; DESTINATION_USER_EMAIL

To see a list of the users active in your environment and their accounts

1. Go to Environment > Users.

All of your discovered users are listed here.

Note: By default, inactive users are not shown. You can use this list's filters to view
them.

2. Click the name (or the chevron next to the name) of a user whose accounts you want to
view, and then click Full User Details.
This user's accounts are listed under the Accounts tab.


Active and Inactive Users


In addition to detecting which users are active in each environment, USM Anywhere carefully
tracks users and user accounts that have become inactive. This enables USM Anywhere
advanced threat detection capabilities, which take a user's activity and account status into
consideration in generating and prioritizing alarms.

While different user authentication mechanisms each approach users' active status
differently, USM Anywhere normalizes all of those disparate approaches to present one
unified and unambiguous reporting of the status of each user entity and all of its accounts.

Note: See Understanding User Status in User Data Sources to read more about how each user authentication mechanism handles users' statuses.

To view a user entity's or account's status, check the dot next to the username or account
name. When the dot is green, the user or account it represents is active. If it is gray, the user
or account it represents is in a status other than active.

These are the possible user entity and account states:

Possible User Entity and Account States

User Entity
  Active: If any of the user's accounts are active, the user is active.
  Inactive: If all of the user's accounts are in a status other than active, the user is inactive.

User Account
  Active: A user account is active when it's validated and reported by the provider API.
  Disabled: When a user account is disabled by the provider but still reported by the provider API, that user account is considered disabled.
  Retired: When a user account no longer exists in the provider system, that account is considered retired.

  Note: Due to the information provided by AWS, AWS user accounts are marked "retired" when they have not appeared in any scans for 30 days.

Understanding User Status in User Data Sources

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere detects the status of user entities and their accounts, and normalizes those
statuses for you under Environment > Users. To understand how USM Anywhere normalizes
these statuses, review the following table. This table lists the normalized states for each data
source next to the unique states that map to them in the data source.

Note: See Managing Users to read more about how USM Anywhere uses and displays
the normalized states for users and their accounts.

User Account States by User Data Source

AWS
  Retired: The user is no longer listed in Identity and Access Management (IAM).
  Disabled: Unsupported.

Azure
  Retired: The user is deleted from Microsoft Azure Active Directory (AD).
  Disabled: The "Block sign in" value is "Yes".

Active Directory and Office 365
  Retired: The user is sent to the Microsoft Windows Recycle Bin using the delete action.
  Disabled: "disabled" is flagged in the properties dialog box.

GCP
  Retired: The "deletionTime" field has any value.
  Disabled: The account is flagged as "suspended".

Okta
  Retired: The user is deleted from the directory screen.
  Disabled: "userStatus" is set to any value other than "Active".

Viewing Full User Details


Role Availability Read-Only Investigator Analyst Manager

To view a user's full details

1. Go to Environment > Users.


2. Next to the username whose details you want to review, click the icon.

3. Select Full Details.

In the upper left side of the page, you see the details for the user entity, including their
description, last seen datestamp, location, manager, phone number, and emails. On any user
that has been merged, you will see a list of emails.

Across the bottom of the page, you see the accounts, alarms, and events for this user.

User Accounts
You will find all of this user's accounts listed under the Accounts tab.

• Application: The application in which this user account is active.
• Status: The status of the user account. A green circle indicates that the account is active, while a gray circle indicates that the account is inactive. See Understanding User Status in User Data Sources for more information about these statuses.
• Origin: The name of the sensor in which this user account was discovered.
• User Name: The username or service account name associated with this user account.
• Account Name: The organizational account in which this user account exists.
• Description: This description comes from the user account source and is not editable in USM Anywhere.


User Alarms
You will find all of the alarms related to this user account under the Alarms tab. An alarm may
be related to a user if that user was the source of the action (the source user) or was acted
upon (the destination user).

Note: You can filter the alarms list by limiting the Created Date using the dropdown on
the right.

To view a user's alarms

1. Go to Environment > Users.


2. Next to the name of the user whose events or alarms you want to view, click the icon.

3. Select Full User Details.


4. Click the Alarms tab to view this user's alarms.

The columns in the Alarms table are automatically populated from the alarms. See Alarm
Management for more information about these alarm details.

User Events
You will find all of the events related to this user account under the Events tab. An event may
be related to a user if that user was the source of the action (the source user) or was acted
upon (the destination user).

Note: You can filter the events list by limiting the Created Date using the drop-down on
the right.


To view a user's events

1. Go to Environment > Users.


2. Next to the name of the user whose events or alarms you want to view, click the icon.

3. Select Full User Details.


4. Click the Events tab to view this user's events.

The columns in the Events table are automatically populated from the events. See Event
Management for more information about these event details.

Events, Alarms, and Notifications Created When a User's Status Changes

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to configure alarms to alert you when a user's entity or account
status changes. USM Anywhere generates monitoring events that display in the Events List
View page. See Events List View for more information. You can see two types of monitoring
events related to User Behavior Analytics (UBA) user status: user status changed and account
status changed. From these events, you may configure alarm rules to alert you when these
status changes trigger events.


To see events created when a user entity or account status changes

1. Go to Settings > System Events.


2. Locate the Event Name filter and select either User Status Changed or Account Status
Changed.

The result displays the filtered events.

3. Click the event to see its details.


To create alarm rules when a user entity or account status changes

1. Go to Settings > Rules and either:


• Click Create Orchestration Rule > Create Alarm Rule.
• Or click Alarm Rules, and then click Create Alarm Rule.
2. Populate the new alarm rule as described in Alarm Rules.
3. Under Rule Condition, use the Match drop-down list to select system_events.

4. Click Add Condition.

5. Select Event Name, then Equals, and then either User Status Changed or Account
Status Changed.

6. Click Save Rule.

The alarm rule has been created. You can see it from Settings > Rules. See Alarm Rules
from the Orchestration Rules Page for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Merging Users


Role Availability Read-Only Investigator Analyst Manager

If there are user entities in your user list who all represent the same user in your environment,
you have the option of manually merging the entities together. The resulting single user
entity retains associations with all user accounts connected to any of the former user
entities, and after the merge will behave in every way as one single user entity.

When two users are merged, all of the user accounts, activity, and associated alarms and
events from each user entity are unified under a single merged user entity. User details (like
"Description", "Location", and "Phone") are merged using the Primary User principle. During
the merge process, User Behavior Analytics (UBA) will look for user details in your primary
user entity first, and populate the newly merged user entity with those details. If the primary
user has a blank detail field, UBA will use data from the secondary user to populate that field
in the merged user.

Important: Any data from the secondary user that is not included in the resulting
merged user entity will be deleted after the merge process is complete.

The one exception to this rule is a user's email address. If both of your user entities have email
addresses, instead of keeping the primary and discarding the secondary, the resulting merged
user will retain both emails in a comma-separated list. Similarly, every email associated with a
user entity is preserved through the merge process.

Note: While secondary user entities are deleted as part of the merge process, if you
search for a user who has been merged and deleted, your search will automatically
return the user entity into which your searched user was merged.

To merge two users

1. Go to Environment > Users.


2. Next to the user-name of one of the two users you wish to merge, click the icon.

3. Select Full Details.


4. Click Actions, and then click Merge User.

The merge users dialog box opens.

Note: You can also access this dialog by clicking the icon on the User List view.


5. Use the search bar on the right to search for the other user you wish to merge, and select
it from the list.

6. Use the radio buttons to identify one of two entities as the primary.
7. Click Review.


The review window opens. This is where you can preview all of the user accounts that will
be united under your new merged user entity.

8. If all of the accounts are correct, click Merge.

When the merge process completes, you will see a new Full User Details page displaying the
details of your newly merged user.

Deleting Users

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides different ways to delete users from your user behavior monitoring:


• Deleting users from the List view
• Deleting users from the User Details page
• Deleting user accounts from the User Details page

Important: Deleting a user is an action that cannot be undone.

To delete a user from the list view

1. Go to Environment > Users.


2. Next to the username you want to delete, click the icon and select Delete User.

The delete user dialog box opens.

3. Click Delete.

To delete a user from the User Details Page

1. Go to Environment > Users.


2. Next to the username you want to delete, click the icon and select Full Details.

3. Click Actions > Delete User.

The delete user dialog box opens.

4. Click Delete.


To delete a user account

1. Go to Environment > Users.


2. Next to the name of the user whose account you want to delete, click the icon and

select Full Details.


3. Under the Accounts tab, click the icon.

The delete user dialog box opens.

4. Click Delete.

Importing Users from a CSV File

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to import users from a CSV or text file. Use this option to add
users in large quantities to your environment from a single file. User information added this
way supersedes user information from other sources but will not remove any preexisting
information about any users in your environment.

Warning: If the file does not follow the specific format, the users will not be successfully
imported. See About the CSV File for more information.

To import users from a CSV file

1. Go to Environment > Users.


2. Click Actions > Import Users to open the Import Users dialog box.

Note: If a user in your CSV or text file shares an email address with an existing user
behavior analytics (UBA) user, then all fields from your file will be added to that existing
user's entry. Where both the existing user and your file's entry have information in a
field, the fields will be combined, with the file's information becoming the new primary.


3. Drop your file or select the file from your desktop.


Once you select a file, the name of the file displays and the Import button is active.
4. Click Import to start the process.
You can see the status of the process, how many users have been processed or are
pending, or which users were not imported. In the About the CSV File section, there is a
table where you can see the import errors and the reasons for which a user has not been
imported.

Note: When an import process starts and finishes, USM Anywhere generates system
events. See Searching for System Events Related to a User Import Process for more
information.

About the CSV File


The CSV file must use this format; no other fields are allowed:

User Name;User Email;Manager Name;Office Location;Phone Number;Description

Important: Do not include a header line in the CSV file because it will result in an error of
invalid format.

You need to provide at minimum a username and user email valid for USM Anywhere. All
other fields are optional.

Please note the following:

• There must be only one user per row.
• You can import all the files you need, but only one at a time.
• The maximum number of lines in the CSV file is 100,000.
• The maximum size of the CSV file is 25 MB.
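The Primary User merge rule described under Merging Users and the CSV format described above can be exercised together in code. The following Python example is added for this page and is not USM Anywhere code: merge_users applies the primary-first rule with the email exception, parse_user_csv enforces the documented format (semicolon-separated, no header line, username and email required, 100,000-line and 25 MB limits), and import_users applies a file to an existing user list, taking the file's row as the new primary when an email matches an existing user. The sample users and rows are constructed for the example, and the email check (an "@" must be present) is a placeholder assumption, since the guide does not define which addresses are "valid for USM Anywhere".

```python
import csv
import io

# Column order of the import file (the file itself must not carry this header).
CSV_FIELDS = ("User Name", "User Email", "Manager Name",
              "Office Location", "Phone Number", "Description")
MAX_LINES = 100_000            # documented limit on lines per file
MAX_BYTES = 25 * 1024 * 1024   # documented 25 MB limit
# Detail fields that follow the Primary User principle on merge.
DETAIL_FIELDS = ("name", "description", "location", "manager", "phone")


def _union(first, second):
    """Order-preserving union of two lists, skipping blanks and duplicates."""
    out = []
    for item in list(first) + list(second):
        if item and item not in out:
            out.append(item)
    return out


def merge_users(primary, secondary):
    """Merge two user entities. Details come from the primary entity and fall
    back to the secondary only where the primary field is blank; every email
    and every account from both entities is kept."""
    merged = {f: primary.get(f) or secondary.get(f) or "" for f in DETAIL_FIELDS}
    merged["emails"] = _union(primary.get("emails", []), secondary.get("emails", []))
    merged["accounts"] = _union(primary.get("accounts", []), secondary.get("accounts", []))
    return merged


def parse_user_csv(text):
    """Parse the semicolon-separated import file. Returns (users, errors),
    where errors is a list of (line_number, reason) for rejected rows."""
    if len(text.encode("utf-8")) > MAX_BYTES:
        return [], [(0, "file is larger than 25 MB")]
    users, errors = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), 1):
        if lineno > MAX_LINES:
            errors.append((lineno, "file has more than 100,000 lines"))
            break
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                          # skip empty lines
        if tuple(cells) == CSV_FIELDS:
            errors.append((lineno, "header line is not allowed"))
            continue
        if len(cells) > len(CSV_FIELDS):
            errors.append((lineno, "too many fields"))
            continue
        cells += [""] * (len(CSV_FIELDS) - len(cells))   # optional trailing fields
        name, email, manager, location, phone, description = cells
        # Placeholder validity check (assumption): the guide does not define it.
        if not name or "@" not in email:
            errors.append((lineno, "user name and a valid email are required"))
            continue
        users.append({"name": name, "emails": [email], "manager": manager,
                      "location": location, "phone": phone,
                      "description": description, "accounts": []})
    return users, errors


def import_users(existing, text):
    """Apply an import file to the current user list. A row whose email matches
    an existing entity is merged into it with the file's row as primary; other
    rows become new entities. Returns (users, errors)."""
    incoming, errors = parse_user_csv(text)
    result = list(existing)
    for user in incoming:
        match = next((u for u in result if user["emails"][0] in u.get("emails", [])), None)
        if match is None:
            result.append(user)
        else:
            result[result.index(match)] = merge_users(user, match)
    return result, errors


# Constructed sample data for the example (not from a real environment).
EXISTING_USERS = [{"name": "Alice", "emails": ["alice@example.com", "a.smith@example.com"],
                   "description": "", "location": "Lisbon", "manager": "", "phone": "",
                   "accounts": ["okta:alice"]}]
SAMPLE_CSV = ("alice;alice@example.com;Bob Manager;Madrid;+34 600 000 000;SOC analyst\n"
              "bob;bob@example.com\n"
              "broken;not-an-email\n")

if __name__ == "__main__":
    users, errors = import_users(EXISTING_USERS, SAMPLE_CSV)
    for u in users:
        print(u["name"], ", ".join(u["emails"]), u["location"], u["accounts"])
    print("errors:", errors)
```

Running the sample shows the two behaviours side by side: the first row overwrites Alice's location with the file's value while both of her addresses and her Okta account survive, the second row becomes a new entity, and the third row is reported with its line number and reason rather than aborting the whole import.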

Searching for System Events related to a User Import Process


USM Anywhere generates system events when an import process starts and finishes.


To look for system events related to an import process

1. Go to Settings > System Events.


2. Locate the Event Name filter.
3. Select one of these filters:
l User Import Process Finished: This option displays the system events generated
when the user import process from a CSV file finishes.
l User Import Process Started: This option displays the system events generated
when the user import process from a CSV file starts.

The result of your search is displayed.

Alarms Management
An alarm in USM Anywhere consists of one or more events, based on one of the following:

• One or more rules performed by the correlation engine of USM Anywhere, which analyzes these events for behavioral patterns. These rules look at and connect events to assess their priority and reliability. When the engine identifies a pattern, it generates an alarm, which requires attention and investigation. See Correlation Rules for more information.

Important: The "Suspicious Behavior - OTX Indicators of Compromise" correlation rule generates alarms if the pulse comes from the AlienVault OTX account.

• One orchestration rule, which is designed to raise an alarm when a particular type of event is found. See Orchestration Rules for more information.

Note: USM Anywhere stores up to 10 of the events that generated an alarm, for 365 days. If the alarm was generated by more than 10 events, USM Anywhere stores the first event and the last 9 events. Alarms themselves are also stored for 365 days.

USM Anywhere enables you to drive actions in response to incoming alarms. Perhaps the
most common action is sending an email to administrators to provide real-time notification
of a critical security incident. Each user can decide if they want to receive alarm notifications.
See Managing Your Profile Settings for more information.

Note: You can watch the Conducting Security Analysis with AT&T Cybersecurity USM
Anywhere customer training webcast on-demand to learn how to leverage USM
Anywhere to perform security analyst duties.

This topic discusses these subtopics:

Alarms List View 304

Selecting Alarms in Alarm List View 319

Searching Alarms 321

Viewing Alarm Details 338

Labeling the Alarms 358


Alarm Status 362

Create an Alarms Report 365


Alarms List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view of your alarms. Go to Activity > Alarms to see
this centralized view.

Note: You can watch the Conducting Security Analysis with AT&T Cybersecurity USM
Anywhere customer training webcast on-demand to learn how to leverage USM
Anywhere to perform security analyst duties.

The Alarms page displays information on alarms. These are the different parts of the Alarms
page:

• On the left side of the page are the search and filter options. Use filters to delimit your search.
• At the top of the page, you can see any filters you have applied, and you have the option to create and select different views of the alarms.
• The main part of the page is the list of alarms, where each row describes an individual alarm. Click an alarm to open a summary view. See Viewing Alarm Details for more information. Each alarm includes a check box that you can use to select it. You can select all alarms on the same page by clicking the check box in the first column of the header row. You can also select all the alarms in the system. See Selecting Alarms in Alarm List View for more information.

Important: An alarm is created when USM Anywhere receives the event, which may
appear later than the time when the event was created. You can verify by comparing the
Time Created and Time Received field of an event.

If you want to analyze the data, you can maximize the screen and hide the filter pane. Click
the icon to hide the filter pane. Click the icon to expand the filter pane.

Refreshing the page


USM Anywhere gives you the option of refreshing the page automatically in a period of time
that you can configure.


Following the name of the view, you can click the icon to stop the auto-refresh countdown and refresh the page manually.

There is an auto-refresh countdown that refreshes the page at a regular interval. The number
inside the blue circle indicates the remaining time until the next refresh. See Managing Your
Profile Settings to configure this interval.

To enable the auto refresh option

1. At the bottom of the expanded pane of the USM Anywhere web user interface (UI), hover
over the profile settings options, and select Profile Settings.

2. Click the Alarms Auto Refresh field and select Every 15 Minutes, Every 30 Minutes, Every Hour, or Every 2 Hours. Select Disabled if you don't want the alarms to refresh automatically.

3. Click Save.


Alarm Summary Graph


The section at the top of the page provides a graphical representation of alarms by intent. Each blue circle represents the number of alarms in one intent; a bigger circle indicates a higher number of alarms. Hover over a circle to see the actual number of alarms for that intent. If you click a blue circle, the list displays only the alarms corresponding to that circle. You can change the displayed period of time by clicking the Last 24 Hours filter.

Alarms graphed by intent are sorted into five different categories, which are represented by
the graphic icons in the display:

• Delivery & Attack
• Environmental Awareness
• Exploitation & Installation
• Reconnaissance & Probing
• System Compromise

If you want to analyze the data and see the additional columns without having to scroll left
and right, you can maximize the screen and hide the filter pane. Click the icon to hide the

filter pane. Click the icon to expand the filter pane.


Use the icon to change the alarms view, which is by default Alarms by Intent.

The icon accesses these options:

• Alarms by Intent: This view is a bubble graph that provides a graphical representation of alarms by intent.
• Count / Time: The Count/Time view is a graph that provides a graphical representation of the number of alarms in a period of time.


Important: The period of time is mapped with the timestamp_occurred field. This
field can be overwritten by the current sensor UTC timestamp if, when processing
events, a delay is detected up to 15 minutes or the timestamp_occurred field is not
provided.

• MITRE ATT&CK: This view maps alarms to the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework for understanding attackers' behaviors and actions.
• Alarm Strategies by Intent: This view is a table that provides a representation of alarm strategies by intent.

The MITRE ATT&CK View


USM Anywhere and AT&T Alien Labs™ Open Threat Exchange® (OTX™) include MITRE
ATT&CK information. The alarms view incorporates a table with tactics and techniques to
describe adversarial actions and behaviors. Techniques are specific actions an attacker might
take and tactics are phases of attacker behavior. This view includes the alarms mapping to
their corresponding ATT&CK techniques and helps you to understand the context and the
scope of an attack. See MITRE ATT&CK for more information.

The headers of the table are the 11 ATT&CK tactics, and each tactic has numerous techniques, which are the rows. The tooltips show the technique identification (ID) assigned by MITRE ATT&CK. Some techniques appear under several tactics. If you click one of the techniques, the corresponding filters are added and the list shows the result.


USM Anywhere also includes a MITRE ATT&CK dashboard to display MITRE ATT&CK information.

The Alarm Strategies by Intent view displays a table that lists the purposes of the alarm. The
table headers represent the intent of the alarms. The table rows display the strategies.

Columns within List Views


Role Availability Read-Only Investigator Analyst Manager

For each alarm in the alarm columns list, USM Anywhere displays useful information to help
you determine the best response.

The following table lists the fields you see on the page.

Default Columns Found in the List View

Column Field Name   Description
Alarm Summary       Displays several fields: the type of attack, the method of attack, and how long ago the alarm occurred.
Priority            Impact of the detected attack. It can be Low, Medium, or High. See Priority Field for Alarms for more information.
Alarm Status        Status applied to the alarm. By default, it can be Open, In Review, or Closed. See Alarm Status for more information. Alarms with the status "Closed" are not displayed in the list.
Sources             Hostname or IP address of the source (including a national flag icon if the country is known) for an event creating the alarm.
Destinations        Hostname or IP address of the destination (including a national flag icon if the country is known) that received the events generating the alarm.
Source Users        Name of the user entity that was the source of an event creating the alarm.
Destination Users   Name of the user entity that was the destination of an event creating the alarm.
Investigations      Identification (ID) of the investigation associated with the alarm. See Adding an Alarm to an Investigation and USM Anywhere Investigations for more information.
Sensors             The sensor name associated with the alarm. The type of sensor is also displayed below the sensor name.
Labels              Labels applied to the alarm. By default, they can be In Progress, False Positive, Open, and Closed. You can create and manage labels. See Labeling the Alarms for more information.


From the list of alarms, you can click any individual alarm row to display more information on
the selected alarm, including individual events that triggered the alarm. See Viewing Alarm
Details for more information.

To select an alarm, select the checkbox to the left of the alarm. You can select all alarms at
the same time by selecting the first checkbox in the column. These buttons display when you
select an alarm:

• Remove Alarm Labels: This button displays if there are labels associated with any alarm. Use this button to remove a label or labels from an alarm. See Labeling the Alarms for more information.
• Apply Labels: You can add a label to an alarm, which enables you to classify alarms. See Labeling the Alarms for more information.
• Add To Investigation: You can create an investigation for an alarm or associate an existing investigation with an alarm. See Adding an Alarm to an Investigation and USM Anywhere Investigations for more information.
• Alarm Status: You can add a status to an alarm. See Alarm Status for more information.

See Differences between Statuses and Labels to distinguish between label and status.

The asset name includes a chevron icon that can be gray ( ) if the asset is not in the system,

or blue ( ) if the asset has been added to the system.

Click the gray chevron icon ( ) to access these options:

• Add to current filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
• Find in events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the source asset in the AT&T Cybersecurity Alien Labs Open Threat Exchange® (OTX™) page. See Using OTX in USM Anywhere for more information.
• Add asset to system: Use this option to create the asset in the system. See Adding Assets for more information.

Click the blue chevron icon ( ) to access these options:

USM Anywhere™ User Guide 312


Alarms List View

• Add to Current Filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
• Find in Events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the asset in the OTX page. See Using OTX in USM Anywhere for more information.
• Full Details: See Viewing Assets Details for more information.
• Configure Asset: See Editing Assets for more information.
• Delete Asset: See Deleting the Assets for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
• Scan with AlienApp: This option enables you to run an asset scan through an AlienApp. See Running Asset Scans Using an AlienApp for more information.
• Configuration Issues: This option opens the Assets Details page with the Configuration Issues tab selected. See Viewing Assets Details for more information.
• Vulnerabilities: This option opens the Assets Details page with the Vulnerabilities tab selected. See Viewing Assets Details for more information.
• Alarms: This option opens the Assets Details page with the Alarms tab selected. See Viewing Assets Details for more information.
• Events: This option opens the Assets Details page with the Events tab selected. See Viewing Assets Details for more information.

You can configure the view you want for the list of alarms. See Alarms Views for more
information.

Click Generate Report to open the Configure Report dialog box. See Create an Alarms
Report for more information.

Click the icon to change the graph to a Count/Time, MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), or Alarm Strategies by Intent view. See Alarms List View for more information.

Click the icon to bookmark an item for quick access.


Note: You can view your bookmarked items by going to the secondary menu and clicking the icon. This displays all of your bookmarked items and provides direct links to each of them.

Click the icon to filter your search by row fields. See Filtering Alarms by Row Fields for more information.

You can choose the number of items to display by selecting 20, 50, or 100 below the table. You can sort some columns by clicking the icons to the right side of the heading, in ascending or descending order.

Configuring Columns within List View

Role Availability Read-Only Investigator Analyst Manager

Within the page, you can configure the columns and fields that display in the List view. You
can also save your columns configuration to return to it whenever you need it.

To configure your columns

1. From the alarms list view, click the icon.

The Manage Columns dialog box opens.


2. Search the columns you want to have in the list view. You can enter your search in the
search field.

3. Use the and icons to pass the items from one column to the other and select the columns you want to see.

4. You can order the columns by clicking one of them and dragging the column to the
desired place.

5. Click Apply.

Note: If you generate a report when you have set custom columns, your report keeps
the columns you have configured.

Important: If you want to keep your configuration, you need to save it by selecting
Save View > Save as. Otherwise, your custom view is not kept when you move to
another feature. See Alarms Views for more information.

Priority Field for Alarms

Role Availability Read-Only Investigator Analyst Manager

In USM Anywhere, all alarms have a Priority field, which indicates the importance of the alarm.
This is a measurement to determine the impact of the alarm in the network.

The priority field can display Low, Medium, or High. This text comes from correlation and orchestration rules. When you create an orchestration rule, you must enter a priority value between 0 and 100. AT&T Alien Labs™ creates the correlation rules and includes a value in each of them; the Alien Labs team sets the value depending on how critical the alarm is.

The displayed text in the column of alarms depends on the value that the rule has according
to this table:

Priority Field for Alarms

Displayed text    Value in the rule
Low               Between 0 and 33
Medium            Between 34 and 66
High              Between 67 and 100


Open the details of an alarm to learn the exact value of the priority level. See Viewing Alarm
Details for more information. After you are in the Alarm Details page, hover over the priority
text and a dialog box will show you the exact value.

See Correlation Rules and Orchestration Rules for more information.

Alarms Views

Role Availability Read-Only Investigator Analyst Manager

The main part of the Alarms page is the list of the most recent alarms triggered. You can
configure the displayed columns by creating a view configuration.

You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, click the icon.

2. Use the and icons to pass the items from one column to another and select the columns you want to see.


3. Click Apply.
4. If you want to delimit the search, select the filters you want to apply.


5. Go to Save View > Save As.

The Save Current View dialog box opens.

6. Enter a name for the view.


7. Click Save.

The created view is already selected.

To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.

3. Click Apply.

To delete a configured view

1. From the Alarms list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can delete the views you have created.

3. Click Accept.

Important: The icon does not display if the view is selected.

Report Templates in Alarms


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes a wide range of report templates, classified according to compliance frameworks, for the alarms, vulnerabilities, and events collected in the system. The templates are grouped as follows:

• NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.
• ISO 27001: ISO/IEC 27001 provides guidance for implementing information security controls to achieve a consistent and reliable security program. ISO and the International Electrotechnical Commission (IEC) developed 27001 to provide requirements for an information security management system (ISMS).

To apply a report template

1. Go to Activity > Alarms.


2. From the Alarms list view, click View above the filters and select Report Templates.

3. Select a report.

You can use the search field or scroll down the list.


4. Click Apply.

The result displays with the filters applied.

Selecting Alarms in Alarm List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to select an alarm or multiple alarms to add a label, an
investigation, or a status to the selected alarms.

To select a single alarm

l Select the check-box to the left of the alarm.


To select multiple alarms

l Select the check-box of each alarm that you want to include.

Note: If you go to the next page to select more alarms, USM Anywhere does not
preserve the selection on the previous page.

To select all the alarms on the same page

l Select the check-box in the first column of the header row.

You can apply labels to all the alarms on the page, or add them to an investigation, or
change their alarm status.

To select all the alarms returned from a search or all the alarms in your environment

1. Select all the alarms on the page.

Text similar to the following example displays above the alarm table:

All 20 alarms on this page are selected. Select all 3572 related to this
filter
where

3572 is the number of alarms related to the selected filter in your environment.


2. To select all the alarms, click Select all 3572 related to this filter.

Important: Keep in mind that when you select all the alarms in your environment,
the Alarms Status button is the only active button. This means that you cannot
apply the same labels to all the alarms related to the filter, nor can you add all of
them to an investigation.

Searching Alarms

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes the option of searching items of interest on the page. There are
several filters displayed by default. You can either filter your search or enter what you are
looking for in the search field.

You can configure more filters and change which filters to display by clicking the Configure
Filters link located in the upper-left side of the page. The management of filters is similar to
that for assets. See Managing Filters for more information.

The following table lists the filters you see on the page.

Filters Displayed by Default in the Main Alarms Page

• Last 24 Hours: Identify alarms triggered in the last hour, 24 hours, 7 days, 30 days, or 90
days. You can also configure your own period of time by clicking the Custom Range option.
When you click Custom Range, a calendar opens. You can choose the first and last day to
delimit your search by clicking the days on the calendar or entering the days directly. Then
select the hours, minutes, and seconds by clicking the specific box. Finally, select AM or PM.
• Open/In Review/Closed: Filter alarms by alarm status. See Alarm Status for more information.
• Suppressed: Show suppressed alarms. See Creating Suppression Rules from the Alarms Page
for more information.
• Not Suppressed: Exclude suppressed alarms. Suppressed alarms are hidden by default.
• Labels: Filter alarms by the applied labels. See Labeling the Alarms for more information.
• Intent: Filter alarms by the purpose of the alarm: Delivery & Attack, Environmental
Awareness, Exploitation & Installation, Reconnaissance & Probing, or System Compromise. See
Intent for more information.
• Strategy: Filter alarms by the type of attack. See Strategy for more information.
• Method: If known, filter alarms by the method of attack or infiltration associated with the
indicator that generated the alarm. See Method for more information.
• Sensors: Filter alarms by the associated USM Anywhere Sensor. See USM Anywhere Sensor
Management for more information.
• Asset Groups: Filter alarms by asset group.
• Priority: Filter alarms by low, medium, or high priority. See Priority Field for Alarms for
more information.

Note: Filtering large asset groups will only return data from the most recent 1024
assets. See Creating An Asset Group for more information about this limitation.

The number between brackets displayed by each filter indicates the number of items that
match the filter. You can also use the filter controls to organize your search and filtered
results.

The following list describes the icons displayed with each filter box.

Icons Next to the Filter Title

• Sort the filters alphabetically.
• Sort the filters by the number of items that match them.

In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.

Note: When applying filters, the search uses the logical AND operator if the used filters
are different. However, when the filter is of the same type, the search uses the logical
OR operator.

Those filters that have more than 10 options include a Filter Values search field for writing
text and making the search easier. If there are more than 50 search results, an icon appears
to the right of the Filter Values search field. Click this icon to download a CSV containing up
to 1024 results.

Filtering Alarms by Row Fields


USM Anywhere includes a column with the icon in the list view in the alarms page. Use this
icon to add filters to your search. When you click this icon, a dialog box opens with the specific
fields of that row.

To filter alarms by row fields

1. Click the icon of the row to which you want to add the filters.

The Add Filters dialog box opens.

2. Select the fields that you want to filter during your search and click Equals or Not to limit
your search.
3. Click Apply.

The result of your search displays with the filters applied.

Searching Alarms by Using the Search Field

Use the search field to enter queries and refine your search. You can enter free text, use
wildcards, and use advanced search syntax. When searching, keep in mind the accepted query
string syntax list in this table.

Accepted Query String Syntax

• Standard query with a blank space between terms: By default, a space between query terms
is considered an implicit "OR". Example: denylist malicious
• Literal, using double quotes "": Matches fields that contain the full term. Literal searches
are case-sensitive. Example: "Event from asset not received"

Note: This type of query will not match any searches in the raw log unless the phrase
included in double quotes is an exact and complete match to the contents of the raw log.

Note: IP addresses and FQDNs are considered literal searches, so they don't require
quotation marks.

• Boolean operators or using parentheses (AND, OR, NOT, ( )): Including AND or OR between
two search terms will search for results that match both of those terms. Including NOT
between two search terms will exclude results that match the second term, even though they
otherwise match your query. Parentheses can be used to group terms for higher precedence
relative to the rest of your query. Parentheses are also used to designate subsearches.
Example: (http OR tcp) AND ftp
• Wildcards, asterisk (*): Appending an asterisk to the end of a term within your query will
search for results that begin with your search term. An asterisk cannot be used at the
beginning of a search query. Example: instance*
• Wildcards, question mark (?): Embedding a question mark in the middle of a term will
search for results that otherwise match your query, no matter the value in the position held
by the question mark in your search term. A question mark cannot be used at the beginning
of a search query. Example: qu?ck
• Regular expression (regex), using /expression/: Regular expression inside forward slash
characters. A dialog box opens to confirm the search. Example: /Describe.*Instances/

Note: The characters ", *, ?, (, and ) are special characters included in expressions. If you
want to search by these characters, you need to manually escape them by preceding them
with a backslash.

• OTX pulse: Pulses are collections of Indicators of Compromise (IOCs). You need to insert the
word pulse followed by a colon and the pulse ID or URL. Example:
pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be
escaped. The reserved characters are these:

+-=&|><!{}[]^"~:\/

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).

To search for Alarms using the search field

1. Go to Activity > Alarms.

2. Enter your query in the search field.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

Note: Wildcard characters are treated as literal characters.

3. Click the icon.

The result of your search displays with the items identified.

Searching Alarms by Using the Pulse ID

You can use the search field to search alarms by pulse identification (ID). Pulses are
collections of IOCs, reported by the AT&T Alien Labs™ Open Threat Exchange® OTX™
community, on which other community members review and comment. Pulses provide you
with a summary of the threat, a view into the software targeted, and the related IOCs,
reported by the OTX community worldwide. See Open Threat Exchange® and USM Anywhere
for more information.

To search alarms by using the pulse ID

1. Go to Activity > Alarms.

2. Enter your query in the Enter search field. Either paste the full URL or insert the word
pulse followed by a colon and the pulse ID. For example, enter
https://otx.alienvault.com/pulse/59432536c1970e343ce61bf0 or pulse:59432536c1970e343ce61bf0.

3. Click the icon.

4. The Query Submission dialog box opens.

5. Click Confirm to continue.

The result of your search displays with the items identified. This result matches entries
containing IOCs in your environment.
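The query-string rules and the pulse search described above, as an added example: a small helper module (not part of USM Anywhere or this guide) that composes escaped search strings, builds the Boolean, wildcard and regex forms from the syntax table, and turns a pasted OTX pulse URL into a pulse: query. All function names are my own; the 24-hexadecimal-character shape assumed for pulse IDs comes only from the guide's example, and the sample values are constructed.

```python
"""Helpers for composing USM Anywhere alarm search queries.

Added example, not part of the USM Anywhere product or this guide. It
applies the query rules documented above: a space is an implicit OR,
exact phrases (including e-mail addresses) are double-quoted, reserved
characters are backslash-escaped, a wildcard cannot open a query, and an
OTX pulse is searched as pulse:<id>, where the id may be pasted as the
full pulse URL.
"""
import re
from urllib.parse import urlparse

# Reserved characters listed in the guide; the backslash itself is included.
RESERVED = set('+-=&|><!{}[]^"~:\\/')

# Shape of the pulse ID in the guide's example (24 hex characters). This is
# an assumption used as a sanity check, not a rule stated by the guide.
PULSE_ID_RE = re.compile(r"^[0-9a-f]{24}$")


def escape_term(term: str) -> str:
    """Backslash-escape every reserved character so it is matched literally."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in term)


def literal(phrase: str) -> str:
    """Quote a multi-word phrase or e-mail address for an exact, case-sensitive match."""
    return '"' + phrase.replace('"', '\\"') + '"'


def prefix(term: str) -> str:
    """Match values that begin with term; a leading asterisk is not allowed."""
    if not term:
        raise ValueError("an asterisk cannot be used at the beginning of a query")
    return escape_term(term) + "*"


def single_char(term: str, position: int) -> str:
    """Replace one character inside term with ? (never the first position)."""
    if position < 1 or position >= len(term):
        raise ValueError("a question mark must sit inside the term, not at its start")
    return escape_term(term[:position]) + "?" + escape_term(term[position + 1:])


def regex(pattern: str) -> str:
    """Wrap a regular expression in forward slashes, escaping inner slashes."""
    return "/" + pattern.replace("/", "\\/") + "/"


def group(query: str) -> str:
    """Parenthesise a sub-query so it binds more tightly than its neighbours."""
    return "(" + query + ")"


def join(operator: str, *terms: str) -> str:
    """Combine already-formed terms with AND or OR."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    if len(terms) < 2:
        raise ValueError("a Boolean expression needs at least two terms")
    return f" {operator} ".join(terms)


def exclude(keep: str, drop: str) -> str:
    """keep NOT drop: results matching keep, minus those that also match drop."""
    return f"{keep} NOT {drop}"


def pulse_query(pulse: str) -> str:
    """Build pulse:<id> from a bare pulse ID or a full OTX pulse URL."""
    candidate = pulse.strip()
    if candidate.lower().startswith(("http://", "https://")):
        path = urlparse(candidate).path.rstrip("/")
        _, sep, tail = path.rpartition("/pulse/")
        if not sep or "/" in tail:
            raise ValueError("not an OTX pulse URL")
        candidate = tail
    if not PULSE_ID_RE.match(candidate):
        raise ValueError(f"unexpected pulse id format: {candidate!r}")
    return "pulse:" + candidate


if __name__ == "__main__":
    # Constructed values: an address:port pair, an e-mail address and the
    # guide's own pulse URL.
    print(escape_term("10.0.0.5:443"))
    print(literal("[email protected]"))
    print(join("AND", group(join("OR", "http", "tcp")), "ftp"))
    print(pulse_query("https://otx.alienvault.com/pulse/59432536c1970e343ce61bf0"))
```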

Standard and Advanced Modes on Alarms

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to toggle the mode of search. The available modes are Standard
and Advanced. You can change from one mode to the other by clicking the icon or
clicking the icon located in the upper left corner of the page.

Standard Mode
This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

1. Go to Activity > Alarms.

2. In the upper-left corner of the page, click the icon.

3. The icon turns gray.

Note: If you exit the advanced mode and the selected filters are not compatible with
the standard mode, a warning dialog box opens to inform you the current filters will
be removed.

Advanced Mode
Advanced mode enables you to select more than one value per filter at the same time. This
mode is off by default.

To activate the advanced mode

1. Go to Activity > Alarms.

2. In the upper-left corner of the page, click the icon to activate the advanced mode.

The icon turns green.

To perform a search in the advanced mode

1. Go to Activity > Alarms.

2. In the upper-left corner of the page, click the icon to activate the advanced mode.

The icon turns green.

3. Click the filters that you want to select.

The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page,
click Apply.

The result of your search displays.

To search using the NOT operator

1. Go to Activity > Alarms.

2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Click the filter that you want to exclude.

4. In the filter group, click Not.

Important: You have to select a filter to see this operator.

Note: The selected filter displays the icon and the filter chiclet is labeled in red.

Important: Some filters don't include the NOT operator (for example, Services or
Software).

5. Click Apply.

To search all values of a filter

1. Go to Activity > Alarms.

2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

Note: This option searches all filter values that are not empty. If the filter includes
[No Value], this value is neither checked nor displayed. See Searching Alarms for more
information.

About the No Value Option

Role Availability Read-Only Investigator Analyst Manager

The [No Value] option is a special value available for some filters. Use this value when you
want to filter items that do not have the filter property defined or do not match the other
defined property values in the filter. You can use the No Value option with other filter criteria
and apply this value to an individual filter. (For example, you can use this filter for filtering
alarms without labels.)

Viewing Alarm Details

Role Availability Read-Only Investigator Analyst Manager

The alarm details page provides in-depth information on an alarm, what caused it, and how to
resolve the situation.

To view the details of an alarm

1. Go to Activity > Alarms.

2. Click the alarm to display a summary view, and then click the alarm name to open the full
details of the alarm.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and
clicking the icon. This will display all of your bookmarked items and provide direct
links to each of them.

Not every alarm found during monitoring needs attention when managing your environment,
because some alarms do not pose a security threat. It is common for low priority alarms to
create noise, which can make it difficult to monitor alarms that require more attention. You
can identify these alarms and suppress them by using a rule.

The Alarms Details Page includes alarm management functions that are supported for
your assigned user role:

• Select Action: See Applying Actions to Alarms for more information.
• Create Rule: See Creating Rules from Alarms for more information.
• Generate Report: See Create an Alarms Report for more information.

The alarm details include the main fields that identify an alarm. You can edit or add values
into these fields:

• Status: This field indicates the status for the alarm: open, in review, or closed. You can
click the icon to edit the field and apply a status. See Alarm Status for more information.
• Labels: This field indicates if the alarm has been classified by using a label. You can
click the icon to manage the labels of the alarm. See Labeling the Alarms for more
information.
• Investigations: This field indicates if the alarm has been associated with an
investigation. You can click the icon to edit the field and enter the title or the number
that identifies each investigation. See Adding an Alarm to an Investigation for more
information.
• Notes: This field allows you to enter notes regarding this alarm. You can click the
icon to enter text into this field.
• HTTP Hostname: If the alarm includes this field, you can search for events by using it.
See Searching Events from the Details of an Alarm for more information.
• DNS RR Name: If the alarm includes this field, you can search for events by using it.
See Searching Events from the Details of an Alarm for more information.

Below the alarm details you can see the source, the destination, the associated alarm if it
exists, the associated events, a description, and, in the case of an alarm with a high
priority, a recommendation to fix the problem.

Your environment can have sources and destinations included in the inventory and those
not included in the inventory. Assets included in the inventory display their names in blue,
and assets not included in the inventory display their names in gray.

The icon located next to the source and destination fields allows you to access these
options:

• Search Pivot: Identify alarms triggered in the last hour, 24 hours, 7 days, 30 days, or 90
days. You can also configure your own period of time by clicking the Custom Range
option. When you click the icon, a calendar opens. You can choose the first and last day
to delimit your search by clicking the days on the calendar or entering the days
directly. Then select the hours, minutes, and seconds by clicking the specific box.
Finally, select AM or PM.
• Find Source or Destination in Events: Use this link to search events having the same
source or destination as the alarm.
• Find Source & Destination in Events: Use this link to search events having the same
source and destination as the alarm.

The icon located next to the asset enables you to access these options:

• Add to current filter: Use this option to add the asset name as a search filter. See
Searching Alarms for more information.
• Find in events: Use this option to execute a search of the asset name in the Events
page. See Events List View for more information.
• Look up in OTX: This option searches the IP address of the source asset in the Open
Threat Exchange page. See Using OTX in USM Anywhere for more information.
• Add asset to system: Use this option to create the asset in the system. See Adding
Assets for more information.

Note: The value in the FQDN field comes from the event itself (raw log). This field
can have a real FQDN, an IP address, or be empty.

The icon located next to the asset enables you to access these options:

• Add to Current Filter: Use this option to add the asset name as a search filter. See
Searching Events for more information.
• Find in Events: Use this option to execute a search of the asset name in the Events
page. See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the asset in the OTX page. See
Using OTX in USM Anywhere for more information.
• Full Details: See Viewing Assets Details for more information.
• Configure Asset: See Editing Assets for more information.
• Delete Asset: See Deleting the Assets for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: This option displays depending on the USM Anywhere Sensor
associated with the asset. See Running Authenticated Asset Scans for more information.
• Scan with AlienApp: This option enables you to run an asset scan through an AlienApp.
See Running Asset Scans Using an AlienApp for more information.
• Configuration Issues: This option opens the Assets Details page. The Configuration
Issues tab is selected in the page. See Viewing Assets Details for more information.
• Vulnerabilities: This option opens the Assets Details page. The Vulnerabilities tab is
selected in the page. See Viewing Assets Details for more information.
• Alarms: This option opens the Assets Details page. The Alarms tab is selected in the
page. See Viewing Assets Details for more information.
• Events: This option opens the Assets Details page. The Events tab is selected in the
page. See Viewing Assets Details for more information.

3. Click the link of an associated event to open its details page.

The Associated Events list displays all events associated with the alarm.

4. In the upper right corner, click previous and next to navigate between items.
5. Click the icon to close the dialog box.

Note: See the Searching Events from the Details of an Alarm page for more
information about the options in the HTTP Hostname, DNS RR Name, Source, and
Destination fields.

Applying Actions to Alarms

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to respond to the alarm. Use this button to associate the item
with an action. Depending on the USM Anywhere Sensor you have installed, you will see
different actions:

• Get Forensics Information: This option enables you to run pre-defined Linux and
Windows scripts to get more information from the system. These scripts are already defined
in USM Anywhere. The Basic, Moderate, and Full Forensic Info options get elemental, limited,
and complete forensic information from assets. Keep in mind that the Full Forensic Info
option takes more time because it includes all options. See Scheduling a Forensics and
Response Job in the USM Anywhere AlienApps Guide for more information.
• Scan (unauthenticated): You can launch an unauthenticated scan of an asset. See
Running Asset Scans for more information.
• Scan (authenticated): You can launch an authenticated scan of an asset. See Performing
Vulnerability Scans for more information.
• Report Domain: See AlienApp for Cisco Umbrella Actions in the USM Anywhere AlienApps
Guide for more information.
• Agent Query: You can run an agent query in response to any alarm. See for more
information.

Creating Rules from Alarms

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to create and manage your own orchestration rules from the
Alarms Details Page, which is the easiest way to configure an orchestration rule.

Warning: Orchestration rules only apply to future events and alarms.

Suppression rules using the Contains, Match and Match, case insensitive
operators apply to future events and alarms, not to events and alarms received in the
current day.

You can create these rules:

• Suppression rule: You can create a rule to suppress alarms that match a particular set of
criteria. See Creating Suppression Rules from the Alarms Page and Suppression Rules from
the Orchestration Rules Page for more information.
• Notification rule: You can create a notification rule according to a method. See Creating
Notification Rules from the Alarms Page and Notification Rules from the Orchestration
Rules Page.

Creating Suppression Rules from the Alarms Page

Role Availability Read-Only Investigator Analyst Manager

There are cases where the alarms in USM Anywhere are false positives, and you may want to
suppress these kinds of alarms to prevent the false positives from flooding your system. To
suppress an alarm, you need to create a suppression rule. USM Anywhere applies the
suppression rule to similar alarms from the current day (up to 10 K alarms) and to future
alarms. Existing alarms are suppressed but kept open, while future alarms are suppressed and
closed.

Warning: Orchestration rules only apply to future events and alarms.

Suppression rules using the Contains, Match and Match, case insensitive
operators apply to future events and alarms, not to events and alarms received in the
current day.

To create a suppression rule from the Alarms page

1. Go to Activity > Alarms.

2. Locate the alarm that you want to include in the suppression rule.

See Searching Alarms for more information.

3. Click the alarm that you want to suppress.

4. Click Create Rule > Create Event Suppression Rule or Create Rule > Create Alarm
Suppression Rule.

5. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

• Logs: Use this packet type for event-based rules.
• Configuration Issues: Use this packet type for configuration issues-based rules. This
packet type refers to configuration issues that are used to identify incorrect uses of certain
features. For example, the app for AWS assesses your configuration of AWS to identify
insecure use of the AWS security features.
• Vulnerabilities: Use this packet type for vulnerabilities-based rules.
• Alarms: Use this packet type for console user alarms-based rules.

7. Suggested property values are already provided to create a matching condition, but if you
want to add new property values, click Add Condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

8. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

9. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

10. Enter a name for the rule.

11. (Optional.) Enter a description for identifying this rule.

12. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.

l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

13. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules >
Orchestration Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Suppressed alarms remain in the system but are hidden in the web user interface (UI) by
default. If you want to see these alarms, click Suppressed in the Search & Filters area. The
table displays suppressed alarms along with the other alarms. Use the following instructions if
you want to display just the suppressed alarms.

To only display the suppressed alarms

1. Go to Activity > Alarms.

2. In the Search & Filters area, click Not Suppressed to remove the Suppressed: False filter,
and then click Suppressed to add the Suppressed: True filter.
3. Click Closed to include the closed alarms.
4. In the upper-left corner of the page, click the Configure Filters link to see alarms
suppressed by a certain rule.
5. In the Search filters field, enter Suppress.
6. Select the Suppress Rule Name filter.

7. Click the icon to pass the selected filter from the available filters to the selected ones.

8. Click Apply.

The page reloads, and the Suppress Rule Name filter is added at the lower-left corner.

9. Search the Suppress Rule Name filter and click the rule.

If no rule name displays, it is because the rules are not suppressing any alarms or the
Suppressed filter is not enabled.

See Searching Alarms for more information about the icons below the filters.

Note: You can save the view for later use. See Alarms Views for more information about
how to create a configuration view.

To show the alarms triggered by an alarm rule

1. Go to Settings > Rules to open the All Orchestration Rules page.

2. In the Create an Alarm row, click the icon.

The Alarms List View page opens. The page includes Rules Name as a filter so that you
can see how many alarms match the selected rule.

Creating Notification Rules from the Alarms Page

Role Availability Read-Only Investigator Analyst Manager

You can create your own notification rules from the Orchestration Rules page or the Alarms
details page, which is the easiest way to configure the matching conditions.

To create a notification rule from the Alarms page

1. Go to Activity > Alarms.

2. Search the alarms that you want to include in the notification rule and click one of them.

See Searching Alarms for more information.

3. Select Create Rule > Create Notification Rule.

4. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

5. Select a packet type in the Match drop-down list.

• Logs: Use this packet type for event-based rules.
• Configuration Issues: Use this packet type for configuration issues-based rules. This
packet type refers to configuration issues that are used to identify incorrect uses of certain
features. For example, the app for AWS assesses your configuration of AWS to identify
insecure use of the AWS security features.
• Vulnerabilities: Use this packet type for vulnerabilities-based rules.
• System Events: Use this packet type for system events-based rules.
• Console User Events: Use this packet type for console user events-based rules.
• Alarms: Use this packet type for console user alarms-based rules.

6. Suggested property values are already provided to create a matching condition, but if you
want to add new property values, click Add Condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

7. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

8. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

9. Enter a name for the rule.

10. (Optional.) Enter a description for identifying this rule.

11. Select a notification method:

• Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
(SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon
SNS endpoint notifications sent. However, this method requires having an Amazon Web
Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email
notifications per month to fall into the free messaging tier. See Sending Notifications
Through Amazon SNS in the USM Anywhere Deployment Guide for more information.
• Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment
Guide for more information.
• Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.

Note: The rolling 24-hour, 200-email limit refers to all email accounts. For
example, you can have a rule with multiple emails, which counts as a single email
delivery. Alternately, if you have several rules with several emails, each of these
counts as an individual email account. Sensor-disconnect emails do not count
against this number because they are critical and are only sent to users whose
role is manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

• PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
• Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

12. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.


This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

13. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
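The Occurrences and Length logic of step 12, as an added example that is not part of this guide or of USM Anywhere's own code: a small sliding-window matcher in Python that fires when the configured number of matching events (here three failed SSH logins) falls inside the configured Length (five minutes), and stays silent when the same number of events is spread over a longer span. The event dictionaries, the "SSH login failed" event name and the helper names are constructed for this example; only timestamp_occurred comes from the guide.

```python
from collections import deque
from datetime import datetime, timedelta

# Seconds per unit for the Length setting's seconds / minutes / hours choices.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}


class OccurrenceRule:
    """Sliding-window counter: fires when `occurrences` events that satisfy
    `condition` fall inside a window of `length` units ending at the newest
    event. Occurrences are limited to 1..100, as in the rule dialog."""

    def __init__(self, name, condition, occurrences, length, unit):
        if not 1 <= occurrences <= 100:
            raise ValueError("occurrences must be between 1 and 100")
        if unit not in UNIT_SECONDS:
            raise ValueError("unit must be seconds, minutes, or hours")
        self.name = name
        self.condition = condition  # callable(event) -> bool
        self.occurrences = occurrences
        self.window = timedelta(seconds=length * UNIT_SECONDS[unit])
        self._hits = deque()  # timestamps of matching events still in the window

    def feed(self, event):
        """Offer one event (events must arrive in time order); return True if
        this event completes a match."""
        if not self.condition(event):
            return False
        # The window is measured on timestamp_occurred, as the guide states.
        ts = datetime.fromisoformat(event["timestamp_occurred"])
        self._hits.append(ts)
        # Expire matches older than the window relative to the newest event.
        while ts - self._hits[0] > self.window:
            self._hits.popleft()
        if len(self._hits) >= self.occurrences:
            self._hits.clear()  # one match per burst; the count starts over
            return True
        return False


def evaluate(rule, events):
    """Return the timestamp_occurred of each event on which the rule matched."""
    return [e["timestamp_occurred"] for e in events if rule.feed(e)]


def failed_ssh(event):
    """Condition for the guide's example: a failed SSH login (constructed name)."""
    return event["event_name"] == "SSH login failed"


def _ev(ts, name, src="10.0.0.5"):
    return {"timestamp_occurred": ts, "event_name": name, "source_address": src}


# Constructed sample events (not real USM Anywhere output).
SAMPLE_EVENTS = [
    _ev("2023-10-18T10:00:00", "SSH login failed"),
    _ev("2023-10-18T10:01:00", "SSH login succeeded"),   # does not count
    _ev("2023-10-18T10:02:00", "SSH login failed"),
    _ev("2023-10-18T10:03:30", "SSH login failed"),      # third failure in 3.5 min
    # Three more failures, but spread over six minutes: no match.
    _ev("2023-10-18T10:20:00", "SSH login failed"),
    _ev("2023-10-18T10:23:00", "SSH login failed"),
    _ev("2023-10-18T10:26:00", "SSH login failed"),
]


def unauthorized_access_matches(events=SAMPLE_EVENTS):
    """Three failed SSH logins within five minutes, as in the guide's example."""
    rule = OccurrenceRule("Unauthorized access attempt", failed_ssh,
                          occurrences=3, length=5, unit="minutes")
    return evaluate(rule, events)


if __name__ == "__main__":
    print(unauthorized_access_matches())  # ['2023-10-18T10:03:30']
```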

Adding an Alarm to an Investigation

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to associate alarms with an investigation.

Important: You can link up to 100 alarms to each investigation.

To add an alarm to an investigation from the Alarms Details page

1. Go to Activity > Alarms.


2. Locate the alarm you want to add to the investigation. See Searching Alarms for more
information.
3. In the Investigation field, click the icon to edit it and enter the title or the number

that identifies the investigation.


Note: Click Create New Investigation if you want to start a new investigation. See
Creating a New Investigation for more information.

4. Click Apply.

The alarm is now linked to the investigation, and you can see it from Investigations. See Evidence on Investigations for more information.

Searching Events from the Details of an Alarm

USM Anywhere enables you to search for events from the details of an alarm using the
selected value as a filter in the search.

The HTTP Hostname or the DNS RR Name fields


Any alarm that includes the HTTP Hostname or DNS RR Name field gives you the option of searching for events by using that field. The search pivot is only available when the alarm includes these fields.


To configure the HTTP Hostname or the DNS RR Name filters

1. Go to Activity > Alarms.


2. In the upper-left side of the page, click the Configure Filters link.

3. In the search filters box, enter HTTP or DNS and select the desired filter.
4. Use the and icons to pass the items from one column to the other.


5. Click Apply.

The selected filters display.

To use the search pivot in the HTTP Hostname or the DNS RR Name fields

1. Go to Activity > Alarms.


2. Click an alarm that includes the fields HTTP Hostname or the DNS RR Name to see its
details.
3. Click the icon located next to the asset name in one of these fields.


4. Choose a date range:


l Last 24 hours: Run the search in the last 24 hours.
l Custom Range: Customize a range and narrow it to delimit your search per minutes
and seconds.
5. Click Find in events to display the events list page with the specific events.

Searching for Events by Using the Source or Destination Fields


USM Anywhere gives you the option of searching for events by using the Source or the
Destination fields.

To search for events using the Source field

1. Go to Activity > Alarms.


2. Click an alarm to see its details.
3. Click the icon next to the Source field.


4. Choose a date range:


l Last 24 hours: Run the search in the last 24 hours.
l Custom Range: Customize a range and narrow it to delimit your search per minutes
and seconds.
5. Click one of these links:
l Find Source in Events: Use this link to search events having the same source as the
alarm.
l Find Source & Destination in Events: Use this link to search events having the same
source and destination as the alarm.

The result of your search displays with the filters applied.

Labeling the Alarms

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes a set of labels to further classify your alarms. See Searching Alarms
for more information.

You can't edit or delete the set of default labels:

l Closed
l False Positive
l In Progress
l Open


USM Anywhere enables you to create, edit, and delete your own labels. You can apply a label
to one or more alarms. You can also apply multiple labels to the same alarm. To distinguish
between labels and statuses, see Differences between Statuses and Labels.

Note: Users in the Investigator role can apply and remove labels but cannot create, edit,
or delete labels.

To label an alarm from the Alarms main page

1. Go to Activity > Alarms.


2. Search for the alarm or alarms to which you want to apply a label. See Searching Alarms,
for more information.

3. Complete one of these options:

l Click the icon in the labels column of the alarm you want to label, select the label,

and click Save.


l Select the checkbox to the left of an alarm, click Apply Labels, select the label, and
click Save.

To label an alarm from the Alarms Details page

1. Go to Activity > Alarms.

2. Search for the alarm to which you want to apply a label.

See Searching Alarms for more information.

3. Click the alarm.


4. Click Apply Labels and select a label.
5. Click Save.

To create a new label

1. Go to Activity > Alarms.

2. Select the checkbox to the left of an alarm.

You can also select several alarms or select all alarms at the same time by selecting the
first checkbox in the column.

3. Click Apply Labels.


4. Click Manage Custom Labels.

5. Click Create New Label.


6. Enter a name for the label.


7. Click Save.

To edit a label

1. Go to Activity > Alarms.

2. Select the checkbox to the left of an alarm.

You can also select several alarms or select all alarms at the same time by selecting the
first checkbox in the column.

3. Click Apply Labels.


4. Click Manage Custom Labels.
5. Click the icon next to the label you want to edit.

6. Modify the name of the label.


7. Click the icon to apply the changes.

To delete a label

1. Go to Activity > Alarms.

2. Select the checkbox to the left of an alarm.

You can also select several alarms or select all alarms at the same time by selecting the
first checkbox in the column.

3. Click Apply Labels.


4. Click Manage Custom Labels.


5. Click the icon next to the label you want to delete.

6. Click Delete to confirm the deletion.

To remove a label from an alarm

1. Go to Activity > Alarms.

2. Do one of these options:

l Select the checkbox to the left of an alarm. You can also select several alarms or select
all alarms at the same time by selecting the first checkbox in the column. Then click
Remove Alarm Labels, click the label, and click Remove.

l Locate the alarm from which you want to remove the label, and click the icon next

to the label.

Alarm Status

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes a set of statuses, which you can use to classify your alarms, track
alarm status, and search alarms using statuses as a filter. See Searching Alarms for more
information on how to search alarms.

You can't edit or delete the set of default statuses:


l Open
l In Review
l Closed

USM Anywhere enables you to apply just one status to an alarm. You can't apply multiple
statuses to the same alarm. See Differences between Statuses and Labels to distinguish
between label and status.

Note: The alarms that have the "closed" status will not display in the Alarm list view.

To apply a status to an alarm from the Alarms main page

1. Go to Activity > Alarms.

2. Search for the alarm to which you want to apply a status.

See Searching Alarms for more information.

3. Select the checkbox to the left of the alarm.


4. Click Alarm Status and select a status.

5. Click Apply.

To apply a status to an alarm from the Alarms Details page

1. Go to Activity > Alarms.

2. Search for the alarm to which you want to apply a status.

See Searching Alarms for more information.

3. Click the alarm.


4. In the Status field, click the icon to edit it.

5. Select a status and click the icon.

To bulk set the alarm status

1. Go to Activity > Alarms.

2. Select all of the alarms to which you want to apply a status by selecting the checkbox to
the left of an alarm.

See Searching Alarms for more information. You can also select several alarms or select
all alarms at the same time by selecting the first checkbox in the column. You can also
select all the alarms in the system. See Selecting Alarms in Alarm List View for more
information.

3. Click Alarm Status and select a status.


4. Click Apply.


To search for alarms having a status

1. Go to Activity > Alarms.

2. Click the filter to select the name of the status on the left pane.

The alarm list displays the alarms that have the selected status.

Differences between Statuses and Labels


USM Anywhere includes several statuses and labels you can use to classify your alarms. A
status is a property of the alarm and a label is a tag you can assign to an alarm.

These are the main differences:

l You can add all the labels you need, but you are not able to create a new alarm status.
l You can apply a label to more than one alarm, but you are not able to apply more than one
status to an alarm.
l Alarms that have the "Closed" status will not display in the List view in the Alarms page.

Create an Alarms Report

Role Availability Read-Only Investigator Analyst Manager

You can create a PDF or CSV report of the alarms directly from the alarms page.

Important: AT&T Cybersecurity recommends Google Chrome as the preferred browser


for generating reports. The use of alternative browsers may result in poor formatting.

To create an alarms report

1. Go to Activity > Alarms.

2. You can use filters to define the alarms content you want to display in your report, or
select the alarms you want to include in your report.

3. Click Generate Report to open the Configure Report dialog box.


The filters selected and displayed for the page view are the ones that are populated in the
report.

4. Click Edit Filters if you want to modify the selected filters, and then click Continue to Filters. Do the modifications you need, and then click Edit Report.

5. Click the Date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
to set a particular date range.

Note: This option is not available when generating reports for assets or asset
groups.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and then choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report.
Select the Send to my Email Address option to add your email automatically.
9. Select the Enable Link Expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report.
This name will be displayed in the Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report. For CSV the options are 20, 50, 100, 500, 1000, or 50 K. For PDF the options
are 20, 50, 100, 500, 1000, or 2500.


14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views.
You can add or remove graphs included in the report by clicking the and icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports on USM Anywhere page and receive the report in the indicated email.
16. Click Run to run the report.



Events Management
An event is a record of activity that contains information and resides in a log file. USM Anywhere collects, normalizes, and enriches logs with additional metadata; the resulting records are called events.

After USM Anywhere is installed in your environment, events start flowing through your
system, so you can start gaining visibility into the type of events that are occurring, what
natural or non-threatening activity is taking place, and what activity can be a possible attack.

This topic discusses these subtopics:

Events List View 369

Searching Events 386

Viewing Event Details 406

Create an Events Report 426

Protecting Your Sensor's Performance with EPS Adaptive Response 428

Raw Logs in Events 430


Events List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view of your events. Go to Activity > Events to see
this centralized view.

The Events page displays information on events. These are the different parts of the Events
page:

l On the left side of the page are the search and filters options. Use filters to delimit your search. See Searching Events for more information.
l At the top of the page, you can see any filters you have applied, and you have the option to create and select different views of the events.
l The main part of the page is the list of events, where each row describes an individual event. Click an event to open a summary view. See Viewing Event Details for more information.

Your environment can also display events when an asset has not received messages within a configured period of time. To see events of this kind, you first need to configure the period of time after which the asset starts generating them. See Events Created When an Asset Stops Sending Data for more information.

If you want to analyze the data and see the additional columns without having to scroll left
and right, you can maximize the screen and hide the filter pane. Click the icon to hide the

filter pane. Click the icon to expand the filter pane.

The following table lists the fields you see on the page.

List of the Default Columns in Events

Event Name: Name of the event.

Time Created: The date and time of the creation of the event. The displayed date depends on your computer's time zone.

OTX: Indicates whether it is an OTX event. If the icon displays as active, click it to go to OTX.

Source Asset: Hostname or IP address of the host (with the national flag if the country is known) that initiates the event. Important: If you want to create a rule, instead of using this field, use the Source Name or Source Asset ID fields.

Destination Asset: Hostname or IP address of the host (with the national flag if the country is known) that receives the event. Important: If you want to create a rule, instead of using this field, use the Destination Name or Destination Asset ID fields.

Sensor: Name of the USM Anywhere Sensor detecting the event. The type of sensor is also displayed below the sensor name.

Username: Username associated with the event.

The asset name includes the icon if the asset is not in the system, or the icon if the

asset has been added to the system.

Click the icon to access these options:

l Add to current filter: Use this option to add the asset name as a search filter. See Searching Events.
l Look up in OTX: This option searches the IP address of the source asset in the Open Threat Exchange page. See Using OTX in USM Anywhere.
l Add asset to system: Use this option to create the asset in the system. See Adding Assets.

Click the icon to access these options:

l Add to Current Filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
l Look up in OTX: This option searches the IP address of the asset in the OTX page. See
Using OTX in USM Anywhere for more information.
l Full Details: See Viewing Assets Details for more information.
l Configure Asset: See Editing Assets for more information.

l Delete Asset: See Deleting the Assets for more information.
l Assign Credentials: See Managing Credentials in USM Anywhere for more information.
l Authenticated Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
l Scan with AlienApp: This option enables you to run an asset scan through an AlienApp. See Running Asset Scans Using an AlienApp for more information.
l Run Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Asset Scans for more information.
l Configuration Issues: This option opens the Assets Details page. The Configuration Issues tab is selected in the page. See Viewing Assets Details for more information.
l Vulnerabilities: This option opens the Assets Details page. The Vulnerabilities tab is selected in the page. See Viewing Assets Details for more information.
l Alarms: This option opens the Assets Details page. The Alarms tab is selected in the page. See Viewing Assets Details for more information.
l Events: This option opens the Assets Details page. The Events tab is selected in the page. See Viewing Assets Details for more information.

You can configure the view you want for the list of events. See Event Views for more
information.

Click Generate Report to open the Configure Report dialog box. See Create an Events Report
for more details.

The graph above the events list displays the amount of events in a period of time. You can
change this period by clicking Last 24 Hours filter.

Click the icon to access these options:

l Actions / User: Reports USM Anywhere account activity based on specific account users
and summarized by Create, Read, Update, and Delete categories.
l Count / Time: The Count/Time view is a graph that provides a graphical representation of
the number of events in a period of time.

Important: The period of time is mapped with the timestamp_occurred field. This
field can be overwritten by the current sensor UTC timestamp if, when processing
events, a delay is detected up to 15 minutes or the timestamp_occurred field is not
provided.

l Auth / User: Reports authorization actions.


l Source Map: Provides the number of events associated with each country on a global
map.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking the icon. This will display all of your bookmarked items and provide direct links to each of them.

Click the icon to filter your search by row fields. See Filtering Events by Row Fields for

more information.

You can choose the number of items to display by selecting 20, 50, or 100 below the table.
You can classify some columns by clicking the icons to the right side of the heading. You can
sort the item information in ascending or descending order.

Configuring Columns
Within the page, you can configure the columns and fields that display in the List view. You
can also save your columns configuration to return to it whenever you need it.

To configure your columns

1. From the events list view, click the icon.

The Manage Columns dialog box opens.

2. Search the columns you want to have in the list view. You can enter your search in the
search field.

3. Use the and icons to pass the items from one column to the other and select the

columns you want to see.

4. You can order the columns by clicking one of them and dragging the column to the
desired place.

5. Click Apply.

Note: If you generate a report when you have set custom columns, your report keeps
the columns you have configured.

Important: If you want to keep your configuration, you need to save it by selecting
Save View > Save as. Otherwise, your custom view is not kept when you move to
another feature. See Event Views for more information.

Event Views


Role Availability Read-Only Investigator Analyst Manager

You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, click the icon.

2. Use the and icons to pass the items from one column to another and select the

columns you want to see.


3. Click Apply.
4. If you want to delimit the search, select the filters you want to apply.

5. Go to Save View > Save As.

The Save Current View dialog box opens.

6. Enter a name for the view.


7. Select Share View if you want to share your view with other users.
8. Click Save.

The created view is already selected.

To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.

Note: A shared view includes the icon next to its name.

3. Click Apply.

To delete a configured view

1. From the Events list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can delete the views you have created.

3. Click Accept.

Important: The icon does not display if the view is selected.

Predefined Views
USM Anywhere includes several predefined views of events based on usual environments and
technologies. These views have pre-defined column headers that show the most relevant
event fields. You can see a summarized event view without having to spend the time creating
a custom view.

These predefined views operate the same way as the views you can create yourself. Some of
these views have also predefined filters.

To open the predefined views

1. Go to Activity > Events.


2. Open the View option and select Saved Views.

3. Select a view and click Apply.

Predefined Views for Events

AlienVault Generic Plugin: Displays log data when the USM Anywhere Sensor is unable to match them with AlienApps based on hints and manual associations.

AWS Cloud Activity: Displays the most relevant event fields for AWS CloudTrail, AWS S3 Access, and ELB Access.

Azure Cloud Activity: Displays the most relevant event fields for Azure environmental logs.

Firewall Events: Displays the most relevant fields for firewall events, for instance request URL, source username, or destination username, depending on the set of fields that is most common to the list of supported firewall AlienApps.

Linux Events: Displays the most relevant fields for Linux events generated by the Linux CRON, SSH, and SUDO AlienApps.

Network IDS: Displays the most relevant event fields for NIDS.

Open Threat Exchange: Displays the most relevant feeds that the pulse has matched.

Web Server Events: Displays the most relevant fields for web server events, which include Apache, NGinx, and Windows IIS.

Windows Events: Displays the most relevant fields for Windows events forwarded by NXLog.

Report Templates in Events

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes a wide range of report templates classified according to the
compliance templates for alarms, vulnerabilities, and events collected in the system. The
templates are grouped into:

l PCI. Payment Card Industry Data Security Standards (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. These reports are identified and based on specific PCI DSS requirements to provide the auditor with the specific information requested. For example, PCI DSS requirement 10.7.a: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
l NIST CSF. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.

l HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. This includes covered entities, anyone who provides treatment, payment and operations in healthcare, and business associates, anyone with access to patient information and provides support in treatment, payment, or operations. Subcontractors, or business associates of business associates, must also be in compliance.
l ISO 27001. ISO/IEC 27001 provides guidance for implementing information security controls to achieve a consistent and reliable security program. The ISO and the International Electrotechnical Commission (IEC) developed 27001 to provide requirements for an information security management system (ISMS).
l Type of Data Source. Event Type Templates enable you to easily run a general firewall, authentication, and other types of normalized queries that do not require you to build complex filters based on specific data source or event types. USM Anywhere supports these reports: Anomaly Detection, Antivirus, Application, Application Firewall, Authentication, Authentication and DHCP, Cloud Application, Cloud Infrastructure, DNS Server, Data Protection, Database, Endpoint Protection, Endpoint Security, Firewall, IDS, Infrastructure Monitoring, Intrusion Detection, Intrusion Prevention, Load Balancer, Mail Security, Mail Server, Management Platform, Network Access Control, Operating System, Other Devices, Proxy, Router, Router/Switch, Server, Switch, Unified Threat Management, VPN, Web Server, Wireless Security/Management.
l Data Sources. You can find templates based on the most commonly used data sources including NIDS, AWS, Amazon DynamoDB, Amazon S3, AWS VPC Flow Logs, AWS Load Balancers, Azure, Cisco Umbrella, Cylance, FireEye, Fortigate, G Suite, McAfee ePO, Office 365, Okta, Palo Alto, SonicWall, Sophos UTM, Watchguard, VMware, Windows, AlienVault Agent. There is also a template for the AlienVault Generic Data Source.

To apply a report template

1. Go to Activity > Events.


2. From the Events list view, click View above the filters and select Report templates.

3. Select a report.

You can use the search field or scroll down the list.

4. Click Apply.

The result displays with the filters applied.

AlienVault Generic Data Source

Role Availability Read-Only Investigator Analyst Manager

The AlienVault Generic Data Source is a predefined view of events which displays log data
when the USM Anywhere Sensor is unable to match them with any AlienApps based on hints
and manual associations.

This view works the same as the events list view. On the left you can find the search and filter
options. In the upper side of the page, you can see any filters you have applied, and you have
the option to create and select different views of the events. The main part of the page is the
actual list of events. Each row describes an individual event.

If you want to analyze the data and see the additional columns without having to scroll left
and right, you can maximize the screen and hide the filter pane. Click the icon to hide the

filter pane. Click the icon to expand the filter pane.

The following table lists the fields you see on the page.

List of the Default Columns in the AlienVault Generic Data Source

Event Name: Name of the event.

Time Created: The date and time of the creation of the event. The displayed date depends on your computer's time zone.

OTX: Indicates whether it is an OTX event. If the icon displays as active, click it to go to OTX.

Reporting Device: The asset that sent the syslog.

Source Asset: Hostname or IP address of the host (with the national flag if the country is known) that initiates the event. Important: If you want to create a rule, instead of using this field, use the Source Name or Source Asset ID fields.

Destination Asset: Hostname or IP address of the host (with the national flag if the country is known) that receives the event. Important: If you want to create a rule, instead of using this field, use the Destination Name or Destination Asset ID fields.

Sensor: Name of the USM Anywhere Sensor detecting the event. The type of sensor is also displayed below the sensor name.

Username: Username associated with the event.

The Reporting Device column includes the assets that sent the syslog. Next to the asset name
of this column, click the icon to access these options:

l Assign plugin: See Adding AlienApps to an Asset for more information.


l Full Details: See Viewing Assets Details for more information.
l Configure Asset: See Editing Assets for more information.
l Delete Asset: See Deleting the Assets for more information.
l Assign Credentials: See Managing Credentials in USM Anywhere for more information.
l Authenticated Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
l Scan with AlienApp: This option enables you to run an asset scan through an AlienApp. See Running Asset Scans Using an AlienApp for more information.
l Run Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Asset Scans for more information.
l Configuration Issues: This option opens the Assets Details page. The Configuration Issues tab is selected in the page. See Viewing Assets Details for more information.
l Vulnerabilities: This option opens the Assets Details page. The Vulnerabilities tab is selected in the page. See Viewing Assets Details for more information.
l Alarms: This option opens the Assets Details page. The Alarms tab is selected in the page. See Viewing Assets Details for more information.
l Events: This option opens the Assets Details page. The Events tab is selected in the page. See Viewing Assets Details for more information.

Next to the source and destination asset name, click the icon to access these options:

l Add to current filter: Use this option to add the asset name as a search filter. See
Searching Events.
l Look up in OTX: This option searches the IP address of the source asset in the Open
Threat Exchange page. See Using OTX in USM Anywhere
l Add asset to system: Use this option to create the asset in the system. See Adding
Assets.

You can configure the view you want for the list of events; see Views for more information.

Click Generate Report to open the Configure Report dialog box. See Create an Events Report
for more details.

The graph above the events list displays the number of events over a period of time. You can change this period by clicking the Last 24 Hours filter.

Click the icon to access these options:

• Actions / User: Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
• Count / Time: Plots the number of events over the selected time period.
• Auth / User: Reports authorization actions.
• Source Map: Provides the number of events associated with each country on a global map.

Click the icon to bookmark an item for quick access.


Note: You can view your bookmarked items by going to the secondary menu and clicking the icon. This will display all of your bookmarked items and provide direct links to each of them.

Click the icon to filter your search by row fields. See Filtering Events by Row Fields for more information.

You can choose the number of items to display by selecting 20, 50, or 100 below the table. You can sort some columns by clicking the icons to the right side of the heading, in ascending or descending order.

Configuring Columns
Within the page, you can configure the columns and fields that display in the List view. You can also save your column configuration to return to it whenever you need it.

To configure your columns

1. From the Events list view, click the icon.

The Manage Columns dialog box opens.

2. Search for the columns you want to have in the list view. You can enter your search in the search field.


3. Use the icons between the two lists to move items from one column to the other and select the columns you want to see.

4. You can order the columns by clicking one of them and dragging the column to the
desired place.

5. Click Apply.

Note: If you generate a report when you have set custom columns, your report keeps the columns you have configured.

Important: If you want to keep your configuration, you need to save it by selecting Save View > Save as. Otherwise, your custom view is not kept when you move to another feature. See Views for more information.

Views
You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, click the icon.

2. Use the icons between the two lists to move items from one column to another and select the columns you want to see.


3. Click Apply.
4. If you want to narrow the search, select the filters you want to apply.

5. Go to Save View > Save As.

The Save Current View dialog box opens.


6. Enter a name for the view.


7. Select Share View if you want to share your view with other users.
8. Click Save.

The new view is selected automatically.

To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.


Note: A shared view includes the icon next to its name.

3. Click Apply.

To delete a configured view

1. From the Events list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can only delete views that you have created.

3. Click Accept.

Important: The delete icon does not display if the view is currently selected.

Searching Events

Role availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere includes the option of searching items of interest on the page. There are
several filters displayed by default. You can either filter your search or enter what you are
looking for in the search field.


You can configure more filters and change which filters to display by clicking the Configure
Filters link located in the upper-left side of the page. The management of filters is similar to
that for assets. See Managing Filters for more information.

Filters Displayed by Default in the Main Events Page

Last 24 Hours: Filter events triggered in the last hour, last 24 hours, last 7 days, last 30 days, or last 90 days. You can also configure your own period of time by clicking the Custom Range option. When you click Custom Range, a calendar opens. You can choose the first and last day to delimit your search by clicking the days on the calendar or entering the days directly. Then select the hours, minutes, and seconds by clicking the specific box. Finally, select AM or PM.

Suppressed: Filter suppressed events. Suppressed events are hidden by default. See Creating Suppression Rules from the Events Page for more information.

Account Name: Filter events by the account that generated the event.

Data Source: Filter events by the data source used to normalize the event.

Event Name: Filter events by the short, user-readable description of the event.

Source Asset: Filter events by the name of the asset that produced the event.

Source User: Filter events by the name of the user that produced the event.

Sensor: Filter events by the name of the USM Anywhere Sensor that received the event.

Asset Groups: Filter events whose source or destination host belongs to one or more of your asset groups, by asset group name.

Username: Filter events by the username associated with the asset that generated the event.

Note: Filtering large asset groups will only return data from the most recent 1024 assets. See Creating an Asset Group for more information about this limitation.

The number in parentheses displayed by each filter indicates the number of items that match the filter. You can also use the filter controls to organize your search and filtered results.


The following icons are displayed with each filter box:

• Sort the filter values alphabetically.
• Sort the filter values by the number of items that match them.

In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.

Note: When applying filters, the search uses the logical AND operator if the used filters
are different. However, when the filter is of the same type, the search uses the logical
OR operator.

Filters that have more than 10 options include a Filter Values search field for typing text to make the search easier. If there are more than 50 search results, an icon appears to the right of the Filter Values search field. Click this icon to download a CSV containing up to 1024 results.


About the Was Fuzzied Filter

When USM Anywhere receives raw log data on the USM Anywhere Sensor, it tries to match it with integrations based on hints and manual associations. Sometimes that process fails and the events are processed by the AlienVault Generic Data Source, which attempts to extract common information using "fuzzy" matching. You can find these events by filtering on the data source integration or on the Was Fuzzied field.

Important: An event having the "Was Fuzzied" field with the value "true" has its data
source property as "[empty]".

See The AlienVault Generic Data Source in the USM Anywhere Deployment Guide for more
information about how this attempts to normalize an unmatched log message.

To search events that are not matched with a specific data source

1. Go to Activity > Events.
2. In the upper-left side of the page, click the Configure Filters link.
3. Search for the Was Fuzzied filter.
4. Click the icon to select the filter.
5. Click Apply.
6. In the left pane, find the Was Fuzzied filter.
7. Click true. The number in parentheses indicates the number of events that were created with the AlienVault Generic Data Source.


Note: The false value displays the events that have an assigned data source. The
number between parentheses indicates the number of events.

Filtering Events by Row Fields

USM Anywhere includes a column with the filter icon in the list view on the Events page. Use this icon to add filters to your search. When you click this icon, a dialog box opens with the specific fields of that row.


To filter events by row fields

1. Click the icon of the row to which you want to add the filters.

The Add Filters dialog box opens.

2. Select the fields that you want to filter during your search and click Equals or Not to limit
your search.
3. Click Apply.

The result of your search displays with the filters applied.

Searching Events by Using the Search Field


Use the search field to enter queries and refine your search. You can enter free text, use wildcards, and use advanced search syntax. When searching, keep in mind the accepted query string syntax listed below.

Accepted Query String Syntax

Standard query with a blank space between terms: By default, a space between query terms is considered an implicit OR. Example: denylist malicious

Literal, using double quotes (""): Matches fields that contain the full term. Literal searches are case-sensitive. Example: "Event from asset not received"

Note: This type of query will not match the raw log unless the phrase in double quotes is an exact and complete match for the contents of the raw log.

Note: IP addresses and FQDNs are considered literal searches, so they don't require quotation marks.

Boolean operators and parentheses (AND, OR, NOT, ( )): Including AND between two search terms returns results that match both terms; including OR returns results that match either term. Including NOT between two search terms excludes results that match the second term, even if they otherwise match your query. Parentheses group terms for higher precedence relative to the rest of your query and are also used to designate subsearches. Example: (http OR tcp) AND ftp

Wildcard, asterisk (*): Appending an asterisk to the end of a term searches for results that begin with that term. An asterisk cannot be used at the beginning of a search query. Example: instance*

Wildcard, question mark (?): Embedding a question mark in the middle of a term searches for results that otherwise match your query, no matter the value in the position held by the question mark. A question mark cannot be used at the beginning of a search query. Example: qu?ck

Regular expression (regex), using /expression/: A regular expression between forward slash characters. A dialog box opens to confirm the search. Example: /Describe.*Instances/

Note: The characters ", *, ?, (, and ) are special characters in expressions. If you want to search for these characters, you need to manually escape them by preceding them with a backslash.

OTX pulse: Pulses are collections of Indicators of Compromise (IOCs). Enter the word pulse followed by a colon and the pulse ID or URL. Example: pulse:59432536c1970e343ce61bf0

Any characters may be used in a query, but certain characters are reserved and must be
escaped. The reserved characters are these:

+-=&|><!{}[]^"~:\/

Use a backslash (for example, "\>") to escape any reserved character (including a backslash).


To search for Events using the search field

1. Go to Activity > Events.
2. Enter your query in the search field.

If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase. This includes email addresses (for example, "[email protected]").

Important: The indexed fields are Event Name, Raw Log, Rep Device Asset ID, Source Asset ID, and Destination Asset ID.

Note: Inside a quoted phrase, wildcard characters are treated as literal characters.

3. Click the icon.

The result of your search displays with the identified matches.

Example: Use Regex to Search for IP Addresses in a Network

You can use regex to broaden your search in a number of ways. See Using Regular Expressions in USM Anywhere for more information. One of the most common applications for regex in a search is to search for an IP address range in a network.

As an example, to search for hosts in the 25. network range, enter the following regex into the search field:

/25\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/

Here is a more detailed anatomy of this example:

• / ... /: The regex search is indicated by the expression contents being contained between forward slashes.
• 25\.: Indicates the network range being searched. The backslash makes the period literal. An unescaped period is a regex metacharacter that matches any single character, so /25.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/ would also match strings such as 25-0-1-4 or a version string like 25.0.1-4.
• [0-9]: This set of brackets in the expression is a variable number range.
• {1,3}: The numbers in this set of braces indicate that the search will look for the preceding number range a minimum of one time and a maximum of three times.
• \.[0-9]{1,3}: Because an IPv4 address consists of four sets of numbers from 0-255 separated by periods, this part of the regular expression is repeated three times to include any possible number from that range.

Keep in mind that the expression is not anchored and does not check octet values: it also matches addresses such as 125.4.5.6, because nothing stops a digit from preceding the 25, and it matches any dotted numeric string of this shape, including values above 255. Check the matched field in the results rather than assuming every hit is in the 25.0.0.0/8 range.

Note: Because the search field does not search all fields in an event, the results will be limited to IP addresses in the Event Name, Raw Log, Rep Device Asset ID, Source Asset ID, and Destination Asset ID fields.
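The query syntax listed above, together with the regex example, as an added worked example that is not part of this guide or of the product: a small Python matcher that applies the documented rules (implicit OR between terms, case-sensitive quoted literals, AND/OR/NOT with parentheses, a trailing *, an embedded ?, /regex/ terms, and backslash-escaping of the reserved characters) to a few constructed events. The events are made up for this example, and two points are assumptions rather than documented behaviour: unquoted terms are matched case-insensitively against whole whitespace-delimited words, and regex terms use Python re semantics, which may differ from the regex dialect of the product's search field.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]
Matcher = Callable[[Event], bool]

# Reserved characters listed in the guide; each must be backslash-escaped
# when it is meant literally in an unquoted query term.
RESERVED = set('+-=&|><!{}[]^"~:\\/')


def escape_term(term: str) -> str:
    """Backslash-escape every reserved character in a literal query term."""
    return "".join("\\" + c if c in RESERVED else c for c in term)


# Constructed sample events (not real USM Anywhere data), two indexed fields each.
EVENTS: List[Event] = [
    {"event_name": "Event from asset not received",
     "raw_log": "Mar 3 10:00:01 host1 nginx: 10.0.0.7 GET /update ua=Updater/25.0.1-4"},
    {"event_name": "AWS DescribeInstances",
     "raw_log": "eventName=DescribeInstances sourceIPAddress=25.1.2.3 instanceId=i-0abc"},
    {"event_name": "Malicious file quick quarantine",
     "raw_log": "file=/tmp/x.exe verdict=malicious action=quarantine src=125.4.5.6"},
]

# One token per quoted phrase, /regex/, parenthesis, or bare term.
TOKEN_RE = re.compile(r'"[^"]*"|/(?:\\.|[^/\\])+/|\(|\)|[^\s()]+')


def _term_matcher(tok: str) -> Matcher:
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        phrase = tok[1:-1]                 # literal: case-sensitive substring
        return lambda ev: any(phrase in f for f in ev.values())
    if len(tok) >= 3 and tok[0] == tok[-1] == "/":
        rx = re.compile(tok[1:-1])         # regex: Python re semantics (assumption)
        return lambda ev: any(rx.search(f) for f in ev.values())
    # Unquoted term: '*' = any suffix, '?' = any one character, '\x' = literal x.
    # Assumed to match a whole whitespace-delimited word, case-insensitively.
    parts, i = [], 0
    while i < len(tok):
        if tok[i] == "\\" and i + 1 < len(tok):
            parts.append(re.escape(tok[i + 1]))
            i += 2
        else:
            parts.append({"*": ".*", "?": "."}.get(tok[i], re.escape(tok[i])))
            i += 1
    rx = re.compile("".join(parts), re.IGNORECASE)
    return lambda ev: any(rx.fullmatch(w) for f in ev.values() for w in f.split())


class _Parser:
    """Recursive descent: AND/NOT bind tighter than OR; adjacent terms are ORed."""

    def __init__(self, query: str) -> None:
        self.toks, self.pos = TOKEN_RE.findall(query), 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _or_expr(self) -> Matcher:
        left = self._and_expr()
        while self._peek() not in (None, ")"):
            if self._peek() == "OR":       # explicit OR; any other token is an implicit OR
                self._take()
            right = self._and_expr()
            left = (lambda a, b: lambda ev: a(ev) or b(ev))(left, right)
        return left

    def _and_expr(self) -> Matcher:
        left = self._unary()
        while self._peek() in ("AND", "NOT"):
            op, right = self._take(), self._unary()
            if op == "AND":
                left = (lambda a, b: lambda ev: a(ev) and b(ev))(left, right)
            else:                          # "a NOT b": matches a and excludes b
                left = (lambda a, b: lambda ev: a(ev) and not b(ev))(left, right)
        return left

    def _unary(self) -> Matcher:
        tok = self._peek()
        if tok is None or tok in ("AND", "OR", "NOT", ")"):
            raise ValueError(f"missing or misplaced term near {tok!r}")
        self._take()
        if tok == "(":
            inner = self._or_expr()
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self._take()
            return inner
        return _term_matcher(tok)


def search(query: str, events: List[Event] = EVENTS) -> List[str]:
    """Return the names of the events that match the query, in list order."""
    parser = _Parser(query)
    matcher = parser._or_expr()
    if parser._peek() is not None:
        raise ValueError(f"unexpected token {parser._peek()!r}")
    return [ev["event_name"] for ev in events if matcher(ev)]
```

Calling search() with the three forms of the IP regex shows the difference the escaping makes: the unescaped /25.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/ matches all three sample events (including the version string 25.0.1-4), the escaped form matches the two that contain 25.1.2.3 and 125.4.5.6, and adding a word boundary (/\b25\.…/) leaves only the address whose first octet is 25.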

Searching Events by Using the Pulse ID


You can use the search field to search events by pulse identification (ID). Pulses are collections of IOCs, reported by the AT&T Alien Labs™ Open Threat Exchange® OTX™ community, on which other community members review and comment. Pulses provide you with a summary of the threat, a view into the software targeted, and the related IOCs, reported by the OTX community worldwide. See Open Threat Exchange® and USM Anywhere for more information.

To search events by using the pulse ID

1. Go to Activity > Events.
2. Enter your query in the search field. Either paste the full pulse URL or enter the word pulse followed by a colon and the pulse ID. For example, enter https://otx.alienvault.com/pulse/59432536c1970e343ce61bf0 or pulse:59432536c1970e343ce61bf0.
3. Click the icon.

The Query Submission dialog box opens.

4. Click Confirm to continue.

The result of your search displays with the items identified. This result matches entries containing IOCs from the pulse that were seen in your environment.

Standard and Advanced Modes on Events

Role availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to toggle between two search modes, Standard and Advanced. You can change from one mode to the other by clicking the mode icon located in the upper-left corner of the page.

Standard Mode
This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.


To activate the standard mode when the advanced mode is on

1. Go to Activity > Events.
2. In the upper-left corner of the page, click the icon.

This turns the icon gray.

Note: If you exit the advanced mode and the selected filters are not compatible with the standard mode, a warning dialog box opens to inform you that the current filters will be removed.

Advanced Mode
Advanced mode enables you to select more than one value per filter at the same time. This mode is off by default.

To activate the advanced mode

1. Go to Activity > Events.
2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

To perform a search in the advanced mode

1. Go to Activity > Events.
2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

3. Click the filters that you want to select.

The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or, in the upper side of the page, click Apply.

The result of your search displays.


To search using the NOT operator

1. Go to Activity > Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Click the filter that you want to exclude.

4. In the filter group, click Not.

Important: You have to select a filter to see this operator.

Note: The selected filter displays the icon and the filter chiclet is labeled in red.


Important: Some filters don't include the NOT operator (for example, Services or
Software).

5. Click Apply.

To search all values of a filter

1. Go to Activity > Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

Note: This option searches all filter values that are not empty. If the filter includes [No Value], that value is neither checked nor displayed. See Searching Events for more information.

About the No Value Option

Role availability: Read-Only, Investigator, Analyst, Manager

The [No Value] option is a special value available for some filters. Use this value when you
want to filter items that do not have the filter property defined or do not match the other
defined property values in the filter. You can use the No Value option with other filter criteria
and apply this value to an individual filter. (For example, you can use this filter for filtering
events without an associated account name.)

USM Anywhere™ User Guide 404


Searching Events

In the Data Source filter, the equivalent of No Value is [AlienVault Generic Data Source]. If you
select this option, it means you are searching for events that do not have a specific data
source. See The AlienVault Generic Data Source for more information.

In the Packet Payload filter, the equivalent of No Value is [No Parsable Value]. The Packet Payload field stores the Base64 encoded payload associated with network-based intrusion detection system (NIDS) events. Due to the size limit of the underlying technology, the maximum length USM Anywhere can parse is 32766 B. When the payload exceeds this limit, USM Anywhere stores the data in this field unparsed. The No Parsable Value option therefore includes two types of events: events with no payload data and events with payload data exceeding 32766 B. Because neither is parsable, you may sometimes see events that do have payload data when you select the No Parsable Value option in the Packet Payload filter.
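The way filters combine (AND across different filters, OR among the values of one filter), the Not operator of the advanced mode, and the [No Value] option, as an added example in Python that is not part of this guide or of the product. The events are constructed for the example; a None field stands for a property the event does not define, which is the case [No Value] is meant to select.

```python
from typing import Dict, List, Optional, Set

Event = Dict[str, Optional[str]]
NO_VALUE = "[No Value]"

# Constructed sample events (not real USM Anywhere data). None marks a
# property the event does not define; ids exist only to label results.
EVENTS: List[Event] = [
    {"id": "1", "event_name": "SSH login failed", "account_name": "prod", "data_source": "Linux SSH"},
    {"id": "2", "event_name": "SSH login failed", "account_name": None, "data_source": "Linux SSH"},
    {"id": "3", "event_name": "User created", "account_name": "dev", "data_source": "Linux Useradd"},
    {"id": "4", "event_name": "Port scan detected", "account_name": "prod", "data_source": None},
]


def _field_matches(value: Optional[str], selected: Set[str]) -> bool:
    """Values selected within one filter are ORed. [No Value] matches an
    undefined or empty property, which no ordinary value can match."""
    if value in (None, ""):
        return NO_VALUE in selected
    return value in selected


def apply_filters(events: List[Event], include: Dict[str, Set[str]],
                  exclude: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Return the ids of the events that pass every filter.

    include maps a filter name to its selected values: different filters are
    ANDed, values of the same filter are ORed. exclude has the same shape and
    stands for filters applied with the Not operator in advanced mode.
    """
    exclude = exclude or {}
    kept: List[str] = []
    for ev in events:
        if not all(_field_matches(ev.get(name), vals) for name, vals in include.items()):
            continue
        if any(_field_matches(ev.get(name), vals) for name, vals in exclude.items()):
            continue
        kept.append(ev["id"])
    return kept
```

For instance, selecting Event Name = SSH login failed together with Account Name = prod or dev keeps only event 1, because the event without an account name matches neither value; selecting [No Value] under Account Name is the only way to reach event 2, and selecting [No Value] under Data Source plays the role the guide assigns to [AlienVault Generic Data Source].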

Viewing Event Details

Role availability: Read-Only, Investigator, Analyst, Manager

The event details page provides in-depth information on events.


To view the details of an event

1. Go to Activity > Events.
2. Click the event to display a summary view, then click the event name to open the full details of the event.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking the icon. This will display all of your bookmarked items and provide direct links to each of them.


The Event Details page includes event management functions that are supported for your assigned user role:

• Select Action: See Applying Actions to Events for more information.
• Create Rule: See Creating Rules from Events for more information.
• Generate Report: This option displays if you have opened the full details of the event. See Create an Events Report for more information.

The event details include the main fields that identify an event. You can edit or add a value in this field:

• Investigation: This field indicates whether the event has been associated with an investigation. You can click the icon to edit the field and enter the title or the number that identifies each investigation. See Adding an Event to an Investigation for more information.

The page shows the event details, then the source, the destination, the source and destination users, the payload, and the log. The icon located next to the Source, Destination, and two User fields gives you access to several options. See Events List View for more information about those options.

In addition, you have these three options:

• Add to current filter: This option enables you to add the asset to the selected filters.
• Look up in OTX: This option searches for the IP address of the asset in the AT&T Cybersecurity Open Threat Exchange (OTX™) page. See Using OTX in USM Anywhere for more information.
• Add asset to system: Use this option to create the asset. See Adding Assets for more information.

Note: The value in the FQDN field comes from the event itself (raw log). This field can contain a real FQDN, an IP address, or be empty.

3. In the upper-right corner, click previous and next to navigate between items.
4. Click the icon to close the dialog box.

Applying Actions to Events


Role availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to respond to an event. Use the Select Action button to associate the event with an action. Depending on the USM Anywhere Sensor you have installed, you will see different actions:

• Get Forensics Information: This option enables you to run pre-defined Linux and Windows scripts to get more information from the system. These scripts are already defined in USM Anywhere. The Basic, Moderate, and Full Forensic Info options get elemental, limited, and complete forensic information from assets. Keep in mind that the Full Forensic Info option takes more time because it includes all options. See Scheduling a Forensics and Response Job in the USM Anywhere AlienApps Guide for more information.
• Scan (unauthenticated): You can launch an unauthenticated scan of an asset. See Running Asset Scans for more information.
• Report Domain: See AlienApp for Cisco Umbrella Actions in the USM Anywhere AlienApps Guide for more information.
• Agent Query: You can run an agent query in response to any event.

Creating Rules from Events

Role availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to create and manage your own orchestration rules from the
Events details pages, which is the easiest way to configure an orchestration rule.

Warning: Orchestration rules only apply to future events and alarms.

Suppression rules using the Contains, Match and Match, case insensitive
operators apply to future events and alarms, not to events and alarms received in the
current day.

You can create these rules:


• Suppression Rule: See Creating Suppression Rules from the Events Page and Suppression Rules from the Orchestration Rules Page for more information.

Note: Users in the Investigator role can create suppression rules but cannot create filtering, alarm, or notification rules.

• Filtering Rule: See Creating Filtering Rules from the Events Page and Filtering Rules from the Orchestration Rules Page for more information.

Important: The Create Filtering Rule option is not visible if the Agent has sent the event.

• Alarm Rule: See Creating Alarm Rules from the Events Page and Correlation Rules for more information.
• Notification Rule: See Creating Notification Rules from the Events Page and Correlation Rules for more information.

Creating Suppression Rules from the Events Page

Role availability: Read-Only, Investigator, Analyst, Manager

You can create suppression rules from the Events page to prevent some events from
flooding your system.

USM Anywhere saves the events that match a suppression rule, but does not correlate these
suppressed events. By default, USM Anywhere hides these suppressed events. If you want to
see these events, click Suppressed in the Search & Filters area. The table displays suppressed
events along with all events. See To only display the suppressed events if you want to display
just the suppressed events.

Warning: Orchestration rules only apply to future events and alarms.

Suppression rules using the Contains, Match and Match, case insensitive
operators apply to future events and alarms, not to events and alarms received in the
current day.

You can create your own rules from the Suppression Rules page or the Events details page,
which is the easiest way to configure the matching conditions.


To create a Suppression Rule from the Events page

1. Go to Activity > Events.
2. Search for the events that you want to include in the suppression rule.

See Searching Events for more information.

3. Click the event to suppress.
4. Select Create Rule > Create Suppression Rule.
5. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

• Logs: Use this packet type for event-based rules.
• Configuration Issues: Use this packet type for configuration-issue-based rules. Configuration issues identify incorrect uses of certain features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of the AWS security features.
• Vulnerabilities: Use this packet type for vulnerability-based rules.
• Alarms: Use this packet type for console user alarm-based rules.

7. Property values taken from the selected event are already suggested as matching conditions. If you want to add new property values, click Add Condition.


Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

8. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

9. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.


10. Enter a name for the rule.
11. (Optional.) Enter a description for identifying this rule.
12. Modify these two options:

• Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrows to scroll the value up or down. You need to enter a number between 1 and 100.
• Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a unit of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the end of the occurrences. If the number of occurrences is not met within this period, the rule is not a match.

These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, a rule with Occurrences set to 5 and Length set to 3 hours applies when the configured conditions happen five times within three hours, and you can define a rule to trigger an alarm for an unauthorized access attempt when a failed SSH login occurs three times within a five-minute window.

13. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
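How the Occurrences and Length options combine, as an added example that is not part of this guide or of the product: a sliding-window counter in Python over constructed SSH failure events, keyed by source, that matches when the configured number of events satisfying the condition falls within the configured span and does not match when they are spread too far apart. The events are made up for this example. Clearing the window after a match, so that one burst yields one match, is an assumption; the guide does not describe how the product counts after a rule has matched.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events (not real USM Anywhere data), ISO 8601 timestamps.
EVENTS: List[Event] = [
    {"ts": "2023-10-18T09:00:05", "event_name": "SSH login failed", "source_name": "10.0.0.7"},
    {"ts": "2023-10-18T09:01:10", "event_name": "SSH login failed", "source_name": "10.0.0.7"},
    {"ts": "2023-10-18T09:02:00", "event_name": "SSH login succeeded", "source_name": "10.0.0.7"},
    {"ts": "2023-10-18T09:03:40", "event_name": "SSH login failed", "source_name": "10.0.0.7"},
    {"ts": "2023-10-18T09:20:00", "event_name": "SSH login failed", "source_name": "10.0.0.7"},
    {"ts": "2023-10-18T09:21:00", "event_name": "SSH login failed", "source_name": "10.0.0.9"},
    {"ts": "2023-10-18T09:22:00", "event_name": "SSH login failed", "source_name": "10.0.0.9"},
    {"ts": "2023-10-18T09:23:00", "event_name": "SSH login failed", "source_name": "10.0.0.9"},
]


def ssh_failure(ev: Event) -> bool:
    """The rule's matching condition: Event Name equals 'SSH login failed'."""
    return ev["event_name"] == "SSH login failed"


def evaluate_rule(events: List[Event], condition: Callable[[Event], bool],
                  occurrences: int, length_seconds: int,
                  group_by: str = "source_name") -> List[Tuple[str, str]]:
    """Return (group, timestamp) pairs at which the rule matches.

    The rule matches when `occurrences` events satisfying `condition` fall
    within a span of `length_seconds`, counted separately per `group_by`
    value. The window is cleared after a match so one burst yields one match;
    this reset is an assumption, not documented product behaviour.
    """
    if not 1 <= occurrences <= 100:
        raise ValueError("Occurrences must be between 1 and 100")
    span = timedelta(seconds=length_seconds)
    windows: Dict[str, Deque[datetime]] = {}
    matches: List[Tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not condition(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        window = windows.setdefault(ev[group_by], deque())
        window.append(ts)
        while ts - window[0] > span:        # drop occurrences that fell out of the span
            window.popleft()
        if len(window) >= occurrences:
            matches.append((ev[group_by], ev["ts"]))
            window.clear()
    return matches


if __name__ == "__main__":
    # Three failed SSH logins within five minutes, per source: both bursts match.
    print(evaluate_rule(EVENTS, ssh_failure, 3, 5 * 60))
    # Same count within two minutes: the first burst is too spread out to match.
    print(evaluate_rule(EVENTS, ssh_failure, 3, 2 * 60))
```

With Occurrences 3 and Length 5 minutes the rule matches once for 10.0.0.7 (at 09:03:40) and once for 10.0.0.9 (at 09:23:00); with Length 2 minutes only the second burst matches, because the first three failures from 10.0.0.7 are spread over more than two minutes.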

To only display the suppressed events

1. Go to Activity > Events.


2. In the Search & Filters area, click Not Suppressed to remove the Suppressed: False filter,
and then click Suppressed to add the Suppressed: True filter.
3. In the upper-left corner of the page, click the Configure Filters link to see events sup-
pressed by a certain rule.


4. In the Search filters field, enter Suppress.


5. Select the Suppress Rule Name filter.
6. Click the icon to pass the selected filter from the available filters to the selected ones.

7. Click Apply.

The page reloads, and the Suppress Rule Name filter is added at the lower-left corner.

8. Search the Suppress Rule Name filter and click the rule.

If no rule name displays, either no rule is currently suppressing events or the Suppressed filter is not enabled.

See Searching Events for more information about the icons below the filters.

Note: You can save the view for later use. See Event Views for more information about
how to create a configuration view.

To show triggered suppressed events

1. Go to Settings > Rules to open the All Orchestration Rules page.


2. In the Event Suppression row, click the icon.

The Events List View page opens. The page includes Rules Name as a filter so that you
can see how many events match the selected rule.

Creating Filtering Rules from the Events Page

Role availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to make the sensor drop future events that match the rule. These events will be neither correlated nor stored. Through these rules, you can define which event data you store in USM Anywhere. You pay for the data you use.

Note: Filtering rules are not retroactive. A rule applies to future items, but not to previous items, even if those items match the rule.

Important: You can't use a correlation list when you create a filtering rule.


To create a filtering rule from the Events page

1. Go to Activity > Events.

2. Search the events which you want to include in the filtering rule.

See Searching Events for more information.

3. Click one of them.


4. Select Create Rule > Create Filtering Rule.

5. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

   • Logs: Use this packet type for event-based rules.
   • Configuration Issues: Use this packet type for configuration-issue-based rules.¹
   • Vulnerabilities: Use this packet type for vulnerability-based rules.
   • Alarms: Use this packet type for console user alarm-based rules.

7. Property values are already suggested for creating a matching condition. If you want
to add new property values, click Add Condition.

¹ This packet type refers to configuration issues that are used to identify incorrect uses of certain
features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of
the AWS security features.


Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

8. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

9. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.


10. Enter a name for the rule.


11. (Optional.) Enter a description for identifying this rule.

12. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Creating Alarm Rules from the Events Page

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to identify existing and emerging threats of interest. Through alarm
rules on events, you can organize your threats so that you see only high-priority alarms, which
can also be delivered by email. This reduces noise and lets you focus on what matters.

To create an alarm rule from the Events page

1. Go to Activity > Events.

2. Search for the events that you want to include in the alarm rule.

See Searching Events for more information.

3. Click one of them.


4. Select Create Rule > Create Alarm Rule.

5. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.


   • Logs: Use this packet type for event-based rules.
   • Configuration Issues: Use this packet type for configuration-issue-based rules.¹
   • Vulnerabilities: Use this packet type for vulnerability-based rules.
   • System Events: Use this packet type for system-event-based rules.
   • Console User Events: Use this packet type for console-user-event-based rules.

7. Property values are already suggested for creating a matching condition. If you want
to add new property values, click Add Condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

¹ This packet type refers to configuration issues that are used to identify incorrect uses of certain
features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of
the AWS security features.


Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

8. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

9. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

10. Enter a name for the rule and, if desired, a description to clarify its use in the Description
field.
11. Select an intent.

The intent describes the context of the behavior that is being observed. These intents
roughly map to the stages of the intrusion kill chains but are collapsed to ensure that
each is discrete. See Intent for more information about the available threat categories.

12. Enter a method.

If known, it is the method of attack or infiltration associated with the indicator that
generated the alarm.


Note: This is a required field; if you do not complete this field, the Save button
remains inactive.

13. Select a strategy.

The strategy describes the broad-based strategy or behavior that is detected. The
intention is to describe the malicious user's strategy to achieve their goal.

14. Enter a priority.

See Priority Field for Alarms for more information.

15. Configure a mute duration in seconds, minutes, or hours.

You can use the mute value to set the period of time during which, once an alarm is
created, USM Anywhere will not create a new alarm based on the same conditions.

Note: Take care to set a mute duration that is long enough to cover the span of
time in which matching events will occur to maximize the efficacy of your mute.

Important: If your USM Anywhere™ is restarted when one of your alarm mutes is
active, or if there is an update or hotfix, the alarm mute will be canceled.

16. Modify these two options:

   • Occurrences: Specify the number of event occurrences that produce a match on the
     conditional expression to trigger the rule. You can enter the number of occurrences or
     use the arrow to scroll the value up or down. You need to enter a number between 1
     and 100.
   • Length: Specify the length of the timespan used to identify a match for multiple
     occurrences. Enter the number and choose a value of seconds, minutes, or hours.

     This duration identifies the amount of time that transpires from the beginning to the
     end of the occurrence. If the number of occurrences is not met within this period, the
     rule is not a match.


In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

17. (Optional.) Select the fields that you want to display in the generated alarm.

You can select or remove the fields you want to include in the details of the alarm. A field
passes from one column to the other by clicking it.

18. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Creating Notification Rules from the Events Page

Role Availability Read-Only Investigator Analyst Manager

You can create your own notification rules from the Orchestration Rules page or from the
Events details page, which are the easiest ways to configure the matching conditions.

To create a Notification Rule from the Events page

1. Go to Activity > Events.


2. Search the events that you want to include in the notification rule. See Searching Events
for more information.
3. Click one of them.
4. Select Create Rule > Create Notification Rule.

5. Select a Boolean operator.


The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

   • Logs: Use this packet type for event-based rules.
   • Configuration Issues: Use this packet type for configuration-issue-based rules.¹
   • Vulnerabilities: Use this packet type for vulnerability-based rules.
   • System Events: Use this packet type for system-event-based rules.
   • Console User Events: Use this packet type for console-user-event-based rules.
   • Alarms: Use this packet type for console user alarm-based rules.

7. Property values are already suggested for creating a matching condition. If you want
to add new property values, click Add Condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

¹ This packet type refers to configuration issues that are used to identify incorrect uses of certain
features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of
the AWS security features.


Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

8. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

9. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

10. Enter a name for the rule.


11. (Optional.) Enter a description for identifying this rule.
12. Select a notification method:

   • Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
     (SNS) API call from the USM Anywhere server. There is no limit to the number of
     Amazon SNS endpoint notifications sent. However, this method requires having an
     Amazon Web Services (AWS) account for setup and use. The Amazon SNS allows the
     first 1000 email notifications per month to fall into the free messaging tier. See
     Sending Notifications Through Amazon SNS in the USM Anywhere Deployment Guide for
     more information.
   • Datadog: This method requires the creation of a Datadog API key and additional steps.
     See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment
     Guide for more information.
   • Email: This method sends the notification by email. You need to enter information for
     the email subject and enter a destination email address. Multiple comma-separated
     email addresses are possible. This method uses a built-in integration with the Amazon
     Simple Email Service (SES) function and is limited to a maximum of 200 emails per
     rolling 24-hour period. The only user-customizable information available is the email
     subject line.

     Note: The rolling 24-hour, 200-email limit refers to all email accounts. For
     example, you can have a rule with multiple emails, which counts as a single email
     delivery. Alternately, if you have several rules with several emails, each of these
     counts as an individual email account. Sensor-disconnect emails do not count
     against this number because they are critical and are only sent to users whose
     role is manager.

     Select the Sanitize Email Content checkbox to replace detailed email contents with a
     generic message and a link that requires user authentication to view further
     information.

   • PagerDuty: This method is performed using an integration in the product, and user
     setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
     Anywhere Deployment Guide for more information.
   • Slack: This method makes use of a user-created Slack Webhook integration. Slack
     integration can also be performed using Amazon SNS. See Sending USM Anywhere
     Notifications to Slack in the USM Anywhere Deployment Guide for more information.

13. Modify these two options:

   • Occurrences: Specify the number of event occurrences that produce a match on the
     conditional expression to trigger the rule. You can enter the number of occurrences or
     use the arrow to scroll the value up or down. You need to enter a number between 1
     and 100.
   • Length: Specify the length of the timespan used to identify a match for multiple
     occurrences. Enter the number and choose a value of seconds, minutes, or hours.

     This duration identifies the amount of time that transpires from the beginning to the
     end of the occurrence. If the number of occurrences is not met within this period, the
     rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

14. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules >
Orchestration Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
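The Occurrences and Length options described for alarm rules and for notification rules above, together with the alarm mute duration, worked through as an added Python example. This is not USM Anywhere code and does not reproduce the product's matching engine: the event dictionaries, the failed-SSH condition, the function names and the sample events are constructed assumptions. It generalizes the "three failed SSH logins within five minutes" case from the text to any condition, occurrence count and window, and shows what the mute does when the conditions match a second time.

```python
"""Added example (not USM Anywhere code): a minimal model of how a rule's
Occurrences and Length options, plus an alarm rule's mute duration, decide when
matching events raise an alarm.  Event fields, the failed-SSH condition, the
function names and the sample events are constructed for this illustration."""
from collections import deque
from datetime import datetime, timedelta


def matches_failed_ssh(event):
    """Stand-in for the rule's matching condition: a failed SSH login."""
    return event.get("app") == "sshd" and event.get("outcome") == "failure"


def evaluate_rule(events, condition, occurrences, length, mute=None):
    """Return the timestamps at which the rule fires.

    The rule fires when `occurrences` matching events fall inside a window of
    `length` (the guide's Occurrences and Length).  `mute` models the alarm mute
    duration: after an alarm, no new alarm is raised for `mute`, even if the
    conditions match again (None means no mute).
    """
    window = deque()      # timestamps of matching events inside the window
    fired = []
    muted_until = None
    for event in sorted(events, key=lambda e: e["ts"]):
        if not condition(event):
            continue
        now = event["ts"]
        window.append(now)
        # Drop matches that fall outside the window ending at the current event.
        while now - window[0] > length:
            window.popleft()
        if len(window) >= occurrences:
            # Conditions matched; raise an alarm unless a mute is still active.
            if muted_until is None or now >= muted_until:
                fired.append(now)
                if mute is not None:
                    muted_until = now + mute
            window.clear()   # count the next group of occurrences from scratch
    return fired


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample: failed and successful SSH logins from one source address.
SAMPLE_EVENTS = [
    {"ts": _ts("2023-10-18T09:00:00"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": _ts("2023-10-18T09:01:30"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": _ts("2023-10-18T09:02:10"), "app": "sshd", "src": "203.0.113.5", "outcome": "success"},
    {"ts": _ts("2023-10-18T09:03:00"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": _ts("2023-10-18T09:04:00"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": _ts("2023-10-18T09:04:30"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": _ts("2023-10-18T09:05:00"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": _ts("2023-10-18T09:20:00"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
    {"ts": _ts("2023-10-18T09:30:00"), "app": "sshd", "src": "203.0.113.5", "outcome": "failure"},
]


def demo():
    """Run the sample through three rule configurations; times are HH:MM:SS."""
    five_min, ten_min, three_h = timedelta(minutes=5), timedelta(minutes=10), timedelta(hours=3)
    fmt = lambda fired: [t.strftime("%H:%M:%S") for t in fired]
    return {
        # The guide's example: 3 failed logins in 5 minutes, alarm muted for 10 minutes.
        "3_in_5min_mute_10min": fmt(evaluate_rule(SAMPLE_EVENTS, matches_failed_ssh, 3, five_min, ten_min)),
        # Same rule without a mute: the second burst at 09:05 raises a second alarm.
        "3_in_5min_no_mute": fmt(evaluate_rule(SAMPLE_EVENTS, matches_failed_ssh, 3, five_min)),
        # 5 occurrences in 3 hours: one alarm at the fifth failure.
        "5_in_3h": fmt(evaluate_rule(SAMPLE_EVENTS, matches_failed_ssh, 5, three_h)),
    }


if __name__ == "__main__":
    for name, alarms in demo().items():
        print(f"{name}: {alarms}")
```

The window is cleared after each match so that one burst of events produces one alarm rather than one alarm per additional event; with a mute configured, the 09:05 burst still counts as a match but produces no second alarm, which is the behaviour the mute duration is meant to give.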

Adding an Event to an Investigation

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to associate events with an investigation.

Important: You can link up to 100 events to each investigation.

To add an event to an investigation from the Events Details page

1. Go to Activity > Events.


2. Locate the event you want to add to the investigation. See Searching Events for more
information.


3. In the Investigation field, click the icon to edit it and enter the title or the number
that identifies the investigation.

Note: Click Create New Investigation if you want to start a new investigation. See
Creating a New Investigation for more information.

4. Click Apply.

The event is now linked to the investigation, and you can see it from Investigations. See
Evidence on Investigations for more information.

Create an Events Report

Role Availability Read-Only Investigator Analyst Manager

You can create a PDF or CSV report of the events directly from the events page.

Important: AT&T Cybersecurity recommends Google Chrome as the preferred browser
for generating reports. The use of alternative browsers may result in poor formatting.

To create an events report

1. Go to Activity > Events.

2. Use filters to define which events you want to include in your report.

3. Click Generate Report to open the Configure Report dialog box.

The filters selected and displayed for the page view are the ones that are populated in the
report.

4. Click Edit Filters if you want to modify the selected filters, and then click Continue to
Filters. Do the modifications you need, and then click Edit Report.

5. Click the Date field if you want to choose a different date range.


Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
to set a particular date range.

Note: This option is not available when generating reports for assets or asset
groups.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select whether you want the report to be generated again on a schedule: Never, Daily,
Weekly, Bi-weekly, or Monthly.
8. Enter an email address to send the report.
Select the Send to my Email Address option to add your email automatically.
9. Select the Enable Link Expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report.
This name will be displayed in the Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report. For CSV the options are 20, 50, 100, 500, 1000, or 50 K. For PDF the options
are 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views.
You can add or remove graphs included in the report by clicking the and icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report at the indicated email address.
16. Click Run to run the report.


Protecting Your Sensor's Performance with EPS Adaptive Response

To protect the health of your system, USM Anywhere monitors the rate of events being sent
to your sensor. If that rate, measured in events per second (EPS), threatens to exceed your
sensor's capacity, USM Anywhere engages EPS Adaptive Response. EPS Adaptive Response
throttles your EPS so that the system has more time to process incoming events, keeping
your system running without risking event loss.

Note: See Reaching the Monthly Usage Limit to read more about sensor capacity and
USM Anywhere tier limits.

EPS Adaptive Response may cause delays in the correlation of alarms. While it is active, events
enter an adaptive processing queue on the sensors or in the agent pipeline to preserve product
stability. When it is deactivated, the queue is processed at normal speed. USM Anywhere
displays events in the user interface (UI) based on the time the event actually occurred, not
the time the event was received by the sensor. When EPS Adaptive Response ends and the
queued events are forwarded, they are backfilled into the appropriate timeslots.

Important: After EPS Adaptive Response has ended, alarms may be delayed while
throttled events are being forwarded.

EPS Adaptive Response Scenarios


There are two scenarios in which EPS Adaptive Response may be engaged:

   • Your sensor's disk space is almost full: When your sensor's disk space approaches full,
     throttling engages to preserve remaining disk space. This is enabled for all customers.
   • Your USM Anywhere is projected over tier: When your USM Anywhere is projected to be
     over tier, throttling slows down the event ingestion in both sensors and agents until you
     are back within your tier limits. This is only enabled for heavy usage customers.

Note: Every time EPS Adaptive Response is engaged or disengaged, your USM
Anywhere sensor will create a system event. In addition, a system event is created when
throttling rates change.

You may also create custom events around throttling to best suit your environment's
needs.


Sensor Disk Space


If your sensor's disk volume ever filled up completely, the sensor would stop being able to
process events. To prevent this, EPS Adaptive Response slows down your sensor's EPS, giving
your system time to process events coming in. As your disk partition continues to fill, the rate
of EPS throttling will increase to preserve what remains of your disk space and your sensor's
operations. The following table summarizes the throttling rates based on your sensor usage.

Throttling Rates per Percentage of Sensor Disk Used

Disk Use (%)    Sensor Throttling (ms)
88              0.25
90              0.5
92              2
95              5
98              10
99              100

Over Tier Projection


When your USM Anywhere is projected to go over tier, meaning either 5% over your allotment
or over 50 GB in total, it analyzes the rate of traffic coming through the sensor and agent
data pipeline. It then engages EPS Adaptive Response to slow down your data rate and keep
your USM Anywhere operational until data ingestion decreases or your tier is upgraded.

If you have more than one sensor or agent, USM Anywhere will begin by throttling only the
sensor with the highest EPS. This is determined by retrieving your system's EPS per minute
for every sensor and maintaining a rolling EPS average. Every hour, your system determines if
throttling is necessary, and EPS Adaptive Response will be engaged on any sensor sending
more EPS than 75% of this average.

When your USM Anywhere is projected to go over tier, EPS throttling is progressive, starting
at 1 ms and increasing up to 250 ms as necessary until data ingestion decreases or your tier
changes. Once throttling has been engaged, the projection will be sampled regularly. If the
tier decrement is smaller than 2%, then the throttling factor is doubled. Otherwise, it remains
the same until throttling is no longer necessary.
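The EPS Adaptive Response rules stated in this section, modelled as an added Python example so that the numbers can be tried out. This is not USM Anywhere code: the thresholds (the disk-use table, 75% of the rolling average, the 1 ms to 250 ms range, doubling while the projected tier decrement is below 2%) come from the text, but how the rolling average is computed, the reading of "this average" as the mean of the per-sensor rolling averages, the sample EPS figures and the function names are constructed assumptions.

```python
"""Added example (not USM Anywhere code): a small model of the EPS Adaptive
Response rules stated in this section.  The thresholds come from the guide
(disk-use table, 75% of the rolling average, 1 ms to 250 ms, doubling while the
projected tier decrement is below 2%); how the rolling average is computed, the
sample EPS figures and the function names are constructed assumptions."""
from statistics import mean

# Sensor disk-space throttling, from the guide's table: (disk use %, delay in ms).
DISK_THROTTLE_TABLE = [(88, 0.25), (90, 0.5), (92, 2), (95, 5), (98, 10), (99, 100)]

MIN_THROTTLE_MS = 1       # over-tier throttling starts here (guide)
MAX_THROTTLE_MS = 250     # and never exceeds this (guide)
SHARE_OF_AVERAGE = 0.75   # sensors above 75% of the rolling average are throttled (guide)
MIN_DECREMENT_PCT = 2.0   # below this projected tier decrement the factor doubles (guide)


def disk_throttle_ms(disk_use_pct):
    """Delay applied for a given disk usage; 0 below the first threshold."""
    delay = 0.0
    for threshold, ms in DISK_THROTTLE_TABLE:
        if disk_use_pct >= threshold:
            delay = ms
    return delay


def rolling_average(samples, window=60):
    """Rolling average over the last `window` per-minute EPS samples (assumed window)."""
    recent = list(samples)[-window:]
    return mean(recent) if recent else 0.0


def sensors_to_throttle(eps_by_sensor):
    """Sensors whose rolling EPS exceeds 75% of the average across all sensors.

    Assumption: 'this average' in the guide is read as the mean of the per-sensor
    rolling averages, so the sensor with the highest EPS is throttled first."""
    averages = {name: rolling_average(s) for name, s in eps_by_sensor.items()}
    if not averages:
        return []
    fleet_average = mean(averages.values())
    return sorted(n for n, avg in averages.items() if avg > SHARE_OF_AVERAGE * fleet_average)


def next_throttle_ms(current_ms, projected_decrement_pct):
    """Progressive over-tier throttling: engage at 1 ms, double while the
    projected tier decrement stays below 2%, never exceed 250 ms."""
    if current_ms <= 0:
        return MIN_THROTTLE_MS
    if projected_decrement_pct < MIN_DECREMENT_PCT:
        return min(current_ms * 2, MAX_THROTTLE_MS)
    return current_ms


def throttle_schedule(projected_decrements):
    """Throttling value after each projection sample, starting unthrottled."""
    value, trace = 0, []
    for decrement in projected_decrements:
        value = next_throttle_ms(value, decrement)
        trace.append(value)
    return trace


# Constructed per-minute EPS samples for three sensors.
SAMPLE_EPS = {
    "sensor-a": [95, 100, 105, 100],
    "sensor-b": [36, 38, 34, 36],
    "sensor-c": [20, 20, 20, 20],
}

if __name__ == "__main__":
    print("disk 93% ->", disk_throttle_ms(93), "ms")
    print("throttle first:", sensors_to_throttle(SAMPLE_EPS))
    print("schedule:", throttle_schedule([0.5, 1.0, 1.5, 3.0, 1.0]))
```

With the constructed samples only sensor-a is selected, which matches the guide's statement that the sensor with the highest EPS is throttled first, and the schedule shows the delay doubling only on samples where the projected decrement is under 2% until the 250 ms ceiling is reached.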


EPS Adaptive Response System Events


Every time the event throttling value changes in a sensor, a new system event is generated.

There are two system event types:

   • EPS throttling has been engaged: Your sensor's EPS is being throttled.
   • EPS throttling has ended: Your sensor's EPS is no longer being throttled.

Each throttling system event type has a number of possible event keys, specifying which type
of event has been triggered.

EPS Throttling System Events and Their Meanings

Event Type                  Event Key        Event Value
Sensor is being throttled   event_action     SENSOR_THROTTLING
                            event_name       Sensor is being throttled
                            sensor_uuid      Sensor ID
                            customheader_0   Throttling value
                            customfield_0    Throttling value in milliseconds
Sensor throttling is over   event_action     SENSOR_THROTTLING
                            event_name       Sensor throttling is over
                            sensor_uuid      Sensor ID
                            customheader_0   Throttling value
                            customfield_0    0
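Reading these throttling system events back to track the throttling state of each sensor, as an added Python example (not USM Anywhere code). The keys event_action, event_name, sensor_uuid and customfield_0 and their values follow the table above; the timestamp key, the sensor IDs and the sample events are constructed assumptions. It treats a further "Sensor is being throttled" event for an already throttled sensor as a rate change, which is what the guide says happens when the throttling value changes.

```python
"""Added example (not USM Anywhere code): tracking sensor throttling state from
the EPS throttling system events in the table above.  The keys event_action,
event_name, sensor_uuid and customfield_0 follow the table; the timestamp key,
the sensor IDs and the sample events are constructed assumptions."""
from datetime import datetime

THROTTLING_ACTION = "SENSOR_THROTTLING"
ENGAGED = "Sensor is being throttled"
ENDED = "Sensor throttling is over"

# Constructed system events, oldest first, including one unrelated event.
SAMPLE_SYSTEM_EVENTS = [
    {"timestamp": "2023-10-18T10:00:00", "event_action": THROTTLING_ACTION, "event_name": ENGAGED,
     "sensor_uuid": "sensor-1", "customheader_0": "Throttling value", "customfield_0": "1"},
    {"timestamp": "2023-10-18T10:30:00", "event_action": THROTTLING_ACTION, "event_name": ENGAGED,
     "sensor_uuid": "sensor-1", "customheader_0": "Throttling value", "customfield_0": "2"},
    {"timestamp": "2023-10-18T11:00:00", "event_action": "USER_LOGIN", "event_name": "User logged in",
     "sensor_uuid": "sensor-1"},
    {"timestamp": "2023-10-18T11:00:00", "event_action": THROTTLING_ACTION, "event_name": ENGAGED,
     "sensor_uuid": "sensor-2", "customheader_0": "Throttling value", "customfield_0": "0.25"},
    {"timestamp": "2023-10-18T12:00:00", "event_action": THROTTLING_ACTION, "event_name": ENDED,
     "sensor_uuid": "sensor-1", "customheader_0": "Throttling value", "customfield_0": "0"},
    {"timestamp": "2023-10-18T12:15:00", "event_action": THROTTLING_ACTION, "event_name": ENGAGED,
     "sensor_uuid": "sensor-2", "customheader_0": "Throttling value", "customfield_0": "0.5"},
]


def throttling_summary(events):
    """Per sensor: whether throttling is engaged now, the current delay, and the
    list of throttling episodes (start, end, duration in seconds, peak delay)."""
    summary = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev.get("event_action") != THROTTLING_ACTION:
            continue          # not a throttling event
        sensor = summary.setdefault(ev["sensor_uuid"],
                                    {"throttled": False, "throttle_ms": 0.0, "episodes": []})
        when = datetime.fromisoformat(ev["timestamp"])
        value = float(ev.get("customfield_0", 0))
        if ev["event_name"] == ENGAGED:
            if not sensor["throttled"]:
                # The first engaged event opens a new episode.
                sensor["episodes"].append({"start": when, "end": None, "seconds": None, "peak_ms": value})
                sensor["throttled"] = True
            else:
                # A further engaged event means the throttling rate changed.
                sensor["episodes"][-1]["peak_ms"] = max(sensor["episodes"][-1]["peak_ms"], value)
            sensor["throttle_ms"] = value
        elif ev["event_name"] == ENDED and sensor["throttled"]:
            episode = sensor["episodes"][-1]
            episode["end"] = when
            episode["seconds"] = (when - episode["start"]).total_seconds()
            sensor["throttled"] = False
            sensor["throttle_ms"] = 0.0
    return summary


def currently_throttled(summary, min_ms=0.0):
    """Sensors still throttled at or above `min_ms`, for a quick health check."""
    return sorted(s for s, st in summary.items() if st["throttled"] and st["throttle_ms"] >= min_ms)


if __name__ == "__main__":
    for sensor, state in throttling_summary(SAMPLE_SYSTEM_EVENTS).items():
        print(sensor, state)
```

Feeding these events into a rule or an external monitor is the practical use: a sensor that stays in an open episode, or whose peak delay keeps climbing, is the one whose ingestion (or disk) needs attention before throttling starts delaying alarms.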

Raw Logs in Events

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere archives raw event data as logs. Raw logs are an invaluable asset for forensic
analysis and compliance mandates. You can download raw logs for review and find details
about specific incidents, search the logs for instances using a specific IP address, or analyze
the patterns of multiple attacks.


USM Anywhere enables you to configure the Raw Log column when viewing events or
download raw logs from events.

To add the Raw Log column when viewing events

1. From the Events List view, click the icon to open the Columns Configuration dialog
box.
2. Enter raw in the search field of the available columns.
3. Use the icon to pass the Raw Log column from one side to the other.

4. Click Apply.

Note: If you want to keep your configuration, you need to save it by selecting Save
View > Save as. Otherwise, your custom view will not be kept when you move to
another page.

To download Raw Logs

1. Go to Activity > Events.


2. Search or use filters to limit the events if needed.
3. In the upper right corner of the page, click Generate Report to open the Create Report
dialog box.
4. Click the Download Raw Logs tab.

5. Choose a date range. You can select a predefined range between Last Hour, Last 24
Hours, Last 7 Days, Last 30 Days, or Last 90 Days or Custom Range to set a particular
date range.


6. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
7. Click Download Logs.



System Events Management
An event is a record of activity that contains information and resides in a log file. USM
Anywhere collects, normalizes, and enriches logs with additional metadata; the results are
called events.

USM Anywhere enables you to display system events. These are events generated within your
USM Anywhere environment itself; they are not actions associated with any of the assets or
networks monitored by your environment. For instance, the system generates a system event
when an asset, a user, or a node is created, updated, or deleted, or when you modify your
MFA subscription.

This topic discusses these subtopics:

USM Anywhere System Events List View 434

Searching System Events 438

Viewing System Event Details 449

Regular Events and System Events 449

USM Anywhere System Events List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view of your system events. Go to Settings > System
Events to see this centralized view.

The system events page displays information on any events generated within your
environment. On the left you can find the search and filters options. In the upper-left side of
the page, you can see any filters you have applied, and you have the option to create and
select different views of the system events. The main part of the page is the actual list of
system events. Each row describes an individual system event. The following table lists the
default columns for system events.

Note: System events older than 30 days are cleared from hot storage on a regular basis.

List of the Default Columns in System Events

Column Name              Description
Event Name               Name of the event.
Time Created             Date and time of the creation of the event. The displayed date
                         depends on your computer's time zone.
Sensor                   Name of the USM Anywhere Sensor detecting the event. The type of
                         sensor is also displayed below the sensor name.
Source User Email        Email of the user that performed the action. For example, when
                         user [email protected] logs in, the source email is
                         [email protected].
Destination User Email   Email of the user that the action is being performed on. For
                         example, if user [email protected] modifies or creates user
                         [email protected], then the destination email is
                         [email protected].
Event Outcome            Indicates if the action was successful and completed or if it
                         failed.
Event Change             Brief description of what was changed in the system event. It
                         only gets populated for certain actions and indicates what is
                         being changed. Most of these are user changes (for example, when
                         a user is suspended, locked status is reset, multifactor
                         authentication (MFA) is enabled or disabled, or password
                         updated).
Source Asset             Hostname or IP address of the host (with the national flag if the
                         country is known) that initiates the event.
                         Important: If you want to create a rule, instead of using this
                         field, use the Source Name or Source Asset ID fields.
Identity Source Address  IP address of the event or computer that it takes place on.

If you want to analyze the data, you can maximize the screen and hide the filter pane. Click
the icon to hide the filter pane. Click the icon to expand the filter pane.

Click Generate Report to open the Configure Report dialog box. See Create and Schedule
Reports for more details.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking
the icon. This will display all of your bookmarked items and provide direct links to
each of them.

You can choose the number of items to display by selecting 20, 50, or 100 below the table.
You can classify some columns by clicking the icons to the right side of the heading. You can
sort the item information in ascending or descending order.

Configure Columns
Within the page, you can configure the columns and fields that display in the List view. You
can also save your columns configuration to return to it whenever you need it.


To configure your columns

1. From the system event list view, click the icon.

The Columns Configuration dialog box opens.

2. Search the columns you want to have in the list view. You can enter your search in the
search field.

3. Use the and icons to pass the items from one column to the other and select the
columns you want to see.

4. You can order the columns by clicking one of them and dragging the column to the
desired place.

5. Click Apply.

Note: If you generate a report when you have set custom columns, your report keeps
the columns you have configured.


Important: If you want to keep your configuration, you need to save it by selecting
Save View > Save as. Otherwise, your custom view is not kept when you move to
another feature. See Views for more information.

Views
USM Anywhere enables you to define and save a custom System Events view to have your
own selected filters.

You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, select the filters you want to apply.
2. If you want to delimit the search, select the filters you want to apply.

3. Go to Save View > Save As.

The Save Current View dialog box opens.

4. Enter a name for the view.


5. Select Share View if you want to share your view with other users.
6. Click Save.

The created view is already selected.


To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.

Note: A shared view includes the icon next to its name.

3. Click Apply.

To delete a configured view

1. From the System Events list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can delete the views you have created.

3. Click Accept.

Important: The icon does not display if the view is selected.

Searching System Events


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes the option of searching items of interest on the page. There are
several filters displayed by default. You can either filter your search or enter what you are
looking for in the search field.

You can configure more filters and change which filters to display by clicking the Configure
Filters link located in the upper-left side of the page. The management of filters is similar to
that for assets. See Managing Filters for more information.

The following table lists the filters you see on the page.

Filters Displayed by Default in the Main System Events Page

Filter Name              Meaning
Last 24 Hours            Filter system events triggered in the last hour, last 24 hours, last 7
                         days, last 30 days, or last 90 days. You can also configure your own
                         period of time by clicking the Custom Range option. This option
                         enables you to customize a range. When you click Custom Range, a
                         calendar opens. You can choose the first and last day to delimit your
                         search by clicking the days on the calendar or entering the days
                         directly. Then select the hours, minutes, and seconds by clicking the
                         specific box. Finally, select AM or PM.
Suppressed               Filter suppressed system events.
Not Suppressed           Filter hiding suppressed system events. The suppressed system events
                         are hidden by default.
Event Name               Filter system events by the short, user-readable description of the
                         system event.
Sensor                   Filter system events by the associated USM Anywhere sensor.
Source User Email        Filter system events by the email of the user that performed the
                         action. For example, when user [email protected] logs in, the source
                         email is [email protected].
Destination User Email   Filter system events by the email of the user that the action is
                         being performed on. For example, if user [email protected] modifies
                         or creates user [email protected], then the destination email is
                         [email protected].
Event Outcome            Filter system events by the success of an action.
Event Change             Filter system events by the description of what was changed in the
                         system event.
Source Asset             Filter system events by the hostname or IP address of the host that
                         initiates the system event.

The number in brackets next to each filter value indicates the number of items that
match it. You can also use the filter controls to organize your search and filtered
results.

The following table shows the icons displayed with each filter box.

Icons Next to the Filter Title

Icon Meaning

Sort the filters alphabetically.

Sort the filters by the number of items that match them.

In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.


Note: When you apply several filters, filters of different types are combined with the
logical AND operator, whereas several values selected within the same filter type are
combined with the logical OR operator.

Those filters that have more than 10 options include a Filter Values search field for
entering text to narrow the list. If there are more than 50 search results, an icon
appears to the right of the Filter Values search field. Click this icon to download a
CSV containing up to 1024 results.

USM Anywhere enables you to toggle the mode of search. The available modes are Standard
and Advanced. You can change from one mode to the other by clicking the icon or
clicking the icon located in the upper left corner of the page.

Standard Mode
This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

1. Go to Settings > System Events.


2. In the upper-left corner of the page, click the icon.

This turns the icon gray.

Note: If you exit the advanced mode and the selected filters are not compatible with
the standard mode, a warning dialog box opens to inform you the current filters will
be removed.

Advanced Mode
Advanced mode enables you to select more than one value per filter at the same time. This
mode is off by default.

To activate the advanced mode

1. Go to Settings > System Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.


To perform a search in the advanced mode

1. Go to Settings > System Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

3. Click the filters that you want to select.

The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page,
click Apply.

The result of your search displays.

To search using the NOT operator

1. Go to Settings > System Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Click the filter that you want to exclude.

4. In the filter group, click Not.

Important: You have to select a filter to see this operator.

Note: The selected filter displays the icon and the filter chiclet is labeled in red.

Important: Some filters don't include the NOT operator (for example, Services or
Software).

5. Click Apply.

To search all values of a filter

1. Go to Settings > System Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

Searching System Events by Using the Search Field


To search for System Events using the search field

1. Go to Settings > System Events.


2. Enter your query in the search field.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

Note: Wildcard characters are treated as literal characters.

3. Click the icon.

The result of your search displays with the items identified.
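The filter and search behaviour described above (AND across filter types, OR within one type, the advanced-mode NOT operator, the bracketed counts, suppressed events hidden by default, and quoted phrases with literal wildcards in the search field), modelled as an added Python example; this is not USM Anywhere code, and the sample events, field names and faceting rule are constructed assumptions:

```python
"""Filter and search semantics of the System Events page, modelled in Python.

Added example, not product code: AND across filter types, OR within a type,
the advanced-mode NOT operator, bracketed facet counts, suppressed events
hidden by default, and the search field's quoted-phrase / literal-wildcard
behaviour. Field names, sample events and the faceting rule are assumptions."""
import shlex
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

Event = Dict[str, object]

# Constructed sample system events (all values made up for this example).
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "event_name": "User login", "sensor": "sensor-a",
     "source_user_email": "alice@example.com", "event_outcome": "success", "suppressed": False},
    {"id": 2, "event_name": "User login", "sensor": "sensor-b",
     "source_user_email": "bob@example.com", "event_outcome": "failure", "suppressed": False},
    {"id": 3, "event_name": "User modified", "sensor": "sensor-a",
     "source_user_email": "alice@example.com", "event_outcome": "success", "suppressed": False},
    {"id": 4, "event_name": "Sensor appears offline", "sensor": "sensor-b",
     "source_user_email": "", "event_outcome": "success", "suppressed": True},
    {"id": 5, "event_name": "User login", "sensor": "sensor-a",
     "source_user_email": "carol@example.com", "event_outcome": "failure", "suppressed": False},
]


@dataclass(frozen=True)
class FilterTerm:
    """One clicked filter value; `negated` models the advanced-mode NOT operator."""
    field: str
    value: str
    negated: bool = False


def _group_matches(event: Event, field: str, terms: List[FilterTerm]) -> bool:
    """Values of one filter type are ORed; a NOT value excludes the event outright
    (how NOT combines with other values of the same type is an assumption)."""
    positives = [t.value for t in terms if not t.negated]
    negatives = [t.value for t in terms if t.negated]
    value = event[field]
    if positives and value not in positives:
        return False
    return value not in negatives


def apply_filters(events: List[Event], terms: List[FilterTerm],
                  show_suppressed: bool = False) -> List[Event]:
    """Different filter types are ANDed; suppressed events stay hidden unless the
    Suppressed filter is applied (the page's "Not Suppressed" default)."""
    by_field: Dict[str, List[FilterTerm]] = defaultdict(list)
    for term in terms:
        by_field[term.field].append(term)
    results = []
    for event in events:
        if event["suppressed"] != show_suppressed:
            continue
        if all(_group_matches(event, f, ts) for f, ts in by_field.items()):
            results.append(event)
    return results


def facet_counts(events: List[Event], terms: List[FilterTerm], field: str,
                 show_suppressed: bool = False) -> Counter:
    """Bracketed count shown next to each value of `field`, computed against the
    events that pass every *other* applied filter (assumed faceting behaviour)."""
    other = [t for t in terms if t.field != field]
    return Counter(e[field] for e in apply_filters(events, other, show_suppressed))


def search(events: List[Event], query: str) -> List[Event]:
    """Search-field semantics: every token must occur in the event; a quoted phrase
    such as "user login" or "alice@example.com" is one token matched exactly, and
    wildcard characters such as * are plain literal text."""
    tokens = [t.lower() for t in shlex.split(query)]
    hits = []
    for event in events:
        haystack = " ".join(str(v) for v in event.values()).lower()
        if all(tok in haystack for tok in tokens):
            hits.append(event)
    return hits


def ids(events: List[Event]) -> List[int]:
    """Helper for reading results: the ids of the returned events."""
    return [e["id"] for e in events]
```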


Viewing System Event Details

Role Availability Read-Only Investigator Analyst Manager

The system event details page provides in-depth information on system events.

To view the details of a system event

1. Go to Settings > System Events.


2. Click the system event to display its details.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and
clicking the icon. This will display all of your bookmarked items and provide direct
links to each of them.

3. In the upper right corner, click previous and next to navigate between items.
4. Click the icon to close the dialog box.

Regular Events and System Events

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view of regular events and system events.

From now on, and during a grace period, the following regular events are also generated as
system events:

• Sensor appears offline (see Sensor Disconnected from the USM Anywhere Service for
more information)
• Sensor reconnected (see Sensor Disconnected from the USM Anywhere Service for more
information)
• Event from asset not received (see Events Created When an Asset Stops Sending Data for
more information)
• Event from AlienApp not received (see Events Created When AlienApps Stop Receiving
Data for more information)


Warning: The regular events listed above will soon be generated only as system
events. AT&T Cybersecurity will announce this change in advance. Meanwhile, AT&T
Cybersecurity recommends that you disable all orchestration rules in your environment
that are based on these regular events and create new orchestration rules based on
the corresponding system events. See Orchestration Rule for the "Sensor Appears Offline"
System Event, Orchestration Rule for the "Sensor Reconnected" System Event, Orchestration
Rule for the "Event from Asset Not Received" System Event, and Orchestration Rule for
the "Event from AlienApp Not Received" System Event for more information.

Disable Orchestration Rules


AT&T Cybersecurity recommends that you disable all orchestration rules you have created in
your environment regarding these events:

• Sensor appears offline
• Sensor reconnected
• Event from asset not received
• Event from AlienApp not received

To disable an orchestration rule

1. Go to Settings > Rules.


2. In the enabled column, click the icon of the rule you want to disable.

This turns the icon gray and disables the orchestration rule.


Orchestration Rule for the "Sensor Appears Offline" System Event

Role Availability Read-Only Investigator Analyst Manager

AT&T Cybersecurity recommends that you create new orchestration rules regarding the
Sensor appears offline system event.

The usual way is to create alarm rules or notification rules. See Alarm Rules from the
Orchestration Rules Page and Notification Rules from the Orchestration Rules Page for more
information.

To create a notification rule for the Sensor appears offline system event

1. Go to Settings > Rules > Orchestration Rules.


2. Select Create Orchestration Rule > Notification Rule.

3. Select System Events in the Match drop-down list.

4. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: You can check the fields from Settings > System Events. See Viewing
System Event Details for more information.


5. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.


6. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

7. Enter a name for the rule.


8. (Optional.) Enter a description for identifying this rule.
9. Select a notification method:
• Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
(SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon
SNS endpoint notifications sent. However, this method requires having an Amazon Web
Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email
notifications per month to fall into the free messaging tier. See Sending Notifications
Through Amazon SNS in the USM Anywhere Deployment Guide for more information.
• Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment Guide
for more information.
• Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.


Note: The rolling 24-hour, 200-email limit refers to all email accounts. For
example, you can have a rule with multiple emails, which counts as a single email
delivery. Alternately, if you have several rules with several emails, each of these
counts as an individual email account. Sensor-disconnect emails do not count
against this number because they are critical and are only sent to users whose
role is manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

• PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
• Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

10. Modify these two options:

• Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
• Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.


These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

11. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules >
Orchestration Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Orchestration Rule for the "Sensor Reconnected" System Event

Role Availability Read-Only Investigator Analyst Manager

AT&T Cybersecurity recommends that you create new orchestration rules regarding the
Sensor reconnected system event.

The usual way is to create alarm rules or notification rules. See Alarm Rules from the
Orchestration Rules Page and Notification Rules from the Orchestration Rules Page for more
information.

To create a notification rule for the Sensor reconnected system event

1. Go to Settings > Rules > Orchestration Rules.


2. Select Create Orchestration Rule > Notification Rule.

3. Select System Events in the Match drop-down list.


4. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: You can check the fields from Settings > System Events. See Viewing
System Event Details for more information.

5. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

6. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

7. Enter a name for the rule.

8. (Optional.) Enter a description for identifying this rule.
9. Select a notification method:
• Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
(SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon
SNS endpoint notifications sent. However, this method requires having an Amazon Web
Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email
notifications per month to fall into the free messaging tier. See Sending Notifications
Through Amazon SNS in the USM Anywhere Deployment Guide for more information.
• Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment Guide
for more information.
• Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.

Note: The rolling 24-hour, 200-email limit refers to all email accounts. For
example, you can have a rule with multiple emails, which counts as a single email
delivery. Alternately, if you have several rules with several emails, each of these
counts as an individual email account. Sensor-disconnect emails do not count
against this number because they are critical and are only sent to users whose
role is manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

• PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
• Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

10. Modify these two options:

• Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
• Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

11. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules >
Orchestration Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Orchestration Rule for the "Event from Asset Not Received" System Event

Role Availability Read-Only Investigator Analyst Manager

AT&T Cybersecurity recommends that you create new orchestration rules regarding the
Event from asset not received system event.

The usual way is to create alarm rules or notification rules. See Alarm Rules from the
Orchestration Rules Page and Notification Rules from the Orchestration Rules Page for more
information.

To create a notification rule for the Event from asset not received system event

1. Go to Settings > Rules > Orchestration Rules.


2. Select Create Orchestration Rule > Notification Rule.

3. Select System Events in the Match drop-down list.


4. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: You can check the fields from Settings > System Events. See Viewing
System Event Details for more information.


5. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.


6. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

7. Enter a name for the rule.


8. (Optional.) Enter a description for identifying this rule.
9. Select a notification method:
• Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
(SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon
SNS endpoint notifications sent. However, this method requires having an Amazon Web
Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email
notifications per month to fall into the free messaging tier. See Sending Notifications
Through Amazon SNS in the USM Anywhere Deployment Guide for more information.
• Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment Guide
for more information.
• Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.


Note: The rolling 24-hour, 200-email limit refers to all email accounts. For
example, you can have a rule with multiple emails, which counts as a single email
delivery. Alternately, if you have several rules with several emails, each of these
counts as an individual email account. Sensor-disconnect emails do not count
against this number because they are critical and are only sent to users whose
role is manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

• PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
• Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

10. Modify these two options:

• Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
• Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.


These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

11. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules >
Orchestration Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Orchestration Rule for the "Event from AlienApp Not Received" System Event

Role Availability Read-Only Investigator Analyst Manager

AT&T Cybersecurity recommends that you create new orchestration rules regarding the
Event from AlienApp not received system event.

The usual way is to create alarm rules or notification rules. See Alarm Rules from the
Orchestration Rules Page and Notification Rules from the Orchestration Rules Page for more
information.

To create a notification rule for the Event from AlienApp not received system event

1. Go to Settings > Rules > Orchestration Rules.


2. Select Create Orchestration Rule > Notification Rule.

3. Select System Events in the Match drop-down list.


4. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: You can check the fields from Settings > System Events. See Viewing
System Event Details for more information.


5. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.


6. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

7. Enter a name for the rule.


8. (Optional.) Enter a description for identifying this rule.
9. Select a notification method:
• Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
(SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon
SNS endpoint notifications sent. However, this method requires having an Amazon Web
Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email
notifications per month to fall into the free messaging tier. See Sending Notifications
Through Amazon SNS in the USM Anywhere Deployment Guide for more information.
• Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment Guide
for more information.
• Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.


Note: The rolling 24-hour, 200-email limit refers to all email accounts. For
example, you can have a rule with multiple emails, which counts as a single email
delivery. Alternately, if you have several rules with several emails, each of these
counts as an individual email account. Sensor-disconnect emails do not count
against this number because they are critical and are only sent to users whose
role is manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

• PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
• Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

10. Modify these two options:

• Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
• Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.


These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

11. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules >
Orchestration Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
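The Occurrences and Length options shared by the four procedures above, modelled as an added Python example rather than USM Anywhere code: a rule fires once its conditions have matched the configured number of times inside the sliding window, tried against the five-times-in-three-hours and three-failed-logins-in-five-minutes cases from the text. The sample events, timestamps and the window-reset behaviour are constructed assumptions.

```python
"""Occurrences + Length matching for a notification rule, modelled in Python.

Added example, not USM Anywhere code: a rule fires when its conditions match
`occurrences` times within a sliding window of `length` seconds/minutes/hours.
Sample events, timestamps and the window-reset behaviour are assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List

Event = Dict[str, object]
LENGTH_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600}

# Constructed sample system events in time order (all values made up).
SAMPLE_EVENTS: List[Event] = [
    {"time": "2023-10-18T08:00:05", "event_name": "Sensor appears offline", "sensor": "sensor-a"},
    {"time": "2023-10-18T08:12:00", "event_name": "Sensor reconnected", "sensor": "sensor-a"},
    {"time": "2023-10-18T09:30:00", "event_name": "Sensor appears offline", "sensor": "sensor-a"},
    {"time": "2023-10-18T10:45:00", "event_name": "Sensor appears offline", "sensor": "sensor-a"},
    {"time": "2023-10-18T10:50:00", "event_name": "Sensor appears offline", "sensor": "sensor-b"},
    {"time": "2023-10-18T10:55:00", "event_name": "Sensor appears offline", "sensor": "sensor-a"},
    {"time": "2023-10-18T10:58:00", "event_name": "Sensor appears offline", "sensor": "sensor-a"},
    {"time": "2023-10-18T11:00:00", "event_name": "User login", "event_outcome": "failure",
     "source_user_email": "bob@example.com"},
    {"time": "2023-10-18T11:02:30", "event_name": "User login", "event_outcome": "failure",
     "source_user_email": "bob@example.com"},
    {"time": "2023-10-18T11:03:00", "event_name": "User login", "event_outcome": "success",
     "source_user_email": "alice@example.com"},
    {"time": "2023-10-18T11:04:00", "event_name": "User login", "event_outcome": "failure",
     "source_user_email": "bob@example.com"},
    {"time": "2023-10-18T11:20:00", "event_name": "User login", "event_outcome": "failure",
     "source_user_email": "bob@example.com"},
    {"time": "2023-10-18T15:00:00", "event_name": "Sensor appears offline", "sensor": "sensor-a"},
]


def occurrences_allowed(n: int) -> bool:
    """The UI accepts an Occurrences value between 1 and 100."""
    return 1 <= n <= 100


class NotificationRule:
    def __init__(self, name: str, conditions: Dict[str, str],
                 occurrences: int = 1, length: int = 1, unit: str = "minutes"):
        if not occurrences_allowed(occurrences):
            raise ValueError("Occurrences must be between 1 and 100")
        if unit not in LENGTH_UNITS:
            raise ValueError("Length unit must be seconds, minutes, or hours")
        self.name = name
        self.conditions = conditions          # property == value, ANDed together
        self.occurrences = occurrences
        self.window = timedelta(seconds=length * LENGTH_UNITS[unit])

    def matches(self, event: Event) -> bool:
        """True when every configured property has the required value."""
        return all(event.get(f) == v for f, v in self.conditions.items())

    def evaluate(self, events: List[Event]) -> List[datetime]:
        """Return the timestamps at which the rule fires.

        Matching events enter a sliding window that keeps only those seen within
        the last `length`; when the window holds `occurrences` events the rule
        fires and the window is cleared (assumed reset behaviour, so the same
        events are not counted again). If the count is not reached inside the
        window, the rule is not a match."""
        fired: List[datetime] = []
        window: List[datetime] = []
        for event in sorted(events, key=lambda e: e["time"]):
            if not self.matches(event):
                continue
            now = datetime.fromisoformat(event["time"])
            window = [t for t in window if now - t <= self.window]
            window.append(now)
            if len(window) >= self.occurrences:
                fired.append(now)
                window = []
        return fired
```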

Console User Events on USM Anywhere
A console user event is a file generated when a user performs an action inside USM
Anywhere. These actions are create, edit, delete, enable, or disable. A console user
event is created when a user performs one of these actions in the user interface (UI).
This information is important for demonstrating compliance to external auditing agencies.

USM Anywhere enables you to view the activity of these console user events. All generated
events display in the page. Go to Settings > Console User Events to display the page.

This topic discusses these subtopics:

USM Anywhere Console User Events List View 472

Searching Console User Events 473

Viewing Console User Events Details 485

Create a Console User Events Report 486


USM Anywhere Console User Events List View

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a centralized view of your console user events. Go to Settings >
Console User Events.

The console user events page displays information on any actions generated within your
environment by the user. On the left you can find the search and filters options. In the upper
side of the page, you can see any filters you have applied. The main part of the page is the
actual list of console user events. Each row describes an individual console user event.

If you want to analyze the data, you can maximize the screen and hide the filter pane. Click
the icon to hide the filter pane. Click the icon to expand the filter pane.

Note: By default, the list displays all console user events generated throughout the last
180 days.

This table includes the list of the default columns in the console user events page.

List of the Default Columns in the Console User Events Page

Event Name
    Name of the event.

Time Created
    The date and time of the creation of the event. The displayed date depends on your
    computer's time zone.

Username
    Email account associated with the person who triggered the event.

Target
    Identification of the modified object.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking
the icon. This will display all of your bookmarked items and provide direct links to
each of them.

You can choose the number of items to display by selecting 20, 50, or 100 below the table.
You can classify some columns by clicking the icons to the right side of the heading. You can
sort the item information in ascending or descending order.

Above the list, you also have a filter to sort the list by a specific column.

Searching Console User Events

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere includes several filters displayed by default. These filters enable you to search
for your items of interest. You can either filter your search, or enter what you are looking for
in the search field, which is in the upper-left corner of the page.

Note: The management of filters is similar to that for assets. See Managing Filters for
more information.

This table includes the filters displayed by default in the main page of the Console User
Events page.

Filters Displayed by Default in the Main Console User Events Page

Filter Name | Meaning
Last 24 Hours | Filter system events triggered in the last hour, last 24 hours, last 7 days, last 30 days, or last 90 days. You can also configure your own period of time by clicking the Custom Range option. This option enables you to customize a range. When you click Custom Range, a calendar opens. You can choose the first and last day to delimit your search by clicking the days on the calendar or entering the days directly. Then select the hours, minutes, and seconds by clicking the specific box. Finally, select AM or PM.
Event Name | Filter system events by the short, user-readable description of the system event.
Username | Email of the user who triggered the event.
Type | Type of object.

The number in brackets displayed next to each filter indicates the number of items that
match the filter. You can also use the filter controls to organize your search and filtered
results.

The following table shows the icons displayed with each filter box.

Icons Next to the Filter Title

Icon | Meaning
(icon) | Sort the filters alphabetically.
(icon) | Sort the filters by the number of items that match them.

In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.

Note: When applying filters, the search uses the logical AND operator if the used filters
are different. However, when the filter is of the same type, the search uses the logical
OR operator.

Those filters that have more than 10 options include a Filter Values search field for writing
text and making the search easier. If there are more than 50 search results, an icon appears
to the right of the Filter Values search field. Click this icon to download a CSV containing up
to 1024 results.

USM Anywhere enables you to toggle the mode of search. The available modes are Standard
and Advanced. You can change from one mode to the other by clicking the icon or
clicking the icon located in the upper left corner of the page.

Standard Mode
This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

1. Go to Settings > Console User Events.


2. In the upper-left corner of the page, click the icon.

3. This turns the icon gray.

Note: If you exit the advanced mode and the selected filters are not compatible with
the standard mode, a warning dialog box opens to inform you the current filters will
be removed.

Advanced Mode
Advanced mode enables you to select more than one value per filter at the same time. This
mode is off by default.

To activate the advanced mode

1. Go to Settings > Console User Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

To perform a search in the advanced mode

1. Go to Settings > Console User Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

3. Click the filters that you want to select.

The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page,
click Apply.

The result of your search displays.

476 USM Anywhere™ User Guide


Searching Console User Events

To search using the NOT operator

1. Go to Settings > Console User Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Click the filter that you want to exclude.

4. In the filter group, click Not.

Important: You have to select a filter to see this operator.

Note: The selected filter displays the icon and the filter chiclet is labeled in red.

Important: Some filters don't include the NOT operator (for example, Services or
Software).

5. Click Apply.

To search all values of a filter

1. Go to Settings > Console User Events.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

Searching Console User Events by Using the Search Field


To search for Console User Events using the search field

1. Go to Settings > Console User Events.


2. Enter your query in the search field.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

Note: Wildcard characters are considered as literal characters.

3. Click the icon.

The result of your search displays with the items identified.

Filter Console User Events by Username


USM Anywhere enables you to search your console user events by username. You have these
options to filter events by that field:

• From the Console User Events page by using the username filter
• From the Users List page

To filter console user events by the username from the users list page

1. Go to Settings > Users.


2. Click the icon.

3. Select the option View account events.

The console user events page opens displaying the events related to that username.

Viewing Console User Events Details

Role Availability: Read-Only, Investigator, Analyst, Manager

The Console User Events details page provides in-depth information on Console User Events.

To view the details of a Console User Event

1. Go to Settings > Console User Events.


2. Click the console user event to display its details.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and
clicking the icon. This will display all of your bookmarked items and provide direct
links to each of them.

3. Click the item to see an expanded view.


4. In the upper right corner, click previous and next to navigate between items.
5. Click the icon to close the dialog box.

Create a Console User Events Report

You can create a PDF or CSV report of the console user events directly from the console user
events page.

Important: AT&T Cybersecurity recommends Google Chrome as the preferred browser
for generating reports. The use of alternative browsers may result in poor formatting.

To create a console user events report

1. Go to Console User Events.

2. You can use filters to define the console user events content you want to display in your
report.

3. Click Generate Report to open the Configure Report dialog box.

The filters selected and displayed for the page view are the ones that are populated in the
report.

4. Click Edit Filters if you want to modify the selected filters, and then click Continue to Fil-
ters. Do the modifications you need, and then click Edit Report.

5. Click the Date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
to set a particular date range.

Note: This option is not available when generating reports for assets or asset
groups.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and then choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report.
Select the Send to my Email Address option to add your email automatically.
9. Select the Enable Link Expiration option. This link is delivered by email and expires in 14
days.

10. Click Next.


11. In the Report Name field, enter a name for the report.
This name will be displayed in the Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report. For CSV the options are 20, 50, 100, 500, 1000, or 50 K. For PDF the options
are 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views.
You can add or remove graphs included in the report by clicking the and icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports on USM Any-
where page and receive the report in the indicated email.
16. Click Run to run the report.

Configuration Issues Management
USM Anywhere assesses your configuration to identify insecure use of security features,
provide detailed information about each configuration issue, help you understand the
operational processes involved, and remediate the root cause.

Note: Configuration Issues are only available for AWS Sensors.

This topic discusses these subtopics:

Configuration Issues List View 490

Searching Configuration Issues 494

Viewing Configuration Issues Details 504

Create a Configuration Issues Report 505

List of Configuration Issues in USM Anywhere 507

Configuration Issues List View

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere provides a centralized view of your configuration issues. Go to Environment
> Configuration Issues to see this centralized view.

The configuration issues page displays information on configuration issues. On the left you
can find the search and filters options. In the upper side of the page, you can see any filters
you have applied, and you have the option to create and select different views of the
configuration issues. The main part of the page is the actual list of configuration issues. Each
row describes an individual configuration issue and includes a check box on the left side of
each one for selecting it. You can select all the configuration issues on the same page by
clicking the check box in the first column of the header row.

If you want to analyze the data, you can maximize the screen and hide the filter pane. Click
the icon to hide the filter pane. Click the icon to expand the filter pane.

The following table displays the list of the default columns found on the page.

List of the Default Columns in Configuration Issues

Column Field Name | Description
Last Seen | Last date on which the configuration issue was seen in the asset. The displayed date depends on your computer's time zone.
Category | Category of the configuration issue. Issues with similar impacts have the same category.
Subcategory | Sub-category of the configuration issue. The sub-category explains the detail of the issue.
Asset | Asset associated with the configuration issue.
Severity | Severity of the issue (values are Low, Medium, or High).
Description | Text for identifying the configuration issue.
First Seen | Date of detection of the configuration issue in the asset (the displayed date depends on your computer's time zone).

Click the icon to access these options:

• Add to Current Filter: Use this option to add the asset name as a search filter. See
Searching Events for more information.
• Find in Events: Use this option to execute a search of the asset name in the Events page.
See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the asset in the OTX page. See
Using OTX in USM Anywhere for more information.
• Full Details: See Viewing Assets Details for more information.
• Configure Asset: See Editing Assets for more information.
• Delete Asset: See Deleting the Assets for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: This option displays depending on the USM Anywhere Sensor
associated with the asset. See Running Authenticated Asset Scans for more information.
• Scan with AlienApp: This option enables you to run an asset scan through an AlienApp.
See Running Asset Scans Using an AlienApp for more information.
• Run Scan: This option displays depending on the USM Anywhere Sensor associated with
the asset. See Running Asset Scans for more information.
• Configuration Issues: This option opens the Assets Details page. The Configuration Issues
tab is selected in the page. See Viewing Assets Details for more information.
• Vulnerabilities: This option opens the Assets Details page. The Vulnerabilities tab is
selected in the page. See Viewing Assets Details for more information.
• Alarms: This option opens the Assets Details page. The Alarms tab is selected in the page.
See Viewing Assets Details for more information.
• Events: This option opens the Assets Details page. The Events tab is selected in the page.
See Viewing Assets Details for more information.

You can configure the view you want for the list of configuration issues. See Views for more
information.

Click Generate Report to open the Configure Report dialog box. See Create a Configuration
Issues Report for more details.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and
clicking the icon. This will display all of your bookmarked items and provide direct
links to each of them.

You can choose the number of items to display by selecting 20, 50, or 100 below the table.
You can classify some columns by clicking the icons to the right side of the heading. You can
sort the item information in ascending or descending order.

Views
USM Anywhere enables you to define and save a custom Configuration Issues view to have
your own selected filters.

You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, select the filters you want to apply.

2. Go to Save View > Save As.

The Save Current View dialog box opens.

3. Enter a name for the view.


4. Select Share View if you want to share your view with other users.
5. Click Save.

The created view is already selected.

To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.

Note: A shared view includes the icon next to its name.

3. Click Apply.

To delete a configured view

1. From the Configuration Issues list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can delete the views you have created.

3. Click Accept.

Important: The icon does not display if the view is selected.

Configuration Issues from the Assets Main Page


To explore configuration issues from assets

1. Go to Environment > Configuration Issues.


2. Filter assets by clicking Has Configuration Issues. See Searching Assets for more
information.
3. Click the icon and select Configuration Issues. The asset details page opens with the
list of configuration issues.

Searching Configuration Issues

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere includes the option of searching items of interest on the page. There are
several filters displayed by default. You can either filter your search or enter what you are
looking for in the search field.

You can configure more filters and change which filters to display by clicking the Configure
Filters link located in the upper-left side of the page. The management of filters is similar to
that for assets. See Managing Filters for more information.

This table shows the filters displayed by default in the main Configuration Issues page.

Filters Displayed by Default in the Main Configuration Issues Page

Filter Name | Meaning
Last 24 Hours | Filter configuration issues triggered in the last hour, last 24 hours, last 7 days, or last 30 days. You can also configure your own period of time by clicking the Custom Range option. This option enables you to customize a range. When you click Custom Range, a calendar opens. You can choose the first and last day to delimit your search by clicking the days on the calendar or entering the days directly. Then select the hours, minutes, and seconds by clicking the specific box. Finally, select AM or PM.
Active/Inactive | Filter the active or inactive configuration issues.
Category | Filter configuration issues by category of configuration issue. Issues with similar impacts have the same category.
Subcategory | Filter configuration issues by sub-category of the configuration issue. The sub-category explains the detail of the issue.
Severity | Filter configuration issues by severity of the issue. Values are Low, Medium, or High.
Asset | Filter configuration issues by the asset associated with the configuration issue.
Asset Groups | Filter configuration issues by asset group.

The number in brackets displayed next to each filter indicates the number of items that
match the filter. You can also use the filter controls to organize your search and filtered
results.

The following table shows the icons displayed with each filter box.

Icons Next to the Filter Title

Icon | Meaning
(icon) | Sort the filters alphabetically.
(icon) | Sort the filters by the number of items that match them.

In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.

Note: When applying filters, the search uses the logical AND operator if the used filters
are different. However, when the filter is of the same type, the search uses the logical
OR operator.

Those filters that have more than 10 options include a Filter Values search field for writing
text and making the search easier. If there are more than 50 search results, an icon appears
to the right of the Filter Values search field. Click this icon to download a CSV containing up
to 1024 results.

USM Anywhere enables you to toggle the mode of search. The available modes are Standard
and Advanced. You can change from one mode to the other by clicking the icon or
clicking the icon located in the upper left corner of the page.

Standard Mode
This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

1. Go to Environment > Configuration Issues.


2. In the upper-left corner of the page, click the icon.

3. This turns the icon gray.

Note: If you exit the advanced mode and the selected filters are not compatible with
the standard mode, a warning dialog box opens to inform you the current filters will
be removed.

Advanced Mode
Advanced mode enables you to select more than one value per filter at the same time. This
mode is off by default.

To activate the advanced mode

1. Go to Environment > Configuration Issues.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

To perform a search in the advanced mode

1. Go to Environment > Configuration Issues.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

3. Click the filters that you want to select.

The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page,
click Apply.

The result of your search displays.

To search using the NOT operator

1. Go to Environment > Configuration Issues.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Click the filter that you want to exclude.

4. In the filter group, click Not.

Important: You have to select a filter to see this operator.

Note: The selected filter displays the icon and the filter chiclet is labeled in red.

Important: Some filters don't include the NOT operator (for example, Services or
Software).

5. Click Apply.

To search all values of a filter

1. Go to Environment > Configuration Issues.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

To search for Configuration Issues using the search field

1. Go to Environment > Configuration Issues.


2. Enter your query in the search field.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

Note: Wildcard characters are considered as literal characters.

3. Click the icon.

The result of your search displays with the items identified.

Viewing Configuration Issues Details

Role Availability: Read-Only, Investigator, Analyst, Manager

The configuration issues details page provides in-depth information on configuration issues.

To view the details of a configuration issue

1. Go to Environment > Configuration Issues.


2. Click the configuration issue to display its details.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and
clicking the icon. This will display all of your bookmarked items and provide direct

links to each of them.

You can see the configuration issues details, then a description, and the associated asset.
Click the icon if you want more information. See Viewing Assets Details for more
information.

3. In the upper right corner, click previous and next to navigate between items.
4. Click the icon to close the dialog box.

5. Click the configuration issue title to expand its details.


6. Click Generate Report to open the Configure Report dialog box. See Create a Con-
figuration Issues Report for more information.

Create a Configuration Issues Report

Role Availability: Read-Only, Investigator, Analyst, Manager

You can create a PDF or CSV report of the configuration issues directly from the
configuration issues page.

Important: AT&T Cybersecurity recommends Google Chrome as the preferred browser
for generating reports. The use of alternative browsers may result in poor formatting.

To create a configuration issues report

1. Go to Environment > Configuration Issues.

2. You can use filters to define the configuration issues content you want to display in your
report.

3. Click Generate Report to open the Configure Report dialog box.

The filters selected and displayed for the page view are the ones that are populated in the
report.

4. Click Edit Filters if you want to modify the selected filters, and then click Continue to Fil-
ters. Do the modifications you need, and then click Edit Report.

5. Click the Date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
to set a particular date range.

Note: This option is not available when generating reports for assets or asset
groups.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and then choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report.
Select the Send to my Email Address option to add your email automatically.
9. Select the Enable Link Expiration option. This link is delivered by email and expires in 14
days.

10. Click Next.


11. In the Report Name field, enter a name for the report.
This name will be displayed in the Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report. For CSV the options are 20, 50, 100, 500, 1000, or 50 K. For PDF the options
are 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views.
You can add or remove graphs included in the report by clicking the and icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports on USM Any-
where page and receive the report in the indicated email.
16. Click Run to run the report.

List of Configuration Issues in USM Anywhere

Role Availability: Read-Only, Investigator, Analyst, Manager

This table includes all configuration issues you can find in USM Anywhere:

List of Configuration Issues in USM Anywhere

Category | Subcategory | Protocol (Port) | Description
Global access to administration port | SSH | TCP (22) | Global access to the SSH port has been defined within this security group. This should be restricted to the IP range of the company.
Global access to internal port | DNS (UDP) | UDP (53) | Global access to the DNS port has been defined within this security group.
Global access to internal port | DNS (TCP) | TCP (53) | Global access to the DNS port has been defined within this security group.
Global access to internal port | Mini SQL | TCP (4333) | Global access to the MSQL port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | SQL Server (UDP Port) | UDP (1434) | Global access to the SQL Server port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | SQL Server (TCP Port) | TCP (1433) | Global access to the SQL Server port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | PostgreSQL Server | TCP (5432) | Global access to the PostgreSQL port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | MySQL Server | TCP (3306) | Global access to the MySQL port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | Syslog | UDP (514) | Global access to the Syslog port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | rsync | TCP (873) | Global access to the rsync port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | MongoDB (UDP) | UDP (27017) | Global access to the MongoDB port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | MongoDB (TCP) | TCP (27017) | Global access to the MongoDB port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | CouchDB (UDP) | UDP (5984) | Global access to the CouchDB port has been defined within this security group. This should be an internally facing port only.
Global access to internal port | CouchDB (TCP) | TCP (5984) | Global access to the CouchDB port has been defined within this security group. This should be an internally facing port only.
Global access to administration port | VNC Server | TCP (5900) | Global access to the VNC Server port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to administration port | VNC Listener | TCP (5500) | Global access to the VNC Listener port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to administration port | Windows RPC | TCP (135) | Global access to the Windows RPC port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to administration port | Windows Remote Desktop | TCP (3389) | Global access to the Windows Remote Desktop port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to administration port | Telnet | TCP (23) | Global access to the Telnet port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to administration port | X11 (TCP) | TCP (6000) | Global access to the X11 port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to administration port | X11 (UDP) | UDP (6001) | Global access to the X11 port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to service port | SMTP | TCP (25) | Global access to the SMTP port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to service port | FTP | TCP (21) | Global access to the FTP port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to service port | FTP Data | TCP (20) | Global access to the FTP (data) port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to service port | CIFS | UDP (445) | Global access to the CIFS port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to service port | NetBios (Named Services) | UDP (137) | Global access to the NetBios (Named Services) port has been defined within this security group. This should be restricted to a company owned CIDR.
Global access to service port | NetBios (Datagram Services) | UDP (138) | Global access to the NetBios (Datagram Services) port has been defined within this security group. This should be restricted to a company owned CIDR.
ICMP globally permitted | ICMP | ICMP | ICMP is globally permitted.
Global access to service port | All TCP Ports Open | TCP (1) | All TCP ports have been explicitly permitted by this security group. Access to your system should be restricted to the minimal set of TCP ports you require for operation. In addition, ensure that ports used for administrative access, or that do not require global access, are restricted to a company owned CIDR.
Global access to service port | All UDP Ports Open | UDP (1) | All UDP ports have been explicitly permitted by this security group. Access to your system should be restricted to the minimal set of UDP ports you require for operation. In addition, ensure that ports used for administrative access, or that do not require global access, are restricted to a company owned CIDR.

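The check behind this table can be reproduced outside the product. The following Python is an added example, not USM Anywhere code: it evaluates a security group in the IpPermissions / IpRanges / Ipv6Ranges shape that EC2 DescribeSecurityGroups returns against the Protocol (Port) column above, treats 0.0.0.0/0 and ::/0 as global sources, and also covers the "all traffic" and full-port-range rules. The sample group at the bottom is constructed for the example.

```python
"""Evaluate a security group against the global-access configuration issues above.

Added example, not USM Anywhere code. FLAGGED_PORTS restates the Protocol (Port)
column of the table above; the group structure follows the IpPermissions /
IpRanges / Ipv6Ranges shape returned by EC2 DescribeSecurityGroups; the sample
group at the bottom is constructed for this example.
"""
from ipaddress import ip_network

# (protocol, port) -> (category suffix, subcategory), as in the table above.
FLAGGED_PORTS = {
    ("tcp", 5984): ("internal port", "CouchDB (TCP)"),
    ("tcp", 5900): ("administration port", "VNC Server"),
    ("tcp", 5500): ("administration port", "VNC Listener"),
    ("tcp", 135): ("administration port", "Windows RPC"),
    ("tcp", 3389): ("administration port", "Windows Remote Desktop"),
    ("tcp", 23): ("administration port", "Telnet"),
    ("tcp", 6000): ("administration port", "X11 (TCP)"),
    ("udp", 6001): ("administration port", "X11 (UDP)"),
    ("tcp", 25): ("service port", "SMTP"),
    ("tcp", 21): ("service port", "FTP"),
    ("tcp", 20): ("service port", "FTP Data"),
    ("udp", 445): ("service port", "CIFS"),
    ("udp", 137): ("service port", "NetBios (Named Services)"),
    ("udp", 138): ("service port", "NetBios (Datagram Services)"),
}


def is_global(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes that admit every address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def global_sources(perm):
    """World-open source CIDRs (IPv4 and IPv6) of one IpPermissions entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_global(r["CidrIp"])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_global(r["CidrIpv6"])]
    return v4 + v6


def _finding(category, subcategory, port, sources):
    return {"category": category, "subcategory": subcategory, "port": port, "sources": sources}


def find_global_exposure(security_group):
    """Return one finding per flagged port that a world-open rule makes reachable."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        sources = global_sources(perm)
        if not sources:
            continue  # scoped to specific CIDRs: not a global-access issue
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":  # "all traffic": every TCP/UDP port and ICMP at once
            findings.append(_finding("Global access to service port", "All Ports Open", "ALL", sources))
            continue
        if proto in ("icmp", "icmpv6"):
            findings.append(_finding("ICMP globally permitted", "ICMP", "ICMP", sources))
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if (lo, hi) == (0, 65535):  # the whole port range of one protocol
            findings.append(_finding("Global access to service port",
                                     f"All {proto.upper()} Ports Open", f"{proto.upper()} (0-65535)", sources))
            continue
        for (p, port), (category, sub) in FLAGGED_PORTS.items():
            if p == proto and lo <= port <= hi:  # the rule's port range covers a flagged port
                findings.append(_finding(f"Global access to {category}", sub, f"{proto.upper()} ({port})", sources))
    return sorted(findings, key=lambda f: (f["category"], f["subcategory"]))


# Constructed sample: SSH scoped to one /24 (not flagged), then four world-open rules.
SAMPLE_GROUP = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 137, "ToPort": 139, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for f in find_global_exposure(SAMPLE_GROUP):
        print(f'{f["category"]:<38} {f["subcategory"]:<28} {f["port"]:<16} from {", ".join(f["sources"])}')
```

Run it as a script to print the findings for the sample group; to check a real account, feed it each entry of the SecurityGroups list returned by the EC2 API. A rule whose port range merely covers a flagged port (UDP 137-139 in the sample) is reported once per flagged port, which is the case a naive equality check on FromPort would miss.
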
USM Anywhere Scheduler


The Job Scheduler page provides a list of all jobs that are defined in your USM Anywhere environment. Many jobs are predefined (out-of-the-box) items for log collection and asset scans, and some of these must be enabled before they run according to the defined schedule. You can also define your own custom jobs to schedule automatic log collection, asset scans, and asset group scans. See USM Anywhere Scheduler Best Practices for more information.

The Job Scheduler Page


The Job Scheduler page includes navigation and filtering elements to help you locate the jobs
you want to review. When you go to Settings > Scheduler, the page displays all jobs by
default. You can select one of the job types in the left navigation to display only the jobs of
that type:

• Log Collection: Select this option to review the list of scheduled log collection jobs. See Log Collection from Your Data Sources for more information.
• Asset Scans: Select this option to review the list of scheduled asset scan jobs. This option displays asset scan, authenticated asset scan, and asset discovery jobs. See Scheduling Asset Scans from Assets, Scheduling Authenticated Asset Scans from Assets, and Running an Asset Discovery for more information.
• Asset Group Scans: Select this option to review the list of scheduled asset group scan jobs. This option displays both asset group scan and authenticated asset group scan jobs. See Running Asset Groups Scans and Running Authenticated Asset Groups Scans for more information.
• User Scans: Select this option to review the list of scheduled user scan jobs. These jobs detect users in your environment for User Behavior Analytics.

USM Anywhere Scheduler Best Practices

USM Anywhere provides automatic repeatable actions that are collectively called jobs, which
you can run in your environment. The jobs are initiated on a schedule stored in your
provisioned USM Anywhere cloud instance. All jobs are directly assigned to a source, and
acted upon by the assigned sensor or cloud connector. The cloud instance doesn't perform
job activities; it only schedules them and collects the output of the job for processing.

Go to Settings > Scheduler to open the Scheduler page and display all jobs by default.

The scheduler specifies when a job is sent to the assigned sensor or cloud connector for processing, based on the job schedule. Preloaded log collection jobs can't be edited: they have no edit icon, but they can be enabled or disabled. Their settings are created and managed by USM Anywhere.

Log Collection jobs run endpoint-specific API calls against target systems. Some log collection
jobs are source-type specific because they query endpoints specific to the sensor or cloud
connector type in use. For example, the Scan Azure Audit Sharepoint Events job is only active
for Azure Sensors.

Many of these jobs are associated with an AlienApp. Go to Data Source > AlienApps to view the available AlienApps, and see The USM Anywhere AlienApps Guide for more information. Assigning multiple sensors to perform API calls against the same endpoint causes unnecessary duplication of data and effort, and must therefore be avoided.


Note: You can enable AlienApps on the AlienApp page, but it does not automatically
enable the job to run. See USM Anywhere Scheduler for more information.

Asset Scans are used for asset discovery. This app has multiple actions and scan profiles. See Scheduling Asset Scans from Assets and Scheduling Asset Scans from the Job Scheduler Page for more information. The Asset Scans section also includes asset discoveries performed through API calls, such as the discover S3 buckets job for AWS Sensors, the discover virtual machines job for VMware Sensors, and the scan Azure IIS log locations job for Azure Sensors.

Asset Group Scans are performed for vulnerability scanning. This app also has multiple scan
profiles. See Scheduling Asset Group Scans from Asset Groups and Scheduling Asset Groups
Scans from the Job Scheduler Page for more information.

Asset Scans and Asset Group Scans are user-created jobs. No such jobs come pre-loaded into
a system image. All of these jobs can be edited, enabled and disabled.

Performance Issues Associated with Scheduled Jobs


Log Collection jobs are preset at installation and can't be modified by a user, regardless of role; they can only be enabled or disabled. Additional Log Collection jobs can be user-defined, with their action and time frame set by the user who creates them, and these settings can be edited.

Keep in mind the following points when scheduling your jobs because they have a direct
impact on the performance of a sensor and USM Anywhere cloud instance:

• When specifying a Classless Inter-Domain Routing (CIDR) block for jobs that require it, limit it to a /24 or smaller network segment and avoid /16 blocks. The smaller the prefix length, the larger the IP address range the job has to process:
  • /16 covers 65,536 IP addresses
  • /24 covers 256 IP addresses
  • /28 covers 16 IP addresses
• If multiple user-defined scheduled jobs are required, spread them over the 24-hour period and avoid having more than one scan job type running at any given time. This holds for all jobs regardless of the sensor or sensors in use: although scan jobs may run on any sensor, all sensor data is forwarded to the USM Anywhere cloud instance and can, cumulatively, cause performance issues.
• Scheduling an Asset Scan or Asset Group Scan job to run more than once a day is counterproductive and directly affects system performance. The same is true for AD Scanner jobs. The best practice is to run them at most once a day, or every other day with the jobs alternating days, and to start them at off-hours when sensor and USM Anywhere cloud instance activity is lowest.
• Run vulnerability scans weekly or at even larger intervals. This job checks for software vulnerabilities on installed servers; unless software is being updated continuously in the environment, scanning no more than once a week is sufficient. The job can also be started manually if immediate results are required.
• Space jobs at least one hour apart on any given day; at least two hours is recommended. Do not "stack" more than two to three jobs on any one start time.
• Ensure that the interval between job start times is longer than the time the job takes to complete. Otherwise the job runs continuously and puts a constant load on the sensor.
• If multiple AWS Sensors are in the same account subscription, only one AWS log collection job is required, because any AWS Sensor has visibility into all AWS regions associated with the account. AWS log collection jobs that explicitly span all regions and streams are noted in the job's description field. Although not noted there, all AWS EC2 Scan jobs also traverse all regions; the processing of multiple regions by such a job can't be limited in the job settings.

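To make the rules above checkable before a schedule goes live, here is an added example (not USM Anywhere code) that validates a planned set of jobs against them: recurrence floors for scan and vulnerability-scan jobs, recurrence longer than runtime, CIDR blocks no wider than /24, at least one hour between start times, and no more than three jobs stacked on one start time. The job records, their field names and the sample plan are this example's own constructions.

```python
"""Check a planned job schedule against the scheduler best practices above.

Added example, not USM Anywhere code. The job records and their field names
(type, start, every, runtime, cidr) are this example's own, constructed to
exercise each rule; times are minutes after 00:00 in the instance time zone.
"""
from collections import Counter
from ipaddress import ip_network

DAY = 24 * 60
WEEK = 7 * DAY
MIN_GAP = 60          # space start times at least one hour apart
MAX_STACKED = 3       # do not stack more than two to three jobs on one start time
MIN_PREFIX_LEN = 24   # "/24 or smaller": the prefix length must be at least 24
MIN_RECURRENCE = {    # scans at most once a day; vulnerability scans at most weekly
    "asset_scan": DAY,
    "asset_group_scan": DAY,
    "ad_scan": DAY,
    "vulnerability_scan": WEEK,
}


def cidr_size(cidr):
    """Addresses a block expands to: /16 -> 65536, /24 -> 256, /28 -> 16."""
    return ip_network(cidr, strict=False).num_addresses


def hhmm(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def check_schedule(jobs):
    """Return a list of best-practice violations; an empty list means the plan is clean."""
    problems = []
    for j in jobs:
        floor = MIN_RECURRENCE.get(j["type"])
        if floor and j["every"] < floor:
            problems.append(f'{j["name"]}: recurs every {j["every"]} min; '
                            f'a {j["type"]} should run at most every {floor} min')
        if j["every"] <= j["runtime"]:  # the next run would start before this one ends
            problems.append(f'{j["name"]}: recurrence ({j["every"]} min) must exceed '
                            f'runtime ({j["runtime"]} min) or the job never stops')
        if "cidr" in j and ip_network(j["cidr"], strict=False).prefixlen < MIN_PREFIX_LEN:
            problems.append(f'{j["name"]}: {j["cidr"]} covers {cidr_size(j["cidr"])} '
                            f'addresses; use a /24 or smaller block')
    starts = Counter(j["start"] % DAY for j in jobs)
    for start, n in sorted(starts.items()):
        if n > MAX_STACKED:
            problems.append(f'{n} jobs start at {hhmm(start)}; stack no more than {MAX_STACKED}')
    ordered = sorted(starts)
    for a, b in zip(ordered, ordered[1:]):
        if b - a < MIN_GAP:
            problems.append(f'jobs at {hhmm(a)} and {hhmm(b)} are {b - a} min apart; '
                            f'leave at least {MIN_GAP}')
    return problems


# Constructed plan: a scan that is too frequent and targets a /16, a collection
# job starting 30 minutes after it, a weekly vulnerability scan that is fine,
# and a group scan whose recurrence is shorter than its runtime.
SAMPLE_JOBS = [
    {"name": "office-asset-scan", "type": "asset_scan", "start": 2 * 60,
     "every": 12 * 60, "runtime": 90, "cidr": "10.0.0.0/16"},
    {"name": "cloudtrail-collect", "type": "collection", "start": 2 * 60 + 30,
     "every": 60, "runtime": 5},
    {"name": "weekly-vuln-scan", "type": "vulnerability_scan", "start": 5 * 60,
     "every": WEEK, "runtime": 400},
    {"name": "dmz-group-scan", "type": "asset_group_scan", "start": 10 * 60,
     "every": DAY, "runtime": 1500},
]

if __name__ == "__main__":
    for p in check_schedule(SAMPLE_JOBS):
        print("-", p)
```

The sample plan produces four findings (too-frequent scan, /16 target, start times 30 minutes apart, and a recurrence shorter than the runtime). The runtime figures are estimates you supply from the job history shown in the scheduler; the check is only as good as those numbers.
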
Managing Jobs in the Scheduler

Role Availability Read-Only Investigator Analyst Manager

The Job Scheduler enables you to configure specific jobs to run automatically in your environment on a set schedule, keeping USM Anywhere up to date with the latest changes in your environment. Go to Settings > Scheduler to view a list of all jobs that are defined in your USM Anywhere environment and to manage the jobs that are scheduled to run.


Sort and Filter the Displayed Jobs

To change the sort order of the displayed list, click the column label for the field that you want to sort by. Use the filters at the top of the list to narrow it to the jobs you want to see.

These are the Job Scheduler filters:

• Filter by: Enter a search string for the app name or the job name to display only matching jobs.
• Source: If you have more than one deployed USM Anywhere Sensor or cloud connector, select one to display only the jobs configured for it. The All Sources option displays the jobs of all sources in your environment.
• Job Type: Set this option to display only jobs of the selected type. The available items depend on the jobs currently displayed on the page:
  • All Types
  • Collection
  • Scan
  • Configuration
  • Asset Discovery
  • User Scan
• Task Status: Set this option to display only jobs with the selected status, Enabled or Disabled. You also have the option All Tasks.
• Clear Filters: Click this button to remove the filtering options and display all items for the category selected in the left navigation.

When you locate a scheduled job in the list, you can select it to expand the details for the job
and review its history.

Enable Defined Jobs

When logs are enabled in your Amazon Web Services (AWS) or Microsoft Azure account, USM Anywhere automatically discovers most of them, and they can start generating events based on AWS CloudTrail, Amazon Simple Storage Service (S3), AWS Elastic Load Balancing (ELB) access logs, Azure security event logs, and others. However, because these out-of-the-box log collection and asset scan jobs deploy in a disabled state, you must decide which jobs you want to activate and enable them.

You can disable or enable a predefined or custom job in the Job Scheduler page.


To enable scheduled jobs

1. Go to Settings > Scheduler to open the Job Scheduler page.


2. Locate the jobs that you want to enable to collect events or asset information, and click the enable icon.

The icon turns green. To disable a job that is already enabled, click the icon again to return it to its original state.

Modify Defined Jobs

You can only change the parameters of out-of-the-box jobs related to USM Anywhere
AlienApps. Other USM Anywhere defined jobs cannot be modified.

To make changes to an AlienApp defined job

1. Locate the job in the Job Scheduler list.

2. In the row for the job, click the edit icon.

3. In the Edit Job dialog box, change the parameters for the job as needed.

Note: The Name and Schedule fields are editable.

4. Click Save.


Add a New Custom Job

USM Anywhere includes defined jobs to perform many of the standard log collection and
scanning actions that you will need to monitor your networks. These jobs are predefined to
run using a recurrence according to industry best practices. However, if you need to define a
scheduled job to perform log collection, asset scans, or asset group scans, you can add a new
job directly on the Job Scheduler page.

To create a new job

1. Go to Settings > Scheduler to open the Job Scheduler page.


2. In the upper-right of the page, click New Job.
• If you have selected Log Collection in the left navigation panel, this button is labeled Create Log Collection Job, and the dialog box is limited to the options that define a log collection job.
• If you have selected Asset Scans or Asset Group Scans in the left navigation panel, this button is labeled Create Scan Job, and the dialog box is limited to the options that define an asset scan, asset group scan, or asset discovery job.
• If you have selected User Scans in the left navigation panel, this button is labeled Create User Scan Job, and the dialog box is limited to the options that define a user scan job.

3. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

4. Select the source for the new job.

You can choose Sensor or Cloud Connector; the available actions and parameters depend on the source you select.

5. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

b. Set the interval options for the increment.


The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

6. Click Save.


Modify or Delete a Custom Job

Apart from the Name and Schedule of the AlienApp-related jobs described above, you cannot change or delete the parameters of the out-of-the-box jobs in USM Anywhere; you can only enable or disable them. You can, however, change the scheduled jobs that you have defined yourself, for example to run a job more or less frequently, and you can delete a custom job that is no longer needed.

To make changes to a custom job

1. Locate the job in the Job Scheduler list.

2. In the row for the job, click the edit icon.

3. In the Edit Job dialog box, change the parameters for the job as needed.

See Add a New Custom Job for more information about these options.

4. Click Save.

To delete a custom job

1. Locate the job in the Job Scheduler list.


2. In the row for the job, click the delete icon.

3. Click Accept to confirm.

Scheduling Active Directory Scans from the Job Scheduler Page


Role Availability Read-Only Investigator Analyst Manager

To effectively manage your Microsoft Windows systems, USM Anywhere can perform scans
through an Active Directory (AD) server to collect inventory information. When you configure
your VMware Sensor, Microsoft Hyper-V Sensor, or Microsoft Azure Sensor, you can define
the credentials that USM Anywhere will use to perform AD scans through the sensor. When
you configure these credentials, USM Anywhere performs an initial AD asset scan. You can
also schedule a job to perform scans through the Active Directory Scanner and collect
updated information about the assets managed by your AD server. The scan returns
information for each computer in the AD domain in the following format:

Name                       : WIN2K12-DC
DistinguishedName          : CN=WIN2K12-DC,OU=Domain Controllers,DC=ECORP,DC=local
DNSHostName                : WIN2K12-DC.ECORP.local
OperatingSystem            : Windows Server 2012 R2 Standard
OperatingSystemServicePack :
OperatingSystemVersion     : 6.3 (9600)
IPv4Address                : 10.20.30.15

The Active Directory Scanner runs a PowerShell (version 5.1 or later) command through Windows Remote Management (WinRM) (version 2.0 or later). See Granting Access to Active Directory for USM Anywhere for information about configuring the AD server to allow access for USM Anywhere.

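The record layout above is the same for every computer the scan returns, so it can be parsed back into structured inventory. The following Python is an added example, not USM Anywhere code: it splits the "Field : value" records (blank-line separated, the layout PowerShell's Format-List view of Get-ADComputer prints), turns empty fields such as a missing service pack into None, and derives the OS version so that hosts below a chosen floor can be listed. The sample output is constructed from the record above plus a second, invented workstation.

```python
"""Parse Active Directory Scanner records like the one above into asset dicts.

Added example, not USM Anywhere code. It reads the "Field : value" record
format shown above (one record per computer, records separated by a blank
line, as PowerShell's Format-List view of Get-ADComputer prints them).
SAMPLE_OUTPUT is constructed: the record from the page plus a second host.
"""
import re

SAMPLE_OUTPUT = """\
Name                       : WIN2K12-DC
DistinguishedName          : CN=WIN2K12-DC,OU=Domain Controllers,DC=ECORP,DC=local
DNSHostName                : WIN2K12-DC.ECORP.local
OperatingSystem            : Windows Server 2012 R2 Standard
OperatingSystemServicePack :
OperatingSystemVersion     : 6.3 (9600)
IPv4Address                : 10.20.30.15

Name                       : WS-0042
DistinguishedName          : CN=WS-0042,OU=Workstations,DC=ECORP,DC=local
DNSHostName                : WS-0042.ECORP.local
OperatingSystem            : Windows 10 Enterprise
OperatingSystemServicePack :
OperatingSystemVersion     : 10.0 (19045)
IPv4Address                :
"""

# Field name, optional padding, colon, optional single space, then the value.
# Only the first colon after the field name separates; values may contain colons.
FIELD = re.compile(r"^(\S+)\s*:\s?(.*)$")


def parse_ad_records(text):
    """One dict per computer; empty values (no service pack, no address) become None."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates the current record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        current[m.group(1)] = m.group(2).strip() or None
    if current:
        records.append(current)
    return records


def os_version(record):
    """(major, minor) from a value like "6.3 (9600)", or None when the field is empty."""
    m = re.match(r"(\d+)\.(\d+)", record.get("OperatingSystemVersion") or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def hosts_below(records, floor):
    """Names of computers whose OS version is older than floor, e.g. (10, 0) to
    list anything older than the Windows 10 / Windows Server 2016 version line."""
    return [r["Name"] for r in records
            if os_version(r) is not None and os_version(r) < floor]


if __name__ == "__main__":
    hosts = parse_ad_records(SAMPLE_OUTPUT)
    for h in hosts:
        print(h["Name"], h["DNSHostName"], h["IPv4Address"], os_version(h))
    print("below 10.0:", hosts_below(hosts, (10, 0)))
```

Hosts with an empty IPv4Address (stale or powered-off computer objects) survive parsing with the value None instead of being silently dropped, so the inventory stays complete and the gaps are visible.
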
To schedule an AD scan job

1. Go to Settings > Scheduler.


2. In the left navigation menu, click Asset Scans.

3. On the right side of the page, click Create Scan Job.

This opens the Schedule New Job dialog box.


4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

5. Select Sensor as the source for your new job.

6. In Action Type, select Active Directory Scanner.

7. If you have more than one deployed USM Anywhere Sensor, select the sensor you want to
use to run the scan.

This should be the sensor that is associated with the asset that you want to specify as the
target.

8. In App Action, the Get Active Directory Asset Information option is already selected.

9. Specify the asset that you want to use as a target for the action.


You can enter the name or IP address of the asset in the field to display matching items
that you can select. Or you can click Browse Assets to open the Select Asset dialog box
and browse the asset list to make your selection.

10. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.


Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

11. Click Save.

Granting Access to Active Directory for USM Anywhere

If you want to run Active Directory (AD) scans in USM Anywhere, you need to configure your
AD server assets to grant access to the USM Anywhere Sensor. You also need to configure
credentials in USM Anywhere to make an authenticated connection.

This process contains three tasks:

• Create a dedicated account in AD with administrator rights on all the hosts you want to scan. USM Anywhere uses it to log in to each host and perform the scan.
• Activate Windows Remote Management (WinRM) on the domain controller and on all the hosts you want to scan.
• Assign the AD account credentials to those assets in USM Anywhere.

Note: See Microsoft's guide on authentication for remote connections for more
information on Microsoft Windows authentication permissions.


Create a Dedicated AD Account


When configuring your VMware Sensor, Hyper-V Sensor, or Azure Sensor, you can define AD
credentials that USM Anywhere uses to perform an AD scan through the sensor. These are
the credentials that you define in the Credentials page and assign to the asset to support a
scheduled Active Directory scan job. It is a best practice to use a dedicated account for this
purpose.

To create a new dedicated account in AD

1. Log in to your domain controller with an administrator account.

2. Open Active Directory Users and Computers.

3. Create a new user called alienvault_usm_anywhere, or any other name that is easy to associate with USM Anywhere.

4. Add the user you just created to the Domain Admins group.

Because this account holds Domain Admins rights, protect it like any other privileged credential: give it a long, unique password, use it for nothing other than USM Anywhere scans, and monitor its logon activity so that unexpected use of it stands out.

Activate WinRM to Enable Windows PowerShell Remoting


For Microsoft Windows systems, USM Anywhere uses the WinRM framework to execute the corresponding commands. If WinRM is not reachable on a target Windows system with the configured account credentials, USM Anywhere can't connect. You must satisfy the following requirements:

• WinRM version 2.0 or later.
• PowerShell version 5.1 or later. The Active Directory Scanner runs a PowerShell command through WinRM, which requires PowerShell 5.1 or later to be installed on the target machine.

To activate WinRM on the domain controller and all the hosts in your AD domain at once, you can use a group policy. (For reference, see the How to enable PowerShell Remoting via Group Policy article.)

Alternatively, if you prefer to activate WinRM manually on each system you want to scan, use this procedure to activate a WinRM listener on port 5985.

To start the WinRM service

1. Open the Windows Command Prompt with administrator privileges and run the command winrm qc.

Important: Only members of the Remote Management Users and Administrators groups can log in through WS-Management.


2. Accept the default settings.

The command starts the WinRM service and configures a listener on port 5985.

3. Create a firewall rule to allow incoming connections to port 5985. Scope the rule to the IP address of the USM Anywhere Sensor that runs the scans rather than allowing any source.

For more information about WinRM, you can refer to these Microsoft articles:

• Installation and configuration for Windows Remote Management
• WinRM (Windows Remote Management) Troubleshooting

Manage Credentials for Your AD Servers


Before you run an AD scan from USM Anywhere, you should make sure that each of the
assets has assigned credentials that are able to connect to the system. In USM Anywhere, you
can assign credentials for an individual asset or for an asset group. See Creating Credentials
on how to create credentials and Assigning Credentials to Assets on how to assign them to
assets.

Note: Credentials assigned directly to an asset have higher priority than those assigned
to an asset group.

When USM Anywhere runs a scan or executes a system-level action, it uses the
credential set assigned directly to the asset, if there is one. If those credentials don't
connect or the asset doesn't have an assigned credential set, it uses the credential set
assigned to the group where the asset is a member, if that asset is a member of an asset
group.

Scheduling Asset Scans from the Job Scheduler Page

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to schedule scans from its web user interface (UI).

To schedule an asset scan job from the Job Scheduler page

1. Go to Settings > Scheduler to open the Job Scheduler page.

2. In the left navigation panel, click Asset Scans.

3. Click Create Scan Job.

The Schedule New Job dialog box opens.

4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

5. Select Sensor as the source for your new job.

6. In the Action Type field, select Asset Scanner.

Depending on the USM Anywhere Sensor that you have installed, this field can include different options.

7. Select a sensor if you have more than one installed.

8. In the App Action field, leave Scan, which is the default option.

This option discovers services, operating systems (OSes), hostnames, IP and media access control (MAC) addresses, and vulnerabilities of known hosts.

9. The Asset field displays the name of the asset to scan. You can't modify this field.

10. Select the scan profile that you want to run:

• Discovery: This profile scans the known ports and services, searching for the most-used ports. (There are 4575 ports.)
• Complete: This profile scans all TCP and UDP ports to find every possible open port in a deployment. (There are 65535 ports.)
• Vulnerability Discovery: Performs general network discovery and checks for specific known vulnerabilities. It only reports results if they are found.
• Extended Vulnerability Discovery: Performs a Vulnerability Discovery scan that actively discovers more about the network.
• Intensive Vulnerability Discovery: Performs several tasks to discover vulnerabilities, which uses a significant amount of resources on the targeted machine. Because of this, sensitive targets may experience a brief disruption of their services.

11. Select Set Debug Mode if you want to log the results of the scan or if you have a problem with a scan.

This option is disabled by default.

Note: The Set Debug Mode option must be used only for debugging purposes because it needs a large amount of disk space for the file or files that it generates. Only AT&T Cybersecurity Technical Support should review these files. You can contact this department for more information.

12. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly increment, you can select the days of the week to run the job. Or on a monthly increment, you can specify a date or a day of the week that occurs within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (the default is Coordinated Universal Time [UTC]).

13. Click Save.

The job now displays in the job scheduler list.

To schedule an authenticated asset scan job from the Job Scheduler page

1. Go to Settings > Scheduler to open the Job Scheduler page.

2. In the left navigation panel, click Asset Scans.

3. Click Create Scan Job.

The Schedule New Job dialog box opens.

4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that others can easily understand what it does.

5. Select Sensor as the source for your new job.

6. In the Action Type field, select Authenticated Asset Scanner.

Depending on the USM Anywhere Sensor that you have installed, this field can include different options.

7. Select a sensor if you have more than one installed.

8. In the App Action field, Scan is the default option. This option discovers services, operating systems, hostnames, IP and MAC addresses, and vulnerabilities of known hosts.

9. The Asset field displays the name of the asset to scan. You can't modify this field.

10. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its performance. For example, you can check the system load and CPU. See USM Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly increment, you can select the days of the week to run the job. Or on a monthly increment, you can specify a date or a day of the week that occurs within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone configured for your USM Anywhere instance (the default is Coordinated Universal Time [UTC]).

11. Click Save.

The job now displays in the job scheduler list.

Scheduling Asset Groups Scans from the Job Scheduler


Page

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to include scans for scheduling using its web user
interface (UI).

To schedule an asset group scan job from the Job Scheduler page

1. Go to Settings > Scheduler to open the Job Scheduler page.


2. In the left navigation panel, click Asset Group Scans.

3. Click Create Scan Job.

The Schedule New Job dialog box opens.

533 USM Anywhere™ User Guide


4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

5. Select Sensor as the source for your new job.

6. In the Action Type field, select Asset Scanner.

Depending on the USM Anywhere Sensor that you have installed, this field can include
different options.

7. Select a USM Anywhere sensor in case you have more than one installed.

8. Select the App Action:

Asset Discovery

Discovers assets in your environment, detects changes in assets, and discovers malicious
assets in the network.

- Select Existing Asset Group: In the Enter asset group name field, search for the asset
groups to scan. These asset groups already exist, and you can search for them
by entering the name of the asset group or by browsing for them.
- Create New Asset Group to Scan Using CIDR Block: You can create a new asset
group from a Classless Inter-Domain Routing (CIDR) block. You need to indicate the
CIDR block and the network name you want to scan. This option discovers new assets
and scans the discovered assets.

Important: Use the Create New Asset Group to Scan Using CIDR Block option for
creating new CIDR-based asset groups without leaving the scheduler form. After
clicking Save, a new asset group based on the selected CIDR is created.

Your scan job will have the Select Existing Asset Group option selected and the
CIDR-based asset group assigned automatically.

Important: When you use a virtual private network (VPN) through a Cisco firewall,
make sure that arp-proxy is enabled on the firewall. Otherwise, all the assets are
reported with the same media access control (MAC) address, and USM Anywhere
considers all of them to be different interfaces of the same asset.

Asset Group Scan

Discovers services, operating systems, hostnames, IP and MAC addresses, and
vulnerabilities of known hosts. This option scans the assets that are already in the group.

The Asset Group field displays the name of the asset group to scan. You can't modify this
field.

9. In the App Action field, Asset Group Scan is the default option.

10. Select the scan profile that you want to run:

- Discovery: This profile scans the known ports and services, searching for the most-used
ports. (There are 4576 ports.)
- Complete: This profile scans all TCP and UDP ports to find the possible ports in a
deployment. (There are 65535 ports.)
- Vulnerability Discovery: Performs general network discovery and checks for specific
known vulnerabilities. It only reports results if they are found.
- Extended Vulnerability Discovery: Performs a Vulnerability Discovery scan, which
actively discovers more about the network.
- Intensive Vulnerability Discovery: Performs several tasks to discover vulnerabilities,
which uses a significant number of resources on the targeted machine. Because of
this, sensitive targets may perceive a brief disruption of their services.

11. (Optional.) Select the assets you want to exclude from the scan.

12. Select Set Debug Mode if you want to log the results of the scan or if you have a problem
with a scan.

This option is disabled by default.

Note: The Set Debug Mode option must be used only for debugging purposes
because it needs a large amount of disk space for the file or files that it generates.
Only AT&T Cybersecurity Technical Support should review these files. You can
contact this department for more information.

13. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its
performance. For example, you can check the system load and CPU. See USM
Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

14. Click Save.

The job now displays in the job scheduler list.

To schedule an authenticated asset group scan job from the Job Scheduler page

1. Go to Settings > Scheduler to open the Job Scheduler page.

2. In the left navigation panel, click Asset Group Scans.

3. Click Create Scan Job.

The Schedule New Job dialog box opens.

4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

5. Select Sensor as the source for your new job.

6. In the Action Type field, select Authenticated Asset Scanner.

7. Select a sensor in case you have more than one installed.

8. In the App Action field, Asset Group Scan is the default option.

9. In the Asset Group field, you can either enter the asset group name or browse asset
groups.

10. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its
performance. For example, you can check the system load and CPU. See USM
Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

11. Click Save.

The job now displays in the job scheduler list.

Scheduling User Discovery Jobs from the Job Scheduler Page

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to enable scheduled user scans for user behavior
analytics (UBA). Your USM Anywhere instance includes preconfigured scans for each of the
user sources UBA supports.


User Behavior Analysis Standard Jobs


To open the Job Scheduler page go to Settings > Scheduler and, in the left navigation panel,
click User Scans.

There are several apps in USM Anywhere that support the creation of scheduled jobs for user
behavior monitoring.

Amazon Web Services

If you have a deployed Amazon Web Services (AWS) Sensor, the AWS Sensor app provides
support for the predefined user discovery jobs that USM Anywhere uses to monitor AWS
Identity and Access Management (IAM) activity. You can also use the app to define custom
jobs.

The AWS user discovery job is enabled by default and runs every 20 minutes to collect AWS
users.


Azure

If you have a deployed Microsoft Azure Sensor, the Azure Sensor app provides support for the
predefined Azure Active Directory (AD) user discovery jobs that USM Anywhere uses to
monitor your Azure AD users, either as an actor in the Azure cloud or as an identity provider.
You can also use the app to define custom jobs.

The Azure user discovery job is enabled by default and runs every 20 minutes to collect Azure
AD users. See Azure Log Discovery and Collection in USM Anywhere in the USM Anywhere
Deployment Guide for more information about jobs for the Azure Sensor app.

You can verify that your app is properly configured to collect user data by viewing the app
status. Go to Data Sources > Sensors to open the sensors main page, click a sensor to open
its detail, and click the App Status tab.


Active Directory

If you are using Microsoft Active Directory to authenticate users in your environment, the
Azure AD Sensor app provides support for the predefined user discovery job that scans for
both assets and users authenticated via Microsoft Active Directory. Go to Data Sources >
Sensors to open the sensors main page, click the sensor to open its details, and click the
Active Directory tab.

You can execute a new Microsoft Active Directory scan either from the Getting Started
Wizard during your sensor's deployment, or at any time from the sensor details page. In
addition, you can schedule a custom job to collect users regularly.

See Running Active Directory Scans in the USM Anywhere Deployment Guide for more
information about jobs for this app.


Okta

If you are using Okta in your environment to authenticate users, the Okta Sensor app
provides support for the predefined user discovery job that scans for users authenticated via
Okta.

You can confirm your Okta app is configured to collect user data by checking the app. Go to
Data Sources > AlienApps > Available Apps, search for Okta, and then click the tile. See
AlienApp for Okta for more information.


Office 365

If you are using Microsoft Office 365 in your environment to authenticate users, the Office 365
Sensor app provides support for the predefined user discovery job that scans for users
authenticated via Office 365.

You can confirm your Office 365 app is configured to collect user data by checking the app
status. Go to Data Sources > AlienApps > Available Apps, search for Office 365, and then
click the tile. See AlienApp for Office 365 for more information.


G Suite

If you are using Google G Suite in your environment to authenticate users and would like to
set up a scheduled job to discover them, you must create a new job for that purpose.

Note: Because of the nature of Google G Suite scans, no preconfigured scan is available
for G Suite users.

To configure a scheduled job to discover G Suite users, use the following values:

- Name: An identifying name for the new job
- Description: A description of the new job
- Action Type: G Suite
- App Action: Find G Suite users
- Domain: The domain this job will scan
- Schedule: The frequency with which this scan job will run (most scan jobs run every 20
minutes)

See USM Anywhere Scheduler for detailed instructions on how to create new scheduled jobs.

Google Cloud Platform

If you are using Google Cloud Platform (GCP) in your environment to authenticate users, the
GCP Sensor app provides support for the predefined user discovery job that scans for users
authenticated via GCP.

Important: You must have a privileged GCP user account for your user discovery jobs to
run successfully.

Scheduling Log Collection from the Job Scheduler Page

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere provides a simple way to include scans for scheduling using its web user
interface (UI). Go to the Job Scheduler page at Settings > Scheduler and click Log Collection
to view a list of all jobs that are defined in your USM Anywhere environment and to manage
the jobs that are scheduled to run in your environment.

Depending on your deployed sensor, you can collect different kinds of logs:

- Azure Log Discovery and Collection in USM Anywhere
- AWS Log Discovery and Collection in USM Anywhere

AWS Log Discovery and Collection in USM Anywhere


Amazon Web Services (AWS) customers have access to service-specific log files to gain
insight into how each AWS service is operating. In addition, applications running in AWS also
generate various log files in different formats. With a deployed AWS Sensor, USM Anywhere
can collect both kinds of logs from AWS, but the procedures are slightly different:

- Use a predefined scheduler job

USM Anywhere automatically discovers the AWS CloudTrail logs, the Amazon Simple
Storage Service (S3) access logs, and some Amazon CloudWatch logs when they are
enabled within your AWS account. There are predefined scheduler jobs in USM Anywhere
to collect these logs, but they are disabled by default. Go to Settings > Scheduler > Log
Collection for the full list. You need to enable each job based on which log you want to
collect. See Collect AWS CloudTrail Logs on an AWS Sensor, Collect Amazon S3 Access
Logs, and Collect ELB Access Logs for more information.

- Use a customer-defined scheduler job

If none of the predefined jobs collect from your log location, you can create a new job
under Settings > Scheduler > Log Collection. Depending on where your logs are stored,
USM Anywhere provides two ways to collect them:
  - Amazon CloudWatch Logs: If you choose to use Amazon CloudWatch Logs in your
  AWS environment, USM Anywhere can collect CloudWatch logs directly. See Collect
  AWS CloudTrail Logs on an AWS Sensor for more information. For example, you can
  collect the Amazon Virtual Private Cloud (VPC) flow logs using this method.
  - Amazon S3 bucket: If you choose to store logs in an Amazon S3 bucket instead, USM
  Anywhere can also collect logs directly from an Amazon S3 bucket. See Collect Other
  Logs from an Amazon S3 Bucket for more information.

Configure Amazon GuardDuty for the AWS Sensor

Role Availability Read-Only Investigator Analyst Manager

You can leverage your Amazon GuardDuty service within the AWS Sensor to translate the raw
log data into normalized events for analysis.

Amazon GuardDuty service is automatically detected when a new AWS Sensor is deployed.
However, it still needs to be enabled for USM Anywhere to receive information from it.


To enable Amazon GuardDuty for your AWS Sensor

1. Go to Settings > Scheduler.


2. Search for GuardDuty in the Job Scheduler Filter By field.

3. In the row for the GuardDuty job, click the icon to enable it.

Collect AWS CloudTrail Logs on an AWS Sensor

Amazon Web Services (AWS) CloudTrail provides a complete audit log for all actions taken
with the Amazon API, either through the web user interface (UI), the AWS Command Line
Interface (CLI), or an AWS software development kit (SDK). Ongoing monitoring of this log
gives you visibility of end user and automated actions in your environment. This helps you
quickly detect abuse cases and security incidents, such as a user trying to make changes to an
AWS account that are inconsistent with their privileges.

USM Anywhere automatically detects AWS CloudTrail and retrieves your AWS CloudTrail logs
across all regions within a single AWS account. USM Anywhere also provides you the
credentials to securely access your AWS CloudTrail logs. When a new trail is detected, a new
log collection job is automatically created and enabled to capture the logs in that trail.
Similarly, if a trail is deleted, the existing job that was created for it is automatically deleted.

As the AWS Sensor collects this raw log data, USM Anywhere uses its AWS CloudTrail data
source to normalize the data and generate meaningful events. Depending on the size and
activity in your AWS account, this log collection can produce an excessive number of events.
See Managing Collected CloudTrail Event Logs for a list of possible CloudTrail events.
Similarly, if your AWS instance includes organizations, you may create a trail that will log all
events for any AWS accounts assigned to an organization.


Note: If you choose not to enable AWS CloudTrail, USM Anywhere processes all stored
logs at initial startup. See the Amazon documentation for information about enabling
AWS CloudTrail. After that initial processing, log collection jobs run every five minutes to
ensure that logs are captured and can generate meaningful events in a timely manner.

Note: Sometimes you may see that the CloudTrail events in USM Anywhere display a
different username compared to the raw log. This is because CloudTrail provides
different types of user identities, one of which is AssumedRole. When the user identity
type is set to AssumedRole, it means that the user credential is temporary and the
username you see in the raw log is not the actual username. See Amazon
documentation for more information.

To enable AWS CloudTrail for your AWS Sensor

1. Go to Settings > Scheduler.


2. Search for CloudTrail in the Job Scheduler Filter By field.

3. In the row for the CloudTrail job, click the icon to enable the AWS CloudTrail jobs.

This turns the icon green.

Collect Amazon CloudWatch Logs

Role Availability Read-Only Investigator Analyst Manager

Amazon CloudWatch Logs monitors applications and systems using log data, aggregating and
storing application logs. CloudWatch Logs is useful because you can easily configure it to
process additional metadata with the log files. Visit the AWS documentation to learn more
about VPC flow log collection.

Important: If you choose to enable CloudWatch Logs in your Amazon Web Services
(AWS) environment, you should make sure that you are not collecting more data than
you need because this service incurs AWS costs based upon usage. See the CloudWatch
pricing information to plan and configure your usage.

If not already done, install and configure the Amazon CloudWatch agent to collect logs from
Amazon Elastic Compute Cloud (EC2) instances. See Amazon documentation for instructions.

USM Anywhere provides some CloudWatch log collection jobs out of the box, but they are
disabled by default. You can enable them under Settings > Scheduler. When enabled, these
jobs monitor certain log groups and collect logs from CloudWatch every five minutes. You
must configure your CloudWatch agent to use these log group names and to keep the log
types the same within a given log group.

USM Anywhere Log Collection Jobs and CloudWatch Log Groups

USM Anywhere Log Collection Job Name | CloudWatch Log Group Name | Default File Path                     | Date Format
CloudWatch - Apache-Access-Logs      | Apache-Access-Logs        | /var/log/apache2/access.log           | %d/%b/%Y:%H:%M:%S
CloudWatch - Linux-Audit-Logs        | Linux-Audit-Logs          | /var/log/audit/audit.log              | Use the default
CloudWatch - Linux-Auth-Logs         | Linux-Auth-Logs           | /var/log/auth.log                     | %b %d %H:%M:%S
CloudWatch - Osquery-Logs            | OSQuery-Logs              | /var/log/osquery/osqueryd.results.log | Use the default

If you want to collect logs from other log groups, ensure that all streams in the same group
are of the same type so that USM Anywhere can use a designated data source to parse the
collected raw log data. You can then set up a CloudWatch log collection job for each log
group.
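As an added example (not code from the USM Anywhere guide or from AT&T), the following script renders the amazon-cloudwatch-agent "logs" section for the four groups in the table above, one log type per group, and checks a planned group layout for groups that would mix data sources before you enable collection. It assumes the agent's standard JSON schema (logs.logs_collected.files.collect_list), "{hostname}" as the stream name, and data-source labels of our own choosing in the constructed plan.

```shell
#!/bin/sh
# Added example, not from the USM Anywhere guide: build the amazon-cloudwatch-agent
# "logs" section for the four log groups in the table above, one log type per group,
# and check a planned group layout for mixed log types before enabling collection.
# Assumptions: the agent's standard JSON schema (logs.logs_collected.files.collect_list)
# and "{hostname}" as the stream name; the data-source labels in the plan are ours.

# cw_entry FILE GROUP [TIMESTAMP_FORMAT]
# Emits one collect_list object. Without a format, the agent's default timestamp
# handling applies (the table's "Use the default").
cw_entry() {
    _file=$1 _group=$2 _fmt=${3:-}
    if [ -n "$_fmt" ]; then
        printf '{"file_path":"%s","log_group_name":"%s","log_stream_name":"{hostname}","timestamp_format":"%s"}' \
            "$_file" "$_group" "$_fmt"
    else
        printf '{"file_path":"%s","log_group_name":"%s","log_stream_name":"{hostname}"}' \
            "$_file" "$_group"
    fi
}

# render_cwagent_logs writes the "logs" section covering the groups that the
# out-of-the-box USM Anywhere CloudWatch jobs monitor, using the table's paths
# and date formats.
render_cwagent_logs() {
    printf '{"logs":{"logs_collected":{"files":{"collect_list":['
    cw_entry /var/log/apache2/access.log Apache-Access-Logs '%d/%b/%Y:%H:%M:%S'
    printf ','
    cw_entry /var/log/audit/audit.log Linux-Audit-Logs
    printf ','
    cw_entry /var/log/auth.log Linux-Auth-Logs '%b %d %H:%M:%S'
    printf ','
    cw_entry /var/log/osquery/osqueryd.results.log OSQuery-Logs
    printf ']}}}}\n'
}

# cw_mixed_groups reads "GROUP FILE DATASOURCE" lines on stdin and prints every
# log group that would receive more than one data source. Such a group breaks the
# one-data-source-per-group rule, so the collection job parses part of it with
# the wrong parser.
cw_mixed_groups() {
    awk '{ k = $1 SUBSEP $3; if (!(k in seen)) { seen[k] = 1; n[$1]++ } }
         END { for (g in n) if (n[g] > 1) print g }' | sort
}

# Constructed plan: "App-Logs" mixes Apache and auth logs; the other groups are clean.
PLAN='App-Logs /var/log/apache2/access.log apache
App-Logs /var/log/auth.log linux-auth
Linux-Audit-Logs /var/log/audit/audit.log linux-audit
OSQuery-Logs /var/log/osquery/osqueryd.results.log osquery'

if [ "${1:-}" = "check" ]; then
    printf '%s\n' "$PLAN" | cw_mixed_groups
elif [ "${1:-}" = "render" ]; then
    render_cwagent_logs
fi
```

Run it with `check` to list groups that need splitting, or with `render` to print the agent config section to merge into your agent configuration.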

To create a new CloudWatch log collection job

1. Go to Settings > Scheduler.

2. In the left navigation menu, click Log Collection.

Note: You can use the Sensor filter at the top of the list to review the available log
collection jobs on your AWS Sensor.

3. Click Create Log Collection Job.


Note: If you have recently deployed a new USM Anywhere Sensor, it can take up to
20 minutes for USM Anywhere to discover the various log sources. After it discovers
the logs, you must manually enable the AWS log collection jobs you want before the
system collects the log data.

The Schedule New Job dialog box opens.

4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

5. Select Sensor as the source for your new job.

6. In the Action Type drop-down list, select Amazon Web Services.

7. In the App Action drop-down list, select Monitor CloudWatch.

8. Enter the Region Name, Group Name, and Stream Name information for your AWS
account. Region name can be an asterisk ( * ) to monitor all regions for a given group.

9. In Source Format, select either of the following log formats:

- Syslog: All messages transmitted to USM Anywhere are processed with the
assumption that they are syslog formatted.

When you choose syslog as the source format, the data source selection is bypassed
and USM Anywhere uses the auto-detect hints from the data sources to match the
incoming messages to the correct data source.

- Raw: Use for non-syslog formatted data.

If you select this option, you must choose the data source that USM Anywhere will use
to parse all of the streams in the group. For example, to collect Amazon Virtual Private
Cloud (VPC) flow logs, select the VPC Flow Logs data source.

Important: If a group contains streams of mixed log formats, USM Anywhere
parses all of them with the data source that you chose, which produces
undesired results. In this case, you need to configure CloudWatch to separate the
streams into different groups so that each contains only a single log type that
can be mapped to the correct data source.

10. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its
performance. For example, you can check the system load and CPU. See USM
Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

11. Click Save.

USM Anywhere detects any enabled jobs with the same configuration and asks you to
confirm before continuing. This is because having two jobs with the same configuration
generates duplicate events and alarms.

Collect Amazon S3 Access Logs

Role Availability Read-Only Investigator Analyst Manager

Amazon Simple Storage Service (S3) is object storage with a simple web service interface
that you can use to store and retrieve any amount of data from anywhere on the web.
Organizations running an Amazon Web Services (AWS) environment typically use it as the
primary storage for their cloud-native applications, as a bulk repository, as a target for
backup and recovery, and as a long-term archive location.

When enabled, Amazon S3 can provide complete access logs for all actions taken in an
Amazon S3 bucket. This gives you insight into who is accessing the data, and what actions are
being taken. See Amazon's documentation to learn how to enable S3 access logging.

Note: In AWS, you must enable Amazon S3 access logging in every Amazon S3 bucket
that you want to monitor.

With a deployed AWS Sensor, USM Anywhere automatically discovers the Amazon S3 access
logs when you have enabled them within your AWS account. All you need to do is to enable
the log collection job in USM Anywhere.

To enable Amazon S3 access logs collection in USM Anywhere

1. Go to Settings > Scheduler.

2. In the left navigation pane, click Log Collection.

3. Locate the Discover S3 buckets job and click the icon.

This turns the icon green. To disable an already-enabled job, toggle the icon to its
original status.

After you have enabled log collection, USM Anywhere automatically discovers your Amazon
S3 access logs every 20 minutes. They will now begin generating events and you can see them
in the Amazon S3 Dashboard.

Collect ELB Access Logs

Role Availability Read-Only Investigator Analyst Manager

Elastic Load Balancing (ELB) is an important feature in Amazon Web Services (AWS) because it
automatically distributes incoming application traffic across multiple targets. AWS ELB access
logs provide insight into who is accessing your web resources. They also help you identify
common abuse patterns and use of automated hacking tools such as web application
scanners.

USM Anywhere supports log discovery in two types of load balancers:

l AWS Application Load Balancer: You must enable Application Load Balancer logs for
every AWS ELB that you want to monitor. See the Amazon documentation to learn how to
enable Application Load Balancer access logging in AWS.

l AWS Classic Load Balancer: You must enable Classic Load Balancer logs for every AWS
ELB that you want to monitor. See the Amazon documentation to learn how to enable
Classic Load Balancer access logging in AWS.


Collecting AWS Application Load Balancer Access Logs

Once you have enabled Application Load Balancer access logging in AWS, you must also
configure a scheduled job to monitor the Amazon Simple Storage Service (S3) bucket for the
AWS Application Load Balancer. Only after this has been completed will USM Anywhere be
able to automatically discover your ELB access logs.

To create an AWS Application Load Balancer access log collection in USM Anywhere

1. Go to Settings > Scheduler.


2. Click New Job.

3. Configure your new scheduled job to collect access logs:

- Action Type: Amazon Web Services
- App Action: Monitor S3 Bucket
- Bucket Name: The name of the S3 bucket you want to monitor
- Path: The prefix for the path you want to monitor
- Source Format: Specify whether the source is raw or syslog
- Data Source: AWS Application Load Balancer

4. Set a schedule for your new scheduled job.

5. Click Save.

After you have enabled your new job, USM Anywhere will use this job to discover your AWS
Application Load Balancer access logs on the schedule you chose. These logs will now begin
generating events and you can see them in the AWS Load Balancer Dashboard.

Collecting AWS Classic Load Balancer Access Logs

The AWS Sensor automatically detects Classic Load Balancer access logs after you have
enabled them in AWS. After they're enabled in AWS, all you need to do is to enable the log
collection job in USM Anywhere.

To enable AWS Classic Load Balancer access log collection in USM Anywhere

1. Go to Settings > Scheduler.

2. In the left navigation pane, click Log Collection.

3. Locate the Discover Elastic Load Balancer (ELB) job and click the icon.

This turns the icon green. To disable an already-enabled job, toggle the icon to its
original status.

After you have enabled log collection, USM Anywhere automatically discovers your AWS
Classic Load Balancer access logs every 20 minutes. They will now begin generating events
and you can see them in the AWS Load Balancer dashboard.

Collect Other Logs from an Amazon S3 Bucket

Role Availability Read-Only Investigator Analyst Manager

In addition to the native service-specific logging that Amazon Web Services (AWS) provides,
individual applications you run in the AWS environment often generate their own log files. You
can forward these logs to an Amazon Simple Storage Service (S3) bucket and configure USM
Anywhere to collect logs from that Amazon S3 bucket. USM Anywhere does not restrict the
number of logs you can collect, but AWS does set limits on the number of logs it can return in
each operation.

For example, to collect logs from AWS Web Application Firewall (WAF), you first need to follow
AWS documentation to configure AWS WAF logging to store logs in an Amazon S3 bucket.
Then configure a scheduler job in USM Anywhere to collect logs from the bucket.

Note: USM Anywhere accepts any file type when collecting log files. For compressed
files, it looks for the file extension .gz, .zip, or .bz2 and uses the standard java.util or
Apache Commons library to read the files. All other files are read as plain text.


To collect logs from an Amazon S3 bucket

1. Go to Settings > Scheduler.

2. In the left navigation menu, click Log Collection.

Note: You can use the Sensor filter at the top of the list to review the available log
collection jobs on your AWS Sensor.

3. Click Create Log Collection Job.

Note: If you have recently deployed a new USM Anywhere Sensor, it can take up to
20 minutes for USM Anywhere to discover the various log sources. After it discovers
the logs, you must manually enable the AWS log collection jobs you want before the
system collects the log data.

The Schedule New Job dialog box opens.


4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

5. Select Sensor as the source for your new job.


6. In the Action Type option, select Amazon Web Services.
7. Select a sensor if you have more than one installed in your environment.

8. In the App Action option, select Monitor S3 Bucket.


9. Enter the Bucket Name and Path.

The bucket name is the name of the Amazon S3 bucket as configured in your AWS
account, such as alienvault-test-0726 in the screenshot below.


The path is the path prefix within the Amazon S3 bucket, such as sub-folder1 in the
screenshot below. This does not include the bucket name.

Note: Logs from the directory and its subdirectories are collected.

Important: If you have selected Elastic Load Balancer (ELB), Application Load
Balancer (ALB), or Cloud Trail sources, then you need to use, inside the path field, the
same prefix you have introduced in your AWS configuration. If the prefix field is
empty in your AWS configuration, then you must leave the path field inside USM
Anywhere empty.

10. In Source Format, select either of the following log formats:

- syslog: Standard format for transmitting log data to USM Anywhere.
- raw: Use for non-syslog formatted data.

11. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its
performance. For example, you can check the system load and CPU. See USM
Anywhere System Monitor for more information.

b. Set the interval options for the increment.


The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.

Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

12. Click Save.

USM Anywhere detects any enabled jobs with the same configuration and asks you to
confirm before continuing. This is because having two jobs with the same configuration
generates duplicate events and alarms.


13. In the AWS console, restart the AWS Sensor instance so that it detects the new
configuration.

You can confirm that the scheduled job is collecting logs by going back to Settings
> Scheduler > Log Collection and expanding the job you've created. Each log collection
event will be listed under Schedule History.

Moving Logs from an Amazon EC2 Instance to an Amazon S3 Bucket

In Amazon Elastic Compute Cloud (EC2), it can be difficult to create direct network
connections between isolated parts of your environment. Amazon S3 provides a convenient
way to move application logs from an Amazon EC2 instance to an Amazon S3 bucket. Amazon
S3 buckets are used to store objects that consist of data and metadata that describes the
data. You then configure the AWS Sensor to retrieve and process the log files.

You need to synchronize the logs on your instance with an Amazon S3 bucket. There are
multiple ways to do this. The easiest method is to use the AWS Command Line Interface (CLI)
as documented by Amazon. You then create a script similar to the following example and
configure it to run periodically as a cron job. Note that the AWS CLI expects the lower-case
s3:// scheme in the destination.

aws s3 sync "<path_to_log>" "s3://<bucket_name>/<storage_path>/"
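The following POSIX sh wrapper is an added example and is not part of this guide or the USM Anywhere product. It wraps the aws s3 sync call above so that it is safe to run from cron: it validates the log directory and prefix before touching the network, builds the destination with the lower-case s3:// scheme (syncing to the bucket root when the prefix is empty), and keeps successful runs silent. The bucket name, prefix, log directory, lock file and script path shown are placeholders.

```shell
#!/bin/sh
# Added example, not from the USM Anywhere guide: a cron-friendly wrapper around
# "aws s3 sync". Bucket, prefix, log directory and paths below are placeholders.
#
# Suggested crontab entry (every 5 minutes; flock stops runs from overlapping):
#   */5 * * * * flock -n /var/lock/s3-log-sync.lock /usr/local/bin/s3-log-sync.sh /var/log/myapp example-bucket sub-folder1

# sync_logs_to_s3 LOG_DIR BUCKET PREFIX
# Copies new or changed files under LOG_DIR to s3://BUCKET/PREFIX/.
# Returns 1 on bad input, otherwise the aws CLI's own exit status.
sync_logs_to_s3() {
    log_dir=$1
    bucket=$2
    prefix=$3

    # Validate before touching the network; cron mails anything written here.
    if [ ! -d "$log_dir" ]; then
        echo "sync_logs_to_s3: '$log_dir' is not a directory" >&2
        return 1
    fi
    case $prefix in
        /*)
            echo "sync_logs_to_s3: prefix must be relative to the bucket root (no leading /)" >&2
            return 1 ;;
    esac

    # Build the destination. The scheme must be lower-case "s3://"; a single
    # trailing slash makes sync treat PREFIX as a folder. An empty prefix means
    # the bucket root.
    prefix=${prefix%/}
    if [ -n "$prefix" ]; then
        dest="s3://$bucket/$prefix/"
    else
        dest="s3://$bucket/"
    fi

    # --only-show-errors keeps successful runs silent under cron.
    aws s3 sync "$log_dir" "$dest" --only-show-errors
}

# When invoked as a script with three arguments, run the sync.
if [ "$#" -eq 3 ]; then
    sync_logs_to_s3 "$@"
fi
```

The function only ever calls aws s3 sync, so the IAM identity on the instance needs nothing beyond list and put access on that bucket and prefix; the sensor side reads with its own credentials.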

Azure Log Discovery and Collection in USM Anywhere

With a USM Anywhere Sensor deployed in your Microsoft Azure environment, referred to as
the Azure Sensor, USM Anywhere can discover and collect logs in two different ways.

An Azure Sensor is preconfigured to automatically discover and collect these types of Azure
resource logs (previously referred to as diagnostic logs):

• Azure Monitor (Insight)
• Azure Security Alerts
• Azure Internet Information Services (IIS) logs
• Azure SQL Server logs
• Azure Web Apps logs
• Azure Windows logs

See Collect Azure Resource Logs for more information.

Furthermore, if you stream data to Azure Event Hubs, you can connect an Azure Sensor to
your event hub and collect the following logs:


• Azure Active Directory (AD) logs, including audit logs and sign-in logs
• Azure Monitor logs
• Azure SQL Database logs
• Microsoft Defender Advanced Threat Protection (ATP) logs

See Collect Logs from Azure Event Hubs for more information.

Collect Azure Resource Logs

Microsoft Azure resource logs (previously referred to as diagnostic logs) provide insight into
operations performed within an Azure resource, such as Microsoft Azure Internet Information
Services (IIS) or Microsoft Azure SQL Server. USM Anywhere discovers and collects these logs
through the Azure APIs. A USM Anywhere Sensor deployed in your Azure environment is
preconfigured to automatically discover logs from your Azure storage account. You can
enable or disable the predefined jobs from the Azure Sensor Setup Wizard (see Azure Log
Collection) or within the USM Anywhere scheduler (see USM Anywhere Scheduler).

To supplement the default log location or to add log collection for Microsoft Azure Web Apps,
you can create custom log collection jobs that operate through the Azure Sensor app.

Note: What an Azure log job collects depends on whether you granted contributor
permissions to one of your resources or to your entire Azure subscription for the USM
Anywhere application. Depending on the Azure credentials configured for the deployed
Azure Sensor, the sensor could have access to individual resource groups or the whole
subscription. See Creating an Application and Obtaining Azure Credentials for more
information.

Microsoft Azure Monitor (Insight)

Microsoft Azure Monitor (formerly Azure Insights) provides base-level infrastructure metrics
and logs for most services in Azure. It helps you to track user activities within an Azure
subscription, including when users log on, deploy or shut down virtual machines (VMs), and
more. Through the Microsoft Azure Monitor Representational State Transfer (REST) API, USM
Anywhere captures those logs and creates events.

You need to perform a specific configuration of Azure Monitor in the Azure console for USM
Anywhere to collect the Azure-related logs. You need to enable the archive to a storage
account option on the Azure subscription, which then enables USM Anywhere to
automatically detect and create a job for the Azure-related jobs. When you complete the Log
Collection step for your Azure Sensor setup, you can enable this default job, which runs every
20 minutes.


You can also enable or disable this default job in the USM Anywhere Scheduler page. When
you select the job in this page, you can review the history for the scheduled job.


Azure Security Alerts

Microsoft Azure Security Center is an Azure service that continuously monitors your Azure
environment and applies analytics to automatically detect a wide range of potentially
malicious activity. It surfaces these detections as security alerts. Security Center performs this
function by collecting data from your VMs, which is enabled for all VMs in your subscription by
default. You can also customize this data collection in the Security Center policy.

You do not need to perform a specific configuration of the Azure Security Center alerts in the
Azure console to be able to collect these logs. USM Anywhere automatically detects these
logs and creates a job for Azure Security Center alerts logs. When you complete the Log
Collection step for your Azure Sensor setup, you can enable this default job, which runs every
20 minutes.

You can also enable or disable this default job in the USM Anywhere Scheduler page. When
you select the job in this page, you can review the history for the scheduled job.

Azure IIS Logs

For individual VMs running IIS with Azure diagnostics enabled, you can designate storage for
the IIS logs. USM Anywhere automatically detects these logs through the Azure APIs and
Azure software development kits (SDKs). For each Azure Storage container location with
Azure IIS logs that it detects, USM Anywhere creates a default log collection job. When you
complete the Log Collection step for your Azure Sensor setup, you can enable these default
jobs, which run every five minutes.

Warning: If there are network restrictions in your environment restricting access to the
storage account, those restrictions must allow access to the sensor.


Note: This type of IIS implementation is different than Azure Web Apps, which is a
platform service and uses a different logging configuration. See Azure Web Apps Logs
for information about collecting logs for web apps.

You can also enable or disable this default job in the Job Scheduler. When you select the job in
this page, you can review the history for the scheduled job. You could choose to disable this
default job based on the IIS log locations that USM Anywhere discovers, and create a custom
Azure IIS log collection job for a location that you specify.

When you configure the new job, set the App Action option to Process Azure IIS Logs. You
must also specify the Resource Group, Storage Account, and Blob Container for the
custom log collection job. See Create a New Azure Log Collection Job for more information
about scheduling an Azure log collection job.


Azure SQL Server Logs

For individual VMs running an Azure SQL Server with Azure diagnostics enabled, you can
designate storage for the SQL Server logs. You must configure this to use Microsoft Azure
Table storage. To simplify the tracking of related security issues, USM Anywhere treats the SQL
service as an asset, and maps events and other security issues directly to the SQL service.
When it detects Azure Table storage locations with Azure SQL Server logs, USM Anywhere
creates a default log collection job for each. When you complete the Log Collection step for
your Azure Sensor setup, you can enable these default jobs, which run every five minutes.

Important: The Azure SQL Server job is deprecated. Use the Event Hub Integration to
collect Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more
information.

If you want to supplement this automatic Azure log collection in USM Anywhere, you can
create an additional Azure SQL Server log collection job.

When you configure the new job, set the App Action option to Process Azure SQL Server
Logs. You must also specify the Resource Group, Storage Account, and Table Container for
the custom log collection job. See Create a New Azure Log Collection Job for more
information about creating a new Azure log collection job.


Azure Web Apps Logs

Warning: If there are network restrictions in your environment restricting access to the
storage account, those restrictions must allow access to the sensor.

Azure App Service Web Apps is a fully managed compute platform that is optimized for
hosting websites and web applications. A web app represents the compute resources that
Azure provides for hosting a website or web application. These compute resources may be on
shared or dedicated VMs. For each deployed web application in your Azure environment, you
can enable diagnostic logging to capture and store the web server and application
information.

Important: When configuring Azure Web Apps logs, you must use the World Wide Web
Consortium (W3C) format and select the following fields:

date, time, s-sitename, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip,
cs(User-Agent), cs(Cookie), cs(Referer), cs-host, sc-status, sc-substatus, sc-win32-status,
sc-bytes, cs-bytes, time-taken
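To see what the W3C field selection above means for the data that reaches a collector, here is an added example (not code from this guide or from USM Anywhere) that parses W3C extended log format entries and checks a log's #Fields directive against the required field list. The sample log, site name and addresses in it are constructed for illustration.

```python
"""Parse W3C extended log format entries of the kind Azure Web Apps writes.

Added example; this is not code from the USM Anywhere guide or product. The
sample log below is constructed for illustration, and REQUIRED_FIELDS is the
field list the guide says to select when enabling Web Apps logging.
"""
from typing import Dict, List, Optional

REQUIRED_FIELDS = [
    "date", "time", "s-sitename", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Cookie)",
    "cs(Referer)", "cs-host", "sc-status", "sc-substatus", "sc-win32-status",
    "sc-bytes", "cs-bytes", "time-taken",
]

# Constructed sample, not a real capture. W3C uses "-" for an empty value and
# "+" in place of spaces inside a value (e.g. user agents), so split() is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2023-10-18 12:00:01 EXAMPLEAPP GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(X11) - - example.azurewebsites.net 200 0 0 5120 410 37
2023-10-18 12:00:02 EXAMPLEAPP POST /login - 443 alice 203.0.113.10 Mozilla/5.0+(X11) - https://example.azurewebsites.net/ example.azurewebsites.net 401 0 0 812 530 12
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Return one dict per entry, keyed by the names in the #Fields directive.

    Raises ValueError for an entry that precedes any #Fields line or whose
    column count differs from the directive, so a malformed line is rejected
    instead of having its values silently attributed to the wrong fields.
    """
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # a later directive may change the layout
            continue
        if line.startswith("#"):
            continue                                   # #Software, #Version, #Date, ...
        if fields is None:
            raise ValueError(f"line {lineno}: entry before any #Fields directive")
        cols = line.split()
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        records.append(dict(zip(fields, cols)))
    return records


def missing_fields(text: str) -> List[str]:
    """Names from REQUIRED_FIELDS that the log's #Fields directive does not declare."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            declared = set(line[len("#Fields:"):].split())
            return [f for f in REQUIRED_FIELDS if f not in declared]
    return list(REQUIRED_FIELDS)          # no directive at all: everything is missing


def failed_logins(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries that hit /login and got a 4xx status, the kind of thing a rule keys on."""
    return [r for r in records
            if r["cs-uri-stem"] == "/login" and r["sc-status"].startswith("4")]
```

Running missing_fields over a log exported from a web app before creating the collection job is a quick way to confirm that the field selection in the Azure portal matches the list above; a log whose directive lacks fields such as c-ip or cs-username still parses, but the resulting events carry less context.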

Unlike the other supported Azure logs, the USM Anywhere Sensor does not perform an
automatic discovery job for Web Apps to look for the storage location. If you want USM
Anywhere to collect the log data for your Web Apps, you must create a new log job and
specify the storage location parameters.


When you configure the new job, set the App Action option to Process Azure Web Apps
Logs. You must also specify the Resource Group, Storage Account, and Blob Container for
the custom log collection job. See Create a New Azure Log Collection Job for more
information about creating a new Azure log collection job.

Azure Windows Logs

Warning: If there are network restrictions in your environment restricting access to the
storage account, those restrictions must allow access to the sensor.

For individual VMs running Microsoft Windows with Azure diagnostics enabled, Azure stores
the Windows Events logs by default. USM Anywhere automatically detects these logs through
Azure APIs and Azure SDKs. When it detects Azure Storage container locations with Azure
Windows logs, USM Anywhere creates a default log collection job for each. When you
complete the Log Collection step for your Azure Sensor setup, you can enable these default
jobs, which run every five minutes.

If you want to supplement this automatic Azure log collection in USM Anywhere, you can
create an additional Azure Windows log collection job.


When you configure the new job, set the App Action option to Process Azure Windows Logs.
You must also specify the Resource Group, Storage Account, and Blob Container for the
custom log collection job. See Create a New Azure Log Collection Job for more information
about creating a new Azure log collection job.

Enable Diagnostics for Azure Web Apps

Role Availability: Read-Only, Investigator, Analyst, Manager

If you have Azure Web Apps running in your Azure environment, you can enable diagnostics
logging for these web apps in the Azure console and then create log collection jobs in USM
Anywhere to retrieve and process the log data.

The Azure App Service web apps provide diagnostic functionality for logging information
from both the web server and the web application. It logically separates this into web server
diagnostics and application diagnostics. When you enable this feature in Azure, you specify a
log data storage account and container for each of these. See the Microsoft Azure
documentation at https://docs.microsoft.com/en-us/azure/app-service/web-sites-enable-diagnostic-log
for more information.


To enable diagnostics for your Azure Web App

1. Log in to your account at https://portal.azure.com/.


2. Go to your Azure Web App and select Settings > Diagnostics logs.

3. For Application Logging (Blob), click On and set the parameters:

• Set the Level for the logging.

• For Storage Settings, click > and select the Storage Account and Container.

This is the storage account and container that Azure will use to store logs for the Web
App. Make note of this information because you will need it to set up a log collection
job in USM Anywhere. You can click + Storage Account to create a new storage
account or container, or select an existing one.

4. For Web server logging, select Storage.

5. Click Storage Settings and select the same storage account and container that you set
for the application logging.

6. Click Save.

Create a New Azure Log Collection Job


Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere automatically creates log collection jobs for Azure Monitor and security logs.
It also creates jobs for Internet Information Services (IIS), Microsoft Azure SQL Server, and
Microsoft Windows if it detects storage locations for these log types. When you complete the
Log Collection step for the Azure Sensor, you can enable these default jobs. You can review
these jobs and their history in the Scheduler, but you cannot modify the parameters of these
default jobs.

Note: What an Azure log job collects depends on whether you granted contributor
permissions to one of your resources or to your entire Azure subscription for the USM
Anywhere application. Depending on the Azure credentials configured for the deployed
Azure Sensor, the sensor could have access to individual resource groups or the whole
subscription. See Creating an Application and Obtaining Azure Credentials for more
information.

To supplement the automatic Azure log collection in USM Anywhere and to set up log
collection for Azure Web Apps, add new Azure log collection jobs.

Important: Before your scheduled jobs can collect logs, you may also have to perform
specific configuration steps outside of USM Anywhere in your environment. See Collect
Azure Resource Logs for detailed descriptions of the configuration steps your
environment might require.

To schedule a new job to collect and process Azure logs

1. Go to Settings > Scheduler.

2. In the left navigation menu, click Log Collection.

Note: You can use the Sensor filter at the top of the list to review the available log
collection jobs on your Azure Sensor.

3. Click Create Log Collection Job.


Note: If you have recently deployed a new USM Anywhere Sensor, it can take up to
20 minutes for USM Anywhere to discover the various log sources. After it discovers
the logs, you must manually enable the Azure log collection jobs you want before
the system collects the log data.

The Schedule New Job dialog box opens.


4. Enter the name and description for the job.

The description is optional, but it is a best practice to provide this information so that
others can easily understand what it does.

5. Select Sensor as the source for your new job.


6. In the Select App option, select Azure.


7. In the App Action option, select the action for Azure log type that you want to schedule
for collection.

See Collect Azure Resource Logs to review details about the Azure log types that USM
Anywhere can collect.

8. Depending on the selected app action (log type), specify the Resource Group, Storage
Account, and Container for the logs.

You can obtain this information by logging into the Azure console and reviewing the
configuration for your diagnostic and storage resources.


Note: For Azure IIS logs, Azure Web Apps logs, and Azure Windows logs, you must
specify a binary large object (BLOB) container used for the log storage. For the
Azure SQL Server log type, you must specify the table container used for the log
storage.

The Azure SQL Server job is deprecated. Use the Event Hub Integration to collect
Azure SQL Server logs. See Collect Logs from Azure Event Hubs for more
information.

9. In the Schedule section, specify when USM Anywhere runs the job:

a. Select the increment as Minute, Hour, Day, Week, Month, or Year.

Warning: After a frequency change, monitor the system to check its
performance. For example, you can check the system load and CPU. See USM
Anywhere System Monitor for more information.

b. Set the interval options for the increment.

The selected increment determines the available options. For example, on a weekly
increment, you can select the days of the week to run the job.


Or on a monthly increment, you can specify a date or a day of the week that occurs
within the month.

Important: USM Anywhere restarts the schedule on the first day of the month if
the option "Every x days" is selected.

c. Set the start time.

This is the time that the job starts at the specified interval. It uses the time zone
configured for your USM Anywhere instance (the default is Coordinated Universal
Time [UTC]).

10. Click Save.

Collect Logs from Azure Event Hubs

Role Availability: Read-Only, Investigator, Analyst, Manager

Microsoft Azure Event Hubs is a data and event processing service for Microsoft Azure. The
integration between USM Anywhere and Azure Event Hubs enables the Azure Sensor to
receive and process information from an event hub so that you can manage it in your USM
Anywhere environment.

Warning: To process and display the custom events received from Azure Event
Hubs as generic events, USM Anywhere needs these custom events in a specific format: a
JSON object in which the "records" key holds an array of event objects. For example:
{ "records": [ {<event-content>} ] }.
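As an added example (not code from this guide or from USM Anywhere), the following Python builds the envelope described in the warning for a batch of custom events and checks a received message body against it, naming the reason when the body is not in the expected shape. The event contents, their field names and the malformed bodies are constructed for illustration.

```python
"""Build and check the {"records": [...]} envelope for custom Azure Event Hubs events.

Added example; not code from the USM Anywhere product or guide. It packs custom
events into the shape the guide says the sensor needs to treat them as generic
events, and rejects the shapes it would not. The sample events are constructed.
"""
import json
from typing import Any, Dict, Iterable, List, Optional


def wrap_records(events: Iterable[Dict[str, Any]]) -> str:
    """Serialise a batch of event objects as one message body: {"records": [...]}."""
    records = list(events)
    for i, ev in enumerate(records):
        if not isinstance(ev, dict):
            raise TypeError(f"record {i} is {type(ev).__name__}; each record must be a JSON object")
    return json.dumps({"records": records}, separators=(",", ":"))


def extract_records(body: str) -> List[Dict[str, Any]]:
    """Parse a received message body and return its records.

    Raises ValueError for any shape outside the envelope rule: non-JSON text, a
    top level that is not an object, a missing "records" key, a "records" value
    that is not an array, or an array element that is not an object.
    """
    try:
        payload = json.loads(body)
    except ValueError as exc:                 # json.JSONDecodeError subclasses ValueError
        raise ValueError(f"body is not valid JSON: {exc}") from None
    if not isinstance(payload, dict):
        raise ValueError("top level must be a JSON object")
    records = payload.get("records")
    if not isinstance(records, list):
        raise ValueError('"records" key missing or its value is not an array')
    for i, rec in enumerate(records):
        if not isinstance(rec, dict):
            raise ValueError(f"records[{i}] is not a JSON object")
    return records


def envelope_problem(body: str) -> Optional[str]:
    """None if the body is acceptable, otherwise the reason it is not."""
    try:
        extract_records(body)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample events from a hypothetical custom application.
SAMPLE_EVENTS = [
    {"time": "2023-10-18T12:00:00Z", "category": "CustomAudit",
     "operationName": "SecretRotated", "resultType": "Success", "callerIp": "203.0.113.10"},
    {"time": "2023-10-18T12:00:05Z", "category": "CustomAudit",
     "operationName": "SecretRotated", "resultType": "Failure", "callerIp": "203.0.113.11"},
]

# Bodies a naive producer might send; none of them satisfies the envelope rule.
BAD_BODIES = {
    "bare_object": json.dumps(SAMPLE_EVENTS[0]),          # event without the envelope
    "bare_array": json.dumps(SAMPLE_EVENTS),              # array at the top level
    "wrong_key": json.dumps({"events": SAMPLE_EVENTS}),   # key is not "records"
    "not_an_array": json.dumps({"records": SAMPLE_EVENTS[0]}),
    "not_json": "time=2023-10-18T12:00:00Z category=CustomAudit",
}
```

A producer that uses wrap_records on every batch cannot emit the bare-object or bare-array shapes, which are the usual cause of custom events failing to appear as generic events; envelope_problem is useful in a pre-flight check before enabling Process Generic Events on the sensor.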

Important: Be sure to review the Azure requirements page for any environmental
requirements specific to Azure Event Hubs before implementing the streaming of your
logs to Azure Event Hubs.


The Azure Sensor can process different types of logs sent through Azure Event Hubs,
including but not limited to the following:

• Azure Active Directory (AD) logs, including audit logs and sign-in logs
• Azure Application Gateway logs
• Azure Monitor logs
• Azure SQL Database logs
• Microsoft Defender Advanced Threat Protection (ATP) logs
• Microsoft Intune logs

Important: The Azure Sensor will need to be connected to ports 5671 and 5672 in order
to integrate with Azure Event Hubs.

Stream Logs to Azure Event Hubs

Before configuring the Azure Event Hubs integration in USM Anywhere, you must stream the
logs you want to be analyzed to Azure Event Hubs. Make sure to stream your logs to the
same event hub, because each Azure Sensor can only collect from a single event hub.

To stream logs to Azure Event Hubs

1. Log in to the Azure portal.


2. Create an event hub. See Microsoft Azure Quickstart: Create an event hub using Azure
portal for instructions.

3. Go to the event hub you just created and click Shared Access Policies in the sidebar.

4. Create or edit a policy, and then select Manage, Send, and Listen. Streaming to Event
Hubs requires these permissions.

5. Copy the connection string listed in the policy under Connection String–Primary Key.

Note: You will need to enter this string when configuring the Event Hubs connection
in USM Anywhere.

6. Configure streaming for the logs you want to collect. For example:

Note: Make sure to enable Stream to an event hub and select the Event Hub you just
created as the destination.


• Azure AD logs: See Stream Azure Active Directory Logs to an Azure Event Hub for
instructions from Microsoft.
• Azure Application Gateway logs: See Enable Logging for Application Gateway for
instructions from Microsoft.
• Azure Monitor logs: See Create Diagnostic Settings to Send Logs for instructions
from Microsoft.
• Azure SQL Database logs: See Set up auditing for your database for instructions
from Microsoft. Make sure to select Event Hub as the destination.
• Microsoft Defender ATP logs: See Configure Microsoft Defender ATP to stream
Advanced Hunting events to your Azure Event Hubs for instructions from Microsoft.
• Microsoft Intune logs: See Send log data to storage, event hubs, or log analytics in
Intune for instructions from Microsoft.

Set Up Azure Event Hubs Connection in USM Anywhere

After completing the initial setup of your Azure Event Hubs, return to your USM Anywhere
Sensors page to enable the Azure Event Hubs connection in USM Anywhere.


To enable Azure Event Hubs in USM Anywhere

1. Go to Data Sources > Sensors, and then open the Azure Sensor.

2. Click the Configuration tab.

3. Complete the three fields:


• Event Hub Name: The name of the event hub created during initial setup.

• Event Hub Connection String: A string containing unique configuration data about
your Azure Event Hubs implementation. This is the connection string that was copied
under Connection String–Primary Key in the Stream Logs to Azure Event Hubs procedure.

• Event Hub Consumer Group: The name of your Event Hubs consumer group. You can
locate this name by opening your Event Hubs overview in the Azure portal and
scrolling to the bottom of the page.

4. (Optional.) Select Process Generic Events to collect events for which USM Anywhere
currently does not have a parser. These events will display as "GENERIC event" under
Activity > Events.

5. Click Save.

6. Click the Event Hub tab to check the connection status and the number of events
processed by each data source.

Viewing Azure Event Hubs Connectivity in USM Anywhere

The Event Hub tab on the Azure Sensor page provides a glimpse into the health of your
sensor's connection to Azure Event Hubs. This page contains the name of your event hub, its
connectivity status, and the number of events being processed by USM Anywhere.

To view your Azure Event Hubs connection

1. Go to the Sensors page, and then open your Azure Sensor.


2. Click the Event Hub tab.

These are the connectivity statuses you may see:


• Connecting: Azure Event Hubs is currently connecting to the sensor.
• Processing: Azure Event Hubs is successfully connected.
• Shutting Down: Azure Event Hubs has begun the shutdown process to allow a different
event hub to connect to the sensor.
• Shutdown: The sensor is not currently connected to an event hub.
• Error: The connection has experienced an error.


Rules Management
Every networked environment generates thousands of logs from assorted systems. USM
Anywhere enables you to manage those logs and, through the use of rules, you can prevent
and frustrate attacks. The management of the different USM Anywhere rules helps you to
make the most of your environment.

Keep in mind that setting up a rule base is an iterative process. That means it happens
relatively slowly and needs to be tuned over a period of time. There are always new attacks
and new indicators to monitor.

USM Anywhere includes these rules:

• Correlation rules: These are predefined rules, which are developed by AT&T Cybersecurity.
See Correlation Rules for more information.
• Orchestration rules: You can create and customize these rules to add specific policies for a
particular event or alarm. See Orchestration Rules for more information. These are the
orchestration rules:
    • Suppression rules: Use these rules to suppress events or alarms that create noise in
    your system. See Suppression Rules from the Orchestration Rules Page for more
    information.
    • Filtering rules: Use these rules to make the sensor drop future events that match the
    rule. See Filtering Rules from the Orchestration Rules Page for more information.
    • Alarm rules: Use these rules to identify existing and emerging threats. See Alarm Rules
    from the Orchestration Rules Page for more information.
    • Notification rules: Use these rules to create your own rules and receive notifications.
    See Notification Rules from the Orchestration Rules Page for more information.
    • Response action rules: Use these rules to respond to an event or an alarm by running
    an AlienApp. See Response Action Rules from the Orchestration Rules Page for more
    information.


Orchestration Rules

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to create and manage your own orchestration rules. Keep in mind
that these rules verify whether they match with every new event coming into the system.

Warning: Orchestration rules only apply to future events and alarms.

Suppression rules that use the Contains, Match, or Match, case insensitive operators
apply to future events and alarms only, not to events and alarms already received during
the current day.

USM Anywhere includes these orchestration rules:

• Suppression rules: See Suppression Rules from the Orchestration Rules Page
• Filtering rules: See Filtering Rules from the Orchestration Rules Page
• Alarm rules: See Alarm Rules from the Orchestration Rules Page
• Notification rules: See Notification Rules from the Orchestration Rules Page
• Response action rules: See Response Action Rules from the Orchestration Rules Page

Note: USM Anywhere follows a specific order for applying orchestration rules. See
Orchestration Rules Workflow for more information.

The order of the conditions is significant because USM Anywhere follows a specific order
when it evaluates the rule conditions, reading them from left to right. If your rule
includes the packet_type and plugin_device fields, these should always occur first in the
order.

You can also create orchestration rules from the details of an event or alarm. The
functionality works the same way and the dialog box is similar when you are creating a rule
either from a detail page of an event or alarm or from the settings page.

Important: The easiest way to configure an orchestration rule is from the Alarm and the
Events details pages. See Creating Notification Rules from the Alarms Page, Creating
Alarm Rules from the Events Page, and Creating Notification Rules from the Events Page
for more information.

See Example: Creating an Orchestration Rule if you want to see an example of an
orchestration rule.


AlienApp™ Orchestration Rules


Some of the AlienApps available in USM Anywhere enable you to automate and orchestrate
response actions in third-party security tools, which simplifies and accelerates your threat
detection and incident response processes. With a configured integration, these AlienApps
include support for app actions in orchestration rules:

• The AlienApp for Carbon Black Endpoint Detection and Response (EDR)
• The AlienApp for Cisco Umbrella
• The AlienApp for Palo Alto Networks PAN-OS

The USM Anywhere™ AlienApps™ Guide provides detailed information about creating
orchestration rules for a configured AlienApp.

Orchestration Rules Workflow

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere follows a specific order for applying orchestration rules:

1. Filtering rules: These rules are essential to control the traffic of your events. USM
Anywhere does not process nor save events that match a filtering rule.

2. Suppression rules: USM Anywhere saves the events that match a suppression rule, but
does not correlate these suppressed events. By default, USM Anywhere hides these
suppressed events. If you want to see these events, click Suppressed in the Search & Filters
area. The table displays suppressed events along with all events. See To only display the
suppressed events if you want to display just the suppressed events.

3. Notification, alarm, and response action rules: USM Anywhere processes and
correlates all events that match one of these rules.

All orchestration rules, including event filtering rules, are processed on the USM Anywhere
Service (control node). USM Anywhere Sensor only processes event filtering rules. Event
filtering rules are reapplied on the control node because event enrichment for the event on
the control node can modify or add to event details with items not found on the sensor
during normalization.

This diagram summarizes the workflow of orchestration rules:


Orchestration Rules Best Practices

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to create and customize your own orchestration rules to
conform with your company's cybersecurity practice, but a poorly-written rule can easily
overwhelm the sensor, fill up storage, or even crash the system. Therefore, AT&T
Cybersecurity recommends the following best practice guideline for creating orchestration
rules.

General Guideline
When creating an orchestration rule, you must specify an item you want to match and your
matching criteria. Depending on the type of rule, the matching item can be alarms, logs
(events), configuration issues, vulnerabilities, system events, or console user events. Your
matching criteria is called rule conditions in USM Anywhere. Each rule condition contains three
parts: a field, an operator, and a value.


Ensure that all fields referenced by your rule are present in the item you are matching against;
otherwise, your rule won't be evaluated and, therefore, won't be applied. See Orchestration
Rule Validation for more information.

Carefully decide whether to suppress alarms or events. Suppression rules are useful for
suppressing false positives, but you must take care not to suppress true positives. Once an
alarm or event is suppressed, all subsequent correlation or orchestration rule activity is
terminated for that event or alarm, and it will not trigger any notifications.

Since alarms are raised from events, it's more efficient to suppress events when they are
deemed unimportant so that alarms won't be generated. If you want to keep the events but
don't need the alarms, you can filter the alarms to prevent them from being processed any
further.

Best Practice on Rule Conditions


As you add different conditions to your rule, USM Anywhere converts them into query strings
and displays them in the same order as added under Current Rule.

When USM Anywhere evaluates these conditions, it processes them from left to right and
stops as soon as the outcome of the rule is determined. Any rule criteria after that point are
discarded; the rule action is taken if the outcome is true and dropped if it is false.

For example, the following rule is always false:

packet_type == 'log' AND source_username == 'Bill' AND source_username == 'Bob' AND...

On the other hand, depending on the packet type, the following is always true because the
rule evaluates to true and the rule action is always taken:

packet_type == 'log' OR '<any_criteria>' is always true for every event item.

packet_type == 'alarm' OR '<any_criteria>' is always true for every alarm item.


Consequently, AT&T Cybersecurity provides the following best practice guideline for rule
conditions:

l To ensure efficient processing, all rules should contain at least two conditions, one for
packet_type and the other for plugin.

packet_type is the internal field name for the item you are matching against, while plugin
is the internal field name for Data Source.

l Place the most restrictive condition immediately after Data Source to save time processing
the conditions.
l Use Equals for string comparison (case sensitive) as much as possible because it consumes
the least resources.
l Evaluate your conditions carefully (from left to right) to make sure that the rule isn't
always true or always false.

For example, the following rule is always false:

packet_type == 'log' AND plugin == 'Linux SSH' AND access_control_outcome == 'Deny' AND
source_username IN ('VALUE_1', 'VALUE_2', 'VALUE_3') AND access_control_outcome == 'Allow'

On the other hand, a rule with the following conditions is always true:

packet_type == 'log' OR packet_type != 'log'

Important: While always-true conditions are ineffective for most rules, they can be
detrimental in Filtering Rules because the sensor will discard all the events when
applying such a rule. Discarded events cannot be recovered. See How can I Test an
Orchestration Filtering Rule? for more information on how to validate a Filter Rule
before it is enabled.

l Reduce the total number of rules. Avoid having multiple rules with the same conditions to
reduce resource consumption.

For example, if there are the following two rules:

Rule 1:

packet_type == 'log' AND plugin == 'Linux SSH' AND access_control_outcome == 'Deny' AND
source_username == 'VALUE_1'

Rule 2:

packet_type == 'log' AND plugin == 'Linux SSH' AND access_control_outcome == 'Deny' AND
source_username == 'VALUE_2'

It's better to combine them into one rule:

packet_type == 'log' AND plugin == 'Linux SSH' AND access_control_outcome == 'Deny' AND
source_username IN ('VALUE_1', 'VALUE_2')

l Do not add extra fields or conditions in the rule that have no bearing on the result. For
example:

packet_type == 'log' AND plugin == 'Linux SSH' AND event_name == 'PAM authentication failure' AND
access_control_outcome == 'Deny' AND authentication_type == 'pam_unix'

The last condition is unnecessary because all SSH attempts use pluggable authentication
modules (PAM) for authentication.

Best Practice on Rule Operators


USM Anywhere supports a wide range of operators when creating orchestration rules. Some
operators require more resources to process than others; therefore, AT&T Cybersecurity also
provides some guidelines on choosing the best operators for your rules:

l Always use case sensitive comparators where available.

Equals, Not Equals, Contains, Assign or Equals, In, Match, In List, and Not In List offer both
case-sensitive and case-insensitive comparisons.

l If you want to match a specific string, use Equals instead of Contains.

Use:

packet_type == 'log' AND plugin == 'Linux SSH'

Do not use:

packet_type == 'log' AND plugin contains 'Linux SSH'

l Use IN instead of multiple Equals and OR combinations for the same field.

Use:

packet_type == 'log' AND plugin == 'Linux SSH' AND access_control_outcome == 'Deny' AND
source_username IN ('VALUE_1', 'VALUE_2', 'VALUE_3')

Do not use:

packet_type == 'log' AND plugin == 'Linux SSH' AND access_control_outcome == 'Deny' AND
(source_username == 'VALUE_1' OR source_username == 'VALUE_2' OR source_username == 'VALUE_3')

l Use a Correlation List and the In List operator where possible. For example:

packet_type == 'log' AND plugin == 'Linux SSH' AND access_control_outcome == 'Deny' AND
source_username -> [[Values_List]])

Note: You can't use correlation lists in filtering rules.

l If you want to match a field with no values, use the Is Empty operator.

This is how the AlienVault Generic Data Source events are identified. Search for events
where the Data Source field is empty. The AlienVault Generic Data Source is not a valid
data source name. Use it as plugin == "" for the Data Source Event field, which means
that the data source is empty. See USM Anywhere Rules - Use of "AlienVault Generic Data
Source" in Orchestration Rules for more information.

l Use Contains instead of Match.

The Match operator requires a valid regular expression (regex) as the value.
Using a malformed regex to search a large raw log can cause performance
degradation. If you have to use Match, form a simple regex and place this
condition as the last one in your rule.

l Avoid using OR, OR NOT, and AND NOT operators unless absolutely necessary. It's very
easy to create always-true or always-false conditions when using these operators.

l Do not use packet_payload event detail for rule criteria because the rule will not validate
as true. Use raw log event details if you need them, which consist of the packet syslog
header followed by the packet payload data. The use of this event detail generates a
warning message in the rules user interface (UI) views. Specify packet type==log to have
a valid rule. Alarm rules do not have access to this data field and will never validate as true.

Important: Don't use packet type==alarm for a filter rule. Alarms can't be filtered
out. Use packet type==log.
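The condition and operator guidelines above (a rule is not evaluated when a referenced field is absent, conditions are processed left to right and stop at the first false one, IN replaces Equals/OR chains, contradictory Equals conditions make a rule always false, and a value containing regex characters belongs under Match) can be checked against sample events before a draft rule is entered in the product. The following Python model is an added example and is not USM Anywhere code: the event field names, sample events, operator labels and lint checks are constructed for illustration, and Python's re module stands in for the Java regex engine the product uses, so regex dialect differences are not modelled.

```python
"""Toy model of orchestration-rule condition evaluation (added example,
not USM Anywhere code). Field names, sample events and lint checks are
constructed for illustration."""
import ipaddress
import re


def _match_regex(actual, pattern):
    # The guide requires Match values to be delimited with "/" and supports
    # no /i, /m, /s or /x modifiers. Python's re stands in for the product's
    # Java regex engine here, so dialect differences are not modelled.
    if len(pattern) < 2 or pattern[0] != "/" or pattern[-1] != "/":
        raise ValueError("Match value must be delimited with '/': %r" % pattern)
    return re.search(pattern[1:-1], actual) is not None


# Operator labels follow the user guide's operator table (subset).
OPERATORS = {
    "Equals": lambda a, v: a == v,
    "Equals, case insensitive": lambda a, v: a.lower() == v.lower(),
    "Not Equals": lambda a, v: a != v,
    "Contains": lambda a, v: v in a,
    "In": lambda a, v: a in v,
    "Is Empty": lambda a, v: a == "",
    "Is Not Empty": lambda a, v: a != "",
    "Is In CIDR": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v, strict=False),
    "Match": _match_regex,
}


def evaluate_rule(conditions, event):
    """Evaluate AND-joined (field, operator, value) conditions left to right.

    Returns True (action taken), False (dropped at the first false condition)
    or None (rule not evaluated because a referenced field is missing)."""
    for field, op, value in conditions:
        if field not in event:
            return None
        if not OPERATORS[op](event[field], value):
            return False
    return True


def lint_rule(conditions):
    """Flag the pitfalls the best-practice guideline calls out."""
    warnings = []
    fields = [f for f, _, _ in conditions]
    if "packet_type" not in fields or "plugin" not in fields:
        warnings.append("rule should contain packet_type and plugin conditions")
    equals_seen = {}
    for field, op, value in conditions:
        if op == "Equals":
            # Two different Equals values on one field under AND can never both hold.
            if field in equals_seen and equals_seen[field] != value:
                warnings.append("always false: %s == %r AND %s == %r"
                                % (field, equals_seen[field], field, value))
            equals_seen.setdefault(field, value)
        if op != "Match" and any(c in str(value) for c in "*+[]"):
            warnings.append("value %r looks like a regex but operator is %s"
                            % (value, op))
    return warnings


# Constructed sample events, not real USM Anywhere records.
EVENTS = [
    {"packet_type": "log", "plugin": "Linux SSH", "access_control_outcome": "Deny",
     "source_username": "VALUE_2", "source_address": "10.0.0.7"},
    {"packet_type": "log", "plugin": "Linux SSH", "access_control_outcome": "Allow",
     "source_username": "VALUE_1", "source_address": "10.0.0.8"},
    # Linux SSH event without access_control_outcome: the rule is skipped, not false.
    {"packet_type": "log", "plugin": "Linux SSH", "event_name": "session opened",
     "source_address": "192.168.5.9"},
]

# The guide's combined rule: one IN instead of two rules or an OR chain.
COMBINED_RULE = [
    ("packet_type", "Equals", "log"),
    ("plugin", "Equals", "Linux SSH"),
    ("access_control_outcome", "Equals", "Deny"),
    ("source_username", "In", ("VALUE_1", "VALUE_2")),
]

# The guide's always-false rule: Deny AND Allow on the same field.
ALWAYS_FALSE_RULE = COMBINED_RULE[:3] + [("access_control_outcome", "Equals", "Allow")]


def apply_to_events(conditions, events=EVENTS):
    """Outcome of one rule over every sample event, in order."""
    return [evaluate_rule(conditions, e) for e in events]
```

Running apply_to_events(COMBINED_RULE) yields True, False and None for the three sample events: the third event is skipped rather than rejected because it lacks the field the third condition references, which is the behaviour the guide describes under Orchestration Rule Validation. lint_rule(ALWAYS_FALSE_RULE) reports the contradictory Deny/Allow pair before the rule is ever saved.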

Orchestration Rules Page Overview

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to manage your own orchestration rules. To view orchestration
rules, go to Settings > Rules. The All Orchestration Rules page opens. The page displays the
list of rules and includes these parts:


l At the top of the page, you can see a banner if there is at least one rule that has errors.
This yellow banner recommends reviewing and fixing any rules with errors. Errors can
impact system stability and must be reviewed immediately.
l Below the banner, you can see the filters that you can apply. You can filter by name, by rule
status, and by orchestration rule.
l The main part of the page is the list of rules, where each row describes an individual rule.
You can enable, disable, edit, and delete a rule. You can also choose a rule by selecting the
checkbox to the left of the rule. Select all rules at the same time by selecting the first
checkbox in the column. Enable ( ) and disable ( ) rules by using the buttons below
the enabled column. You can also see the details of a rule by clicking it. The icon is
available for the Event Suppression and Create an Alarm rows.

The following table lists the columns you see on the page.

Columns on the All Orchestration Rules page

Column          Description
Name            Name of the rule.
Rule Status     Status notification of the rule. Each rule is classified by its severity. Values
                are (in increasing severity): info, warning, and error.
Type            Type of rule.
Conditions      Conditions applied by the rule.
Last Modified   Date and time at which the rule was last modified.
Triggered       Column displays when you apply an All Orchestration Rules filter. If you have
                filtered by Alarm rules, the number below the column indicates the times that
                rule has triggered an alarm. If you have filtered by any other rule, the number
                indicates the hits value, how often a rule has matched its criteria against an
                event.
Enabled         Icons to enable or disable the rule.
(icon)          Icons to edit or delete the rule.
(icon)          Icon available for the Event Suppression and Create an Alarm rows. Depending on
                the selected option, the Events List View page or the Alarms List View page
                opens.

Orchestration Rules Details


USM Anywhere provides visibility on how your rules behave. Click any rule on the All
Orchestration Rules page to display the details.


Note: The default time range for the trend chart is 24 hours. You can click Last Hour,
Last Day, or Last 7 Days to change the time range.

You can see the following information:

l Evaluations vs. Hits: This graph shows the progress of the rule triggers over the last 7
days, 24 hours, or 1 hour.
l All Systems: This combo box displays when you have expanded a filtering rule. Choose
between the control node or the sensor. Choose the All Systems option if you want to
display the data of both control node and sensor.

l Average Duration: Average time it takes (in milliseconds) to evaluate the rule.
l Evaluations: How many times a rule has been evaluated.
l Alarms Triggered: How many times the rule has executed the associated action. This
number might be different than Hits if the rule has a mute period assigned.

Important: This field only displays when you have expanded an alarm rule.

l Total Evaluation Rate: How often the rule is evaluated against the total number of items.
The item can be alarms, events, configuration issues, vulnerabilities, system events, or
console user events. Rules are only evaluated if the item contains all the fields specified in
the rule criteria, so providing detailed criteria might improve the performance.
l Hits: How many times a rule has matched its criteria against an event.
l Created: The date of creation and email of the user.
l Updated: The date of the update and email of the user.
l Rules Status: Status notification of the rule. Each rule is classified by its severity. Values
are (in increasing severity): info, warning, and error.
l Rules History: This table shows the user who has made an action related to an
orchestration rule, the action, and the date of creation.

Orchestration Rules Management


USM Anywhere enables you to manage your own orchestration rules from the All
Orchestration Rules page.


To filter orchestration rules by name

1. Go to Settings > Rules.


2. Click the box next to Filter By.
3. Enter your search.

To filter orchestration rules by rule status

1. Go to Settings > Rules.


2. Click the combo box next to Rule Status.
3. Select All Rules, Enabled, or Disabled.

To edit an orchestration rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to edit.

3. Modify the data of the items that need to be modified.


4. Click Next.
5. Click Save.

To delete an orchestration rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to delete.

3. Confirm by clicking Accept.

To enable an orchestration rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to enable.

To disable an orchestration rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to disable.


To enable all orchestration rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Enable All Rules.

To disable all suppression rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Disable All Rules.
4. Confirm by clicking Accept.

To show triggered alarms rules or suppressed events

1. Go to Settings > Rules to open the All Orchestration Rules page.


2. In the row, click the icon.

This icon is available for the Event Suppression and Create an Alarm rows.

Depending on the selected option, the Events List View page or the Alarms List View page
opens. The page includes Rules Name as a filter so that you can see how many alarms or
events match the selected rule.

Orchestration Rules Creation

Role Availability Read-Only Investigator Analyst Manager

Before creating an orchestration rule, it is necessary to understand what an orchestration


rule is, the different orchestration rules you can create, and how an orchestration rule
operates. See Orchestration Rules Workflow and Orchestration Rules Best Practices before
creating an orchestration rule.

There are two ways of creating an orchestration rule:

l From the detail of an alarm or event, select the create rule option.

l From the orchestration rules page, select the rule you want to create.


When orchestration rules are active, USM Anywhere inspects and validates them to show you
how well the rule is working. Be sure to check your rule's validation, and make recommended
or necessary changes to optimize the rule based on the validation status. See Orchestration
Rule Validation for more information.

To create an orchestration rule from an alarm or an event

1. Go to Activity > Alarms or Activity > Events.


2. Locate the alarms or events you want to include in the rule.
3. Click an alarm or event to see its details.
4. Click Create Rule:
l If you are displaying an alarm, you can choose between a suppression or a notification
rule.
l If you are displaying an event, you can choose between an alarm, filtering, notification,
or suppression rule.

5. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

The options vary depending on the selected rule.

7. Suggested property values are already provided to create a matching condition, but you
can add new property values by clicking Add Condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.


Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

8. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

9. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

10. Enter a name for the rule.


11. (Optional.) Enter a description for identifying this rule.
12. Depending on the selected rule, you should fill in different fields.

13. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.


l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

14. (Optional.) Click the box labeled Schedule Rule to configure a schedule within which this
rule will apply.
Modify these two options:
l Start Date and Time: Specify the date and time at which this rule will begin applying.
l End Date and Time: Specify the date and time at which this rule will stop applying.

If an otherwise matching event occurs outside of this set schedule, it will not be
considered a match and will not trigger an alarm.

15. (Optional.) If you choose to configure a schedule for this rule, you can also set it to recur
on a configured schedule.
Click the box labeled Set Recurrence Details to configure when and how frequently or on
which days this new rule will apply.


16. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

To create an orchestration rule from the orchestration rules page

1. Go to Settings > Rules and select the rule you want to create:
l Suppression Rule (see Suppression Rules from the Orchestration Rules Page for more
information)
l Filtering Rule (see Filtering Rules from the Orchestration Rules Page for more information)
l Alarm Rule (see Alarm Rules from the Orchestration Rules Page for more information)
l Notification Rule (see Notification Rules from the Orchestration Rules Page for more
information)
l Response Action Rule (see Response Action Rules from the Orchestration Rules Page
for more information)

2. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.


3. Select a packet type in the Match drop-down list.

The options vary depending on the selected rule.

4. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

5. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.


6. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

7. Enter a name for the rule.


8. (Optional.) Enter a description for identifying this rule.
9. Depending on the selected rule, you should fill in different fields.

10. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.


In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

11. (Optional.) Click the box labeled Schedule Rule to configure a schedule within which this
rule will apply.
Modify these two options:
l Start Date and Time: Specify the date and time at which this rule will begin applying.
l End Date and Time: Specify the date and time at which this rule will stop applying.

If an otherwise matching event occurs outside of this set schedule, it will not be
considered a match and will not trigger an alarm.

12. (Optional.) If you choose to configure a schedule for this rule, you can also set it to recur
on a configured schedule.
Click the box labeled Set Recurrence Details to configure when and how frequently or on
which days this new rule will apply.


13. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
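Occurrences and Length (steps 10 and 13 of the two procedures above) together define a sliding window, and the Schedule Rule options exclude events outside a date range; the guide's own example is three failed SSH logins within a five-minute window. The following Python model is an added example and not USM Anywhere code. It implements that window per source address, applies an optional Start/End schedule, and runs over a constructed sequence of events; the per-source key, the timestamps, and the decision to reset the window once a rule has triggered are choices made for this example, not documented product behaviour.

```python
"""Toy model of the Occurrences / Length threshold and the rule schedule
(added example, not USM Anywhere code). Events and timestamps are constructed."""
from collections import deque
from datetime import datetime, timedelta


def is_failed_ssh_login(event):
    # The conditions of the guide's example rule, expressed as a predicate.
    return (event.get("packet_type") == "log"
            and event.get("plugin") == "Linux SSH"
            and event.get("access_control_outcome") == "Deny")


class OccurrenceRule:
    """Fires when `occurrences` matching events for one key fall within `length`."""

    def __init__(self, matches, occurrences, length, start=None, end=None):
        if not 1 <= occurrences <= 100:          # the UI accepts 1 to 100
            raise ValueError("occurrences must be between 1 and 100")
        self.matches = matches
        self.occurrences = occurrences
        self.length = length                     # a timedelta
        self.start, self.end = start, end        # optional schedule bounds
        self._seen = {}                          # key -> deque of timestamps in window

    def feed(self, event, key):
        """Return True when this event completes the required number of occurrences."""
        ts = event["timestamp"]
        # An otherwise matching event outside the schedule is never a match.
        if (self.start and ts < self.start) or (self.end and ts > self.end):
            return False
        if not self.matches(event):
            return False
        window = self._seen.setdefault(key, deque())
        window.append(ts)
        while ts - window[0] > self.length:      # drop timestamps that aged out
            window.popleft()
        if len(window) >= self.occurrences:
            window.clear()                       # one trigger per completed burst (example choice)
            return True
        return False


T0 = datetime(2023, 10, 18, 9, 0, 0)             # constructed base time


def _ev(minutes, outcome, src="10.0.0.7"):
    # Constructed Linux SSH event, not a real USM Anywhere record.
    return {"timestamp": T0 + timedelta(minutes=minutes), "packet_type": "log",
            "plugin": "Linux SSH", "access_control_outcome": outcome,
            "source_address": src}


EVENTS = [
    _ev(0, "Deny"), _ev(1, "Deny"), _ev(2, "Deny"),        # burst: 3 denies in 2 minutes
    _ev(10, "Deny"), _ev(11, "Allow"), _ev(12, "Deny"),    # only 2 denies inside 5 minutes
    _ev(13, "Deny", src="10.0.0.9"),                       # different source, counted apart
]


def burst_rule(occurrences, minutes, start=None, end=None):
    return OccurrenceRule(is_failed_ssh_login, occurrences,
                          timedelta(minutes=minutes), start, end)


def triggered_indices(rule, events=EVENTS):
    """Indices of the events at which the rule triggered, keyed by source address."""
    return [i for i, e in enumerate(events) if rule.feed(e, e["source_address"])]


def demo():
    unscheduled = burst_rule(3, 5)
    # A schedule that ends one minute after T0: the third Deny falls outside it.
    scheduled = burst_rule(3, 5, start=T0, end=T0 + timedelta(minutes=1))
    return triggered_indices(unscheduled), triggered_indices(scheduled)
```

demo() returns ([2], []): without a schedule the rule triggers on the third Deny of the first burst and nowhere else, while the scheduled copy never reaches three occurrences because its End Date and Time cuts the burst short. Lowering Occurrences to 1 makes every Deny a trigger, which is the behaviour to expect from an alarm rule that has no threshold.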

Operators in the Orchestration Rules

USM Anywhere enables you to use operators in orchestration rules to match specific events
or alarms.

The following table lists the orchestration rule operators, their meanings, and an example for
each.


Orchestration Rules: Operators

Operator                            Meaning
Assign or Equal                     Checks whether a field is equal to a value in the list. If the
                                    value is not found, adds the value to the list.

                                    Note: USM Anywhere completes the value according to the
                                    field you have selected. The structure is always "var"
                                    followed by the field name. In the example above, the first
                                    condition assigns the destination IP address to
                                    [var_destination_address], a list of variables, and the
                                    second condition looks for the source IP address that equals
                                    a variable in the list. Essentially, when both conditions are
                                    met, you will see events or alarms whose destination IP
                                    address is the same as their source IP address.

                                    Note: Rules are only muted if the user/field matches a value
                                    in the variable list. If the user/field is not equal to a value
                                    found in the list, this operator acts as add to list.

                                    For example, source_username >> [user] mute length="6h"
                                    will trigger when user Bob is found, and will not trigger again
                                    for Bob in the next 6 hours. But when Mary meets the
                                    condition, it will alarm again, as "Mary" does not exist in the
                                    source_username list ["Bob"].

Assign or Equal, case insensitive   Assigns a value if empty. If the variable is populated it acts
                                    like Equals, ignoring case considerations.
Contains                            Checks for the presence of a substring in a string.
Contains, case insensitive          Checks for the presence of a substring in a string, ignoring
                                    case considerations.
Equals                              Compares the field to the specified value.
Equals, case insensitive            Compares the field to the specified value, ignoring case
                                    considerations.
Greater than                        Returns true if the left operand is greater than the right
                                    operand.
In                                  Searches for character and numeric values that are equal to
                                    one from a list of comma-separated values.
In, case insensitive                Searches for character and numeric values that are equal to
                                    one from a list of comma-separated values, ignoring case
                                    considerations.
In List                             Returns true if the value is included in the correlation list
                                    (see Example: Creating an Alarm Rule Using a Correlation
                                    List).
In List, case insensitive           Returns true if the value is included in the correlation list,
                                    ignoring case considerations.
Is Empty                            Finds elements that have an empty value (operates in the
                                    same way as Equals but matches against an empty string).
Is Not Empty                        Finds elements that do not have a value.
Is In CIDR                          Finds elements that are included in the given IP range (using
                                    CIDR notation).
Is Not In CIDR                      Finds elements that are not included in the given IP range
                                    (using CIDR notation).
Less than                           Returns true if the left operand is less than the right operand.
Match                               Finds elements that match a specified pattern using regular
                                    expressions.
Match, case insensitive             Finds elements that match a specified pattern using regular
                                    expressions, ignoring case considerations.
Not Equals                          Returns true when the specified field does not match the
                                    specified value.
Not Equals, case insensitive        Returns true when the specified field does not match the
                                    specified value, ignoring case considerations.

Using Regular Expressions in USM Anywhere

The Match and Match, case insensitive operators enable you to use regular
expressions (regex) to define a pattern to match the content of a field.


Important: USM Anywhere uses the Java Regular Expression Syntax, which is different
from JavaScript, Perl, GNU, and other flavors of regex, so be sure to read their
documentation and familiarize yourself with the differences.

It is highly recommended that you find and use a tool to test your regular expressions
before saving them into rules. Some popular examples include Java Regular Expression
Tester or RegexPlanet.

When using regular expressions in USM Anywhere, keep the following in mind:

l The expression pattern must be delimited with the forward slash "/" character. For
example:

/Router -.*/
l Use a backslash ("\") to escape special characters that would otherwise be interpreted as
regex syntax, which includes the "\" character itself. For example:

/C:\\Windows\\System\\.*/

Note: Since the backslashes are not used as literals in Java code, but are carried as
data in strings in the system, you do not need to double-escape them like you would
if you were putting a regex pattern into a Java literal in coding.

l You can use capture and grouping syntax such as \1, $1, or (?:).
l Modifiers such as /i, /x, /m, and /s are not supported.

Possible Messages When Creating Rules

When you are creating a rule, you may receive one or more of these messages.

Rules Messages

Message                                      This Message Is Displayed When
At least one criterion is required           Packet Type is the only criterion in the rule
besides packet type                          condition.
All condition fields must have a value       The condition value is missing.
Case insensitive operator does not           You selected a case insensitive operator and the
apply to numbers                             condition value is a number.
A regular expression must be used with       You selected the Match operator and the condition
"Match" operator (example: ~ /value/)        value has to be a valid regexp.
A variable expression must be used with      You selected the Assign or Equal operator and the
"Assign or Equal" operator                   condition value must be a valid variable name
(example: >> varname)                        between brackets.
Some characters used could be part of a      Your condition value contains *, +, [, or ], but the
regular expression (use "Match" operator)    Match operator is not selected.

Determining the Mapping of a Field

You can determine the mapping of a field by adding the request in the condition of an
orchestration rule. From an asset that has an assigned integration or from AlienApps, you can
determine the mapping between the property value and its property key. Once you know the
property key, you can add the field as a condition in your rule.

To determine the mapping of a field from AlienApps

1. Go to Data Sources > AlienApps > Available Apps.


2. Locate the integration.
3. Click the icon next to Data Sources Details.

4. Search the property key inside the text box and copy the property value that maps with
that property key.

Note: In this example the field is “customfield_11“. This is only for this integration;
the same field from another integration may be mapped to another field.

5. Go to Settings > Rules.


6. Select Create Orchestration Rule > Notification Rule.

7. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

8. Select a packet type in the Match drop-down list.

l Logs: Use this packet type for event-based rules.


l Configuration Issues: Use this packet type for configuration issues-based rules1.
l Vulnerabilities: Use this packet type for vulnerabilities-based rules.
l System Events: Use this packet type for system events-based rules.
l Console User Events: Use this packet type for console user events-based rules.
l Alarms: Use this packet type for console user alarms-based rules.
9. Click Add Conditions and paste the property value.

10. Choose an operator and enter the value.

1 This packet type refers to configuration issues that are used to identify incorrect uses of certain
features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of
the AWS security features.

Note: The fields found in the integration code may be different from the fields used
in the rule conditions. In the example, "customfield_11" is actually the "Custom Field
11" in rule conditions.

11. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

12. Enter a name for the rule.


13. (Optional.) Enter a description for identifying this rule.

14. Select a notification method:


l Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
(SNS) API call from the USM Anywhere server. There is no limit to the number of
Amazon SNS endpoint notifications sent. However, this method requires having an
Amazon Web Services (AWS) account for setup and use. The Amazon SNS allows the
first 1000 email notifications per month to fall into the free messaging tier. See Sending
Notifications Through Amazon SNS in the USM Anywhere Deployment Guide for
more information.
l Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment
Guide for more information.
l Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.

Note: The 200-email limit per rolling 24-hour period is counted per delivery, not per
recipient address. One rule that sends to several comma-separated addresses counts as
a single delivery, whereas several rules that each send email count separately.
Sensor-disconnect emails do not count against this limit because they are critical
and are sent only to users whose role is Manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

l PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
l Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

15. Modify these two options:


l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

For example, with Occurrences set to 5 and Length set to 3 hours, the rule matches
only when the configured conditions occur five times within a three-hour period.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

16. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

To determine the mapping of a field from assets

1. Go to Environment > Assets.


2. Locate the asset that has the integration assigned.
3. Next to the asset name, click the icon and select Full Details.

4. Click the Assigned Apps tab.


5. Click the icon next to Data Sources Details.

6. Copy all the text under the Data pane.

7. Search the copied text for the property key and copy the property value mapped to it.
For example, searching for the property key fromPort shows that it maps to
customfield_11.

Note: In this example the field is "customfield_11". This mapping is specific to this
integration; the same field in another integration may be mapped to a different
custom field.


8. Go to Settings > Rules.

9. Click Create Orchestration Rule > Notification Rules.

See Notification Rules from the Orchestration Rules Page for more information.

10. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

11. Select a packet type in the Match drop-down list.


l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issue-based rules. Con-
figuration issues identify incorrect uses of certain features; for example, the app for
AWS assesses your AWS configuration to identify insecure use of the AWS security
features.
l Vulnerabilities: Use this packet type for vulnerability-based rules.
l System Events: Use this packet type for system event-based rules.
l Console User Events: Use this packet type for console user event-based rules.
l Alarms: Use this packet type for alarm-based rules.
12. Click Add Condition and paste the property value.

13. Choose an operator and enter the value.

Note: The fields found in the integration code may be different from the fields used
in the rule conditions. In the example, "customfield_11" is actually the "Custom Field
11" in rule conditions.


14. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

15. Enter a name for the rule.


16. (Optional.) Enter a description for identifying this rule.

17. Select a notification method:

l Amazon SNS: This method requires the setup of the Amazon Simple Notification Ser-
vice (SNS) API call from the USM Anywhere server. There is no limit to the number of
Amazon SNS endpoint notifications sent. However, this method requires having an
Amazon Web Services (AWS) account for setup and use. The Amazon SNS allows the
first 1000 email notifications per month to fall into the free messaging tier. See Send-
ing Notifications Through Amazon SNS in the USM Anywhere Deployment Guide for
more information.
l Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deploy-
ment Guide for more information.
l Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.


Note: The 200-email limit per rolling 24-hour period is counted per delivery, not per
recipient address. One rule that sends to several comma-separated addresses counts as
a single delivery, whereas several rules that each send email count separately.
Sensor-disconnect emails do not count against this limit because they are critical
and are sent only to users whose role is Manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

l PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
l Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

18. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

For example, with Occurrences set to 5 and Length set to 3 hours, the rule matches
only when the configured conditions occur five times within a three-hour period.


These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

19. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Suppression Rules from the Orchestration Rules Page

Role Availability Read-Only Investigator Analyst Manager

About Suppression Rules

USM Anywhere includes suppression rules which enable you to manage false positive alarms
and events. After you have confirmed that these issues do not pose a security threat, create a
suppression rule to prevent them from displaying in the user interface (UI), and avoid noise in
your system.

Warning: Orchestration rules only apply to future events and alarms.

Suppression rules that use the Contains, Match, or Match, case insensitive
operators apply only to future events and alarms. They do not apply to events and
alarms already received in the current day, so the current-day catch-up of up to
10,000 events or alarms described below does not apply to them.

You can create a suppression rule from the details page of an event (Viewing Event Details) or
from the details page of an alarm (Viewing Alarm Details). This functionality works the same
way, and the Create Rule dialog box is similar when you are creating a rule either from a detail
page or from the system configuration window.

Important: The easiest way to configure a suppression rule is from the Events details
page (see Creating Suppression Rules from the Events Page) or from the Alarms details
page (see Creating Suppression Rules from the Alarms Page).


Note: USM Anywhere saves the events that match a suppression rule but does not
correlate them. By default, USM Anywhere hides these suppressed events. To see them,
click Suppressed in the Search & Filters area; the table then displays suppressed
events along with all other events. See To only display the suppressed events to show
suppressed events alone.

Note: The suppression rule you create applies to future items. It also applies to
items received in the current day, up to 10,000 events or alarms.

See Example: Creating a Suppression Rule for Sudo Events and Example: Creating a
Suppression Rule for VPC Flow Logs if you want to see an example of a suppression rule.

Managing Suppression Rules

USM Anywhere enables you to manage your own suppression rules from the All Orchestration
Rules page.

To create a suppression rule from the orchestration rules page

1. Go to Settings > Rules.


2. Select Create Orchestration Rule > Suppression Rules.

3. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.


4. Select a packet type in the Match drop-down list.

l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issue-based rules. Con-
figuration issues identify incorrect uses of certain features; for example, the app for
AWS assesses your AWS configuration to identify insecure use of the AWS security
features.
l Vulnerabilities: Use this packet type for vulnerability-based rules.
l Alarms: Use this packet type for alarm-based rules.
5. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: For country fields, use the ISO 3166 country code (for example, US), not the
country name.

Note: The Sources and Destinations fields match against the universally unique
identifier (UUID) recorded in the event or alarm, not a human-readable name. To
match by name, use the Source Name or Destination Name field instead.

Important: For array fields, AT&T Cybersecurity recommends the in or contains
operators instead of equals or equals, case insensitive.


Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

6. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

7. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

8. Enter a name for the rule.


9. (Optional.) Enter a description for identifying this rule.

10. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.


l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

For example, with Occurrences set to 5 and Length set to 3 hours, the rule matches
only when the configured conditions occur five times within a three-hour period.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

11. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

To filter suppression rules by name

1. Go to Settings > Rules.


2. Click the box next to Filter By.
3. Enter your search.

To filter suppression rules by rule status

1. Go to Settings > Rules.


2. Click the combo box next to Rule Status.
3. Select All Rules, Enabled, or Disabled.


To edit a suppression rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to edit.

3. Modify the data of the items that need to be modified.


4. Click Next.
5. Click Save.

To delete a suppression rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to delete.

3. Confirm by clicking Accept.

To enable a suppression rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to enable.

To disable a suppression rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to disable.

To enable all suppression rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Enable All Rules.

To disable all suppression rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Disable All Rules.
4. Confirm by clicking Accept.

Example: Creating a Suppression Rule for Sudo Events


Role Availability Read-Only Investigator Analyst Manager

In this example, we create a suppression rule to reduce the volume of sudo events. Such a
rule is appropriate when you trust the originating host or are performing maintenance,
and it keeps these events from adding noise to your event list. Scope the rule as narrowly
as possible (for example, to the specific source host) so that privileged-command activity
from other hosts remains visible.

Note: You can also create your own rules from the Events page, which is an easier way
to configure the matching conditions. See Creating Suppression Rules from the Events
Page for more information.

To create a suppression rule for avoiding Sudo events

1. Go to Settings > Rules.


2. Select Create Orchestration Rule > Suppression Rule.

3. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

4. Select a packet type in the Match drop-down list.


l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issue-based rules. Con-
figuration issues identify incorrect uses of certain features; for example, the app for
AWS assesses your AWS configuration to identify insecure use of the AWS security
features.
l Vulnerabilities: Use this packet type for vulnerability-based rules.
l Alarms: Use this packet type for alarm-based rules.

5. Select these property values:


6. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

7. Enter a name for the rule, (for example, Suppress Sudo Events).
8. (Optional.) Enter a description for identifying this rule.

9. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

For example, with Occurrences set to 5 and Length set to 3 hours, the rule matches
only when the configured conditions occur five times within a three-hour period.


These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

10. Click Save.

The suppression rule has been created. You can see it from Settings > Rules. See
Suppression Rules from the Orchestration Rules Page for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Example: Creating a Suppression Rule for VPC Flow Logs

Role Availability Read-Only Investigator Analyst Manager

In this example, we are going to create a suppression rule to suppress VPC Flow Logs events.
This way you will avoid noise in your list of events.

To create a VPC Flow Logs Suppression Rule

1. Go to Activity > Events.


2. Enter VPC in the search field.
3. Click the icon.

4. Select one of the events.


5. Select Create Rule > Create Suppression Rule.

6. These property values are selected:


7. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

8. Enter a name for the rule, for example Suppress VPC Flow Logs.
9. (Optional.) Enter a description for identifying this rule.


10. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

For example, with Occurrences set to 5 and Length set to 3 hours, the rule matches
only when the configured conditions occur five times within a three-hour period.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

11. Click Save.

The suppression rule has been created. You can see it from Settings > Rules. See
Suppression Rules from the Orchestration Rules Page for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Filtering Rules from the Orchestration Rules Page

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere filtering rules make the sensor drop future events that match the rule.
Dropped events are neither correlated nor stored, so these rules define which event data
USM Anywhere stores. Because you pay for the data you use, discarded event information is
not stored and does not count against the service-level tier of an account. The rule runs
on the sensor and on the control node. Its action cannot be undone, so be careful when
creating the rule: an over-broad filtering rule silently discards data you may later need
for an investigation.

Note: Filtering rules are not retroactive. The rule applies to future items and it does not
apply to previous items, even if those items follow the rule.

Important: You can't use a correlation list when you create a filtering rule.

To create a rule for filtering events

1. Go to Settings > Rules.

2. Select Create Orchestration Rule > Filtering Rule.

3. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

4. Select a packet type in the Match drop-down list.


l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issue-based rules. Con-
figuration issues identify incorrect uses of certain features; for example, the app for
AWS assesses your AWS configuration to identify insecure use of the AWS security
features.
l Vulnerabilities: Use this packet type for vulnerability-based rules.
l Alarms: Use this packet type for alarm-based rules.
5. Click Add Condition and select the property values you want to include in the rule to
create a matching condition.

Note: For country fields, use the ISO 3166 country code (for example, US), not the
country name.

Note: The Sources and Destinations fields match against the universally unique
identifier (UUID) recorded in the event or alarm, not a human-readable name. To
match by name, use the Source Name or Destination Name field instead.

Important: For array fields, AT&T Cybersecurity recommends the in or contains
operators instead of equals or equals, case insensitive.


Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

6. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

7. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

8. Enter a name for the rule.


9. (Optional.) Enter a description for identifying this rule.

10. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.


To test the match criteria of a filter rule

Because a filtering rule discards events permanently, first test its match criteria with a
suppression rule, which keeps the matching events and lets you inspect them.

1. Create a test suppression rule with the match criteria you intend to use in the
filtering rule.
2. Enable the rule.
3. Go to Settings > Rules.
4. In the All Orchestration Rules page, click the icon of the test suppression rule.

The events that triggered the rule and were suppressed display.

5. If the displayed events are exactly the ones you want to discard, create a filtering
rule with the same match criteria. If they are not, adjust the suppression rule's match
criteria until only the intended events are suppressed, then create the filtering rule.
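The following is an added example, not code from USM Anywhere or AT&T Cybersecurity. It is a small Python evaluator that mirrors the rule-condition model described in the suppression, filtering and alarm rule procedures (a Boolean operator joining conditions and nested groups, and the equals, equals case-insensitive, contains and in operators), so that match criteria can be dry-run over sample events before they are committed to a filtering rule, whose action cannot be undone. The field names, the sample events and the nested-tuple rule layout are constructed for this example, and the meaning given to AND NOT and OR NOT (the negation of the group's AND or OR) is an assumption, not taken from the product.

```python
# Added example, not USM Anywhere code. Evaluates rule conditions the way the
# orchestration-rule builder describes them: a Boolean operator joins
# conditions and nested groups; equals / equals_ci / contains / in operate on
# one field. Field names, events and rule layout are constructed.
from typing import Any

Event = dict[str, Any]


def match_field(op: str, actual: Any, expected: Any) -> bool:
    """Apply one operator to one field value."""
    if op == "equals":
        return actual == expected
    if op == "equals_ci":
        return (isinstance(actual, str) and isinstance(expected, str)
                and actual.lower() == expected.lower())
    if op == "contains":
        # membership for array fields, substring for strings
        if isinstance(actual, list):
            return expected in actual
        return isinstance(actual, str) and expected in actual
    if op == "in":
        # expected is the list of accepted values; actual may be an array
        values = actual if isinstance(actual, list) else [actual]
        return any(v in expected for v in values)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(node: tuple, event: Event) -> bool:
    """node is ("cond", field, op, value) or ("group", boolop, [nodes])."""
    if node[0] == "cond":
        _, field, op, expected = node
        return field in event and match_field(op, event[field], expected)
    _, boolop, children = node
    results = [evaluate(child, event) for child in children]
    if boolop == "AND":
        return all(results)
    if boolop == "OR":
        return any(results)
    if boolop == "AND NOT":      # assumed: negation of the group's AND
        return not all(results)
    if boolop == "OR NOT":       # assumed: negation of the group's OR
        return not any(results)
    raise ValueError(f"unknown Boolean operator {boolop!r}")


# Constructed sample events; field names are illustrative, not USM Anywhere's.
SAMPLE_EVENTS: list[Event] = [
    {"event_name": "sudo: command executed", "source_name": "bastion-01",
     "source_country": "ES", "tags": ["sudo", "privileged"]},
    {"event_name": "SSH login failed", "source_name": "web-02",
     "source_country": "US", "tags": ["ssh", "auth_failure"]},
    {"event_name": "VPC Flow Log accepted", "source_name": "vpc-main",
     "source_country": "US", "tags": ["aws", "vpcflow"]},
]

# Suppress sudo events from two trusted bastion hosts in one country.
# Country fields take the ISO 3166 code ("ES"), not the country name.
SUPPRESS_SUDO = ("group", "AND", [
    ("cond", "event_name", "contains", "sudo"),
    ("cond", "source_name", "in", ["bastion-01", "bastion-02"]),
    ("cond", "source_country", "equals", "ES"),
])

# Nested group: US sources whose tags do not include "aws".
US_NOT_AWS = ("group", "AND", [
    ("cond", "source_country", "equals_ci", "us"),
    ("group", "OR NOT", [("cond", "tags", "contains", "aws")]),
])


def dry_run(rule: tuple, events: list[Event] = SAMPLE_EVENTS) -> list[str]:
    """Names of the sample events the rule would match. Run this before
    creating a filtering rule, since dropped events cannot be recovered."""
    return [e["event_name"] for e in events if evaluate(rule, e)]


def array_field_caveat() -> tuple[bool, bool]:
    """Why the guide prefers in/contains over equals for array fields:
    equals compares the whole array with one value and never matches."""
    tags = SAMPLE_EVENTS[0]["tags"]
    return match_field("equals", tags, "sudo"), match_field("contains", tags, "sudo")


if __name__ == "__main__":
    print("suppress sudo ->", dry_run(SUPPRESS_SUDO))
    print("US, not AWS   ->", dry_run(US_NOT_AWS))
    print("equals vs contains on array field ->", array_field_caveat())
```

Feed `dry_run` the criteria you plan to use and a handful of events copied from the Events page, and confirm that only the intended events are listed before turning the same criteria into a filtering rule. `array_field_caveat` shows why the guide steers you away from equals on array fields: the whole list is compared with one value, so the condition never matches.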

To filter filtering rules by name

1. Go to Settings > Rules.


2. Click the box next to Filter By.
3. Enter your search.

To filter filtering rules by rule status

1. Go to Settings > Rules.


2. Click the combo box next to Rule Status.
3. Select All Rules, Enabled, or Disabled.

To edit a filtering rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to edit.

3. Modify the data of the items that need to be modified.


4. Click Next.
5. Click Save.


To delete a filtering rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to delete.

3. Confirm by clicking Accept.

To enable a filtering rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to enable.

To disable a filtering rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to disable.

To enable all filtering rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Enable All Rules.

To disable all filtering rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Disable All Rules.
4. Confirm by clicking Accept.

Alarm Rules from the Orchestration Rules Page

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to identify existing and emerging threats that are of interest.
Alarm rules let you decide which event patterns raise alarms, so that you see only
high-priority alarms, which can also be delivered by email. This reduces noise and helps
you focus on what matters.

Note: You can also create alarm rules from the details of an event. See Creating Alarm
Rules from the Events Page for more information.

To create an alarm rule

1. Go to Settings > Rules > Orchestration Rules.

2. Select Create Orchestration Rule > Alarm Rule.

3. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

4. Select a packet type in the Match drop-down list.


l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issue-based rules. Con-
figuration issues identify incorrect uses of certain features; for example, the app for
AWS assesses your AWS configuration to identify insecure use of the AWS security
features.
l Vulnerabilities: Use this packet type for vulnerability-based rules.
l System Events: Use this packet type for system event-based rules.
l Console User Events: Use this packet type for console user event-based rules.
5. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: For country fields, use the ISO 3166 country code (for example, US), not the
country name.

Note: The Sources and Destinations fields match against the universally unique
identifier (UUID) recorded in the event or alarm, not a human-readable name. To
match by name, use the Source Name or Destination Name field instead.

Important: For array fields, AT&T Cybersecurity recommends the in or contains
operators instead of equals or equals, case insensitive.


Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

6. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

7. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

8. Enter a name for the rule and, if desired, a description to clarify its use in the Description
field.
9. Select an intent.

The intent describes the context of the behavior that is being observed. These intents
roughly map to the stages of the intrusion kill chains but are collapsed to ensure that
each is discrete. See Intent for more information about the available threat categories.

10. Enter a method.

If known, it is the method of attack or infiltration associated with the indicator that
generated the alarm.


Note: This is a required field; if you do not complete this field, the Save button
remains inactive.

11. Select a strategy.

The strategy describes the broad-based strategy or behavior that is detected. The
intention is to describe the malicious user's strategy to achieve their goal.

12. Enter a priority.

See Priority Field for Alarms for more information.

13. Configure a mute duration set in seconds, minutes, and hours.

You can use the mute value to set the period of time during which, once an alarm is
created, USM Anywhere will not create a new alarm based on the same conditions.

Note: Take care to set a mute duration that is long enough to cover the span of
time in which matching events will occur to maximize the efficacy of your mute.

Important: If your USM Anywhere™ is restarted when one of your alarm mutes is
active, or if there is an update or hotfix, the alarm mute will be canceled.

14. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

For example, with Occurrences set to 5 and Length set to 3 hours, the rule matches
only when the configured conditions occur five times within a three-hour period.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

15. (Optional.) Select the fields that you want to display in the generated alarm.

You can select or remove the fields you want to include in the details of the alarm. Click
a field to move it from one column to the other.

16. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
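The following is an added example, not code from USM Anywhere or AT&T Cybersecurity. It implements the Occurrences and Length threshold and the alarm mute duration described in this alarm rule procedure (and the same Occurrences and Length options in the notification and suppression rule procedures above) in Python and runs them over constructed sshd-style log lines: an alarm is raised when a failed SSH login from the same source occurs three times within five minutes, and the rule then stays silent for the mute period. The log format, the ISO 8601 timestamps and the choice to count occurrences per source address are assumptions of this example; USM Anywhere mutes on the rule's conditions, and the grouping key here is only a modeling choice.

```python
# Added example, not USM Anywhere code. Implements the Occurrences / Length
# threshold and the alarm mute duration described above and runs it over
# constructed sshd-style log lines. Log format, ISO 8601 timestamps and the
# choice to count occurrences per source IP are assumptions of this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample log: one source fails three times within five minutes
# (an alarm), one unrelated failure, then a second burst inside the mute window.
SAMPLE_LOG = """\
2023-10-18T10:00:00 sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
2023-10-18T10:01:30 sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
2023-10-18T10:02:00 sshd[1203]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
2023-10-18T10:03:45 sshd[1204]: Failed password for root from 203.0.113.7 port 51002 ssh2
2023-10-18T10:04:10 sshd[1205]: Failed password for root from 203.0.113.7 port 51003 ssh2
2023-10-18T10:20:00 sshd[1206]: Failed password for root from 203.0.113.7 port 51004 ssh2
2023-10-18T10:21:00 sshd[1207]: Failed password for root from 203.0.113.7 port 51005 ssh2
2023-10-18T10:22:00 sshd[1208]: Failed password for root from 203.0.113.7 port 51006 ssh2
"""


class ThresholdRule:
    """Fire when `occurrences` matching events fall within `length`, then
    stay quiet for `mute` (per key), mirroring the rule options above."""

    def __init__(self, occurrences: int, length: timedelta, mute: timedelta):
        if not 1 <= occurrences <= 100:
            raise ValueError("Occurrences must be between 1 and 100")
        self.occurrences, self.length, self.mute = occurrences, length, mute
        self._window: dict[str, deque] = defaultdict(deque)
        self._muted_until: dict[str, datetime] = {}

    def observe(self, key: str, ts: datetime) -> bool:
        """Record one matching event; return True if an alarm should be raised."""
        window = self._window[key]
        window.append(ts)
        # Length: only occurrences inside the trailing window count.
        while ts - window[0] > self.length:
            window.popleft()
        if len(window) < self.occurrences:
            return False
        window.clear()  # these occurrences have produced a match
        muted_until = self._muted_until.get(key)
        if muted_until is not None and ts < muted_until:
            return False  # same conditions matched again during the mute period
        self._muted_until[key] = ts + self.mute
        return True


def run(log: str = SAMPLE_LOG, occurrences: int = 3,
        length: timedelta = timedelta(minutes=5),
        mute: timedelta = timedelta(hours=1)) -> list[tuple[str, str]]:
    """Return (source, timestamp) for every alarm the rule would create."""
    rule = ThresholdRule(occurrences, length, mute)
    alarms = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a failed-login line; the match criteria do not apply
        ts = datetime.fromisoformat(m["ts"])
        if rule.observe(m["src"], ts):
            alarms.append((m["src"], m["ts"]))
    return alarms


if __name__ == "__main__":
    for src, when in run():
        print(f"ALARM unauthorized access attempt: {src} at {when}")
```

With the sample log, the first burst from 203.0.113.7 raises one alarm at the third failure; the second burst twenty minutes later falls inside the one-hour mute and is silent, which is why the note above advises a mute long enough to cover the span in which matching events keep arriving. Setting `mute` to zero makes the second burst raise its own alarm, and raising `occurrences` to 5 means the rule never matches this log, because no five failures fall inside any five-minute window.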

To filter alarm rules by name

1. Go to Settings > Rules.


2. Click the box next to Filter By.
3. Enter your search.

To filter alarm rules by rule status

1. Go to Settings > Rules.


2. Click the combo box next to Rule Status.
3. Select All Rules, Enabled, or Disabled.

To edit an alarm rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to edit.

3. Modify the fields that need to be changed.


4. Click Next.
5. Click Save.

To delete an alarm rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to delete.

3. Confirm by clicking Accept.

To enable an alarm rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to enable.

To disable an alarm rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to disable.

To enable all alarm rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Enable All Rules.

To disable all alarm rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Disable All Rules.
4. Confirm by clicking Accept.

Notification Rules from the Orchestration Rules Page

Role Availability Read-Only Investigator Analyst Manager

Notification rules are a mechanism to generate a specified notification method when the
match criteria are met. One major difference between notification rules and other rules is that
they do not have the mute operator available. These rules always generate a notification
whenever the match criteria are met and never go silent.


You can create your own notification rules from the Orchestration rules page or from the
Events details page, which is the easiest way to configure the matching conditions. See
Creating Notification Rules from the Events Page for more information.

To create a notification rule from the Orchestration rules page

1. Go to Settings > Rules.

2. Select Create Orchestration Rule > Notification Rule.

3. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

4. Select a packet type in the Match drop-down list.


l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issues-based rules (1).
l Vulnerabilities: Use this packet type for vulnerabilities-based rules.
l System Events: Use this packet type for system events-based rules.
l Console User Events: Use this packet type for console user events-based rules.
l Alarms: Use this packet type for console user alarms-based rules.
5. Click Add Conditions and select the property values you want to include in the rule to
create a matching condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

(1) This packet type refers to configuration issues that are used to identify incorrect uses of
certain features. For example, the app for AWS assesses your configuration of AWS to identify
insecure use of the AWS security features.


Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

6. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

7. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

8. Enter a name for the rule.


9. (Optional.) Enter a description for identifying this rule.
10. Select a notification method:
l Amazon SNS: This method requires the setup of the Amazon Simple Notification Service
(SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon
SNS endpoint notifications sent. However, this method requires having an Amazon Web
Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email
notifications per month to fall into the free messaging tier. See Sending Notifications
Through Amazon SNS in the USM Anywhere Deployment Guide for more information.
l Datadog: This method requires the creation of a Datadog API key and additional steps.
See Sending USM Anywhere Notifications to Datadog in the USM Anywhere Deployment
Guide for more information.
l Email: This method sends the notification by email. You need to enter information for
the email subject and enter a destination email address. Multiple comma-separated
email addresses are possible. This method uses a built-in integration with the Amazon
Simple Email Service (SES) function and is limited to a maximum of 200 emails per
rolling 24-hour period. The only user-customizable information available is the email
subject line.

Note: The rolling 24-hour, 200-email limit refers to all email accounts. For
example, you can have a rule with multiple emails, which counts as a single email
delivery. Alternately, if you have several rules with several emails, each of these
counts as an individual email account. Sensor-disconnect emails do not count
against this number because they are critical and are only sent to users whose
role is manager.

Select the Sanitize Email Content checkbox to replace detailed email contents with a
generic message and a link that requires user authentication to view further
information.

l PagerDuty: This method is performed using an integration in the product, and user
setup is required. See Sending USM Anywhere Notifications to PagerDuty in the USM
Anywhere Deployment Guide for more information.
l Slack: This method makes use of a user-created Slack Webhook integration. Slack
integration can also be performed using Amazon SNS. See Sending USM Anywhere
Notifications to Slack in the USM Anywhere Deployment Guide for more information.

11. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.


l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

12. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

To filter notification rules by name

1. Go to Settings > Rules.


2. Click the box next to Filter By.
3. Enter your search.

To filter notification rules by rule status

1. Go to Settings > Rules.


2. Click the combo box next to Rule Status.
3. Select All Rules, Enabled, or Disabled.


To edit a notification rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to edit.

3. Modify the fields that need to be changed.


4. Click Next.
5. Click Save.

To delete a notification rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to delete.

3. Confirm by clicking Accept.

To enable a notification rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to enable.

To disable a notification rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to disable.

To enable all notification rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Enable All Rules.

To disable all notification rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Disable All Rules.
4. Confirm by clicking Accept.

Response Action Rules from the Orchestration Rules Page


Role Availability Read-Only Investigator Analyst Manager

To create a response action rule

1. Go to Settings > Rules.

2. Select Create Orchestration Rule > Response Action Rule.

3. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

4. Select a packet type in the Match drop-down list.


l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issues-based rules (1).
l Vulnerabilities: Use this packet type for vulnerabilities-based rules.
l System Events: Use this packet type for system events-based rules.
l Console User Events: Use this packet type for console user events-based rules.
l Alarms: Use this packet type for console user alarms-based rules.
5. Click Add Condition and select the property values you want to include in the rule to
create a matching condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

(1) This packet type refers to configuration issues that are used to identify incorrect uses of
certain features. For example, the app for AWS assesses your configuration of AWS to identify
insecure use of the AWS security features.


Important: Instead of using the equals and equals, case insensitive operators
for array fields, AT&T Cybersecurity recommends the use of the in or contains
operators.

Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

6. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule
verification box reviews that syntax before saving the rule.

7. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

8. Enter a name for the rule.


9. (Optional.) Enter a description for identifying this rule.
10. Select an Action Type:


l AT&T Cybersecurity Forensics and Response App: See Collecting Forensics and
Response Data in the USM Anywhere Deployment Guide for more information.
l Authenticated Asset Scanner: See Performing Vulnerability Scans for more
information.
l Agent Query: You can run a user-initiated agent query. There are several ad-hoc
queries, which are in your environment by default. These queries generate events that
can be used for a forensic investigation, so you can focus on fast response and
remediation. See The AlienVault Agent for more information.

11. Select an App Action.

The options vary depending on the selected action type.

12. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

13. Click Save.


The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
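The Occurrences and Length options described above for alarm, notification, and response action rules combine into a sliding-window threshold. As an added example that is not part of this guide or of USM Anywhere, the following Python code applies that semantics to constructed sample events; the event field names, the per-source grouping, and the reset of the window after a match are assumptions.

```python
"""Added example (not USM Anywhere code): how the Occurrences and Length options
of an orchestration rule combine into a threshold match. The rule fires when at
least `occurrences` matching events fall inside a trailing window of Length.
Event field names and the per-source grouping are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, in the shape of a "Failed SSH login" log stream.
SAMPLE_EVENTS = [
    {"ts": "2023-10-18T10:00:05", "event_name": "Failed SSH login", "source_address": "198.51.100.7"},
    {"ts": "2023-10-18T10:01:10", "event_name": "Failed SSH login", "source_address": "198.51.100.7"},
    {"ts": "2023-10-18T10:02:30", "event_name": "Successful SSH login", "source_address": "198.51.100.7"},
    {"ts": "2023-10-18T10:03:40", "event_name": "Failed SSH login", "source_address": "198.51.100.7"},
    {"ts": "2023-10-18T10:20:00", "event_name": "Failed SSH login", "source_address": "198.51.100.7"},
    {"ts": "2023-10-18T10:21:00", "event_name": "Failed SSH login", "source_address": "203.0.113.9"},
    {"ts": "2023-10-18T10:30:00", "event_name": "Failed SSH login", "source_address": "198.51.100.7"},
]

# The Length option takes a number plus one of these units.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}


def length_to_seconds(value, unit):
    """Convert the rule's Length setting (number plus unit) to seconds."""
    if unit not in UNIT_SECONDS or value <= 0:
        raise ValueError(f"invalid length: {value} {unit}")
    return value * UNIT_SECONDS[unit]


def failed_ssh_login(event):
    """The rule's matching condition (the guide's failed-SSH-login example)."""
    return event["event_name"] == "Failed SSH login"


def find_threshold_matches(events, occurrences, length_seconds,
                           condition=failed_ssh_login,
                           group_by=lambda e: e["source_address"]):
    """Return (group, timestamp) pairs at which the rule would match.

    Mirrors the guide's semantics: `occurrences` events matching the condition
    must occur within `length_seconds`; fewer matches in that span is no match.
    Assumptions: matches are counted per group (here per source address) and the
    window is cleared after a match so one burst yields one alarm.
    """
    if not 1 <= occurrences <= 100:  # the UI accepts a number between 1 and 100
        raise ValueError("occurrences must be between 1 and 100")
    window_len = timedelta(seconds=length_seconds)
    windows = defaultdict(deque)
    fired = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if not condition(event):
            continue
        key = group_by(event)
        ts = datetime.fromisoformat(event["ts"])
        window = windows[key]
        window.append(ts)
        # Drop matches that fell out of the trailing Length window.
        while ts - window[0] > window_len:
            window.popleft()
        if len(window) >= occurrences:
            fired.append((key, ts))
            window.clear()
    return fired


if __name__ == "__main__":
    # Three failed SSH logins within five minutes, as in the guide's example.
    for key, ts in find_threshold_matches(SAMPLE_EVENTS, 3, length_to_seconds(5, "minutes")):
        print(f"alarm: {key} at {ts.isoformat()}")
```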

To filter response action rules by name

1. Go to Settings > Rules.


2. Click the box next to Filter By.
3. Enter your search.

To filter response action rules by rule status

1. Go to Settings > Rules.


2. Click the combo box next to Rule Status.
3. Select All Rules, Enabled, or Disabled.

To edit a response action rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to edit.

3. Modify the fields that need to be changed.


4. Click Next.
5. Click Save.

To delete a response action rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to delete.

3. Confirm by clicking Accept.

To enable a response action rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to enable.

To disable a response action rule

1. Go to Settings > Rules.


2. Click the icon of the rule you want to disable.


To enable all response action rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Enable All Rules.

To disable all response action rules

1. Go to Settings > Rules.


2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click Disable All Rules.
4. Confirm by clicking Accept.

Orchestration Rule Validation

Role Availability Read-Only Investigator Analyst Manager

When orchestration rules are active, USM Anywhere inspects and validates them to show how
well the rule is working.

The orchestration rule validation process is engaged whenever a new rule is created or an
existing rule is updated. Additionally, active rules are validated periodically for the duration of
the time they are active. The orchestration rule validation process checks your rule against a
set of tests, called rule checks, which evaluate how well your orchestration rule will perform,
and checks it for common errors. For example, this validation process keeps you from
creating a rule that will collect nothing (or everything).

Note: Any time you create a new rule or edit an existing rule, be sure to review your
rule's validation and make recommended or necessary changes to optimize the rule
based on the validation status.

For every rule check that your orchestration rule fails, you are shown a status notification,
which explains in detail what should be improved in your rule. Each status notification is
classified by its severity into four statuses (in increasing severity): ok, info, warning, and error.
While an info-level status notification may indicate that optimizing the rule would be useful, a
warning-level status notification indicates a more critical problem that should be addressed.
An error-level status notification will prevent you from saving the new rule until it is fixed.


Viewing Your Rule's Validation Status


To view the validation status of your orchestration rules, go to Settings > Rules. The rule's
status is indicated by a column on the Orchestration Rules main page. If you would like to
view just the rules that have a specific status, you can filter by validation statuses from the All
Orchestration Rules page.

To read a detailed breakdown of your rule's validation, click the rule. This opens a window
listing the details that apply to your rule, with an icon indicating each status notification's
severity. From this view, you can see a clear list of all the changes you can make to optimize
your rule. You can also see any changes that are required for your rule to function.


Understanding How Validation Is Assessed and Applied

When more than one validation check applies to an orchestration rule, USM Anywhere
considers the most severe of those the rule's validation status. For example, in the
screenshot, warning, info, and error notifications were all triggered by the
"Alarm without Condition" rule, so its overall validation status is error.

The following table shows the list of validation statuses.


List of Orchestration Rule Validation Statuses

Status Icon Description

INFO There are minor issues in this rule's definition that might affect
your rule's operation.

WARNING There are issues in this rule's definition that might negatively
impact your system.

ERROR This rule will present undesired behavior on your system.

Rule Validation Lifecycle


Your rule's validation status will persist as long as the rule checks that apply to it are active.
Status checks are either static or dynamic. Static checks evaluate your rule against common
mistakes when your rule is first created, while dynamic checks analyze your rule's behaviors
and are assessed every 10 minutes while your rule is active.

Both static and dynamic checks show up as status notifications on your orchestration rule.

Static Checks

These checks evaluate your rule against common mistakes such as the presence of a data
source or packet type, in addition to validating fields like IP and operator. Some of the static
checks will prevent users from creating or updating a rule if they fail.

Rules are evaluated immediately against static checks when they are created or updated.
Static checks don’t have a predetermined lifetime and will persist until the triggering
condition is fixed or removed from the rule. They will be ignored in scheduled purge tasks
used to clean invalid rule checks.

Note: Static checks help prevent you from creating a rule that is invalid or a rule that
risks capturing everything or nothing.

Dynamic Checks

These checks analyze your rule's behavior, such as its match ratio or how quickly it is
processed. They are evaluated as long as your orchestration rule is active.


Active rules are evaluated against dynamic checks every 10 minutes with the help of a
scheduler task. Dynamic checks have a predetermined lifetime of 7 days. During those 7 days,
another scheduler task runs every 6 hours to confirm whether those dynamic checks still
apply to your rule. If the conditions for that check haven't been seen on your rule for 7 days,
the check and its related status will be removed from your rule.

Correlation Rules

Role Availability Read-Only Investigator Analyst Manager

Correlation is the processing of the event stream to identify important events or patterns of
events within large volumes of data. The logic to identify these events is encapsulated in a
correlation rule. The AT&T Alien Labs™ Security Research Team creates correlation rules,
which associate multiple events from one or more data sources to identify potential security
threats. These rules identify patterns associated with malicious activity. Alarms are generated
by an explicit call within these rules.

These correlation rules are created by the Security Research Team and you are not able to
modify them. However, you can use orchestration rules to modify the way USM Anywhere
treats events. See Orchestration Rules for more information.

Important: The "Suspicious Behavior - OTX Indicators of Compromise" correlation rule
generates alarms if the pulse comes from the AlienVault OTX account.

What Is Correlation?
Correlation is a process performed by the correlation engine in USM Anywhere. It identifies
potential security threats by detecting behavior patterns across different types of assets,
which produce disparate yet related events. Correlation links different events, turning data
into more useful information.

The logs received and processed by USM Anywhere carry important information such as what
your users are doing, what data is being accessed, how your system and network are
performing, and if there are any security threats or attacks taking place. However, reading
logs has these disadvantages:

l Logs vary from system to system or even from version to version on the same system.
l Logs have limited perspective because each system sees events from its own perspective.
l Logs are static, fixed points in time without the full context or sequence of related events.


The correlation process provides answers to these challenges, putting the events into full
context. For example, a network firewall sees packets and network sessions, while an
application sees users, data, and requests. While different systems report logs of similar
activities, the way in which they articulate these activities is quite different. With the help of
correlation rules, USM Anywhere can correlate the two types of events, generating an alarm if
a threat exists.

Event correlation enables the security analysts and the incident responders to do the
following:

l Make informed decisions on how to respond to security threats
l Validate the effectiveness of existing security controls
l Measure and report compliance
l Detect policy violations

Correlation Rules Structure


This is the structure of correlation rules: Intent — Strategy — Method.

The structure uses a three-tiered model for describing an observed behavior:

l Intent: The first tier is the "intent" of the behavior. This roughly maps to the "intrusion kill
chain" to provide an understanding of the context of the behavior.

l Strategy: The second tier is the strategy the attacker took, used to describe the
methodology employed.

l Method: The third tier is the "method" of the behavior, used to describe the details of the
particular methodology.

Intent

The intent describes the context of the behavior that is being observed. These intents
roughly map to the stages of the intrusion kill chains but are collapsed to ensure that each is
discrete.

From highest to lowest, these are the threat categories:


Threat Structures on Correlation Rules

Intent Description

System Compromise Behavior indicating a compromised system.

Exploitation & Installation Behavior indicating a successful exploit of a vulnerability, backdoor, or
remote access trojan being installed on the system.

Delivery & Attack Behavior indicating an attempted delivery of an exploit. This can include
detection of malicious email attachments, network-based detection of
known attack payloads, or analysis-based detection of known attack
strategies such as an SQL injection.

Reconnaissance & Probing Behavior indicating an actor attempting to discover information about
your organization. This is broad-based, including everything from port
scans to social engineering to open-source intelligence.

Environmental Awareness Behavior and status about the environment being monitored. This
includes information about services running, behavior of users in the
environment, and the configuration of the systems.

Strategy

The strategy describes the broad-based strategy or behavior that is detected. It is a
description of the strategy the malicious user is using to achieve their goal. For example,
when trying to exploit a known vulnerability in a web browser, the attacker is launching a
"Client-Side Attack - Known Vulnerability".

Method

The method describes the approach that the actor employs. To further the previous example,
the method would provide additional detail on the target of the attack and the vulnerability
"Firefox - CVE-2008-4064".

USM Anywhere Correlation Rules


USM Anywhere provides built-in rules and adds more every week through the AT&T Alien
Labs™ Threat Intelligence Subscription. Some of these rules are generic, which means that
the rule can match data from different data sources. For example, the following rule matches
data from different application firewalls:


Some rules are more specific, which means that the rule only matches a particular data
source. For example, the following rule only matches data from Watchguard XTM:

Note: When a more specific rule exists in USM Anywhere, it takes precedence over the
generic rule.

To see correlation rules

1. Go to Settings > Rules > Correlation Rules.


2. To search for a rule, enter the search text in the search field above the table and then
click the icon.

3. Click the rule to expand the details of the rule.

You can see the strategy, the method, and the rule itself.

Important: Correlation rule details are not visible to users with a trial license.

4. Click the icon to open the Alarms List view page.

The page includes Rules Name as a filter so that you can see how many alarms match the
selected rule.

Note: The mute length indicates how long that rule will not generate an alarm.

Operators in the Correlation Rules


USM Anywhere provides built-in rules and adds more every week through the AT&T Alien
Labs™ OTX Subscription. These rules are the result of the combination of operators and USM
Anywhere fields.

Correlation Rules: Operators

Operator: ==
Meaning: Equals. Compares the field to the specified value.
Example: plugin_device == 'GuardDuty'

Operator: ==*
Meaning: Equals, case insensitive. Compares the field to the specified value, ignoring case
considerations.
Example: event_activity ==* 'Executable download'

Operator: >>
Meaning: Assign or equal. For use with variables: assigns the value if the variable is empty;
if the variable is populated, it acts like ==.
Example: source_canonical >> [source]

Operator: >>*
Meaning: Assign or equal, case insensitive. For use with variables: assigns the value if the
variable is empty; if the variable is populated, it acts like ==*.
Example: source_username >>* [username]

Operator: >
Meaning: Greater than.
Example: user_id > 500

Operator: <
Meaning: Less than.
Example: user_id < 505

Operator: in
Meaning: List contains. Returns true if the list contains the value. This performs a ==
comparison for every value in the list, returning true on the first match.
Example: event_subcategory in ('Microsoft-Windows-MountMgr', 'MountMgr')

Operator: in*
Meaning: List contains, case insensitive. Returns true if the list contains the value. This
performs a ==* comparison for every value in the list, returning true on the first match.
Example: event_name in* ('Update route in route table', 'Update route table for VPC')

Operator: ~
Meaning: Match. Takes a regular expression delimited by '/' as the argument.
Example: hostname ~ /.*\.eng/

Operator: ~*
Meaning: Match, case insensitive. Takes a regular expression delimited by '/' as the argument.
Example: (source_process_commandline ~* /[a-z0-9]{15,45}\.[a-z0-9]{1,15}\.[a-z0-9]{1,4}/ )

Operator: ==>
Meaning: Checks the value against a list filled with the values of previous events. The
condition holds if the element is not already included in the list.
Example: source_country ==> |countries|

Operator: ||
Meaning: Or. Chains two comparisons; returns true if either comparison evaluates to true.
Example: ((device_direction == 'outbound') || (event_activity == 'C&C Response' and
device_direction == 'inbound'))

Operator: &&
Meaning: And. Chains two comparisons; returns true if both comparisons evaluate to true.
Example: rep_device_rule_id == '15457' && source_username >>* [username]

Operator: !
Meaning: Not. Negates the return value of the expression directly following it.
Example: source_country != ''

Operator: or
Meaning: Or. Alternative to ||.
Example: (source_process_commandline contains* ' aaaa' OR source_process_commandline
contains* '=aaaa')

Operator: and
Meaning: And. Alternative to &&.
Example: event_subcategory == 'Microsoft-Windows-Sysmon' AND rep_device_rule_id == '1'

Operator: !->
Meaning: Not in List. Checks that a value is not contained in a correlation list.
Example: source_name !-> [[SAFE_NAMES]]

Operator: !->*
Meaning: Not in List, case insensitive. Checks that a value is not contained in a correlation
list, ignoring case considerations.
Example: source_name !->* [[SAFE_NAMES]]
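As an added example that is not part of this guide or of USM Anywhere, the following Python evaluator implements the comparison operators from the table above (==, ==*, >>, >>*, >, <, in, in*, ~, ~*, ==>, !, !-> and !->*) and joins a rule's conditions with &&. Grouping with || / or and the contains* operator seen in the examples are not implemented, and the rule, the field names, the correlation list and the sample events are all constructed.

```python
"""Added example (not USM Anywhere code): a small evaluator for the operators in
the Correlation Rules table. A rule is a list of (field, operator, operand)
conditions joined with &&. Field names and sample events are constructed."""
import re


class RuleState:
    """State a rule keeps across events: [variables] set by >> / >>*,
    [[correlation lists]] for !-> / !->*, and the |seen lists| used by ==>."""

    def __init__(self, correlation_lists=None):
        self.variables = {}
        self.correlation_lists = correlation_lists or {}
        self.seen = {}


def _eq(a, b, case_insensitive):
    return a.lower() == b.lower() if case_insensitive else a == b


def apply_operator(op, value, arg, state):
    """Evaluate one `field OP operand` condition; `value` is the event field."""
    ci = op.endswith("*")
    if op.startswith("!") and op not in ("!->", "!->*"):
        # '!' negates the expression after it; the table writes `!= ''` for not-equal.
        inner = "==" if op[1:] == "=" else op[1:]
        return not apply_operator(inner, value, arg, state)
    if value is None:
        return False  # assumption: a missing field never satisfies a condition
    value = str(value)
    if op in ("==", "==*"):
        return _eq(value, arg, ci)
    if op in (">>", ">>*"):  # assign-or-equal on a [variable]
        name = arg.strip("[]")
        if name not in state.variables:
            state.variables[name] = value
            return True
        return _eq(value, state.variables[name], ci)
    if op == ">":
        return float(value) > float(arg)
    if op == "<":
        return float(value) < float(arg)
    if op in ("in", "in*"):  # list contains, true on the first match
        return any(_eq(value, item, ci) for item in arg)
    if op in ("~", "~*"):  # regular expression delimited by '/'
        pattern = arg[1:-1] if arg.startswith("/") and arg.endswith("/") else arg
        return re.search(pattern, value, re.IGNORECASE if ci else 0) is not None
    if op in ("!->", "!->*"):  # value must NOT be in the [[correlation list]]
        items = state.correlation_lists.get(arg.strip("[]"), [])
        return not any(_eq(value, item, ci) for item in items)
    if op == "==>":  # true only for a value not already in |list|; remembers it
        seen = state.seen.setdefault(arg.strip("|"), set())
        if value in seen:
            return False
        seen.add(value)
        return True
    raise ValueError(f"unsupported operator: {op}")


def evaluate_rule(conditions, event, state):
    """Conditions joined with && (short-circuit, so the side effects of a later
    >> or ==> only happen when the earlier conditions held)."""
    return all(apply_operator(op, event.get(field), arg, state)
               for field, op, arg in conditions)


# Constructed rule: match when the user tracked in [username] logs in from a
# country not seen before, ignoring sources on the SAFE_NAMES correlation list.
NEW_COUNTRY_RULE = [
    ("event_name", "in*", ("Successful SSH login", "Successful RDP login")),
    ("source_username", ">>*", "[username]"),
    ("source_name", "!->", "[[SAFE_NAMES]]"),
    ("source_country", "==>", "|countries|"),
]

# Constructed sample events.
SAMPLE_EVENTS = [
    {"event_name": "Successful SSH login", "source_username": "Alice",
     "source_country": "US", "source_name": "vpn-gw"},
    {"event_name": "successful ssh login", "source_username": "alice",
     "source_country": "DE", "source_name": "vpn-gw"},
    {"event_name": "Successful SSH login", "source_username": "bob",
     "source_country": "FR", "source_name": "vpn-gw"},
    {"event_name": "Successful RDP login", "source_username": "ALICE",
     "source_country": "US", "source_name": "jumphost"},
    {"event_name": "Successful SSH login", "source_username": "alice",
     "source_country": "JP", "source_name": "scanner01"},
]


def run_sample():
    """Evaluate the rule over the sample stream; returns (per-event results, state)."""
    state = RuleState(correlation_lists={"SAFE_NAMES": ["scanner01"]})
    return [evaluate_rule(NEW_COUNTRY_RULE, e, state) for e in SAMPLE_EVENTS], state


if __name__ == "__main__":
    results, _ = run_sample()
    for event, hit in zip(SAMPLE_EVENTS, results):
        print("MATCH" if hit else "  -  ", event["source_username"], event["source_country"])
```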

Correlation Lists

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to create correlation lists. Use a correlation list to group values
together to apply to a single rule. So instead of creating a rule for each value, you can save
time and effort by creating a correlation list and using it in a rule.


When creating correlation lists for rules, you can use a standard field, such as event_name or
event_description. A common use for correlation lists is building denylists, allowlists, or both,
for values such as user names or event_names. You can also enter any value you want as an item
of a correlation list, up to 500 characters per item. There is a limit of 1000 items per
correlation list.

To see an example of an alarm rule using a correlation list, see Example: Creating an Alarm
Rule Using a Correlation List.

To create a correlation list

1. Go to Settings > Rules > Correlation Lists.

2. Click New List.


3. Enter a name for the correlation list in the Name field and, if desired, a description to
clarify its use in the Description field.

Important: The valid characters for the correlation list name are uppercase letters
(A–Z), lowercase letters (a–z), numerical digits (0–9), and underscore (_). You can
enter up to 64 characters.

4. Click Add Item to include items in your list.

Important: The list items are restricted to a string format to match the formats of
the tested event detail items.

5. Click Save.

To add a new item to a list

1. Go to Settings > Rules > Correlation Lists.


2. Click the list to expand the details of the list.

3. Click Add Item.


The Add Item dialog box opens.

4. Enter the value and click Save.

To modify a correlation list

1. Go to Settings > Rules > Correlation Lists.

2. Click the icon of the list you want to modify.

3. Modify the items that need to be changed.


4. Click Save.


To delete a correlation list

1. Go to Settings > Rules > Correlation Lists.

2. Click the icon of the list you want to delete.

The delete dialog box opens.

3. Click Delete.

To modify an item of a list

1. Go to Settings > Rules > Correlation Lists.


2. Click the list to expand the details of the list.

3. Click the icon of the item you want to modify.

4. Modify the item and click the icon.


To delete an item of a list

1. Go to Settings > Rules > Correlation Lists.


2. Click the list to expand the details of the list.
3. Click the icon of the item you want to delete.

Example: Creating an Alarm Rule Using a Correlation List

Role Availability Read-Only Investigator Analyst Manager

In this example, an orchestration rule is created to generate an alarm whenever a user, who is
included in a correlation list, generates an event.

Note: See Correlation Lists for more information.

To create an orchestration rule for generating an alarm when a user, included in a
correlation list, generates an event

1. Go to Settings > Rules > Correlation Lists.


2. Click New List.

3. Enter a name for the correlation list in the Name field and, if desired, a description to
clarify its use in the Description field.

Important: The valid characters for the correlation list name are uppercase letters
(A-Z), lowercase letters (a-z), numerical digits (0-9), and underscore (_). You are
allowed to enter from 1 to 64 characters.

4. Click Add Item to add the user names to your list.


5. Click Save.
6. Go to Settings > Rules.
7. Click Create Orchestration Rule > Alarm Rule.

8. Select a Boolean operator.

The options are AND, OR, AND NOT, and OR NOT.

9. Select a packet type in the Match drop-down list.


• Logs: Use this packet type for event-based rules.
• Configuration Issues: Use this packet type for configuration issues-based rules [1].
• Vulnerabilities: Use this packet type for vulnerabilities-based rules.
• System Events: Use this packet type for system events-based rules.
• Console User Events: Use this packet type for console user events-based rules.

10. Click Add Conditions and select these property values.

[1] This packet type refers to configuration issues that are used to identify incorrect uses of
certain features. For example, the app for AWS assesses your configuration of AWS to identify
insecure use of the AWS security features.


11. Click Next.

Important: A dialog box opens if there are warning messages. Click Cancel to
review the warning messages, or click Accept to continue creating the rule.

12. Enter a name for the rule (for instance "Alarm for undesirable users") and, if desired, a
description to clarify its use in the Description field.
13. Select an intent.


The intent describes the context of the behavior that is being observed. These intents
roughly map to the stages of the intrusion kill chains but are collapsed to ensure that
each is discrete. See Intent for more information about the available threat categories.

14. Enter a method.

If known, it is the method of attack or infiltration associated with the indicator that
generated the alarm.

Note: This is a required field; if you do not complete this field, the Save button
remains inactive.

15. Select a strategy.

The strategy describes the broad-based strategy or behavior that is detected. The
intention is to describe the malicious user's strategy to achieve their goal.

16. Enter a priority.

See Priority Field for Alarms for more information.

17. Configure a mute duration set in seconds, minutes, and hours.

You can use the mute value to set the period of time during which, once an alarm is
created, USM Anywhere will not create a new alarm based on the same conditions.

Note: Take care to set a mute duration that is long enough to cover the span of
time in which matching events will occur to maximize the efficacy of your mute.

Important: If your USM Anywhere™ is restarted when one of your alarm mutes is
active, or if there is an update or hotfix, the alarm mute will be canceled.

18. Modify these two options:

• Occurrences: Specify the number of event occurrences that produce a match on the
  conditional expression to trigger the rule. You can enter the number of occurrences or
  use the arrow to scroll the value up or down. You need to enter a number between 1
  and 100.
• Length: Specify the length of the timespan used to identify a match for multiple
  occurrences. Enter the number and choose a value of seconds, minutes, or hours.


This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
within a three-hour window.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

19. (Optional.) Select the fields that you want to display in the generated alarm.

You can select or remove the fields you want to include in the details of the alarm by
clicking the and the icons.


20. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules. See
Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.
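Added example, not USM Anywhere code, that models the rule configured above in PowerShell: a user name is checked against a correlation list, the Occurrences and Length settings form a sliding window, and the Mute duration suppresses repeat alarms for the same conditions. The function names, the list name denied_users and the events are constructed for illustration.

```powershell
# Added example, not USM Anywhere code. Models the alarm rule built above: a
# denylist of user names kept in a correlation list, Occurrences matches inside
# a sliding window of Length, and a Mute period after each alarm.

function Test-CorrelationListName {
    # Valid list names use A-Z, a-z, 0-9 and underscore, 1 to 64 characters.
    param([Parameter(Mandatory)][string]$Name)
    return $Name -cmatch '^[A-Za-z0-9_]{1,64}$'
}

function New-CorrelationList {
    # Items are plain strings: at most 500 characters each, at most 1000 items.
    param([Parameter(Mandatory)][string]$Name, [string[]]$Items = @())
    if (-not (Test-CorrelationListName $Name)) { throw "Invalid correlation list name: $Name" }
    if ($Items.Count -gt 1000) { throw 'A correlation list holds at most 1000 items' }
    foreach ($item in $Items) {
        if ($item.Length -gt 500) { throw "Item longer than 500 characters: $item" }
    }
    return [pscustomobject]@{ Name = $Name; Items = $Items }
}

function Invoke-AlarmRule {
    # Emits one alarm object each time $Occurrences events from a listed user
    # fall inside a window of $Length, then ignores that user's matches until
    # the $Mute period has passed (USM Anywhere cancels an active mute on a
    # restart or update; this local model keeps no such state).
    param(
        [Parameter(Mandatory)][object[]]$Events,      # objects with Timestamp, UserName, EventName
        [Parameter(Mandatory)][pscustomobject]$List,  # the correlation list of user names
        [ValidateRange(1, 100)][int]$Occurrences = 5,
        [timespan]$Length = (New-TimeSpan -Hours 3),
        [timespan]$Mute = (New-TimeSpan -Minutes 30)
    )
    $alarms = New-Object System.Collections.Generic.List[object]
    $windowByUser = @{}   # user name -> timestamps of matches still inside the window
    $mutedUntil   = @{}   # user name -> time at which the mute expires

    foreach ($e in ($Events | Sort-Object Timestamp)) {
        # List items are stored as strings, so the match is an exact, case-sensitive compare.
        if ($List.Items -cnotcontains $e.UserName) { continue }
        $u = $e.UserName

        # The same conditions do not create a new alarm while the mute is active.
        if ($mutedUntil.ContainsKey($u) -and $e.Timestamp -lt $mutedUntil[$u]) { continue }

        # Keep only the matches that still fall inside the window ending at this event.
        $cutoff = $e.Timestamp - $Length
        $window = @($windowByUser[$u] | Where-Object { $_ -ge $cutoff })
        $window += $e.Timestamp
        $windowByUser[$u] = $window

        if ($window.Count -ge $Occurrences) {
            $alarms.Add([pscustomobject]@{
                Time        = $e.Timestamp
                UserName    = $u
                Occurrences = $window.Count
                WindowStart = $window[0]
                MutedUntil  = $e.Timestamp + $Mute
            })
            $mutedUntil[$u]   = $e.Timestamp + $Mute
            $windowByUser[$u] = @()   # counting starts over after the alarm
        }
    }
    return $alarms
}

# Constructed sample data: two denied user names and a short stream of events.
$denied = New-CorrelationList -Name 'denied_users' -Items @('svc_legacy', 'contractor_old')
$t0 = [datetime]'2023-10-18T09:00:00'
$sampleEvents = @(
    [pscustomobject]@{ Timestamp = $t0;                UserName = 'svc_legacy'; EventName = 'User Login' }
    [pscustomobject]@{ Timestamp = $t0.AddMinutes(5);  UserName = 'alice';      EventName = 'User Login' }
    [pscustomobject]@{ Timestamp = $t0.AddMinutes(20); UserName = 'svc_legacy'; EventName = 'File Read' }
    [pscustomobject]@{ Timestamp = $t0.AddMinutes(40); UserName = 'svc_legacy'; EventName = 'File Read' }  # third match in 40 min: alarm
    [pscustomobject]@{ Timestamp = $t0.AddMinutes(45); UserName = 'svc_legacy'; EventName = 'File Read' }  # inside the mute: ignored
    [pscustomobject]@{ Timestamp = $t0.AddHours(4);    UserName = 'svc_legacy'; EventName = 'File Read' }  # new window, count 1
)

# Three occurrences within one hour, muted for 30 minutes: one alarm at 09:40.
Invoke-AlarmRule -Events $sampleEvents -List $denied -Occurrences 3 `
    -Length (New-TimeSpan -Hours 1) -Mute (New-TimeSpan -Minutes 30) |
    Format-Table Time, UserName, Occurrences, WindowStart, MutedUntil -AutoSize
```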

Playbooks

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to create and manage playbooks, with which you can
predetermine a set of steps that should be taken to remediate alarms generated from either
a correlation rule or a custom orchestration rule. These playbooks allow you to accelerate
your threat detection and incident response process by streamlining and automating
common or alarm-specific workflows.

This topic discusses these subtopics:


Viewing Your Playbooks

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to create and manage playbooks, with which you can
predetermine a set of steps that should be taken to remediate alarms generated from either
a correlation rule or a custom orchestration rule.

Playbooks Page Overview


You can view your USM Anywhere playbooks via the History and My Playbooks tabs, and the
Playbooks in Progress dashboard. To view playbooks, go to Settings > Playbooks. The page
displays your playbooks on the following two tabs:

• History: This tab shows a history of all of the playbooks that have been run in your
  environment. This view also lists the status and owner of each playbook that has been run.
• My Playbooks: This tab displays all of the playbooks that have been created in your
  instance, and includes the Create Playbook button which allows you to create new
  playbooks.

History Tab

The History tab shows a historic view of the playbooks that have been run in your instance,
along with some attendant information, like the current status and owner of each playbook.


You can use the panel on the left to search for a specific playbook or to filter the playbooks
displayed on this tab by criteria you choose.

The following table lists the criteria available for use in filtering playbooks.

Filtering criteria available on the Playbooks History tab

Filter      Description

Status      The three status buttons allow you to search for playbooks by their current status:
            • Overdue
            • In Progress
            • Completed

Strategy    Status notification of the rule. Each rule is classified by its severity. Values are
            (in increasing severity): info, warning, and error.

My Playbooks Tab

The My Playbooks tab shows the complete list of all playbooks that have been created in your
instance, and allows you to create new playbooks with the Create Playbook button. You can
enable or disable a playbook from this page by using the toggle next to any playbook.

Note: For complete instructions to guide you through creating a new playbook, see
Creating a Playbook.


The following table lists the columns you see on the page.

Columns on the My Playbooks tab

Column Description

Name Name of the playbook.

Description Description of the playbook.

Apps Used AlienApps associated with actions in the playbook.

Enabled Toggle button to enable or disable the playbook.

Icons to edit or delete the playbook.

In addition, USM Anywhere provides some visibility into your existing playbooks from the My
Playbooks tab. Click the plus icon to the left of any playbook in the list to view its details.

You can see the following details:

• Created On: The timestamp from when this playbook was created
• Configured By: The user who created this playbook
• Apps Used: All apps referenced by actions in this playbook
• Updated On: The timestamp from when this playbook was last updated
• Last Run: The timestamp from when this playbook was last executed
• Updated By: The user who last updated this playbook
• Configured On: The timestamp from when this playbook was configured
• Events (Past 24 Hours): The number of events related to this playbook from the past 24
  hours
• Actions: A sequential list of each action included in the playbook

Playbooks In Progress Dashboard


If you have begun any Playbooks, USM Anywhere will display these playbooks in a Playbooks
In Progress dashboard.

The following table lists the columns you see in the dashboard.

Columns on the Playbooks In Progress dashboard

Column Description

Playbook Name Name of the playbook

Alarm Name Name of the alarm this playbook is currently being run
against

Strategy The strategy type associated with this playbook

Last Action The most recent action taken in this playbook

Owner The owner of record for this playbook


Creating a Playbook

Role Availability Read-Only Investigator Analyst Manager

Each playbook comprises one or more actions, and is associated with an alarm rule in USM
Anywhere. When an alarm is triggered based off of that alarm rule, users will have the option
to run a playbook and execute one or all of the actions within that playbook as part of their
response to the alarm in USM Anywhere.

Creating a New Playbook


To create a playbook from the Playbooks page

1. Go to Settings > Playbooks and navigate to the My Playbooks tab.


2. Click Create Playbook.

3. Enter a name and description for your playbook.


4. (Optional.) Use the Alarm Rule Assignment to associate your playbook with one or more
alarm rules. Your playbook will only be available on alarms generated from these alarm
rules.

Note: Toggle the Assign Now button to Assign Later if you would like to skip this step.
Your playbook will then be available on all alarms.


5. Under the Actions section, assign an action to your playbook.


If your playbook does not have at least one action configured, the Create Playbook button
will be disabled until you add an action.

Actions in a playbook must be completed in the order in which they are configured. Take
care when assigning actions to your playbook to ensure that they are in the correct
sequence.
You can drag and drop individual actions within the Actions section to ensure that they
are in the right order.

Playbook Action Types

Action Types for Use in a Playbook

Type           Description

App-Specific   Actions that USM Anywhere will execute through or on behalf of a specific
               AlienApp. You can only select actions associated with apps that are enabled in
               your instance.

Manual         Actions that a user must complete manually. These actions appear in USM Anywhere
               as text descriptions of the action the user must execute.

System         Actions related to USM Anywhere system events which the product will execute.

• To assign an app-specific action:
  1. Use the Action Type dropdown to select the appropriate AlienApp from the list.
  2. Use the App Action dropdown to select an action from the list of actions available
     for that app.
• To assign a manual action:
  1. Use the Action Type dropdown to select Manual Action.
  2. Use the App Action text field to type a description of the manual action that a user
     should take at this step.
• To assign a system action:
  1. Use the Action Type dropdown to select System Action.
  2. Use the App Action dropdown to select a system action from the list.


Warning: Actions in a playbook must be completed in the order in which they are
configured. Take care when assigning actions to your playbook to ensure that they are
in the correct sequence.
You can drag and drop individual actions within the Actions section to ensure that they
are in the right order before creating your playbook, or edit an existing playbook to
change the order of its actions.

6. (Optional.) Click Add Action to add another action to your playbook.


7. When you have completed all of your actions, click Create Playbook.
Your new playbook will now be visible in the My Playbooks tab.

Executing a Playbook

Role Availability Read-Only Investigator Analyst Manager

Each playbook comprises one or more actions, which are associated with one or more alarms
in USM Anywhere. When an alarm associated with a configured playbook is triggered, users
will have the option to run that playbook, executing any or all of the actions within it. Once an
action is executed, that playbook is considered In Progress. Once all of a playbook's actions
have been executed, the playbook is considered Complete.

Note: You can view all of your In Progress playbooks in the Playbooks In Progress
dashboard, and view a history of all of your executed playbooks in the Playbooks History
page. A list of all playbooks created in your instance can be found in the My Playbooks
page.

How to execute a playbook

1. Go to Activity > Alarms and select an alarm to open its detail pane.
This must be an alarm generated from an alarm rule associated with a playbook, unless
you have configured playbooks that apply to all alarms.


2. Click the Run Playbook drop-down to open a list of all playbooks available for that alarm.
A popup will open and list all of the actions in the playbook you selected.

Note: If this drop-down is not shown, then there are no playbooks available for the
alarm.

3. Click Run Action to execute the current action. Since actions are configured sequentially,
actions can only be executed in order.

• If this playbook has not yet been executed for this alarm, only the first action will be
  available.
• If the playbook is already in progress for this alarm, the next action that has not yet
  been run will be available.


Important: If the playbook includes any manual actions, you will have to manually
execute the step or steps described in that action. Once you have completed the
steps this action describes, use the button to mark it Completed.

Once you have executed an action, you will see a notification message in the top right of
your USM Anywhere screen indicating whether the action was successfully executed. If so,
the status of that action will change to Completed and the next action's Run Action
button will be enabled.

4. (Optional.) Continue executing the remaining actions in this playbook.

If the Run Playbook popup is closed before all actions are successfully executed, the
playbook is considered In Progress.

5. Once all actions in a playbook are successfully executed, the playbook is considered
Completed.

Vulnerability Assessment
Role Availability Read-Only Investigator Analyst Manager

USM Anywhere delivers vulnerability assessment as part of a complete package of security
monitoring and management capabilities for efficient threat detection. USM Anywhere does
this to improve security in your network. To generate a vulnerability assessment, you first
need to know what is vulnerable.

This topic discusses these subtopics:

About Vulnerability Assessment 690

System Settings for Authenticated Scans 695

Managing Credentials in USM Anywhere 700

Performing Vulnerability Scans 721

Viewing Vulnerabilities Scan Results 725

Searching Vulnerabilities 734

Viewing Vulnerabilities Details 745

Available Remediation Patches for Vulnerabilities 751

Labeling the Vulnerabilities 751

Create a Vulnerabilities Report 756

USM Anywhere Scans Best Practices 758


About Vulnerability Assessment

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere delivers vulnerability assessment as part of a complete package of security
monitoring and management capabilities for efficient threat detection. USM Anywhere does
this to improve security in your network. To generate a vulnerability assessment, you first
need to know what is vulnerable.

Vulnerability assessment is a functionality of USM Anywhere used for defining, identifying,
classifying, and prioritizing the vulnerabilities in your system. The universal open and
standardized method for rating IT vulnerabilities and determining the urgency of response is
the Common Vulnerability Scoring System (CVSS). This method assigns severity scores to
vulnerabilities. Scores range from 0 to 10, with 10 being the most severe.

USM Anywhere works on both CVSS version 3 (CVSSv3) and the previous version 2 (CVSSv2)
for scoring.

About Vulnerability Assessment in USM Anywhere


USM Anywhere detects vulnerabilities in assets and controls these scanning functions:

l Running and scheduling vulnerability scans (see Performing Vulnerability Scans for more
information)
l Generating and examining reports (see Viewing Vulnerabilities Scan Results for more
information)

USM Anywhere detects vulnerabilities using an authenticated scan, where the USM Anywhere
Sensor initiates a credentialed SSH (in Linux systems) or Microsoft Windows Remote
Management (WinRM) (in Windows systems) connection to the asset, and remotely runs a
series of commands for host-based assessment.

Vulnerability detection is based on an implementation of the Security Content Automation
Protocol (SCAP) and the Open Vulnerability and Assessment Language (OVAL) 5.11.2 schema
version. The National Vulnerability Database (NVD) is the U.S. government's content
repository for SCAP. The OVAL schema is maintained by The MITRE Corporation and
developed by the public OVAL Community website at http://oval.mitre.org.

AT&T Alien Labs™ Open Threat Exchange® (OTX™) queries NVD and MITRE every hour looking
for the latest vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries
OTX for updating the vulnerabilities information.


For Linux variants, USM Anywhere performs a series of generic UNIX and independent schema
tests in addition to flavor-specific tests for IBM AIX, FreeBSD, Hewlett Packard Enterprise
HP-UX, and Linux. For Windows, USM Anywhere performs a series of Windows schema and
independent schema tests.

Warning: USM Anywhere removes vulnerabilities older than 90 days from the database.

About Vulnerability Severity


Discovering a vulnerability by itself is important, but it can be of little use without the ability
to estimate the associated severity for an asset. For this reason, USM Anywhere assigns a
severity to each vulnerability found in the system according to its CVSS severity score.

The following table shows the CVSS v2.0 and v3.0 ratings.

CVSS v2.0 and v3.0 Ratings

Severity v2 Score Range v3 Score Range

None n/a 0.0

Low 0.0-3.9 0.1-3.9

Medium 4.0-6.9 4.0-6.9

High 7.0-10.0 7.0-8.9

Critical n/a 9.0-10.0

Important: There is also an Under Analysis severity. This severity displays when the
National Vulnerability Database (NVD) has not assigned a CVSS base score to the
vulnerability. OTX queries NVD and MITRE every hour looking for the latest
vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries OTX to
update the vulnerabilities information. If the NVD has updated the CVSS base score for
that vulnerability, USM Anywhere will update the status after you run a new vulnerability
scan.


To see the CVSS score of a vulnerability

1. Go to Environment > Vulnerabilities.

2. Click the vulnerability to display its details.

About Active and Inactive Vulnerabilities


In USM Anywhere you can find active vulnerabilities and inactive vulnerabilities. When you run
a scan on an asset and USM Anywhere finds a vulnerability, this vulnerability is active for that
specific asset. If you later run a new scan over the same asset and USM Anywhere finds more
vulnerabilities, but the vulnerability found in the previous scan is not found in this new
scan, that vulnerability becomes inactive and the new vulnerabilities are active. Inactive
vulnerabilities are those that are not present in the latest scan but were in a previous one.

A Practical Example
USM Anywhere finds 15 vulnerabilities when you run a scan over an asset, so you will see
"active: 15, inactive: 0". Then you fix these vulnerabilities. A week later, you run a scan over the
same asset. This new scan finds 3 vulnerabilities, so you will have 3 vulnerabilities active out of
15 vulnerabilities found and USM Anywhere will display "active: 3, inactive: 12".


Searching Active or Inactive Vulnerabilities


When you go to Environment > Vulnerabilities, USM Anywhere displays, by default, all active
vulnerabilities. The Active filter is selected.

If you want to see the inactive vulnerabilities, select the filter Inactive. USM Anywhere
displays the list of your inactive vulnerabilities.


You can also see if a vulnerability is active or inactive from the full details screen of a
vulnerability.


System Settings for Authenticated Scans

An authenticated scan is a vulnerability testing measure performed from the vantage of a
logged-in user. The quality and depth of an authenticated scan depends on the privileges
granted to the authenticated user account. The following table lists the recommended
settings for creating a designated account on different operating systems (OSes). See
Creating Credentials for information about creating credentials for authenticated scans in
USM Anywhere.

Escalation Options for Authenticated Scans by OS

Operating System   Methods and Credentials                                                Escalation

Linux              SSH password or private key authentication                             sudo, su

Windows            Microsoft Windows username and password through Microsoft Windows     None
                   Remote Management (WinRM)

Requirements for Linux


You must have the following on the Linux host to perform an authenticated scan:

• The OpenSSH server installed
• Network connectivity between the USM Anywhere Sensor and the SSH port on the Linux
  host

Note: Additionally, the user account performing the authenticated scan must have
permissions to connect to the host via SSH server.

Installing the OpenSSH Server


Refer to your Linux distribution vendor documentation for instructions on how to install and
configure the OpenSSH server:

• Red Hat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s2-ssh-configuration-sshd
• Fedora: https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/infrastructure-services/OpenSSH
• Ubuntu: https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
• Debian: https://wiki.debian.org/SSH
• FreeBSD: https://www.freebsd.org/doc/handbook/openssh.html

Requirements for Windows


For Microsoft Windows hosts, USM Anywhere uses Windows Remote Management (WinRM) to
perform authenticated scans. Therefore, you need to have the following items on the
Windows machine:

• WinRM version 2.0 or later.
• PowerShell version 5.1 or later. USM Anywhere performs some tests prior to running the
  authenticated scans to make sure that the scans can succeed. These tests require
  PowerShell 5.1 or later to be installed on your machine.
• Port 5985 open on your firewall. WinRM listens for HTTP traffic at port 5985 by default.
  Make sure that your firewall allows incoming connections through this port.
• The Windows Management Instrumentation (WMI) service enabled. WinRM supports WMI
  classes and operations. It also leverages WMI to collect data about disks, network adapters,
  services, or processes in your environment.

Note: Permitting WMI access over the Distributed Component Object Model (DCOM)
network is not necessary to perform authenticated scans for USM Anywhere.

In addition, using the Group Policy Editor, go to Computer Configuration\Administrative
Templates\Windows Components\Windows Remote Shell, and make these changes:

• Enable Allow Remote Shell Access.
• Set the MaxConcurrentOperationsPerUser parameter to at least 3, ideally 10 or 15.
• Set the MaxMemoryPerShellMB parameter to 1024.

See Microsoft Documentation for more information on WinRM parameters.

Important: For a Windows server that is hardened according to the Center for Internet
Security (CIS) benchmarks, such as the CIS Amazon Machine Image (AMI) for Windows
Server 2016 available in the Amazon Web Services (AWS) Marketplace, there are local
group policies that block these connectivity requirements. For these servers, you must
open the port and re-enable WinRM and remote access each time you boot the server.


Note: In addition, you must have the Windows Remote Registry service enabled on each
asset you want to scan. When not in use, this service stops after 10 minutes, and
authenticated scans will not be able to scan Windows registries while the service is stopped.
To prevent the service from stopping when idle, the following registry value needs to be set
to 1 on the Windows endpoints:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry\DisableIdleStop

Creating a Windows Admin Account


AT&T Cybersecurity recommends that you create a designated admin account solely for the
authenticated scans rather than using an established admin account or a guest account. The
most important aspect about Windows credentials is that the account used to perform the
scans should have privileges to access all required files and registry entries, which in many
cases means administrative privileges.

Warning: While any account that is a member of the "Remote Management Users"
group can perform some of the required actions, AT&T Cybersecurity strongly
recommends using an admin account with all of the attendant privileges. While some
operations will work without explicit admin rights, other operations require admin-level
privileges and will return an "unknown", "error", or "fail" message without them.

When creating such an account, you must keep in mind the following:

• This account needs to be able to create temporary files and temporary registry values.
• This account must have remote and local logon rights. See Setting Log on Locally and the
  Security Policy for more information.
• If using Active Directory (AD), assign user rights to either the Remote Management Users
  group or the Administrators group because only these two groups can log in through
  WinRM. This authentication uses sAMAccountName, which is limited to 20 characters.
• When configuring network access policy for this account, select Classic: Local Users
  Authenticate as Themselves.
• If your machine is joined to a domain, a local account won't be able to log in. In this case,
  you must add a new registry value named LocalAccountTokenFilterPolicy:

Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value Name: LocalAccountTokenFilterPolicy
Type: DWORD
Value: 1

See Microsoft Documentation for a better understanding of Windows authentication for
remote connections.

Setting Log on Locally and the Security Policy


USM Anywhere enables you to add a WinRM credential. The account you use to log on to the
target system must have remote and local logon rights.

Note: Set the local logon rights to avoid large numbers of processes and large amounts
of memory usage.

Important: The vulnerability scan needs to be able to perform a local logon on the
target device because it needs to create a "delegatable" identity token to access
domain resources from its session on the target device. Although it is possible to run a
scan without having the local logon privileges and without the correct token, the
attempts to collect certain information can fail with errors, for example "Access Denied",
which might impact the rule results.

To set the local logon rights [1]

1. Select Start > All Programs > Accessories > Run, and then enter gpedit.msc to open
the Local Group Policy Editor.

2. In the console tree, select Computer Configuration > Windows Settings > Security
Settings > Local Policies > User Rights Assignment.

[1] These instructions may vary depending on your Windows version.


3. Click Allow Log on Locally to open its properties.


4. Assign the rights to your user.


5. Click OK.
6. Repeat these steps for Allow log on through Remote Desktop Services.

Enabling Remote Registry on an Asset


USM Anywhere requires that the Windows Remote Registry service is enabled on every asset
you intend to scan. While the scan will run without Remote Registry enabled, it will be an
incomplete scan as some definitions may not be evaluated.

Note: These instructions are to enable Windows Remote Registry on one asset. Enabling
Remote Registry from group policy is possible, but those instructions will depend on
your environment. See these steps for an example of that process, though your
environment may require different steps.

To enable Remote Registry on an asset

1. Open the Control Panel on the asset you intend to scan.

2. Select Administrative Tools.

3. Select Services.

4. Right-click the Remote Registry Service, and then select Properties.

5. Under Startup Type, use the drop-down menu to select Automatic.
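Added example, not part of this guide or of USM Anywhere, that checks the Windows prerequisites listed above in one read-only pass from an elevated PowerShell session on the asset, before you assign scan credentials to it. The function names are this example's own; it assumes the English display group name "Windows Remote Management" for the built-in firewall rules and treats a MaxMemoryPerShellMB of 1024 or more as acceptable.

```powershell
# Added example, not USM Anywhere code: read-only check of the WinRM, WMI,
# PowerShell, Remote Registry and registry prerequisites for an authenticated
# scan of a Windows asset. Run in an elevated PowerShell session on the asset.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WSManSettingOrNull {
    # Reads one setting from the WSMan: drive (needs an elevated session).
    param([string]$Path)
    $item = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.Value
}

function Test-ScanPrerequisites {
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, $Expected, $Actual, [bool]$Pass) {
        $checks.Add([pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $Actual; Pass = $Pass })
    }

    # PowerShell 5.1 or later: the pre-scan tests USM Anywhere runs depend on it.
    $v = $PSVersionTable.PSVersion
    Add-Check 'PowerShell version' '>= 5.1' "$v" (($v.Major -gt 5) -or ($v.Major -eq 5 -and $v.Minor -ge 1))

    # WinRM and WMI services must be running.
    foreach ($svc in 'WinRM', 'Winmgmt') {
        $status = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        Add-Check "Service $svc" 'Running' "$status" ("$status" -eq 'Running')
    }

    # WinRM listens for HTTP on TCP 5985 by default; the firewall must allow it inbound.
    $listener = Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue
    Add-Check 'TCP 5985 listener' 'present' $(if ($listener) { 'present' } else { 'absent' }) ($null -ne $listener)
    # Assumption: English display group name of the built-in WinRM firewall rules.
    $fw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    Add-Check 'Inbound WinRM firewall rule enabled' 'yes' $(if ($fw) { 'yes' } else { 'no' }) ($null -ne $fw)

    # Windows Remote Shell values recommended in this guide.
    $allow = Get-WSManSettingOrNull 'WSMan:\localhost\Shell\AllowRemoteShellAccess'
    Add-Check 'AllowRemoteShellAccess' 'true' "$allow" ("$allow" -eq 'true')
    $mem = Get-WSManSettingOrNull 'WSMan:\localhost\Shell\MaxMemoryPerShellMB'
    Add-Check 'MaxMemoryPerShellMB' '1024 (or more)' "$mem" (($null -ne $mem) -and ([int]$mem -ge 1024))
    $ops = Get-WSManSettingOrNull 'WSMan:\localhost\Service\MaxConcurrentOperationsPerUser'
    Add-Check 'MaxConcurrentOperationsPerUser' '>= 3 (ideally 10-15)' "$ops" (($null -ne $ops) -and ([int]$ops -ge 3))

    # Remote Registry must start automatically and must not stop when idle.
    $rr = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'" -ErrorAction SilentlyContinue
    Add-Check 'RemoteRegistry start mode' 'Auto' "$($rr.StartMode)" ("$($rr.StartMode)" -eq 'Auto')
    $idle = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry' 'DisableIdleStop'
    Add-Check 'RemoteRegistry DisableIdleStop' 1 $idle ($idle -eq 1)

    # Needed only when a local (non-domain) account scans a domain-joined host.
    $tok = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    Add-Check 'LocalAccountTokenFilterPolicy (local account on domain host)' 1 $tok ($tok -eq 1)

    return $checks
}

$results = Test-ScanPrerequisites
$results | Format-Table Check, Expected, Actual, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites are not met; the authenticated scan may be incomplete.'
}
```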

Managing Credentials in USM Anywhere

Role Availability Read-Only Investigator Analyst Manager

When running a scan in USM Anywhere, you can run it with or without authentication, a
process used to verify the identity of a user, user device, or other entity, usually through a
username and password. A credential is an identification that proves you are who you claim
to be, and you are, therefore, a reliable source.

When running a scan without authentication, USM Anywhere probes the network services
available on the target machine. Using known protocol behaviors, it attempts to identify the
software that is running as well as its configuration and version. With this information, USM
Anywhere then attempts to match the identified software with the known vulnerabilities to
produce a report. The benefit of this approach is that the detection can be very specific in
identifying known vulnerable behaviors.

When you choose to run a scan with authentication, your credentials allow USM Anywhere to
query the running machine to gain detailed and accurate information about the running
software and its configuration. This prevents false positives from misidentified services that
can sometimes occur in the unauthenticated approach. In addition, an authenticated scan
ensures that all services and software are analyzed regardless of whether the service is
running or accessible from the network.

Important: A vulnerability scan requires credentials to perform an authenticated scan on a host.

Keep in mind these points:

• USM Anywhere uses the credentials available for a given asset, no matter what the privileges are for those credentials.
• When you run a scan for an asset, USM Anywhere uses the asset credential if the asset has one; if the credential does not work or the asset does not have an assigned credential, USM Anywhere uses the credential of the group the asset is a member of, if it is part of an asset group.

Important: Credentials assigned directly to an asset have higher priority than those assigned to an asset group.

• When the asset does not have an assigned credential and the asset is a member of several asset groups with different assigned credentials, USM Anywhere tests every credential and uses the first one that works.
• When you assign a credential to an asset group, USM Anywhere assigns the credential to the group instead of assigning it to all of its members. If you want to assign a credential to all members of a group, see Assign Credentials to Group Members.
• USM Anywhere supports these cipher types:
  aes128-ctr
  3des-ctr
  blowfish-cbc
  aes256-cbc
  aes192-cbc
  aes128-cbc
  3des-cbc
  aes256-ctr
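As an added example (not USM Anywhere code), the following models the credential precedence listed above: the credential assigned directly to the asset is tried first, then the credential of each asset group the asset belongs to, and the first one that connects wins; with no working credential the scan falls back to unauthenticated probing. The connection test is a callable, stubbed here with a constructed table of hypothetical hosts, groups and credential names.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Asset:
    """Asset with an optional directly assigned credential and its group memberships."""
    name: str
    credential: Optional[str] = None                 # credential assigned to the asset itself
    groups: List[str] = field(default_factory=list)  # asset groups, in the order they are tried


def resolve_credential(
    asset: Asset,
    group_credentials: Dict[str, Optional[str]],
    can_connect: Callable[[str, str], bool],
) -> Tuple[Optional[str], str]:
    """Pick the credential a scan of `asset` would use, and report where it came from.

    Precedence as described in the guide:
      1. the credential assigned directly to the asset, if it connects;
      2. otherwise the credential of each group the asset belongs to, first one that connects;
      3. otherwise no credential: the scan falls back to unauthenticated probing.
    `can_connect(asset_name, credential)` stands in for the real SSH/WinRM connection test.
    """
    tried: List[str] = []
    if asset.credential is not None:
        tried.append(asset.credential)
        if can_connect(asset.name, asset.credential):
            return asset.credential, "asset"
    for group in asset.groups:
        cred = group_credentials.get(group)
        if cred is None or cred in tried:
            continue  # group has no credential, or this credential already failed
        tried.append(cred)
        if can_connect(asset.name, cred):
            return cred, f"group:{group}"
    return None, "unauthenticated"


# Constructed scenario (hypothetical group and credential names, not from the guide).
GROUP_CREDENTIALS: Dict[str, Optional[str]] = {
    "databases": "dba-key",
    "linux-all": "linux-svc",
    "legacy": "legacy-root",
    "printers": None,  # group with no credential assigned
}

# Which (host, credential) pairs would actually authenticate in this scenario.
WORKING_PAIRS = {
    ("web01", "web-admin"),
    ("db02", "dba-key"),
    ("app03", "legacy-root"),
}


def demo_can_connect(asset_name: str, credential: str) -> bool:
    """Stub connection test; a real implementation would open an SSH or WinRM session."""
    return (asset_name, credential) in WORKING_PAIRS


def demo_plan() -> Dict[str, Tuple[Optional[str], str]]:
    """Resolve a credential for each constructed asset and return the resulting plan."""
    assets = [
        Asset("web01", credential="web-admin", groups=["linux-all"]),
        Asset("db02", credential="stale-pw", groups=["databases", "linux-all"]),
        Asset("app03", groups=["linux-all", "legacy"]),
        Asset("prn04", groups=["printers"]),
    ]
    return {a.name: resolve_credential(a, GROUP_CREDENTIALS, demo_can_connect) for a in assets}


if __name__ == "__main__":
    for name, (cred, source) in demo_plan().items():
        print(f"{name}: {cred or '(none)'} via {source}")
```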

This topic discusses the following subtopics:


• Creating Credentials
• Assigning Credentials to Assets
• Removing Credentials from Assets

Scan Target Platform Support


USM Anywhere supports running vulnerability scans on the following platforms and devices:

Important: Any operating systems (OSes) not listed here are unsupported. USM
Anywhere operations, such as vulnerability scans, may not behave as intended on
unsupported platforms.

Microsoft Windows:

• Windows 7, 8.1, and 10
• Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019

Linux:

• Amazon Linux and Amazon Linux 2
• CentOS 6, 7, and 8
• Debian 10
• Fedora 32 and 33
• Linux Mint 18, 19, 20, and Debian Edition 4
• Oracle Linux 6, 7, and 8
• Red Hat Enterprise Linux 6, 7, and 8
• Ubuntu 16.04, 18.04, 20.04, and 20.10

Apple macOS:

• macOS 10.10, 10.11, 10.12, 10.13, 10.14, 10.15, and 11

Creating Credentials


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to assign credentials to your assets. If the required credential set
is not yet defined in USM Anywhere, you must add it before you can associate it with one or
more assets. The Credentials page displays a list of all credential sets that are defined and
available to be associated with an asset or asset group.

To add a new credential

1. Go to Settings > Credentials.

2. Click New Credentials.

The Add New Credential dialog box opens.


3. Enter a name for the credential in the Name field and, if desired, a description to clarify its
use in the Description field.

4. In Credential Type, select SSH or Windows RM based on the operating system of the
asset.

Windows RM

Important: Only members of the Administrators or Remote Management Users groups are able to log in through WS-Management. The account used to log in to the target system must have remote and local log-on rights. See Setting Log on Locally and the Security Policy for more information.

Use the Windows RM credential for a Windows operating system. After selecting Windows
RM, complete these fields:

• Username: Enter the username for the account with the required privileges.

Important: The username must have 20 characters or less.

• Password: Enter the password for the user account.
• Domain: (Optional.) Enter the domain name registered in the Domain Name System (DNS).

Note: Use a fully qualified domain name (FQDN) instead of a Network Basic Input/Output System (NetBIOS) name. If you use a NetBIOS name, you will get an invalid SSH gateway error.

• Port: If an alternative port number is required, enter the port number. The default port, 5985, is standard.

SSH

Use the SSH credential for a Linux, Apple macOS, or any other device that supports an
SSH connection. After selecting SSH, complete these fields:


• Username: Enter the username for the account with the required privileges.
• Authentication method: Set the SSH authentication mode and enter the password, private key, or both.
  • Password: Select this option to use a simple password to authenticate the user account. It is mandatory if you do not use a private key.
  • Private key (no passphrase): Select this option to use a private key to authenticate the user account.
  • Private key with passphrase: Select this option to use a private key and password combination to authenticate the user account.

  Important: A private key must start and end with the appropriate header and footer lines, such as "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----". Always copy the key in full, including these lines.

• Password: This field only appears if you select Password as the authentication method. Enter the password that authenticates the user.
• Privilege elevation: Select the elevated privilege to use for the credentials.
  • sudo: Use this option to run single commands with root privileges. For example:

    sudo 'command1'; sudo 'command2'; sudo 'command3' ...

  • su: Use this option to run single commands with superuser privileges. This requires you to enter the username and password for the superuser account. For example:

    su username -c 'command1'; su username -c 'command2'; su username -c 'command3' ...

• Port: This is automatically set (SSH listens on port 22 by default) and cannot be changed.


5. Click Save.

SSH Key Manual Generation

There are a variety of ways to create an SSH key, and your company may already have
predefined rules regarding an algorithm to use and what strength the key needs to be.
However, if you need to create an SSH key manually and don't have a predefined company
policy for the creation of the SSH key, you can use the following procedure to make a basic
RSA SSH key to add to your credentials.


To create an SSH key manually

1. Open the command line for Linux or Terminal for macOS.

2. Enter ssh-keygen to create a 2048-bit SSH key or ssh-keygen -b 4096 to create a 4096-bit SSH key, and then press Enter.

The command line prompts you to specify a file location.

3. Press Enter to use the default location (/home/<username>/.ssh/id_rsa for Linux, or /Users/<username>/.ssh/id_rsa for macOS), or designate another location for the file.

The command line prompts you to specify a passphrase and enter it again to confirm it.

4. Specify a passphrase or, if you don't want to use a passphrase, leave the line blank, and
then press Enter.

5. The SSH key is saved to either the default location or the location you specified.

Assigning Credentials to Assets

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to assign credentials to an asset, to an asset group, or to members of an asset group.

Note: Credentials assigned directly to an asset have higher priority than those assigned
to an asset group.

When USM Anywhere runs a scan or executes a system-level action, it uses the
credential set assigned directly to the asset, if there is one. If those credentials don't
connect or the asset doesn't have an assigned credential set, it uses the credential set
assigned to the group where the asset is a member, if that asset is a member of an asset
group.


Assigning Credentials to an Asset


In USM Anywhere, you assign a defined credential set to an individual asset in order to use the credentials for authenticated scans, Active Directory (AD) scans, and AlienApp for Forensics and Response actions on the host. You can assign assets to a credential set on the Credentials page, or you can perform this task from the Assets page.

To assign a credential on the Credentials page

1. Go to Settings > Credentials.

2. In the line of the credential you want to assign, click the icon.


A dialog box opens.

3. Enter part of the asset name in the field at the bottom of the dialog box.

This displays the matching items below the field. You can enter more text to filter the list further.

4. Select the asset to assign to the credential set.

The credentials overwrite dialog box opens.


Warning: If the asset already has assigned credentials, those credentials will be overwritten.

5. Next to the displayed asset name, click Test to execute a test connection to the asset
using the credentials.

If the test detects any warnings, a Permissions Warnings section displays. This section
contains a Warning column that lists the individual warnings.

A permissions error doesn't prevent the scan from running, but it can result in incomplete information in the scan results.


6. Click the icon to close the dialog box.

To assign a credential on the Assets page

1. Go to Environment > Assets and locate the asset.

2. Next to the asset name, click the icon and select Assign Credentials.

The assign credentials dialog box opens.

3. In the Available Credentials drop-down list, select the credential to use.


Note: If the needed credentials do not already exist, you can select Add New
Credentials to define them in USM Anywhere. See Creating Credentials for more
information. Use the icon to modify any information.

4. (Optional.) Select the Jump Box option if you want to authenticate through another
asset.

Select the checkbox and use the field to search for the asset you want to use as an
authentication server.

5. Click Test to execute a test connection to the asset using the selected credentials.

If the test detects any warnings, a Permissions Warnings section displays. This section contains a Warning column that lists the individual warnings and a Remediation column that provides a suggested solution to resolve each warning. A permissions error doesn't prevent the scan from running, but it can result in incomplete information in the scan results.

6. Click Save.

Assigning Credentials to an Asset Group


In USM Anywhere, you assign a defined credential set to an asset group to use the credentials
for authenticated scans, AD scans, and AlienApp Forensics and Response actions on members
of the group. You can assign asset groups to a credential set in the Credentials page, or you
can perform this task from the Asset Groups page.

Important: When you assign a credential to an asset group, USM Anywhere assigns the
credential to the asset group instead of assigning it to all of its members. If you want to
assign a credential to all members of a group, see Assign Credentials to Group Members.


To assign a credential on the Credentials page

1. Go to Settings > Credentials.

2. In the line of the credential you want to assign, click the icon.

A dialog box opens.

3. Click the Asset Groups tab.


4. At the bottom of the dialog box, enter part of the asset group name in the field.


This displays the matching items below the field. You can enter more text to filter the list
further.

5. Select the asset group to assign to the credential set.

After you select the asset group, the dialog displays the item at the top. If needed, you
can enter text for another asset group name and select it to assign multiple asset groups
for the credential set.

6. Click the icon to close the dialog box.

To assign a credential on the Asset Groups page

1. Go to Environment > Asset Groups.

2. Next to the asset name, click the icon and select Assign Credentials.

The assign credentials dialog box opens.


3. In the Available Credentials drop-down list, select the credential to use.

Note: If the needed credentials do not already exist, you can select Add New Credentials to define them in USM Anywhere. See Creating Credentials to create the new credential set. Use the icon to modify any information. Click Remove Current Credentials From Asset Group to remove that credential from the asset group.

4. Click Save.

Assigning Credentials to Group Members


1. Go to Environment > Asset Groups.
2. Click the icon next to the asset group name and select Full Details.

3. Click Actions > Assign Credentials to Group Members.

The Configure Asset Group Members dialog box opens.


4. Select the credentials to use, or create a new credential set (see Creating Credentials).
5. Click Save.

Removing Credentials from Assets

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to remove credentials from your environment.


Removing a credential from the Credentials page


1. Go to Settings > Credentials to open the credentials main page.

2. Click the icon in the line of the credential you want to remove.

Note: You can use the icon on the main credentials page to check the assets assigned to the credential. Once you delete the credential, the association between the asset and the credential ends.

3. Click Accept to confirm the process or click Cancel to exit.

Removing a credential associated with an asset from the Assets page


1. Go to Environment > Assets.
2. Select the asset. See Selecting Assets in Asset List View for more information.
3. Click the icon next to the asset you want to remove the credential from and select Assign Credentials.

4. Click Remove Current Credentials From Asset.


Note: You can also remove a credential from the assets details page. See Viewing
Assets Details for more information.

5. Click Save.

Removing a Credential Associated with an Asset Group from the Asset Groups Page

1. Go to Environment > Asset Groups.
2. Locate the asset group that you want to remove the credential from, click the icon, and select Full Details.
3. Click Modify Credentials to open the Assign Credentials to Asset Group dialog box.


4. Click Remove Current Credentials From Asset Group.

5. Click Save.

Performing Vulnerability Scans

Role Availability Read-Only Investigator Analyst Manager

In USM Anywhere you can run:


Authenticated scans

An authenticated scan verifies scanned IPs and detects vulnerabilities, configuration issues, and software. The USM Anywhere Sensor initiates a credentialed SSH (Linux), WinRM (Windows), or macOS connection to the asset and remotely runs a series of commands for host-based assessment. See Managing Credentials in USM Anywhere. You can run authenticated asset scans from these pages:

• Environment > Assets to run an authenticated scan immediately. See Running Authenticated Asset Scans for more information.
• Environment > Asset Groups to run an authenticated asset group scan immediately. See Running Authenticated Asset Groups Scans for more information.
• Settings > Scheduler to schedule an authenticated scan job for a specific period of time. See Scheduling Asset Scans from the Job Scheduler Page and Scheduling Asset Groups Scans from the Job Scheduler Page for more information.
• Environment > Vulnerabilities to run an asset scan. You can scan a single asset, an asset group, or a network range. See Running an Asset Scan from Vulnerabilities for more information.

Warning: An authenticated scan of a Linux host may fail if a local mail exchanger is enabled on the target asset.

You cannot scan USM Anywhere sensors.

Unauthenticated scans

Use an asset scan to discover services, operating systems, hostnames, IP and MAC addresses,
and vulnerabilities of known hosts in the deployed network. You can run non-authenticated
asset scans from these pages:

• Environment > Assets to run an asset scan immediately. See Running Asset Scans for more information.
• Environment > Asset Groups to run an asset group scan immediately. See Running Asset Groups Scans for more information.
• Settings > Scheduler to schedule an asset scan job for a specific period of time. See Scheduling Asset Scans from the Job Scheduler Page and Scheduling Asset Groups Scans from the Job Scheduler Page for more information.

Note: See USM Anywhere Scans Best Practices for more information.


Commands Used in Authenticated Scans


When you run an authenticated scan in USM Anywhere, there are multiple commands
executing at the same time. These commands change constantly and there are new
definitions released every day. You can also verify which commands have been executing at
any given moment.

Linux

Linux-authenticated scans use privilege escalation over SSH. Commands are logged in the audit log:
• /var/log/secure*
• /var/log/auth*
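To check what an authenticated scan actually executed on a Linux host, the sudo and su records in the audit logs named above can be parsed for the scan account. This added example (not USM Anywhere code) does that over constructed sample lines in the standard sudo and su syslog formats; the account name usmscan, the host web01 and the allowlist of expected scanner binaries are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Standard sudo syslog record:
# "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<path and args>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:.*?; )?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Standard su session record: "su[pid]: (to <target>) <user> on <tty>".
# su logs the session but not the command passed with -c.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$"
)


@dataclass(frozen=True)
class Escalation:
    timestamp: str
    host: str
    method: str       # "sudo" or "su"
    target_user: str  # account the command ran as
    command: str      # "" for su sessions (command not logged)


def parse_escalations(lines: Iterable[str], scan_user: str) -> List[Escalation]:
    """Return one Escalation per sudo/su log line attributable to scan_user."""
    found: List[Escalation] = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m and m.group("user") == scan_user:
            found.append(Escalation(m.group("ts"), m.group("host"), "sudo",
                                    m.group("target"), m.group("cmd").strip()))
            continue
        m = SU_RE.match(line)
        if m and m.group("user") == scan_user:
            found.append(Escalation(m.group("ts"), m.group("host"), "su",
                                    m.group("target"), ""))
    return found


def commands_run(lines: Iterable[str], scan_user: str) -> List[str]:
    """Distinct sudo commands run by scan_user, in first-seen order."""
    seen: List[str] = []
    for e in parse_escalations(lines, scan_user):
        if e.command and e.command not in seen:
            seen.append(e.command)
    return seen


def unexpected_commands(lines: Iterable[str], scan_user: str,
                        allowed_prefixes: Tuple[str, ...]) -> List[str]:
    """Commands by scan_user whose binary is not in the expected scanner allowlist.

    Useful for spotting the scan account being used for anything other than scanning.
    """
    return [c for c in commands_run(lines, scan_user)
            if not any(c.startswith(p) for p in allowed_prefixes)]


# Constructed sample lines in standard syslog/sudo/su format (not a real capture).
SAMPLE_LOG = """\
Oct 18 09:15:01 web01 sshd[2211]: Accepted publickey for usmscan from 10.0.0.5 port 51022 ssh2
Oct 18 09:15:02 web01 sudo:  usmscan : TTY=pts/1 ; PWD=/home/usmscan ; USER=root ; COMMAND=/usr/bin/dpkg-query -W
Oct 18 09:15:02 web01 sudo: pam_unix(sudo:session): session opened for user root by usmscan(uid=0)
Oct 18 09:15:03 web01 sudo:  usmscan : TTY=pts/1 ; PWD=/home/usmscan ; USER=root ; COMMAND=/bin/cat /etc/os-release
Oct 18 09:15:03 web01 sudo:  usmscan : TTY=pts/1 ; PWD=/home/usmscan ; USER=root ; COMMAND=/bin/cat /etc/os-release
Oct 18 09:15:05 web01 su[2290]: (to root) usmscan on pts/1
Oct 18 09:16:40 web01 sudo:   alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
""".splitlines()

if __name__ == "__main__":
    for e in parse_escalations(SAMPLE_LOG, "usmscan"):
        print(f"{e.timestamp} {e.host} {e.method} -> {e.target_user}: {e.command or '(session only)'}")
    print("outside allowlist:", unexpected_commands(SAMPLE_LOG, "usmscan", ("/usr/bin/dpkg-query",)))
```

On a real host, replace SAMPLE_LOG with the lines of /var/log/auth.log or /var/log/secure (including rotated files) read around the scan's start time.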

Windows

Windows-authenticated scans perform file and registry checks to determine the version of
the installed patch.

Running an Asset Scan from Vulnerabilities


1. Go to Environment > Vulnerabilities.

2. Click New Scan.

The Authenticated Asset Scan dialog box opens.


3. Select the assets you want to scan:

• Single Asset. Enter the name of the target you want to scan or select it from a list of your targets.
• Asset Group Name. Enter the name of the asset group you want to scan or click Select from List to select it from a list of your asset groups.
• Network Range. Enter the network range you want to scan.

4. Click Next.

A new Authenticated Asset Scan dialog box opens.


5. Click Assign Credentials to assign credentials to the assets and devices you want to scan. Click Create New Credentials to create a credential. See Managing Credentials in USM Anywhere for more information.
6. Click Select Another Target if you want to go back.
7. If you have more than one target, select the targets to scan.
8. Click Start Scan.

The scan starts. Depending on the selected asset, the scan can last several minutes. When
the scan finishes, you can see the status and if the scan found vulnerabilities. If you want
to view the results of your scan, you need to go to the asset details page. See Viewing
Assets Details for more information.

9. Click Continue Scanning And Close.

While the scan is running, a Scanning button shows. When the scan finishes, the message
Scan finished. Refresh to view scan results displays.

10. Click Refresh Scan Results to update the list.

Viewing Vulnerabilities Scan Results

Role Availability Read-Only Investigator Analyst Manager

A vulnerability is a weakness in your system, which reduces your system's information assurance. USM Anywhere helps you to define, identify, classify, and prioritize the vulnerabilities in your system.


USM Anywhere provides a centralized view of your vulnerabilities. Go to Environment > Vulnerabilities to see this centralized view.

These are the different parts of the page:

• On the left side of the page are the search and filter options. Use filters to delimit your search.
• At the top of the page, you can see any filters you have applied, and you have the option to create and select different views of the vulnerabilities.
• The main part of the page is the list of vulnerabilities, where each row describes an individual vulnerability. Click a vulnerability to open its details. See Viewing Vulnerabilities Details for more information. Each vulnerability includes a checkbox that you can use to select it. You can select all vulnerabilities on the same page by clicking the checkbox in the first column of the header row.

If you want to analyze the data, you can maximize the screen and hide the filter pane. Click
the icon to hide the filter pane. Click the icon to expand the filter pane.

Refreshing the Page


USM Anywhere gives you the option of refreshing the page manually by clicking the icon.


Vulnerabilities from Assets Main Page


To explore vulnerabilities from assets

1. Go to Environment > Assets.

2. Click the filter Has Vulnerabilities.

3. Next to the asset name that you want to explore, click the icon and then select Vulnerabilities.

The asset details page opens with the list of vulnerabilities.


4. Click the vulnerability you want to explore.


5. (Optional.) Click the star symbol to the left of the vulnerability name to mark it for quick access. Clicking the icon on the secondary menu shows the bookmarked items and a link to each of them.

Vulnerabilities List Columns

Role Availability Read-Only Investigator Analyst Manager

For each vulnerability in the vulnerabilities list, USM Anywhere displays useful information to help you manage that vulnerability.

The following table lists the fields you see on the page.

List of the Default Columns in Vulnerabilities

Column Field Name | Description
Last Seen | Last date on which the vulnerability was seen in the asset. The displayed date depends on your computer's time zone.
Vulnerability ID | Displays the associated Common Vulnerabilities and Exposures (CVE) ID, if the vulnerability has one.
Suppressed | Indicates whether this vulnerability is marked as suppressed. See Viewing Vulnerabilities Details for more information.
Vulnerability Description | Displays the description of the vulnerability.
Labels | Label applied to the vulnerability. See Labeling the Vulnerabilities for more information.
Source | Source that found the vulnerability.
Asset | Asset that is vulnerable.
Severity | Indicates the severity of the vulnerability. Values are High, Medium, Low, and Under Analysis. See About Vulnerability Severity.
Score | Displays the score in the Common Vulnerability Scoring System (CVSS). See Common Vulnerability Scoring System SIG for more information.
First Seen | Detection date of the vulnerability in the asset. The displayed date depends on your computer's time zone.
Available Patches | Displays the name of the patch and the number of additional available patches (for example, patch name [2 more patches]).
IP of the Assets | Displays the IP of the assets, if available.

From the list of vulnerabilities, you can click any individual vulnerability row to display more
information on the selected vulnerability. See Viewing Vulnerabilities Details for more
information.

To select a vulnerability, select the checkbox to the left of the vulnerability. You can select all
vulnerabilities at the same time by selecting the first checkbox in the column. These buttons
display when you select a vulnerability:

• Apply Labels: You can add a label to a vulnerability, which enables you to have classified vulnerabilities. See Labeling the Vulnerabilities for more information.
• New Scan: This button runs a new authenticated asset scan. See Running an Asset Scan from Vulnerabilities for more information.

You can choose the number of items to display by selecting 20, 50, or 100 below the table. You can sort some columns, in ascending or descending order, by clicking the icons to the right side of the heading.


Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking the icon. This displays all of your bookmarked items and provides direct links to each of them.

Click Generate Report to open the Configure Report dialog box. See Create a Vulnerabilities
Report for more information.

Click the icon displayed next to the asset name below the asset column to access these options:

• Add to Current Filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
• Find in Events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the asset in the OTX page. See Using OTX in USM Anywhere for more information.
• Full Details: See Viewing Assets Details for more information.
• Configure Asset: See Editing Assets for more information.
• Delete Asset: See Deleting the Assets for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
• Scan with AlienApp: This option enables you to run an asset scan through an AlienApp. See Running Asset Scans Using an AlienApp for more information.
• Configuration Issues: This option opens the Assets Details page with the Configuration Issues tab selected. See Viewing Assets Details for more information.
• Vulnerabilities: This option opens the Assets Details page with the Vulnerabilities tab selected. See Viewing Assets Details for more information.
• Alarms: This option opens the Assets Details page with the Alarms tab selected. See Viewing Assets Details for more information.
• Events: This option opens the Assets Details page with the Events tab selected. See Viewing Assets Details for more information.

Vulnerabilities Views


Role Availability Read-Only Investigator Analyst Manager

You can configure the view you want for the list of items in the page.

To create a view configuration

1. From the List view, select the filters you want to apply.

2. Go to Save View > Save As.

The Save Current View dialog box opens.

3. Enter a name for the view.


4. Select Share View if you want to share your view with other users.
5. Click Save.

The created view is already selected.


To select a configured view

1. From the List view, click View above the filters.

2. Click Saved Views and then select the view you want to see.

Note: A shared view includes the icon next to its name.

3. Click Apply.

To delete a configured view

1. From the Vulnerabilities list view, click View above the filters.
2. Click Saved Views and then click the icon next to the saved view you want to delete.

A dialog box opens to confirm the deletion.

Note: You can delete the views you have created.

3. Click Accept.

Important: The icon does not display if the view is selected.

Report Templates in Vulnerabilities


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes a wide range of report templates classified according to the
compliance templates for alarms, vulnerabilities, and events collected in the system. The
templates are combined into these three groups:

• PCI: Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. These reports are identified and based on specific PCI DSS requirements to provide the auditor with the specific information requested. For example, PCI DSS requirement 10.7.a: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
• NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.
• ISO 27001: ISO/IEC 27001 provides guidance for implementing information security controls to achieve a consistent and reliable security program. The ISO and the International Electrotechnical Commission (IEC) developed 27001 to provide requirements for an information security management system (ISMS).

To apply a report template

1. Go to Environment > Vulnerabilities.


2. From the Vulnerabilities list view, click View above the filters and then select Report Templates.

3. Select a report.

You can use the search field or scroll down the list.


4. Click Apply.

The result displays with the filters applied.

Searching Vulnerabilities

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes the option of searching items of interest on the page. There are
several filters displayed by default. You can either filter your search or enter what you are
looking for in the search field.

You can configure more filters and change which filters to display by clicking the Configure
Filters link located in the upper-left side of the page. The management of filters is similar to
that for assets. See Managing Filters for more information.

The following table lists the filters you see on the page.


Filters Displayed by Default in the Main Vulnerabilities Page

Filter Name | Meaning
Last 24 Hours | Filter vulnerabilities triggered in the last hour, last 24 hours, last 7 days, last 30 days, or last 90 days. You can also configure your own period of time by clicking the Custom Range option. When you click Custom Range, a calendar opens. Choose the first and last day to delimit your search by clicking the days on the calendar or entering the days directly. Then select the hours, minutes, and seconds by clicking the specific box. Finally, select AM or PM.
Active/Inactive | Filter vulnerabilities by whether they are active or inactive. See About Active and Inactive Vulnerabilities.
Labels | Filter vulnerabilities by the labels applied to the vulnerability. See Labeling the Vulnerabilities for more information.
Suppressed | Filter vulnerabilities by whether they are marked as suppressed. See Viewing Vulnerabilities Details for more information.
Vulnerability Name | Filter vulnerabilities by the name of the vulnerability.
Severity | Filter vulnerabilities by the severity of the vulnerability. Values are High, Medium, and Low. See About Vulnerability Severity.
Source | Filter vulnerabilities by the source that found the vulnerability.
Asset | Filter vulnerabilities by the asset that is vulnerable.
Asset Groups | Filter vulnerabilities by the asset group that contains the vulnerable asset. The number between parentheses indicates the number of assets in the asset group.

The number in brackets displayed next to each filter indicates the number of items that
match the filter. You can also use the filter controls to organize your search and filtered
results.

The following table describes the icons displayed with each filter box.

Icons Next to the Filter Title

Sort icon (A-Z): Sort the filters alphabetically.

Sort icon (count): Sort the filters by the number of items that match them.


In the upper-left side of the page, you can see any filters you have applied. Remove filters by
clicking the icon next to the filter. Or clear all filters by clicking Reset.

Note: When applying filters, the search combines filters of different types with the logical
AND operator. Values selected within the same filter type are combined with the logical
OR operator.
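The combination rules from the Note (AND across filter types, OR within one type), the bracketed match counts, the NOT operator described later under Advanced Mode, and the search-field rules (quoted phrases, literal wildcards) modeled in Python as an added example. This is illustrative code, not USM Anywhere's own; the sample vulnerabilities, the field names, and the requirement that every search term appear in the name are assumptions of the example.

```python
"""Added example: a model of how the Vulnerabilities page combines filters and
search terms (constructed data, not USM Anywhere code)."""
import shlex

# Constructed sample vulnerabilities, shaped like rows on the Vulnerabilities page.
SAMPLE_VULNS = [
    {"name": "OpenSSH weak ciphers", "severity": "Medium", "source": "Asset Scanner",
     "labels": ["Open"], "suppressed": False},
    {"name": "Apache HTTPD outdated", "severity": "High", "source": "Asset Scanner",
     "labels": ["In Progress"], "suppressed": False},
    {"name": "SMBv1 enabled", "severity": "High", "source": "Agent",
     "labels": ["False Positive"], "suppressed": True},
    {"name": "TLS 1.0 enabled", "severity": "Low", "source": "Asset Scanner",
     "labels": [], "suppressed": False},
]


def matches_filter(vuln, field_name, value):
    """One filter value matches when the field equals it, or, for list fields
    such as labels, contains it."""
    actual = vuln.get(field_name)
    if isinstance(actual, list):
        return value in actual
    return actual == value


def apply_filters(vulns, selected, excluded=None):
    """Combine filters the way the page describes: values of the same filter
    type are ORed, different filter types are ANDed, and NOT filters
    (advanced mode) drop any item matching one of their values.

    selected / excluded: {field_name: [value, ...]}
    """
    excluded = excluded or {}
    results = []
    for vuln in vulns:
        included = all(
            any(matches_filter(vuln, field_name, val) for val in vals)
            for field_name, vals in selected.items()
        )
        dropped = any(
            matches_filter(vuln, field_name, val)
            for field_name, vals in excluded.items()
            for val in vals
        )
        if included and not dropped:
            results.append(vuln)
    return results


def filter_counts(vulns, field_name):
    """The number shown in brackets next to each filter value: how many items
    match that value."""
    counts = {}
    for vuln in vulns:
        values = vuln.get(field_name)
        for val in (values if isinstance(values, list) else [values]):
            counts[val] = counts.get(val, 0) + 1
    return counts


def search_names(vulns, query):
    """Search-field semantics from the page: a quoted phrase is matched as a
    whole, and wildcard characters such as * are ordinary literal characters.
    Requiring every term to appear is an assumption of this example."""
    terms = shlex.split(query)  # keeps "quoted phrase" as a single term
    return [
        vuln for vuln in vulns
        if all(term.lower() in vuln["name"].lower() for term in terms)
    ]


if __name__ == "__main__":
    high_unsuppressed = apply_filters(
        SAMPLE_VULNS, {"severity": ["High"]}, excluded={"suppressed": [True]}
    )
    print([v["name"] for v in high_unsuppressed])   # ['Apache HTTPD outdated']
    print(filter_counts(SAMPLE_VULNS, "severity"))    # {'Medium': 1, 'High': 2, 'Low': 1}
    print([v["name"] for v in search_names(SAMPLE_VULNS, '"Apache HTTPD"')])
    print(search_names(SAMPLE_VULNS, "Apache*"))      # [] because the * is literal
```

Selecting High and Low under Severity together with Asset Scanner under Source returns the two Asset Scanner findings of those severities and nothing from the Agent source, which is the AND-between-types, OR-within-type behaviour the Note describes.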

Filters that have more than 10 options include a Filter Values search field for entering
text to make the search easier. If there are more than 50 search results, an icon appears
to the right of the Filter Values search field. Click this icon to download a CSV containing up
to 1024 results.


To search for Vulnerabilities using the search field

1. Go to Environment > Vulnerabilities.


2. Enter your query in the search field.

If you want to search for an exact phrase having two or more words, you need to put
quotation marks around the words in the phrase. This includes email addresses (for
example, "[email protected]").

Note: Wildcard characters are considered as literal characters.

3. Click the icon.


The result of your search displays with the items identified.

Standard and Advanced Modes on Vulnerabilities

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to toggle the search mode. The available modes are Standard
and Advanced. You can change from one mode to the other by clicking the corresponding
icon located in the upper left corner of the page.

Standard Mode
This mode enables you to select one value per filter at the same time, and then the search is
automatically performed. This mode is on by default.

To activate the standard mode when the advanced mode is on

1. Go to Environment > Vulnerabilities.


2. In the upper-left corner of the page, click the icon.

This turns the icon gray.

Note: If you exit the advanced mode and the selected filters are not compatible with
the standard mode, a warning dialog box opens to inform you the current filters will
be removed.

Advanced Mode
Advanced mode enables you to select more than one value per filter at the same time. This
mode is off by default.


To activate the advanced mode

1. Go to Environment > Vulnerabilities.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

To perform a search in the advanced mode

1. Go to Environment > Vulnerabilities.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

This turns the icon green.

3. Click the filters that you want to select.

The selected filters display inside a dashed rectangle.

4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page,
click Apply.

The result of your search displays.

To search using the NOT operator

1. Go to Environment > Vulnerabilities.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Click the filter that you want to exclude.

4. In the filter group, click Not.

Important: You have to select a filter to see this operator.

Note: The selected filter displays the icon and the filter chiclet is labeled in red.

Important: Some filters don't include the NOT operator (for example, Services or
Software).

5. Click Apply.

To search all values of a filter

1. Go to Environment > Vulnerabilities.


2. In the upper-left corner of the page, click the icon to activate the advanced mode.

3. Select a filter title to select all filters below that title.

Viewing Vulnerabilities Details

Role Availability: Read-Only, Investigator, Analyst, Manager

The vulnerabilities details page provides in-depth information on vulnerabilities.

To view the details of a vulnerability

1. Go to Environment > Vulnerabilities.

2. Click the vulnerability to display a summary view, and then click the vulnerability name to
open the full details of the vulnerability.

Click the icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and
clicking the icon. This will display all of your bookmarked items and provide direct
links to each of them.

The Vulnerabilities Details page includes the Select Action button that is supported for
your assigned user role. Use this button to launch an authenticated asset scan. See
Applying Actions to Vulnerabilities for more information.

You can see the vulnerabilities details, then a description, the affected software, and the
associated asset. If you want more information, click the icon. See Viewing Assets
Details for more information.

The Labels field indicates if the vulnerability has been classified by using a label. You can
click the icon to manage the labels of the vulnerability. See Labeling the
Vulnerabilities for more information.

The Suppressed field enables you to indicate whether this vulnerability has been
suppressed. You can click the icon to select a suppression option (Yes or No). A
vulnerability marked Yes will continue to be marked as suppressed on all future scans or
until this field is updated.

3. In the upper right corner, click previous and next to navigate between items.
4. Click the icon to close the dialog box.

5. Click the vulnerability title to expand its details.

Applying Actions to Vulnerabilities

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere enables you to respond to a vulnerability. Use the Select Action button to
launch an authenticated scan of an asset. You need to select the sensor, if you have more
than one installed in your environment, and then indicate the asset to scan.


To apply an action to a vulnerability

1. Go to Environment > Vulnerabilities.


2. Search for the vulnerability for which you want to launch an authenticated scan.
3. Click the vulnerability.

4. The vulnerability details dialog box opens with the information about the specific
vulnerability.

5. Click Select Action.

A dialog box opens. Depending on the sensors installed in your environment and the
advanced AlienApps available for those sensors, the dialog box and its options can differ.
See Advanced AlienApps for more information.

6. Depending on the selected option, you should fill in different fields.


7. Click Run.

Available Remediation Patches for Vulnerabilities

USM Anywhere enables you to display the available remediation patches for a vulnerability. In
case of an existing remediation patch for a vulnerability, USM Anywhere displays the patch
name, a description, the source, and the reference identification (ID).

To display the available remediation patches on a vulnerability

1. Go to Environment > Vulnerabilities.


2. Search for the vulnerability where you want to see the available remediation patches. See
Searching Vulnerabilities for more information.
3. Click the vulnerability to open a dialog box with the vulnerability.
4. Click the vulnerability title to open the full details of the vulnerability.

5. Click the Available Patches tab.

Labeling the Vulnerabilities

Role Availability: Read-Only, Investigator, Analyst, Manager

USM Anywhere includes a set of labels that you can use to classify your vulnerabilities, to
track the status of the vulnerabilities, and to search vulnerabilities using them as a filter. See
Searching Vulnerabilities for more information on how to search vulnerabilities.

You can't edit or delete the set of default labels:

• In Progress
• Closed
• Open
• False Positive

USM Anywhere enables you to create, edit, and delete your own labels. You can apply a label
to one or more vulnerabilities. You can also apply multiple labels to the same vulnerability.

To label a vulnerability from the vulnerabilities main page

1. Go to Environment > Vulnerabilities.


2. Search for the vulnerability or vulnerabilities to which you want to apply a label. See
Searching Vulnerabilities for more information.

3. Do one of these options:

• Click the icon in the labels column of the vulnerability you want to label, select the
label, and click Apply.

• Select the checkbox to the left of a vulnerability, click Apply Labels, select the label,
and click Apply.

To label a vulnerability from the vulnerabilities details page

1. Go to Environment > Vulnerabilities.


2. Search for the vulnerability to which you want to apply a label. See Searching
Vulnerabilities for more information.
3. Click the vulnerability.

4. In the Labels field, click the icon to select a label.

5. Click Save.

To create a new label

1. Go to Environment > Vulnerabilities.


2. Select the checkbox to the left of the vulnerability.
3. Click Apply Labels.
4. Click Manage Custom Labels.
5. Click Create New Label.

6. Enter a name for the label.


7. Click Save.

To edit a label

1. Go to Environment > Vulnerabilities.


2. Select the checkbox to the left of the vulnerability.
3. Click Apply Labels.
4. Click Manage Custom Labels.
5. Click the icon next to the label you want to edit.

6. Modify the name of the label.


7. Click the icon to apply the changes.

To remove a label from a vulnerability

1. Go to Environment > Vulnerabilities.


2. Select the checkbox to the left of a vulnerability. You can also select several
vulnerabilities or select all vulnerabilities at the same time by selecting the first checkbox in
the column.
3. Click Remove Vulnerabilities Labels.
4. Select the label or labels you want to remove.
5. Click Remove.

To remove a label from a vulnerability

1. Go to Environment > Vulnerabilities.


2. Do one of these options:
• Select the checkbox to the left of a vulnerability. You can also select several
vulnerabilities or select all vulnerabilities at the same time by selecting the first checkbox
in the column. Then click Remove Vulnerabilities Labels, click the label, and click
Remove.
• In the labels column of the vulnerability from which you want to remove the label, click
the icon next to the label.

Create a Vulnerabilities Report

Role Availability: Read-Only, Investigator, Analyst, Manager

You can create a PDF or CSV report of the vulnerabilities directly from the vulnerabilities
page.

Important: AT&T Cybersecurity recommends Google Chrome as the preferred browser
for generating reports. The use of alternative browsers may result in poor formatting.

To create a vulnerabilities report

1. Go to Environment > Vulnerabilities.

2. You can use filters to define the vulnerabilities content you want to display in your report,
or select the vulnerabilities you want to include in your report.

3. Click Generate Report to open the Configure Report dialog box.

The filters selected and displayed for the page view are the ones that are populated in the
report.

4. Click Edit Filters if you want to modify the selected filters, and then click Continue to
Filters. Do the modifications you need, and then click Edit Report.

5. Click the Date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
to set a particular date range.

Note: This option is not available when generating reports for assets or asset
groups.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and then choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report.
Select the Send to my Email Address option to add your email automatically.
9. Select the Enable Link Expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report.
This name will be displayed in the Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report. For CSV the options are 20, 50, 100, 500, 1000, or 50 K. For PDF the options
are 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views.
You can add or remove graphs included in the report by clicking the and icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports on USM
Anywhere page and receive the report in the indicated email.
16. Click Run to run the report.

USM Anywhere Scans Best Practices

USM Anywhere provides several kinds of scans that can be run in different ways. This page
explains the types of scans, the specific ways of running each one, and the recommended
order for running scans so that you avoid duplicate assets. See USM Anywhere
Scheduler Best Practices for more information.

Discovery Methods
The following table shows the types of scans that you can run using USM Anywhere.

Types of Scans in USM Anywhere

Active directory (AD)
  Information collected: Inventory Information
  From where you can do it: Setup Wizard during your sensor's deployment; at any time from the sensor details page; Job Scheduler page
  Sensors: Microsoft Azure, Microsoft Hyper-V, and VMware
  References: Completing the Azure Sensor Setup, Completing the Hyper-V Sensor Setup, and Completing the VMware Sensor Setup

Asset discovery
  Information collected: Discovers assets in your environment, detects changes in assets, and discovers malicious assets in the network
  From where you can do it: Setup Wizard; Adding new assets both in a quick and in an advanced way; Job Scheduler page
  Sensors: All
  References: Completing the Hyper-V Sensor Setup, Completing the VMware Sensor Setup, Adding Assets

Asset group scans
  Information collected: Assets
  From where you can do it: Asset groups; Job Scheduler page
  Sensors: All
  References: Running Asset Groups Scans

Asset scans
  Information collected: Assets
  From where you can do it: Assets; Job Scheduler page
  Sensors: All
  References: Running Asset Scans

Authenticated asset group scans
  Information collected: Assets
  From where you can do it: Asset Groups; Job Scheduler page
  Sensors: All
  References: Running Authenticated Asset Groups Scans

Authenticated asset scans
  Information collected: Assets
  From where you can do it: Assets; Job Scheduler page
  Sensors: All
  References: Running Authenticated Asset Scans

Log collection scans
  Information collected: Log files from an external data source
  From where you can do it: Job Scheduler page; log collection jobs are initially preset at installation and can't be modified by a user
  Sensors: All
  References: USM Anywhere Scheduler

Scheduled AD scan jobs
  Information collected: Inventory Information
  From where you can do it: Job Scheduler page
  Sensors: Microsoft Azure, Microsoft Hyper-V, and VMware
  References: Scheduling Active Directory Scans from the Job Scheduler Page

Scheduled API scans
  Information collected: Assets
  From where you can do it: Job Scheduler page
  Sensors: GCP, Microsoft Azure, Microsoft Hyper-V, and VMware
  References: USM Anywhere Scheduler

Scheduled asset scans
  Information collected: Assets
  From where you can do it: Job Scheduler page
  Sensors: All
  References: Scheduling Asset Scans from the Job Scheduler Page

Scheduled asset group scans
  Information collected: Assets
  From where you can do it: Job Scheduler page
  Sensors: All
  References: Scheduling Asset Groups Scans from the Job Scheduler Page

Scheduled authenticated asset scans
  Information collected: Assets
  From where you can do it: Job Scheduler page
  Sensors: All
  References: Scheduling Asset Scans from the Job Scheduler Page

Scheduled authenticated asset group scans
  Information collected: Assets
  From where you can do it: Job Scheduler page
  Sensors: All
  References: Scheduling Asset Groups Scans from the Job Scheduler Page

User scans
  Information collected: Scheduled user behavior monitoring scan jobs
  From where you can do it: Job Scheduler page
  Sensors: All
  References: Scheduling User Discovery Jobs from the Job Scheduler Page
Performance Issues Associated with Scans


When running a scan, keep the following in mind:

• Run API scans first to avoid duplicates and discover the most assets in your environment,
and then run asset discovery/asset (group) scans with the Asset Scanner to update the
assets. When an asset is first discovered through a network scan and is later discovered
through an API method, the asset will be duplicated.
• After deploying an agent, link it to existing assets.
• When an AD scan discovers an asset, any asset discovery/asset (group) scan updates the
existing asset created by the AD scan.
• Assets discovered by API methods contain far more information than assets discovered by
network scans and greatly reduce the risk of having duplicate assets. For example, assets
discovered by API methods can include information such as the asset state (powered on,
powered off, terminated, and so on), the resources allocated to the asset, or the asset
operating system.
• If multiple API methods return the same assets, then use only the method that provides
the most assets to prevent duplicate assets. The other API methods can be disabled in the
Job Scheduler page. See USM Anywhere Scheduler for more information.
• The following table shows what each discovery method provides, to help you choose one
scan type over another:

Scans Differences

Discovery Type | AD Scan | VMware Scan | AWS Scan | Azure Scan | GCP Scan | Network Scan | Agent | Manually Created
API | Yes | Yes | Yes | Yes | Yes | No | No | No
Asset OS information | Yes | Yes | Yes | Yes | Yes | Yes | Depends on information gathered | No
Host resources | Yes | Yes | Yes | Yes | Yes | No | No | No
Asset info updates | Yes | Yes | Yes | Yes | Yes | Yes | Depends on information gathered | Depends on information gathered
Asset state | No | Yes | Yes | Yes | Yes | No | Only agent state | No

Open Threat Exchange® and USM Anywhere
AT&T Alien Labs™ Open Threat Exchange® (OTX™) is an open information-sharing and
analysis network that provides access to real-time information about issues and threats that
may impact your organization, allowing you to learn from and work with others who have
already experienced such attacks.

Information in OTX derives from both public and private entities. Alien Labs and other security
researchers constantly monitor, analyze, reverse engineer, and report on sophisticated
threats including malware, botnets, phishing campaigns, and more. An OTX pulse consists of
one or more Indicators of Compromise (IOCs) that constitute a threat or define a sequence of
actions that could be used to carry out an attack.

Topics covered in this section include:

About OTX 763

Using OTX in USM Anywhere 765

Entering Your OTX Key 771

About OTX

AT&T Alien Labs™ Open Threat Exchange® (OTX™) is a threat data platform that provides
open access for all, allowing you to collaborate with a worldwide community of threat
researchers and security professionals.

On the OTX page, you can connect the deployed USM Anywhere Sensor to your OTX account.
Once connected, the sensor starts to receive raw pulse data from OTX and USM Anywhere
correlates that data.

When it detects Indicators of Compromise (IOCs) interacting with assets in your environment,
USM Anywhere generates related OTX pulse and IP Reputation-related security events and
alarms. The platform consists of these two chief components:

• Pulses: Collections of indicators of compromise (IOCs), reported by the OTX community,
which other community members review and comment on. Pulses provide you with a
summary of the threat, a view into the software targeted, and the related IOCs, reported by
the OTX community worldwide. See About OTX Pulses and IOCs.
• IP Reputation: Provides notification of communication between known malicious hosts
and your assets. See About OTX IP Reputation.

About OTX Pulses and IOCs


The OTX community reports on and receives threat data in the form of pulses. A pulse
consists of at least one, but more often multiple, Indicators of Compromise (IOCs).

An IOC is an artifact observed on a network or in an end point, judged with a high degree of
confidence to be a threat vector. Examples of threat vectors include campaigns or
infrastructures used by an attacker. This table provides a list of IOC types:

Indicator of compromise (IOC) types

CIDR Rules: Classless inter-domain routing. Specifies a range of IP addresses on a network that is suspected of malicious activity or attack.

CVE number: Standards group identification of Common Vulnerabilities and Exposures (CVEs).

Domains: A domain name for a website or server suspected of hosting or engaging in malicious activity. Domains may also encompass a series of hostnames.

Email: An email address associated with malicious activity.

File Hashes (MD5, SHA1, SHA256, PEHASH, IMPHASH): A hash computation for a file that can be used to determine whether the contents of a file may have been altered or corrupted.

File Paths: Unique location in a file system of a resource suspected of malicious activity.

Hostnames (subdomains): The hostname for a server located within a domain, suspected of malicious activity.

IP Addresses: An IP address used as the source/destination for an online server or other device suspected of malicious activity.

MUTEX Name: Mutual exclusion object allowing multiple program threads to share the same resource. Mutexes are often used by malware as a mechanism to detect whether a system has already been infected.

URI: A uniform resource identifier (URI) that describes the explicit path to a file hosted online, which is suspected of malicious activity.

URL: A uniform resource locator (URL) that summarizes the online location of a file or resource associated with suspected malicious activity.

About OTX IP Reputation


OTX IP Reputation identifies IP addresses and domains worldwide that are submitted by the
OTX community. IP Reputation verifies them as either malicious or, at least, suspicious until
more data comes in to increase their threat ranking. Through its incoming IP data from all of
these sources, IP Reputation supplements OTX data with valuable data about actively or
potentially malicious activity appearing worldwide that can affect your systems.

IP Reputation Data Sources


IP Reputation receives data from a variety of sources:

• Open-source intelligence: Public and private security research organizations.
• USM Anywhere deployments: Consists of users who have voluntarily agreed to
anonymously share information about external traffic into their network with AT&T Cybersecurity.

Note: AT&T Cybersecurity ensures that none of the data shared with OTX can be traced
to the contributor or their USM Anywhere deployment.

Who Has Access to IP Reputation?


All USM Anywhere users receive the benefit of IP Reputation data whether or not they sign up
for an OTX account.

When you open an OTX account, you may elect to share IP Reputation data with other OTX
users. Any data you contribute are anonymous and secure.

Note: You can configure USM Anywhere to stop sharing IP Reputation data with OTX at
any time by visiting the Open Threat Exchange Configuration page.

IP Reputation Ranking Criteria


IP Reputation uses ranking criteria based on IP Reliability and IP Priority that OTX updates on
an ongoing basis to calculate changing assessments to risk level. This helps prevent false
positives.

IP Reliability
IP Reputation data derives from many data sources of differing reliability. Ranking in this case
is based on the relative number of reports regarding a malicious IP in relation to others
reported. If, for example, OTX receives 10 reports on a given IP address versus 20 on another,
it gives the IP with 10 reports a lower reliability ranking than the IP with 20 reports.

IP Priority
OTX ranks IP address priority, based on the behavior associated with each IP address listed.
For example, an IP address used as a scanning host receives a lower priority than an IP
address known to have been used as a Botnet server.

Ongoing Ranking Reassessment


OTX constantly updates its IP Reputation data as new information emerges, affecting IP
reliability or priority criteria. Each update re-prioritizes IP reliability and priority values and the
threat level of an IP accordingly.

Using OTX in USM Anywhere

Role Availability: Read-Only, Investigator, Analyst, Manager

When you sign up for and connect your Open Threat Exchange® (OTX) account to your USM
Anywhere deployment, it configures USM Anywhere to receive raw pulse data and other IP
reputation information. (Reputation data is updated separately from OTX pulse information.)

USM Anywhere then correlates that data with incoming events, alerting you to OTX pulse and
IP Reputation-related security events and alarms when it detects IOCs interacting with assets
in your environment. Such interactions might consist of malicious IPs communicating with
systems, malware detected in your network, or outbound communication with command-
and-control (C&C) servers.

Connecting OTX to USM Anywhere helps manage risks and threats in these ways:

• USM Anywhere receives threat updates every 15 minutes in the form of raw data for all
pulses to which you subscribe, either directly or through subscriptions to other OTX users.
• You receive updates on your subscribed pulses by email, either individually as they occur or
in digest mode.
• You can review an OTX pulse activity feed containing detailed analytics about related
threat vectors reported by OTX.
• As soon as you log into USM Anywhere, you can see which pulses are most active in your
environment by looking at the Open Threat Exchange Dashboard.
• USM Anywhere evaluates IOCs against all events as they are generated and raises an
alarm when a malicious IP address communicates with any of your assets, or when any
other IOCs become active in your network.

OTX Account and OTX Key


USM Anywhere enables you to display OTX information if you have a valid OTX key. Go to
Settings > OTX to see the AlienVault Open Threat Exchange (OTX) page.

See Entering Your OTX Key for more information about how to enter your OTX key.

OTX IP Reputation Data Correlated with Events


USM Anywhere maintains an IP reputation list that stores data it receives from OTX about
public IP addresses involved in malicious or other suspect activities. Whenever an event has
its source or destination IP addresses listed in the IP Reputation list, reputation data will be
added to the data stored for the event. This enables USM Anywhere to support some
additional features like re-prioritization of events and alarms depending on the IP of the hosts
involved.

The IP reputation list maintained by USM Anywhere is stored on the USM Anywhere Cloud.
Activity, Reliability, and Priority values provided by OTX are saved with event information for
those events having reputation data for either source or destination IP addresses.

The main purpose of the IP reputation list is to provide a list of known or potentially
dangerous IP addresses. If an alarm or event is generated by the action of a listed dangerous
IP address, that event has a smaller probability of being a false positive. This also
enables the recalculation of event/alarm risk depending on the "IP Reliability" and "IP
Priority" values.

Note: Reputation events are anonymized and submitted to the AT&T Cybersecurity
OTX service for those customers who enable that capability in USM Anywhere. With the
feedback received from customer systems and all the other sources AT&T
Cybersecurity uses, the IP Reputation values are updated before being redistributed to
customers.

Displaying Alarms and Events Based on OTX Pulse and IP Reputation


The USM Anywhere Alarm and Events web UI provides methods of searching for and filtering
alarm and security events based on OTX pulse and IP Reputation information. For each event,
the database stores associated information on the source and destination IP address
provided by OTX, in addition to the activity reported in the event, for example, spamming,
phishing, scanning, malware distribution, and so on.

Searching, Filtering, and Viewing Alarms


Different from the way other alarms are processed, USM Anywhere generates an alarm
whenever it detects even one event associated with an OTX pulse. Alarm correlation begins at
that point and proceeds for a period of 24 hours. During this time, USM Anywhere adds any
new events related to that pulse to the same alarm.

If any new events related to the pulse occur after that 24-hour period, USM Anywhere
generates a second alarm and a new correlation period begins. As an exception to this rule,
should an event contain data on record with OTX IP Reputation information, USM Anywhere
correlates the alarm, using its standard directive taxonomy.
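The enrichment and correlation behaviour described in this section (reputation data attached to events whose source or destination IP is on the list, pulse IOCs matched against events, and one alarm per pulse per 24-hour window) modeled in Python as an added example. It is not USM Anywhere code; the reputation values, pulses, events, and the handling of the exact 24-hour boundary are constructed assumptions.

```python
"""Added example: a model of OTX IP Reputation enrichment, pulse IOC matching
and the 24-hour per-pulse alarm window (constructed data, not USM Anywhere code)."""
from datetime import datetime, timedelta

# Constructed reputation list (RFC 5737 documentation addresses; not real OTX data).
# Activity, reliability and priority mirror the values the text says are stored.
REPUTATION = {
    "203.0.113.10": {"activity": "Scanning Host", "reliability": 4, "priority": 2},
    "198.51.100.7": {"activity": "C&C", "reliability": 8, "priority": 7},
}

# Constructed pulses: each maps an IOC type to the set of indicator values.
PULSES = {
    "pulse-example-1": {
        "IPv4": {"198.51.100.7"},
        "domain": {"bad.example"},
        "FileHash-SHA256": {"a" * 64},
    },
    "pulse-example-2": {"IPv4": {"192.0.2.55"}},
}

CORRELATION_WINDOW = timedelta(hours=24)


def enrich_event(event):
    """Attach reputation data when the source or destination IP is on the list."""
    enriched = dict(event)
    for side in ("source", "destination"):
        rep = REPUTATION.get(event.get(f"{side}_ip"))
        if rep:
            enriched[f"{side}_reputation"] = rep
    return enriched


def matching_pulses(event):
    """Pulse ids whose IOCs (IP, domain or file hash) appear in the event."""
    hits = []
    for pulse_id, iocs in PULSES.items():
        if (event.get("source_ip") in iocs.get("IPv4", set())
                or event.get("destination_ip") in iocs.get("IPv4", set())
                or event.get("domain") in iocs.get("domain", set())
                or event.get("file_hash") in iocs.get("FileHash-SHA256", set())):
            hits.append(pulse_id)
    return hits


def correlate_pulse_alarms(events):
    """The first event matching a pulse opens an alarm; events within 24 hours
    of that opening join it; an event at or after the 24-hour mark opens a
    new alarm (the exact boundary is an assumption of this example)."""
    alarms = []
    open_alarm = {}  # pulse id -> most recent alarm for that pulse
    for event in sorted(events, key=lambda e: e["time"]):
        for pulse_id in matching_pulses(event):
            alarm = open_alarm.get(pulse_id)
            if alarm is None or event["time"] - alarm["opened"] >= CORRELATION_WINDOW:
                alarm = {"pulse": pulse_id, "opened": event["time"], "events": []}
                alarms.append(alarm)
                open_alarm[pulse_id] = alarm
            alarm["events"].append(event["id"])
    return alarms


# Constructed events: internal hosts (10.0.0.0/8) interacting with the indicators above.
T0 = datetime(2023, 10, 1, 8, 0)
SAMPLE_EVENTS = [
    {"id": "ev1", "time": T0, "source_ip": "10.0.0.5", "destination_ip": "198.51.100.7"},
    {"id": "ev2", "time": T0 + timedelta(hours=5), "source_ip": "10.0.0.9", "domain": "bad.example"},
    {"id": "ev3", "time": T0 + timedelta(hours=30), "source_ip": "10.0.0.5", "file_hash": "a" * 64},
    {"id": "ev4", "time": T0 + timedelta(hours=1), "source_ip": "203.0.113.10", "destination_ip": "10.0.0.20"},
]


if __name__ == "__main__":
    for alarm in correlate_pulse_alarms(SAMPLE_EVENTS):
        print(alarm["pulse"], alarm["opened"], alarm["events"])
    # pulse-example-1 2023-10-01 08:00:00 ['ev1', 'ev2']
    # pulse-example-1 2023-10-02 14:00:00 ['ev3']
    print(enrich_event(SAMPLE_EVENTS[3])["source_reputation"]["activity"])  # Scanning Host
```

In the sample, ev1 opens the alarm for pulse-example-1, ev2 (five hours later, matching the pulse's domain) joins it, and ev3 (thirty hours later, matching the file hash) falls outside the window and opens a second alarm. ev4 matches no pulse but its source IP is on the reputation list, so it is enriched with the Scanning Host activity and the reliability and priority values rather than producing a pulse alarm.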

Note: If an OTX pulse is creating too much noise and generating too many false positive
alarms, you can always just unsubscribe from the pulse.

USM Anywhere does not offer a filter for IP Reputation-based alarms. However, you can view
these within the Alarms list, where they occur. See Alarms List View for more information.

You can configure the columns/fields related to OTX information to be displayed in the list
and save your columns configuration to get back to it whenever you need it. See Configuring
Columns within List View for more information.

Important: The "Suspicious Behavior - OTX Indicators of Compromise" correlation rule
generates alarms if the pulse comes from the AlienVault OTX account.

Searching, Filtering, and Viewing Events


From the USM Anywhere Events main page, you can search for and filter events based on
whether OTX pulses exist for source or destination IP addresses, as well as the severity of
different IP Reputation scores. See Events List View for more information.

This screenshot displays the search and filter OTX options:


You can configure the columns and fields related to OTX information to be displayed in the
list and save your columns configuration to get back to it whenever you need it. See
Configuring Columns for more information.

Once you have made your selection, the Event list display will be updated to show only those
events matching the IP Reputation criteria you specified, plus OTX pulse information, if you
selected that option.

In the Events main page, you can click the icon to display the OTX IP Reputation
information available for an event. This icon opens the AlienVault OTX page.

Creating rules using OTX and Threat Intelligence IOC fields


USM Anywhere enables you to create orchestration rules using OTX and threat intelligence
Indicator of Compromise (IOC) fields and functions. You can select the OTX and threat
intelligence fields as conditions to create an orchestration rule. See Orchestration Rules for
more information and this example of how to create an alarm rule using threat intelligence
IOC fields.

To create an alarm rule using threat intelligence IOC fields

1. Go to Settings > Rules > Orchestration Rule.

2. Select Create Orchestration Rule > Alarm Rules.

3. Click Add Condition and select the property values you want to include in the rule to
create a matching condition.

Note: If the field is related to the name of a country, you should use the country
code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique
identifier (UUID) of the event or alarm. You can use the Source Name or Destination
Name field instead.

Important: Instead of using the "equals" and "equals, case insensitive" operators
for array fields, AT&T Cybersecurity recommends the use of the "in" or "contains"
operators.


Note: If you need to add a property value that maps with a property key, you need
to know the mapping of the field. See Determining the Mapping of a Field for more
information.

4. (Optional.) Click Add Group to group your conditions.

Note: See Operators in the Orchestration Rules for more information.

5. Click Next.
6. Enter a name for the rule.
7. Select an intent.

The intent describes the context of the behavior that is being observed. These intents
roughly map to the stages of the intrusion kill chains but are collapsed to ensure that
each is discrete. See Intent for more information about the available threat categories.

8. Enter a method.

If known, it is the method of attack or infiltration associated with the indicator that
generated the alarm.

Note: This is a required field; if you do not complete this field, the Save button
remains inactive.

9. Select a strategy.

The strategy describes the broad-based strategy or behavior that is detected. The
intention is to describe the malicious user's strategy to achieve their goal.

10. Enter a priority.

See Priority Field for Alarms for more information.

11. Configure a mute duration set in seconds, minutes, and hours.

You can use the mute value to set the period of time during which, once an alarm is
created, USM Anywhere will not create a new alarm based on the same conditions.

Note: Take care to set a mute duration that is long enough to cover the span of
time in which matching events will occur to maximize the efficacy of your mute.


Important: If your USM Anywhere™ is restarted when one of your alarm mutes is
active, or if there is an update or hotfix, the alarm mute will be canceled.

12. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.

In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

13. Select the fields that you want to display in the generated alarm.

You can select or remove the fields you want to include in the details of the alarm by
clicking the corresponding icons.

14. Click Save.

The created rule displays in the list of rules. See Alarm Rules from the Orchestration Rules
Page for more information.

Entering Your OTX Key

Role Availability Read-Only Investigator Analyst Manager

You need to sign up for an AT&T Alien Labs™ Open Threat Exchange® (OTX™) account and
have an OTX key if you want USM Anywhere to receive alerts based on threats identified in
OTX.

To enter your OTX key in USM Anywhere

1. Go to Settings > OTX.

2. Enter the OTX key you obtained from the OTX API page.
3. Select the look-back period. See The Look-Back Period for more information.

4. Click Validate OTX Subscription Key.

A message displays at the top of the page to inform you about the success of the
subscription, and the Valid OTX Key is green.

Note: USM Anywhere displays if the subscription is enabled and if the OTX pulses are
up-to-date. If the OTX pulses are not up-to-date, USM Anywhere displays when they
have been updated.

To delete the OTX Subscription

1. Go to Settings > OTX.

2. Click Delete OTX Subscription.

A message displays at the top of the page to inform you that the subscription has
been deleted.

The Look-Back Period


USM Anywhere enables you to configure a period of time, called a look-back period, for
receiving raw pulse data from OTX. The look-back period helps your environment to be more
effective and agile. Threats are continuously changing, and it is important to have this data
updated. In addition, Indicators of Compromise (IOCs) get old quickly and an IP address that
was a threat three months ago may not be now.

Note: Configuring a look-back period helps you avoid alarms generated by old pulses
that no longer have current value.

You can define a look-back period, which uses pulses from the current date back for a certain
range of time that you choose. These are the look-back period options from which you can
choose:

l 1 month: Select this option to use pulses from the current day to the previous month.
l 3 months: Select this option to use pulses from the current day to the previous 3 months.
l 6 months: Select this option to use pulses from the current day to the previous 6 months.
l 1 year: Select this option to use pulses from the current day to the previous year.
l Unlimited: Select this option to use pulses without a restriction of time.

Important: The longer the selected period is, the higher the chance to get false
positives on obsolete information.

Note: The range of the look-back period that you choose adjusts according to what is
the current day of the month. This means that, for example, if you have chosen the 1
month option and it is the first day of the month, you will receive pulses from the
previous month, and when it is the fifth day of the month, you will receive pulses from
that fifth day of the month to the fifth day of the previous month.

To update the look-back period

1. Go to Settings > Threat Intelligence.

2. Change the look-back period.

3. Click Update.

A message displays at the top of the page to inform you that the OTX Subscription has
been updated.

Important: Updating the look-back period takes some time, depending on your
selection.
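The 24-hour pulse correlation described under Searching, Filtering, and Viewing Alarms and the look-back period described above, as an added Python model that is not USM Anywhere code or part of this guide. The pulse dates, event timestamps, the month-end clamping and the treatment of an event exactly 24 hours after the alarm opened are constructed assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The guide states that one OTX pulse alarm keeps collecting related events for 24 hours.
CORRELATION_WINDOW = timedelta(hours=24)

# Look-back options from the guide, in months (None means Unlimited).
LOOKBACK_MONTHS = {"1 month": 1, "3 months": 3, "6 months": 6, "1 year": 12, "Unlimited": None}


def lookback_start(today: date, option: str) -> Optional[date]:
    """Earliest pulse date that is still inside the look-back period.

    The guide says the range keeps the current day of the month (the 5th maps to
    the 5th of the earlier month). Clamping to the last day of a shorter month
    (31 March -> 28 February) is an assumption; the guide does not cover that case.
    """
    months = LOOKBACK_MONTHS[option]
    if months is None:
        return None
    year, month = today.year, today.month - months
    while month <= 0:
        month += 12
        year -= 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(today.day, last_day))


@dataclass
class OtxEvent:
    ts: datetime
    pulse_id: Optional[str] = None   # None when only IP Reputation data matched
    ip_reputation: bool = False      # event carries OTX IP Reputation information


@dataclass
class PulseAlarm:
    pulse_id: str
    opened_at: datetime
    events: List[OtxEvent] = field(default_factory=list)


def correlate_otx(events: List[OtxEvent], pulse_dates: Dict[str, date],
                  today: date, option: str) -> Tuple[List[PulseAlarm], List[OtxEvent]]:
    """Group pulse-matched events into alarms the way the guide describes.

    Returns (pulse alarms, events left to the standard directive taxonomy).
    """
    start = lookback_start(today, option)
    alarms: List[PulseAlarm] = []
    standard_path: List[OtxEvent] = []
    open_alarm: Dict[str, PulseAlarm] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ip_reputation:
            # Exception in the guide: IP Reputation matches use the standard taxonomy.
            standard_path.append(ev)
            continue
        if start is not None and pulse_dates[ev.pulse_id] < start:
            continue  # pulse older than the look-back period: no alarm on a stale IOC
        alarm = open_alarm.get(ev.pulse_id)
        # Assumption: an event exactly 24 h after the alarm opened starts a new alarm.
        if alarm is None or ev.ts - alarm.opened_at >= CORRELATION_WINDOW:
            alarm = PulseAlarm(ev.pulse_id, ev.ts)
            alarms.append(alarm)
            open_alarm[ev.pulse_id] = alarm
        alarm.events.append(ev)
    return alarms, standard_path


# Constructed sample data: "today" plus three pulses of different ages.
TODAY = date(2023, 10, 18)
PULSE_DATES = {
    "pulse-recent": date(2023, 10, 8),
    "pulse-aged": date(2023, 9, 8),
    "pulse-stale": date(2023, 5, 21),   # outside a 3-month look-back, inside 6 months
}
T0 = datetime(2023, 10, 18, 9, 0)
SAMPLE_EVENTS = [
    OtxEvent(T0, "pulse-recent"),
    OtxEvent(T0 + timedelta(hours=1), "pulse-recent"),
    OtxEvent(T0 + timedelta(hours=2), "pulse-aged"),
    OtxEvent(T0 + timedelta(hours=3), "pulse-stale"),
    OtxEvent(T0 + timedelta(hours=4), ip_reputation=True),
    OtxEvent(T0 + timedelta(hours=23), "pulse-recent"),  # still inside the 24 h window
    OtxEvent(T0 + timedelta(hours=25), "pulse-recent"),  # outside: a second alarm opens
]


def alarm_summary(option: str) -> List[Tuple[str, int]]:
    """(pulse id, event count) per alarm for the sample data under one look-back option."""
    alarms, _ = correlate_otx(SAMPLE_EVENTS, PULSE_DATES, TODAY, option)
    return [(a.pulse_id, len(a.events)) for a in alarms]


if __name__ == "__main__":
    for opt in ("3 months", "Unlimited"):
        print(opt, alarm_summary(opt))
```

With the 3-month option the stale pulse produces no alarm at all, while Unlimited raises one more alarm from the same event stream.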



USM Anywhere Sensor Management
USM Anywhere Sensors deploy into each environment and help you gain visibility into all of
your on-premises and cloud environments. USM Anywhere Sensors collect and normalize
logs, monitor networks, and collect information about the assets deployed in your
environments.

After you install and set up the USM Anywhere Sensor, it communicates with USM Anywhere
in the cloud about the assets in your network. The USM Anywhere Sensor then transfers any
available raw log data to USM Anywhere in the cloud for correlation and event generation,
among other things.

Note: The number of sensors that you can add to your environment depends on your
USM Anywhere license. You can go to Settings > My Subscription to view the number
of licensed sensors. See Subscription Management for more information.

This topic discusses these subtopics:

Sensors Page Overview 776

Adding a New Sensor 778

Configuring a Sensor 782

Editing a Sensor 782

Assigning a Sensor 783

Redeploying a Sensor 786

Deleting a Sensor 787

Sensor Disconnected from the USM Anywhere Service 788

Sensors Page Overview

Role Availability Read-Only Investigator Analyst Manager

The Sensors page enables you to add new sensors, configure the deployed sensors, delete
and redeploy sensors, and edit a sensor for modifying the name or description. Go to Data
Sources > Sensors to open the Sensors main page. The page displays the list of sensors you
have deployed in your environment.

The following table lists the default columns in the Sensors page.

List of the Default Columns in the Sensors Page

Column Field Name    Description

Sensor Name          Name of the deployed sensor. The type of sensor is displayed below the name.

Description          Text identifying the sensor.

IP Address           IP address assigned to the sensor.

Version              Installed version of the sensor.

Connection Status    Status of the sensor, which can be one of the following:
                     Waiting for connection: The sensor has been added to the system, but it is not connected.
                     Connected: The sensor is connected, but it is still initializing and performing configurations.
                     Connection lost: The sensor has lost the connection. (Logs, including NXLog messages, are cached locally and will be forwarded to USM Anywhere when the connection resumes.)
                     Ready: The sensor is connected and configured.

Configured           Icon indicating whether the sensor is configured or not.

The icon only displays when the sensor is not configured. Use this icon to go back to the
wizard and finish the sensor configuration.

Use the icon to modify the sensor name or the sensor description. See Editing a Sensor
for more information.

Use the icon to delete the sensor and deploy a new one. See Redeploying a Sensor for
more information. You can also use this button to delete the sensor permanently. See
Deleting a Sensor for more information.

You can also click a sensor to display the specific information about that sensor. See
Configuring a Sensor for more information.

Sensors Running on an Outdated Version of USM Anywhere


USM Anywhere doesn't support sensors running on an outdated version of USM Anywhere.
When USM Anywhere identifies a configured sensor running on an outdated version, a yellow
announcement displays to warn you about it. See Configure Network Interfaces for On-
Premises Sensors to confirm that the sensor on an outdated version meets the proper
requirements and contact AT&T Cybersecurity Technical Support for assistance.

Adding a New Sensor

Role Availability Read-Only Investigator Analyst Manager

After your USM Anywhere service is provisioned and running, you can add and deploy new
sensors as needed. For these sensors, instead of receiving an authentication code from AT&T
Cybersecurity, you must generate the license key for any new sensor you intend to add from
within the USM Anywhere web user interface (UI). The rest of the sensor deployment process
is the same as the first one.

Note: The number of sensors that you can add to your environment depends on your
USM Anywhere license. You can go to Settings > My Subscription to view the number
of licensed sensors. See Subscription Management for more information.


To check your allowed USM Anywhere Sensors

1. Go to Settings > My Subscription to open the page.


2. Check the allowed sensors you have and the license end date. The displayed date
depends on your computer's time zone.

Note: If you want to modify your USM Anywhere license, please contact the AlienVault
Sales department.

To add a new sensor

1. Deploy your sensor.

Follow the instructions based on your sensor type:

l AWS Sensor: See Deploy the AWS Sensor for more information.
l Azure Sensor: See Deploy the USM Anywhere Sensor from the Azure Marketplace for
more information.
l GCP Sensor: See Deploy the GCP Sensor for more information.
l Hyper-V Sensor: See Create the Hyper-V Virtual Machine for more information.
l VMware Sensor: See Create the VMware Virtual Machine for more information.
2. Obtain an authentication code for the new sensor.
a. In USM Anywhere, go to Data Sources > Sensors.

b. Click New Sensor.

Note: Users in an Investigator role are restricted from creating more than one
sensor. If your USM Anywhere License does not allow you to create more
sensors, this button will remain inactive.


The dialog box displays an authentication code for the new sensor. This code starts
with an "S".

Important: This code will expire in 24 hours.

Note: While the authentication code used for the very first sensor you create
begins with a "C", any additional sensors are authenticated with codes beginning
with "S".

c. Click the icon to copy the code to your clipboard.

3. Register your sensor.

Click or enter the URL of your sensor to get to the setup page. It prompts you to provide
the following information:

a. Enter a name and description for the sensor.

b. In the field with the key icon, paste the sensor authentication code you copied.

c. In the field with the computer icon, copy and paste the URL of your existing
instance.


For example, if the subdomain with which you registered with AT&T Cybersecurity
was "mycompany", the URL would be mycompany.alienvault.cloud for USM
Anywhere, or mycompany.gov.alienvault.us for AT&T TDR for Gov.

d. Click Start Setup.

A progress dialog box displays the status message "Connecting USM Anywhere Sensor".

When the connection is complete, a confirmation message opens.

e. Click the link to open the USM Anywhere web UI.

Upon login, this displays the USM Anywhere Sensor Configuration page with the
connected sensor listed in the page.


4. Configure your sensor.

Follow the instructions based on your sensor type:

l AWS Sensor: See Complete the AWS Sensor Setup for more information.
l Azure Sensor: See Complete the Azure Sensor Setup for more information.
l GCP Sensor: See Complete the GCP Sensor Setup for more information.
l Hyper-V Sensor: See Complete the Hyper-V Sensor Setup for more information.
l VMware Sensor: See Complete the VMware Sensor Setup for more information.

Note: If you do not want to complete the sensor setup immediately, you can click
Start Using USM Anywhere at the bottom of the page. However, AT&T
Cybersecurity strongly recommends that you do so now, because you must
complete the sensor setup before you can use it.

5. Go to Data Sources > Sensors to open the page.

6. Check that your new sensor appears in the list of sensors and that it is ready and configured.

Configuring a Sensor

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to modify the configuration data of your sensor.

To configure a sensor

1. Go to Data Sources > Sensors to open the page.


2. Click the sensor you want to configure.

The specific information about the sensor displays. The tabs are similar to the Setup
Wizard. See the Setup Wizard documentation for more information.

3. Click the available tabs to modify the data of the items that need to be modified.

Editing a Sensor

Role Availability Read-Only Investigator Analyst Manager

This option enables you to change the sensor name and the description of a sensor.


To edit a sensor

1. Go to Data Sources > Sensors to open the page.


2. Click the icon of the sensor you want to edit.

3. Modify the sensor name or the sensor description.

4. Click Save.

Assigning a Sensor

Role Availability Read-Only Investigator Analyst Manager

All assets that are detected by a sensor in the scan of your network are assigned
automatically to that sensor. If you have several sensors, the asset will be assigned to the
sensor that has detected the asset. An asset cannot be assigned to more than one sensor.

It is best practice to identify, prioritize, and organize assets. By doing so, you can limit the
scope of network security audits to subsections of your network, making scan results more
manageable. You can also more easily distribute assets to multiple users to facilitate the
delegation of responsibilities. USM Anywhere provides a way of organizing your assets. If you
have more than one sensor configured and you want to organize your assets in your network,
you may want to assign a different sensor from the one that was assigned automatically.


For this reason, you may need to edit shared properties of some assets to assign a sensor.
Luckily you do not have to edit these assets one by one. Instead, you can select all the
relevant assets and modify their shared properties in one go. USM Anywhere enables you to
perform the following tasks for your own asset organization, which saves time and resources:

l Set a sensor to an asset if you want to change the one that was assigned automatically.
l Set multiple assets at the same time. You can do this by performing a bulk operation. You
can set a sensor to several assets at the same time if you want to have certain assets
assigned to a particular sensor.
l Set a sensor to an asset group if you want to have a group of assets assigned to a
particular sensor.
l Set all assets to send enrichment information to all sensors or only the primary sensor to
which the asset is assigned.

To assign a sensor to an asset or a set of assets

1. Go to Environment > Assets.


2. Select the assets you want to assign. See Selecting Assets in Asset List View.
3. Select Actions > Set Sensor.


4. Select the sensor you want to assign to the selected assets.

5. Click Save.

To assign a sensor to an asset group

1. Go to Environment > Asset Groups.


2. Click the icon next to the asset group name and select Full Details.
3. Select Actions > Set Sensor.
4. Select the sensor you want to assign to the selected asset group.
5. Click Save.

To enable sensor-specific enrichment

1. Go to Settings > System > Enrichment Settings.


2. Toggle on Sensor-Specific Enrichment.
Enabling this option sends asset information exclusively to the asset's primary sensor.


3. Restart the sensor to apply the change.

Redeploying a Sensor

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to redeploy a sensor when needed. If you redeploy a sensor, all
the assets, AlienVault Agents, events, alarms, rules, and scheduler jobs are kept and linked to
the new sensor. However, if you delete the sensor instead, you will lose all the information
related to that sensor.

When a sensor is redeployed, the disk and memory states of the old sensor are discarded.
Customer-specific configurations, stored on the sensor due to compliance constraints, are
lost. Therefore, you must redo the following configurations after redeploying a sensor:

l All the settings you have modified for the old sensor.

You can find these settings by selecting Data Sources > Sensors and then your sensor.
This includes the credentials to access your virtual environment and your Active Directory
(AD) settings. See Sensors Page Overview for more information.

l All the certificates you have uploaded for log forwarding, which can be Graylog, syslog, or
NXLog.


You can find these settings by selecting Data Sources > Sensors on the Sensor Apps tab.
See Data Sources and Log Collection for more information.

l Advanced AlienApps configurations you have entered, API Client connections, and keys.

AlienApps operate through your chosen deployed sensor and use APIs to integrate with
the connected third-party technology. Select the sensor that can access the integration
endpoint. The HTTPS connections to the API originate from this sensor, so the sensor
must have network access to the AlienApp API endpoints. This may require authentication
via a key or certificate depending on the service provider. See Advanced AlienApps for
more information.

To redeploy a sensor

1. Go to Data Sources > Sensors to open the page.


2. Click the icon of the sensor you want to redeploy.

3. Click Delete this sensor and deploy a new one.

A dialog box opens showing the authentication code that you need for activating the new
sensor. Copy the code for later usage.

4. Deploy the sensor following the instructions in the Deployment Guide. Depending on the
type of sensor, you must follow different instructions.

Note: AT&T Cybersecurity recommends that you keep the same IP address as the
old sensor to minimize reconfiguration efforts.

5. Open a web browser, enter the IP address of the sensor, and connect the new sensor
using the authentication code you have copied.

This code instructs USM Anywhere to link the assets, AlienVault Agents, events, alarms,
rules, and scheduler jobs on the old sensor to the new sensor.

6. Configure your USM Anywhere Sensor following the steps in the Setup Wizard. See the
Setup Wizard documentation for more information.
7. Redo the relevant configurations discussed at the beginning of this section.
8. Verify that the redeployed sensor can receive data from your network.

Deleting a Sensor

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to delete completely a sensor from your environment. Keep in
mind that if you delete a sensor, you will delete all assets and jobs related to that sensor.

To delete a sensor

1. Go to Data Sources > Sensors to open the page.

2. Click the icon of the sensor you want to delete.

3. Click Delete this sensor permanently.

The deleted sensor is not displayed in the list of sensors.

Important: Keep in mind that if you terminate an AWS instance, an Azure virtual
machine, GCP virtual machine, or a VMware virtual machine, any assets that have
vulnerabilities associated with them will not be automatically deleted when the
discovery scan finds them terminated in AWS, Azure, or VMware vCenter/vSphere.

Sensor Disconnected from the USM Anywhere Service


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere Sensors sometimes disconnect from the USM Anywhere service (for example,
during an update process). There is a process every hour to verify if the sensor has been
disconnected for 30 minutes or longer. When this happens, USM Anywhere informs users in a
Manager role by email and generates an event. A new event is generated every 30 minutes
until the sensor reconnects.

Warning: Currently, the Sensor Appears Offline and Sensor Reconnected events are
generated at the same time as the regular events and system events. Soon, these
events will be generated only as system events. See Regular Events and System Events,
Orchestration Rule for the "Sensor Appears Offline" System Event, and Orchestration
Rule for the "Sensor Reconnected" System Event for more information.

Note: Logs, including NXLog messages, are cached locally and will be forwarded to USM
Anywhere when the connection resumes.

When a sensor disconnects from the USM Anywhere service, it sends an email notice within
two hours to the email address you used to sign into USM Anywhere (as long as you are in a
Manager role). This notice informs you that your sensor is not connected. You can
immediately take action to restore your service either by working with AT&T Cybersecurity
Technical Support or by making an environmental or network connectivity change.

The notification will be generated daily until the sensor is reconnected. After seven days, the
notifications will no longer be issued.

USM Anywhere checks every hour to verify whether the sensor has been reconnected. After
your sensor reconnects, you receive an email notification informing you that your service has
been restored. Because of this automated notification, you do not have to log in to the
product to check the sensor connection status. USM Anywhere generates an event when a
sensor reconnects.

Important: If you are not receiving notifications of a disconnection, or your notifications
are being sent outside of the expected window, that could indicate issues in your control
node. See View Network Testing Information for instructions on how to verify your
control node's connection.


Creating an Alarm Rule from These Events


Although USM Anywhere informs users in a Manager role by email when a sensor has been
disconnected from the service and when the sensor has been reconnected, you can create an
alarm rule to have more control when these events occur. The following activity is an example
of how to create an alarm rule from the sensor offline event. You can do the same for the
sensor reconnected event by entering reconnected in step 2.

To create an alarm rule from the Sensor Appears Offline event

1. Go to Activity > Events.

2. Enter offline in the Enter search phrase field.

3. Click one of the events.


4. Select Create Rule > Create Alarm Rule.

The Create Alarm Rule dialog box opens.

5. Select a packet type in the Match drop-down list.

The first match criterion for all rules must be the packet_type detail field:

l Logs: Use this packet type for event-based rules.
l Configuration Issues: Use this packet type for configuration issues-based rules (1).
l Vulnerabilities: Use this packet type for vulnerabilities-based rules.
l System Events: Use this packet type for system events-based rules.
l Console User Events: Use this packet type for console user events-based rules.

6. Click Add Conditions and select these property values:

7. Click Next.
8. Enter a name for the rule.
9. (Optional.) Enter a description for identifying this rule.
10. Select an intent.

The intent describes the context of the behavior that is being observed. These intents
roughly map to the stages of the intrusion kill chains but are collapsed to ensure that
each is discrete. See Intent for more information about the available threat categories.

11. Enter a method.

If known, it is the method of attack or infiltration associated with the indicator that
generated the alarm.

(1) This packet type refers to configuration issues that are used to identify incorrect uses of
certain features. For example, the app for AWS assesses your configuration of AWS to identify
insecure use of the AWS security features.


Note: This is a required field; if you do not complete this field, the Save button
remains inactive.

12. Select a strategy.

The strategy describes the broad-based strategy or behavior that is detected. The
intention is to describe the malicious user's strategy to achieve their goal.

13. Enter a priority.

See Priority Field for Alarms for more information.

14. Configure a mute duration set in seconds, minutes, and hours.

You can use the mute value to set the period of time during which, once an alarm is
created, USM Anywhere will not create a new alarm based on the same conditions.

Note: Take care to set a mute duration that is long enough to cover the span of
time in which matching events will occur to maximize the efficacy of your mute.

Important: If your USM Anywhere™ is restarted when one of your alarm mutes is
active, or if there is an update or hotfix, the alarm mute will be canceled.

15. Modify these two options:

l Occurrences: Specify the number of event occurrences that produce a match on the
conditional expression to trigger the rule. You can enter the number of occurrences or
use the arrow to scroll the value up or down. You need to enter a number between 1
and 100.
l Length: Specify the length of the timespan used to identify a match for multiple
occurrences. Enter the number and choose a value of seconds, minutes, or hours.

This duration identifies the amount of time that transpires from the beginning to the
end of the occurrence. If the number of occurrences is not met within this period, the
rule is not a match.


In this example, the rule applies when the configured conditions happen five times
every three hours.

These two options function together to specify the number of occurrences within a time
period that will produce a match for the rule. For example, you can define a rule to trigger
an alarm for an unauthorized access attempt when a failed SSH login occurs three times
within a five-minute window.

16. (Optional.) Select the fields that you want to display in the generated alarm.

You can select or remove the fields you want to include in the details of the alarm. Clicking
a field moves it from one column to the other.

17. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules >
Orchestration Rules. See Orchestration Rules for more information.
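The Occurrences, Length and mute settings from steps 14 and 15 (and steps 11 and 12 of the OTX alarm rule procedure earlier) applied to the guide's three-failed-SSH-logins-in-five-minutes case, as an added Python model of the matching logic rather than USM Anywhere code. The event records and their field names are constructed, and how matches seen during a mute are treated is an assumption.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, List, Optional


@dataclass(frozen=True)
class AlarmRule:
    name: str
    packet_type: str                    # the guide: first match criterion is packet_type
    condition: Callable[[dict], bool]   # the remaining Add Condition clauses
    occurrences: int                    # 1..100, as the guide requires
    length: timedelta                   # window in which the occurrences must fall
    mute: timedelta = timedelta(0)      # no new alarm from this rule while active

    def __post_init__(self) -> None:
        if not 1 <= self.occurrences <= 100:
            raise ValueError("occurrences must be between 1 and 100")


def evaluate_rule(rule: AlarmRule, events: List[dict]) -> List[datetime]:
    """Return the timestamps at which the rule would raise an alarm.

    Matching events are kept in a sliding window no wider than `length`; the
    rule fires once the window holds `occurrences` matches. Assumption (the
    guide does not say): matches seen while a mute is active are discarded
    rather than carried into the next window.
    """
    window: Deque[datetime] = deque()
    alarms: List[datetime] = []
    muted_until: Optional[datetime] = None
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["packet_type"] != rule.packet_type or not rule.condition(ev):
            continue
        ts = ev["timestamp"]
        if muted_until is not None and ts < muted_until:
            continue                       # same conditions, but the alarm is muted
        window.append(ts)
        while ts - window[0] > rule.length:
            window.popleft()               # drop matches older than the window
        if len(window) >= rule.occurrences:
            alarms.append(ts)
            window.clear()                 # these matches are consumed by the alarm
            muted_until = ts + rule.mute
    return alarms


def failed_ssh_rule(mute_minutes: int) -> AlarmRule:
    """The guide's example: three failed SSH logins within five minutes."""
    return AlarmRule(
        name="Unauthorized access attempt: repeated SSH login failures",
        packet_type="log",
        condition=lambda ev: ev["event_name"] == "SSH login failed",
        occurrences=3,
        length=timedelta(minutes=5),
        mute=timedelta(minutes=mute_minutes),
    )


_T0 = datetime(2023, 10, 18, 9, 0, 0)


def _rec(seconds: int, name: str, packet_type: str = "log") -> dict:
    """Constructed event record; the field names are illustrative, not USM Anywhere's."""
    return {"timestamp": _T0 + timedelta(seconds=seconds), "packet_type": packet_type,
            "event_name": name, "source_address": "10.0.0.5"}


SAMPLE_EVENTS = [
    _rec(0, "SSH login failed"),
    _rec(60, "SSH login failed"),
    _rec(120, "SSH login succeeded"),                # does not match the condition
    _rec(210, "SSH login failed"),                   # third failure: alarm at 09:03:30
    _rec(240, "SSH login failed"),                   # these three fall inside a 10 min mute
    _rec(270, "SSH login failed"),
    _rec(300, "SSH login failed"),
    _rec(1200, "SSH login failed"),
    _rec(1500, "SSH login failed", "system_event"),  # wrong packet type: ignored
    _rec(1560, "SSH login failed"),                  # the 09:20 match falls out of the window
    _rec(1620, "SSH login failed"),
    _rec(1680, "SSH login failed"),                  # third failure within 5 min: alarm
]


def run_sample(mute_minutes: int) -> List[datetime]:
    return evaluate_rule(failed_ssh_rule(mute_minutes), SAMPLE_EVENTS)


if __name__ == "__main__":
    for m in (10, 0):
        print(f"mute={m} min ->", [t.strftime("%H:%M:%S") for t in run_sample(m)])
```

With a 10-minute mute the burst at 09:04 to 09:05 raises no second alarm; with no mute the same stream raises three.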


The AWS Cloud Connector in USM Anywhere
The Amazon Web Services (AWS) Cloud Connector provides operational visibility into the
security of your AWS environment. Based on the collected log information, USM Anywhere
receives the data stored in your Amazon Simple Storage Service (S3) buckets, generates the
related events for that data within USM Anywhere, and provides real-time alerting to identify
malicious activity.

After you install and enable the AWS Cloud Connector, it communicates with USM Anywhere
in the cloud about the data stored in your Amazon S3 buckets. See AWS Cloud Connector for
more information.

This topic discusses these subtopics:

Cloud Connector List View
Adding an AWS Cloud Connector
Viewing AWS Cloud Connector Details
Data Source Rules Management
Editing an AWS Cloud Connector
Downloading an Existing AWS Cloud Connector Template
Cloud Connectors System Events
Deleting an AWS Cloud Connector

Cloud Connector List View

Role Availability Read-Only Investigator Analyst Manager

Through USM Anywhere you can manage your Amazon Web Services (AWS) Cloud Connector
according to your needs. The AWS Cloud Connector page enables you to add new Cloud
Connectors, edit deployed Cloud Connectors, delete and redeploy Cloud Connectors, and edit
a Cloud Connector to modify its name or description. Go to Data Sources > Cloud
Connectors to open the Cloud Connectors main page.

The page displays the list of AWS Cloud Connectors you have deployed in your environment.

The following table lists the default columns that appear in the AWS Cloud Connector list
view, and their descriptions.

List of the Default Columns in the AWS Cloud Connectors Page

Connector: Name of the deployed Cloud Connector.

Account ID: Identifier (ID) of the AWS account.

Type: The Cloud Connector type. This value is always AWS S3.

Status: Status of the Cloud Connector, which can be one of the following:

Awaiting configuration: The Cloud Connector has been added to the USM Anywhere
environment, but it hasn't been configured in your cloud account.

Active: The Cloud Connector is connected and configured.

Disabled: The Cloud Connector isn't enabled.

Idle: The Cloud Connector hasn't received data in the last hour.

Not receiving data: The Cloud Connector hasn't received data in the latest 24 hours.

Offline: The Cloud Connector is offline.

Error (24 HRS): Errors in the latest 24 hours. You can click the number of a row to open
the errors tab. See Viewing AWS Cloud Connector Details for more information.

Enabled: Icon to indicate and change the Cloud Connector from enabled to disabled or vice
versa.

Icon column: Button to view, edit, and delete a Cloud Connector. See Viewing AWS Cloud
Connector Details, Editing an AWS Cloud Connector, and Deleting an AWS Cloud Connector
for more information.

Use the icon to expand the specific information about an AWS Cloud Connector. There is a
graph to see the bucket events in the latest 24 hours or the past seven days, and a button to
download the associated AWS CloudFormation template. You can click the number below the
errors column to open and see the detected errors. See Viewing AWS Cloud Connector
Details for more information.

Adding an AWS Cloud Connector

Role Availability Read-Only Investigator Analyst Manager

It is necessary to add an Amazon Web Services (AWS) Cloud Connector into USM Anywhere to
enable it to receive the data stored in your Amazon Simple Storage Service (S3) buckets,
generate the related events in USM Anywhere from that data, and provide real-time alerting
to identify malicious activity.

To add an AWS Cloud Connector

1. Go to Data Sources > Cloud Connectors.

2. Click Add Connector.

The Add New Connector dialog box opens.

3. The AWS Cloud Connector type is already selected.

4. Enter your AWS account identifier (ID).

5. Select the region where you want to deploy the Amazon Web Services (AWS) CloudFormation
template.

6. (Optional.) Enter a name for your AWS Cloud Connector.

7. Click Next.

8. (Optional.) Click Download Template.

See Downloading an Existing AWS Cloud Connector Template for more information.

9. Click Done.

Note: USM Anywhere generates a console user event when an AWS Cloud Connector is
created, modified, enabled, disabled, or deleted. See USM Anywhere Console User
Events List View for more information.

Viewing AWS Cloud Connector Details

Role Availability Read-Only Investigator Analyst Manager

The Amazon Web Services (AWS) Cloud Connector details page provides in-depth
information on an AWS Cloud Connector. There is a graph to see the bucket events in the
latest 24 hours or the past seven days, and a button to download the AWS CloudFormation
template. You can also find the details of the buckets related to that Cloud Connector and
see any detected errors.

To view the details of an AWS Cloud Connector

1. Go to Data Sources > Cloud Connectors to open the page.

2. Click the icon of the Cloud Connector whose details you want to view, and then select
View Connector.

Use the icon to disable the AWS Cloud Connector.

Note: Only users in Manager and Analyst roles can enable and disable AWS Cloud
Connectors.

Click the Errors tab to see the detected errors.

Data Source Rules Management

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to manage rules for files stored in your Amazon Simple Storage
Service (S3) bucket. Using a rule, USM Anywhere can match a file with a specific data source
and generate the related events. If the file doesn't match any data source, then USM
Anywhere will create an event as an AlienVault Generic Data Source. See AlienVault Generic
Data Source for more information.

To open the Data Source Rules tab

1. Go to Data Sources > Cloud Connectors to open the Cloud Connectors main page.

2. Click the icon of the Cloud Connector for which you want to open the Data Source Rules
tab, and then select View Connector.

3. Click the Data Source Rules tab.

This topic discusses these subtopics:

Adding a Data Source Rule
Editing a Data Source Rule
Deleting Data Source Rules

Adding a Data Source Rule

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to add and apply rules to files stored in your Amazon Simple
Storage Service (S3) bucket.

To add a rule

1. Go to Data Sources > Cloud Connectors to open the Cloud Connectors main page.

2. Click the icon of the Cloud Connector to which you want to add a rule, and then select
View Connector.

3. Click the Data Source Rules tab.

4. Click Add Rule.

Important: The AWS Cloud Connector must be enabled.

The Add New Data Source Rule dialog box opens.

5. In the Connector Source field, choose the Amazon S3 bucket.

You can choose one bucket or all of them.

6. (Optional.) In the Filenames Matching With field, use regular expressions (regex) to specify
a pattern that must be followed by the files.

If you don't specify anything, USM Anywhere will match all files in the Amazon S3 bucket
with the specified data source. See Using Regular Expressions in USM Anywhere for more
information.

For example:

/^AWSLogs\/595129146488\/CloudTrail

This pattern means that all files inside the CloudTrail folder match the rule.

Important: If the file name does not match any rule, USM Anywhere tries to identify the
data source based on the file name and the event format. The events are parsed as
generic if the data source can't be identified.

7. In the Data Sources field, enter the data source you want to match with the files.

If you enter more than one data source, USM Anywhere will try to match with the first
data source. If USM Anywhere can't generate an event, then it will try to match with the
following data source, and so on. If the file doesn't match with any data source, then USM
Anywhere will create an event as an AlienVault Generic Data Source. See AlienVault
Generic Data Source for more information.

8. Click Save.
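To make the rule semantics above concrete (bucket choice, filename regex, data sources tried in order, generic fallback), here is an added Python example; it is not code from the guide or the product. The rule names, bucket names, sample file contents and the two stand-in parsers are constructed, and the page's example regex is used without its leading slash delimiter.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

GENERIC_DATA_SOURCE = "AlienVault Generic Data Source"


# Constructed stand-ins for the product's per-data-source parsers. Each one
# answers a single question: can events be generated from this content?
def looks_like_cloudtrail(content: str) -> bool:
    """CloudTrail log files are JSON documents with a top-level 'Records' list."""
    try:
        doc = json.loads(content)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and isinstance(doc.get("Records"), list)


def looks_like_vpc_flow_log(content: str) -> bool:
    """VPC Flow Logs in the default format start with a space-separated header line."""
    lines = content.strip().splitlines()
    return bool(lines) and lines[0].startswith("version account-id interface-id")


PARSERS: Dict[str, Callable[[str], bool]] = {
    "AWS CloudTrail": looks_like_cloudtrail,
    "AWS VPC Flow Logs": looks_like_vpc_flow_log,
}


@dataclass
class DataSourceRule:
    """One row of the Data Source Rules tab (field names follow the dialog)."""
    name: str
    connector_source: Optional[str]   # S3 bucket; None mirrors choosing all buckets
    filenames_matching_with: str      # regex applied to the object key; "" matches all
    data_sources: List[str]           # tried in the order they were entered


def rule_matches(rule: DataSourceRule, bucket: str, key: str) -> bool:
    """A rule applies when both its bucket choice and its filename regex match."""
    if rule.connector_source is not None and rule.connector_source != bucket:
        return False
    if not rule.filenames_matching_with:
        return True
    return re.search(rule.filenames_matching_with, key) is not None


def resolve_data_source(rules: List[DataSourceRule], bucket: str, key: str,
                        content: str) -> str:
    """Return the data source name that would parse this S3 object.

    The first rule whose bucket and regex match is used (an assumption: the
    page does not say whether later rules are consulted). Its data sources are
    tried in order; the first parser that accepts the content wins. If none
    accepts, or no rule matches at all, the object is treated as the generic
    data source. The product's own attempt to identify an unmatched file from
    its name and event format is not modelled here.
    """
    for rule in rules:
        if not rule_matches(rule, bucket, key):
            continue
        for name in rule.data_sources:
            parser = PARSERS.get(name)
            if parser is not None and parser(content):
                return name
        return GENERIC_DATA_SOURCE
    return GENERIC_DATA_SOURCE


# Constructed sample rules. The first regex is the page's example with the
# leading "/" delimiter dropped (S3 object keys do not start with a slash).
RULES = [
    DataSourceRule("cloudtrail", "example-logs-bucket",
                   r"^AWSLogs/595129146488/CloudTrail", ["AWS CloudTrail"]),
    DataSourceRule("flow-logs", None,
                   r"/vpcflowlogs/", ["AWS VPC Flow Logs", "AWS CloudTrail"]),
]

# Constructed sample object contents.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [{"eventName": "ConsoleLogin"}]})
SAMPLE_FLOW_LOG = ("version account-id interface-id srcaddr dstaddr srcport dstport\n"
                   "2 595129146488 eni-0123456789abcdef0 10.0.0.5 10.0.1.9 443 50123\n")

if __name__ == "__main__":
    key = "AWSLogs/595129146488/CloudTrail/us-east-1/2023/10/18/trail.json"
    print(resolve_data_source(RULES, "example-logs-bucket", key, SAMPLE_CLOUDTRAIL))
```

The second rule shows the ordered fallback: a CloudTrail-shaped file under a vpcflowlogs/ prefix is rejected by the flow-log parser and picked up by the second data source.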

Editing a Data Source Rule

Role Availability Read-Only Investigator Analyst Manager

This option enables you to change the data source rule name, the Filenames Matching With
field, and the Data Sources field.

To edit a rule

1. Go to Data Sources > Cloud Connectors to open the Cloud Connectors main page.

2. Click the icon of the Cloud Connector whose rule you want to edit, and then select
View Connector.

3. Click the Data Source Rules tab.

4. Click the icon of the connector source whose rule you want to edit.

The Edit Data Source Rule dialog box opens.

5. Modify the fields you want to change.

6. Click Save.

Deleting Data Source Rules

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to delete a data source rule.

To delete a rule

1. Go to Data Sources > Cloud Connectors to open the Cloud Connectors main page.

2. Click the icon of the Cloud Connector for which you want to open the Data Source Rules
tab, and then select View Connector.

3. Click the Data Source Rules tab.

4. Click the icon of the connector source whose rule you want to delete.

The data source rule delete dialog box opens.

5. Click Delete.

Editing an AWS Cloud Connector

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to edit an Amazon Web Services (AWS) Cloud Connector. This
option enables you to change the region where you want to deploy the AWS CloudFormation
template and the name of your AWS Cloud Connector.

To edit an AWS Cloud Connector

1. Go to Data Sources > Cloud Connectors to open the page.

2. Click the icon of the Cloud Connector you want to edit, and then select Edit Connector.

The Edit Connector dialog box opens.

3. Modify the region or the name of your AWS Cloud Connector.

4. Click Save.

Note: USM Anywhere generates a console user event when an AWS Cloud Connector is
created, modified, enabled, disabled, or deleted. See USM Anywhere Console User
Events List View for more information.

Downloading an Existing AWS Cloud Connector Template

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere helps you generate the Amazon Web Services (AWS) CloudFormation
template that you need for gathering data from your Amazon Simple Storage Service (S3)
buckets.

To download an Amazon Web Services (AWS) Cloud Connector template from the
Cloud Connectors main page

1. Go to Data Sources > Cloud Connectors.

2. Click the icon to expand the specific information about the AWS Cloud Connector whose
template you want to download.

3. Click Download Template.

The s3connector-template.json file downloads. This is the default name of the file, but
you can change it.

4. Open your AWS Management Console page and upload the template.

See Uploading AWS CloudFormation Templates for more information.

To download an AWS Cloud Connector template from the details page of a Cloud
Connector

1. Go to Data Sources > Cloud Connectors.

2. Click the icon of the Cloud Connector whose template you want to download, and then
select View Connector.

3. Click Download Template.

The s3connector-template.json file downloads. This is the default name of the file, but
you can change it.

4. Open your AWS Management Console page and upload the template.

See Uploading AWS CloudFormation Templates for more information.

To download an AWS Cloud Connector template when you add a Cloud Connector

1. Go to Data Sources > Cloud Connectors.

2. Click Add Connector.

The Add New Connector dialog box opens.

3. Select the AWS Cloud Connector type in case you have more than one.

4. Enter your AWS account identifier (ID).

5. Select the region where you want to deploy the AWS CloudFormation template.

6. (Optional.) Enter a name for your AWS Cloud Connector.

7. Click Next.

8. Click Download Template.

The s3connector-template.json file downloads. This is the default name of the file, but
you can change it.

9. Open your AWS Management Console page and upload the template.

See Uploading AWS CloudFormation Templates for more information.

Cloud Connectors System Events

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere generates system events when your Amazon Web Services (AWS) Cloud
Connector fails and there is an error in an Amazon Simple Storage Service (S3) file. From
these events, you can retry processing the Amazon S3 file.

To retry an Amazon S3 collector error

1. Go to Settings > System Events to open the System Events main page.

2. Use the Event Name filter to search the AWS S3 collector errors.

See Searching System Events for more information.

3. Click the Error processing S3 bucket notification filter.

The result of your search displays with the errors identified.

4. Click the error you want to retry.

The specific error dialog box opens.

5. Click Retry.

Note: After clicking Retry, USM Anywhere tries to process the file again. If the file
can't be read, a new system event is generated.

Deleting an AWS Cloud Connector

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to completely delete an Amazon Web Services (AWS) Cloud
Connector from your environment.

To delete an AWS Cloud Connector

1. Go to Data Sources > Cloud Connectors to open the page.

2. Click the icon of the Cloud Connector you want to delete, and then select Delete.

The Delete Cloud Connector dialog box opens.

3. Click Delete.

Note: USM Anywhere generates a console user event when an AWS Cloud Connector is
created, modified, enabled, disabled, or deleted. See USM Anywhere Console User
Events List View for more information.

Subscription Management

Role Availability Read-Only Investigator Analyst Manager

With a USM Anywhere license, you can always view your subscription data in one place. Use
the My Subscription page to access your license information, event data, and raw log data
and to connect to a USM Central instance.

Subscription Data
Go to Settings > My Subscription to open the page.

The following table lists the fields you see on the page.

Information on the My Subscription Page

License Usage

Consumed Data: The amount of data USM Anywhere has processed every month.

Projected Data Consumption: The amount of data already stored for the month plus
calculated data storage needs for the rest of the month. See Projected Data Consumption
for more information.

Sensors: The number of licensed sensors and pending deployment sensors. Click Manage
Sensors to open the Sensors page. See Sensors Page Overview for more information.

EPS: Events per second (EPS) in the last 24 hours.

Filtered EPS: Percentage of filtered EPS in the last 24 hours.

Filtering Rules: Number of filtering rules in your environment. Click Manage Rules to open
the Filtering Rules page. See Filtering Rules from the Orchestration Rules Page for more
information.

Data Consumption Status

Data Consumption Status: The health status of your subscription's data consumption,
reflecting real data consumption rates compared to your subscription tier over time:
healthy, caution, warning, violation, or recovery. See Understanding Your Data Consumption
Status for more information.

License Information

License Type: Either the trial or subscription license.

Service Tier: The monthly storage limit. See the AT&T Cybersecurity pricing page for
details or to request a quote.

Important: Tier options do not have unlimited processing power, memory allotment, or
disk input/output (I/O) speeds. In addition to storage per month, your deployment size's
impact on any of these factors will influence which tier option is right for your
environment. AT&T Cybersecurity recommends pre-deployment sizing discussions with your
sales representative to help select the right tier for you.

License End Date: Either the trial expiration date (for trial licenses) or the support end
date (for subscription licenses). The displayed date depends on your computer's time zone.

Cold Storage: Click Export Raw Logs to download the raw log files in ZIP format. See Raw
Log Data for more information. By default, cold storage is unlimited for USM Anywhere
customers within their service terms but unlimited for AT&T Threat Detection and Response
for Government (AT&T TDR for Gov) customers for three years. Keep in mind these points:

• You can export raw logs for a 31-day month, but you are limited to a 31-day span if the
range exceeds a single month.
• The start time is 00:00:00 on the start date selected, and the end time is 23:59:59 on
the end date selected. So if you select from 1/1/2020 to 2/1/2020, the logs start at
00:00:00 1/1/2020 and end at 23:59:59 2/1/2020.

Email: Email address associated with your license.

MSSP Status: Indicates whether the USM Anywhere deployment has been successfully
connected to a USM Central. See Connecting a USM Anywhere to a USM Central for more
information.

MSSP Service: Name of the connected USM Central deployment.

Historical Data Consumption: A list of data consumption by month. Click Download CSV to
download a file with this information.

Top Data Sources: Displays a list of the top data sources. Click Download CSV to download
a file with this information.

Top Event Names: List of the top event names related to their data source. Click Download
CSV to download a file with this information.

Top Reporting Devices: List of top reporting devices. Click Download CSV to download a file
with this information.

Raw Log Data

Raw log data is data that has been forwarded and collected through your sensors, agents, and
Cloud Connectors. USM Anywhere stores this data and enables you to extract raw log data
for audit purposes or further forensic analysis.

Important: AT&T Cybersecurity recommends that you download the raw log data on a
monthly basis.

When requesting raw log files, the date range cannot exceed 31 days. To download more
than 31 days' worth of data, you must make multiple requests. Refrain from making all
requests at the same time, which may tie up your USM Anywhere instance. You can
make two or three requests, wait for the emails to arrive, and then make your next
requests.

To extract raw log data

1. Go to Settings > My Subscription.

2. Inside License Information, click Export Raw Logs.

The Export Raw Log Files dialog box opens.

3. Select a date range to download the raw log files in ZIP format (dates are in UTC).

Note: The date range cannot exceed 31 days.

4. Click Request Download.

The Log Files Requested dialog box opens to inform you that your request is being
processed. This process can take up to 24 hours.

Important: The beginning date can't be earlier than your first day of storage.

5. Click OK.

You will receive an email with a link to your file.

6. Click the link in the email to download the ZIP file.

Important: This link will expire in 48 hours.

7. Extract the zipped bundle, and you will see the files listed as
forensics-YYYY-MM-DD.hh.log.gz, where YYYY-MM-DD.hh refers to the date and hour.

Email Notifications Concerning Your License

USM Anywhere sends the following notification emails to the email address associated with
your license. Typically, this is the email address used to register the trial or your subscription:

• A license is changed from trial to subscription.
• A license tier is upgraded.
• A license expiration date is updated.
• The number of sensors allowed is updated.
• An activated license has expired.
• An activated license is deleted.

Projected Data Consumption

Role Availability Read-Only Investigator Analyst Manager

On the My Subscription page, USM Anywhere displays the total data you have consumed for
the month, the remaining data to be consumed, and the projected data you will consume
based on your current usage. The service tier specified on your license determines the
amount of data you're allowed to consume each month.

The Projected Data Consumption field is calculated using the following formula:

projectedMonthDataConsumption = currentMonthDataConsumption +
(consumptionInLast24Hours * (hoursLeftInCurrentMonth / 24))

Where:

• currentMonthDataConsumption = the total data consumed in the current month.
• consumptionInLast24Hours = the total data consumed over the past 24-hour period.
• hoursLeftInCurrentMonth = the number of hours remaining before the month ends.

For example, in a 30-day month, if at the end of the 15th day the instance has received 10 TB
of data and the consumption in the last 24 hours is 0.48 TB (20 GB/h), the projected data
consumption will be 10 TB + (0.48 TB * (360 h / 24 h)) = 17.2 TB.
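The following Python is an added example, not code from the guide or the product: it computes the formula above for the guide's 10 TB / 0.48 TB case and classifies the result against the percentage thresholds given later under Understanding Your Data Consumption Status. The 15 TB tier and the use of April 2023 as the 30-day month are constructed.

```python
import calendar
from datetime import datetime, timedelta, timezone


def hours_left_in_month(now: datetime) -> float:
    """hoursLeftInCurrentMonth: hours from `now` to the first instant of next month."""
    days_in_month = calendar.monthrange(now.year, now.month)[1]
    last_day = datetime(now.year, now.month, days_in_month, tzinfo=now.tzinfo)
    next_month_start = last_day + timedelta(days=1)
    return (next_month_start - now).total_seconds() / 3600.0


def projected_month_data_consumption(current_month_tb: float,
                                     last_24_hours_tb: float,
                                     hours_left: float) -> float:
    """The guide's formula: current consumption plus the last-24h volume extrapolated."""
    return current_month_tb + last_24_hours_tb * (hours_left / 24.0)


def consumption_status(consumed_tb: float, projected_tb: float, tier_tb: float) -> str:
    """Classify by the percentage thresholds the guide gives for each mode.

    Caution starts once actual consumption passes the tier, Warning past 125%,
    Violation past 150%. The time-based transitions (for example three months
    in Caution moving to Warning) depend on history and are not modelled.
    A projection above the tier while consumption is still under it is the
    state that triggers the yellow "projected to exceed" announcement.
    """
    if consumed_tb > 1.5 * tier_tb:
        return "violation"
    if consumed_tb > 1.25 * tier_tb:
        return "warning"
    if consumed_tb > tier_tb:
        return "caution"
    if projected_tb > tier_tb:
        return "projected to exceed"
    return "healthy"


def page_example():
    """The guide's worked example: 30-day month, end of day 15, 10 TB so far,
    0.48 TB in the last 24 hours. April 2023 stands in for the 30-day month."""
    now = datetime(2023, 4, 16, 0, 0, tzinfo=timezone.utc)  # end of the 15th day
    hours_left = hours_left_in_month(now)                     # 360
    projected = projected_month_data_consumption(10.0, 0.48, hours_left)
    return hours_left, projected


if __name__ == "__main__":
    hours_left, projected = page_example()
    print(f"hours left: {hours_left:.0f}, projected: {projected:.1f} TB")
    # Constructed 15 TB/month tier: not yet over it, but projected to exceed.
    print(consumption_status(10.0, projected, 15.0))
```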

The Projected Data Consumption field is crucial because it provides an estimate on how much
data you will consume by the end of the month. This number should never exceed your
allocated monthly usage. Exceeding the monthly limit automatically transitions your USM
Anywhere into one of four Consumption Modes, determined by the degree to which you have
exceeded your tier. More importantly, USM Anywhere's performance deteriorates. System
process time increases, causing the sensor cache to fill up and the sensor to disconnect.

Note: See Understanding Your Data Consumption Status for more information on these
Consumption Modes.

AT&T Cybersecurity recommends that you monitor your projected data consumption early
and constantly so that you can perform countermeasures when you're expected to exceed
your monthly limit. You can reduce consumption by monitoring fewer networks, cutting down
the number of data sources, or creating filtering rules to restrict data collection.

On the same My Subscription page, there is a chart that displays the data collected during the
current period.

On the lower side of the page, there are three tables that show the breakdown of how much
data is being processed by each data source, event names, and reporting device. You can use
the Last 24 Hours filter for identifying data during the last hour, last 24 hours, last 7 days, last
30 days, or last 90 days. You can also configure your own period of time by clicking the
Custom Range option. This option enables you to customize a range. When you click Custom
Range, a calendar opens. You can choose the first and last day to delimit your search by
clicking the days on the calendar or entering the days directly. Then select the hours, minutes,
and seconds by clicking the specific box. Finally, select AM or PM.

Click Download CSV to create a comma-separated value (CSV) file detailing the specific
information of each table in a spreadsheet.

Connecting a USM Anywhere to a USM Central

Role Availability Read-Only Investigator Analyst Manager

The My Subscription page displays if your deployment has been connected to a USM Central
or if there are no connections.

Deployment Status
USM Central is a unified console that gives you a single place to monitor and manage multiple
USM deployments. USM Anywhere displays if you have your deployment connected to a USM
Central, the status of that connection, the domain, and when it was connected.

Deployment Status Types

Connected: The deployment is connected to the USM Central environment.

Not Connected: The deployment is not currently connected to USM Central.

Connection Denied: A connection request was initiated from the deployment and the request
was denied from the USM Central console.

Connection Request Sent: A connection request was initiated from the deployment and is
awaiting acceptance or denial. You can accept or decline the request in the USM Central
console.

Connecting: The USM Central is waiting for a USM Anywhere connection.

To connect a USM Anywhere to USM Central

1. Go to Settings > My Subscription.

2. Go to the License Information section and click Configure MSSP Service.

The Connection to USM Central dialog box opens.

3. Click Connect.

4. Enter the domain for the USM Central instance.

5. Click Connect.

The system sends a request to USM Central.

The connection is not complete until the user accepts the connection request. See USM
Central Connections for more information.

Once the request has been accepted, the deployment is connected.

Disconnecting a USM Anywhere from a USM Central

Role Availability Read-Only Investigator Analyst Manager

To disconnect a USM Anywhere from a USM Central

1. Go to Settings > My Subscription.

2. Go to the License Information section and click Configure MSSP Service.

The Connection to USM Central dialog box opens.

3. Click Disconnect.

The Disconnect Deployment dialog box opens.

4. Click Yes, Disconnect.

Understanding Your Data Consumption Status

Role Availability Read-Only Investigator Analyst Manager

Your environment has a limited data consumption allotment that depends on your
subscription tier. Exceeding your allotted data consumption tier may result in temporary
limitations to your product performance or available features while you make necessary
changes to your USM Anywhere configuration to reduce your data consumption to a pace
that is appropriate to your tier.

AT&T Cybersecurity strives to guarantee that no data is lost, even when you're facing
inadequate storage space or processing power. Because of this, USM Anywhere always makes
data storage a top priority. When you exceed your data tier, or are projected to far exceed
your tier, your system tries to store as much data as possible, even if functionality must be
reduced to preserve the data. For instance, if you find that you are over your data tier, you
may find that your USM Anywhere has transitioned into one of four possible data
consumption tiers. In these tiers, your USM Anywhere may experience some small limitations
to its functionality, such as paused correlation, asset counters, and more. All functionality is
restored once your USM Anywhere is no longer experiencing resource limitations.

Important: Tier options do not have unlimited processing power, memory allotment, or
disk input/output (I/O) speeds. In addition to storage per month, your deployment size's
impact on any of these factors will influence which tier option is right for your
environment. AT&T Cybersecurity recommends pre-deployment sizing discussions with
your sales representative to help select the right tier for you.

Note: If the events per second (EPS) threatens to impact your sensor's capacity, USM
Anywhere may engage EPS Adaptive Response. EPS Adaptive Response enables your
system to take more time to process events coming in by throttling your EPS, which
keeps your system running without risking event loss. See Protecting Your Sensor's
Performance with EPS Adaptive Response to read more about EPS Adaptive Response.

USM Anywhere sends an email to warn you that it has reached your data consumption tier.
The account receiving this email is the one associated with your license.

In addition to the email, there are two types of in-product alerts designed to ensure that you
are aware of your environment's data consumption status. All users will see these product
alerts in your environment.

When you log in to your environment, if your data consumption status is anything other than
healthy you will be greeted with a dialog box informing you that your consumption allotment
has been exceeded and informing you of the reductions in performance (if any) that are tied
to your current data consumption status. This dialog box also contains some recommended
next steps to help you improve your system's data consumption.

Once you have logged into USM Anywhere, if your consumption status is anything other than
healthy you will continue to see a small banner across the top of your user interface (UI).

To refrain from reaching your monthly limit, AT&T Cybersecurity recommends that you
create filtering rules to restrict data collection.

Healthy Consumption Status

When your environment is operating normally and consuming data at a rate that is within the
parameters of your subscription tier, your data consumption is considered healthy.

Projected to Exceed Data Consumption Tier

If your environment is going to exceed your data consumption tier, a yellow announcement
displays in your USM Anywhere to warn you about it. All users can see this yellow
announcement in your environment, and you can close it by clicking the icon in the
upper-right side of the page.

USM Anywhere sends three emails four days apart to warn you that you are going to reach
your data consumption tier. USM Anywhere sends these emails to the address assigned to
the license.

Important: By closing the announcement, you acknowledge that a manager user is aware
that the license is reaching its threshold for the current month.

Besides the yellow announcement, each time you log in to USM Anywhere a dialog box opens
if your environment is going to exceed your data consumption tier.

Caution Mode
As soon as your environment has consumed more data than is allotted by your subscription
tier, your subscription enters Caution Mode. An environment whose subscription is in Caution
Mode operates normally. While there is no direct change to your USM Anywhere features or
performance, you will be notified that your consumption status has changed.

If your environment remains in Caution Mode for three consecutive months, you will be
automatically transitioned into Warning Mode.

Warning Mode
Once your data consumption has exceeded 125% of your tier's data allowance, or if your
subscription has been in Caution Mode for more than three consecutive months, your
subscription enters Warning Mode. An environment in Warning Mode will operate normally,
except that no new sensors or integrations can be set up or configured while in this mode.

If your environment remains in Warning Mode for two consecutive months, you will be
automatically transitioned into Violation Mode.

Violation Mode
If your data consumption exceeds 150% of your tier's data allowance, or if your subscription
has been in Warning Mode for two consecutive months, your subscription enters Violation
Mode. In Violation Mode, no new sensors or integrations can be configured, and the product
enters a "transient mode", where searches are limited to the most recent 24 hours for events,
alarms, and vulnerabilities.

When running in transient mode, USM Anywhere no longer stores events in the hot storage or
searchable data store, but will still generate alarms, run authenticated asset scans, and store
raw logs associated with events in cold storage. This transient mode ends when you start a
new month (based on your anniversary start date) or if you upgrade your subscription tier. If your environment has exceeded your data consumption tier, a red announcement is displayed in USM Anywhere to warn you.

Recovery Mode
While your environment is in Caution, Warning, or Violation Mode, you can request to enter
Recovery Mode. In Recovery Mode, your environment will operate with no restrictions, and
USM Anywhere will re-evaluate your environment's projected monthly data consumption
over a period of 24 hours. If your projected monthly data consumption reassessment is under
the threshold for your subscription tier, your environment will remain in Recovery Mode.

Note: You can request that your consumption be re-evaluated in Recovery Mode up to three times a month.

If your projected data consumption is still above the tier threshold after the 24-hour
reassessment, your environment will transition out of Recovery Mode and into the mode
appropriate to your new projected data consumption.

Note: Please contact the AT&T Cybersecurity Sales department if you need to upgrade
your subscription tier or modify your license.

USM Anywhere Reports
USM Anywhere has a robust reporting function that enables you to create detailed reports on
a broad range of specifics in your environment.

Note: The report feature in AT&T TDR for Gov works differently compared to USM
Anywhere. See Reports in AT&T TDR for Gov for more information.

The Reports section of USM Anywhere contains three main pages:

l Saved Reports: This page lists all of the reports that have been saved in USM Anywhere. You can filter the reports by category and by whether they are scheduled to run at set intervals (see Scheduled Reports for more information). You can edit, copy, or delete reports from this page, or review previously run reports. See Saved Reports on USM Anywhere for more information.
l Compliance Templates: Report templates related to the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the Health Insurance Portability and Accountability Act (HIPAA), and ISO 27001 are accessible from this page. See USM Anywhere Compliance Templates for more information.
l Event Type Templates: Report templates based on event data sources or types of event data sources are contained on this page. See USM Anywhere Event Type Templates for more information.

You can also create custom reports from the Create an Alarms Report, Create an Assets
Report, and Create an Events Report pages.

Saved Reports on USM Anywhere

Role Availability Read-Only Investigator Analyst Manager

The Saved Reports page contains a list of all the reports that have been saved in USM
Anywhere. From this page you can edit, copy, delete, or run any of the reports you have saved.
The reports listed on the page can be filtered by category or scheduled status. You can also
click the icon next to any of the saved reports to view its export history or download a previously run report.

Note: Read Only users can view saved reports, but they cannot edit, copy, delete, or run
reports.

Note: The report feature in AT&T TDR for Gov works differently compared to USM
Anywhere. See Reports in AT&T TDR for Gov for more information.


To edit a saved report

1. Click the edit icon next to the report you want to change.

2. Click Edit Filters to add any additional filters you want to include in the report.

3. Select the date range for the information included in the report.
You can select a predefined range of Last Hour, Last 24 Hours, Last 7 Days, or Last 30
Days, or you can set your own date range by clicking the icon.

Note: This option is not available when generating reports for assets or asset
groups.

4. Under Format, select either CSV or PDF.

5. Under Repeat, click the drop-down list to select how often you want the scheduled report
to be generated.

If you don't want the report to be recurring, leave the selection as Never.

If you have selected a time interval for recurring reports to be generated, the First Run
Date, Repeat On, and Time sections show up below the Repeat section:

l First Run Date: Select the day you want the first report to be generated.
l Schedule: Define the frequency at which the report is generated. Options are Daily,
Weekly, Bi-Weekly, Monthly, or Yearly. Select Never if you only want to run the report
once.
l Time: Select the UTC time you want the reports to run on the days they're generated.

6. In the Email Addresses section, enter the email addresses of the people to whom you
want the report to be sent when it is generated. Select Enable Link Expiration if you
want the link to the report to expire after 14 days.

Note: The subject of these emails has the following format:

$SUBDOMAIN USM Report Notification: $REPORT_NAME

where $SUBDOMAIN is the subdomain of your instance and $REPORT_NAME is the name you specify for the report.

7. Click Next to go to the Format Output section.

8. In the Name field, enter a name for the report. This name is displayed in the Saved Reports page. You can also add a description, which is included in the generated emails.
9. For Number of Records, choose the maximum number of records to be included in the report.
10. If you have chosen the PDF format, use the Graphs section to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
11. Select Save & Run to save the report and run it, or select Run to run it once without keeping it in your Saved Reports page.

USM Anywhere Compliance Templates

Role Availability Read-Only Investigator Analyst Manager

AlienVault USM Anywhere provides out-of-the-box, pre-built compliance reporting templates based on alarms, vulnerabilities, and events collected in the system. These reports make it
fast and simple to navigate the requirements and demonstrate compliance during an audit.
You can easily customize, save, and export any report as needed.

You can find these templates on Reports > Compliance Templates.

USM Anywhere supports several compliance templates, including the following:

l PCI: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. These reports are identified by, and based on, specific PCI DSS requirements, so that each provides the auditor with the specific information requested. For example, PCI DSS requirement 10.7.a: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis. See PCI DSS Compliance Templates for more information.
l NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. See NIST CSF Compliance Templates for more information.
l HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. This includes covered entities (anyone who provides treatment, payment, and operations in healthcare) and business associates (anyone with access to patient information who provides support in treatment, payment, or operations). Subcontractors, that is, business associates of business associates, must also be in compliance. See HIPAA Compliance Templates for more information.
l ISO 27001: ISO/IEC 27001 provides guidance for implementing information security controls to achieve a consistent and reliable security program. ISO and the International Electrotechnical Commission (IEC) developed 27001 to provide requirements for an information security management system (ISMS). See ISO 27001 Compliance Templates for more information.

PCI DSS Compliance Templates

Role Availability Read-Only Investigator Analyst Manager

The Payment Card Industry Data Security Standards (PCI DSS) are a set of technical and
operational requirements designed to ensure that all companies that process, store, or
transmit credit card information maintain a secure environment. Administered by the PCI
Security Standards Council, the PCI standard requires validation of compliance on an annual
basis.

This section includes the descriptions for PCI DSS compliance templates on USM Anywhere:

l PCI DSS 10.2.4 - Linux
l PCI DSS 10.2.4 - Windows
l PCI DSS 10.2.5.b - Linux
l PCI DSS 10.2.5.b - Windows
l PCI DSS 10.2.5.c - Linux
l PCI DSS 10.2.5.c - Windows
l PCI DSS 10.7.a
l PCI DSS 10.7.c
l PCI DSS 11.5.a - Linux
l PCI DSS 11.5.a - Windows
l PCI DSS 5.1.2
l PCI DSS 6.1
l PCI DSS 8.1.6.a - Windows
l PCI DSS 8.2.1.c

PCI DSS 10.2.4 - Linux

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a list of all Login Failure events that USM
Anywhere records. The following table shows the event filters used by this template:

Filters Used by PCI DSS 10.2.4 - Linux

Field Values

Asset Groups "PCI DSS"

Event Name "PAM authentication failure", "Failed password", "SSH connection: Failed
password", "PAM X more authentication failures", "Authentication failure",
"FAILED su"

Suppressed False

To generate the PCI DSS 10.2.4 - Linux report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 10.2.4 - Windows

Role Availability Read-Only Investigator Analyst Manager

This report provides a list of all Login Failure events that USM Anywhere records. The
following table shows the event filters used by this template:

Filters Used by PCI DSS 10.2.4 - Windows

Field Values

Asset Groups "PCI DSS"

Category "Security"

Data Source "Windows NxLog", "AlienVault Agent - Windows EventLog"

Reporting Device Rule ID "4625", "529", "530", "531", "532", "533", "534", "535", "536", "537", "539"

Suppressed False

To generate the PCI DSS 10.2.4 - Windows report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 10.2.5.b - Linux

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a list of all privilege escalations on Linux hosts and the action performed. The following table shows the event filters used by this template:

Filters Used by PCI DSS 10.2.5.b - Linux

Field Values

Asset Groups "PCI DSS"

Data Source "Linux SUDO"

Event Name "Successful su"

Suppressed False

To generate the PCI DSS 10.2.5.b - Linux report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 10.2.5.b - Windows

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a list of privilege elevation events on Windows hosts (use of special privileges by a logged-on account), which is what PCI DSS 10.2.5.b requires to be logged. The following table shows the event filters used by this template:

Filters Used by PCI DSS 10.2.5.b - Windows

Field Values

Asset Groups "PCI DSS"

Category "Security"

Data Source "Windows NxLog", "AlienVault Agent - Windows EventLog"

Reporting Device Rule ID "576", "4672", "577", "4673", "578", "4674"

Suppressed False

To generate the PCI DSS 10.2.5.b - Windows report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 10.2.5.c - Linux

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a list of any changes, additions, or
deletions to any account that a root or administrator user has made. The following table
shows the event filters used by this template:

Filters Used by PCI DSS 10.2.5.c - Linux

Field Values

Asset Groups "PCI DSS"

Event Name "User added", "User removed", "User Account", "New user added", "User
added to group", "User deleted"

Suppressed False

To generate the PCI DSS 10.2.5.c - Linux report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 10.2.5.c - Windows

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a list of any changes, additions, or
deletions to any account that a root or administrator user has made. The following table
shows the event filters used by this template:

Filters Used by PCI DSS 10.2.5.c - Windows

Field Values

Asset Groups "PCI DSS"

Category "Security"

Data Source "Windows NxLog", "AlienVault Agent - Windows EventLog"

Reporting Device Rule ID "624", "4720", "4722", "4725", "4726", "4738"

Suppressed False
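How a template's filter table selects events, as an added example that is not USM Anywhere code and not part of the original guide: the script below applies the PCI DSS 10.2.4 (Linux and Windows) and 10.2.5.c (Windows) filter tables to a handful of constructed events and renders the selection the way a CSV report would. The dictionary keys, the sample events and the source_name field are assumptions; the matching rules (every row of the table must match, a row matches if the event's value is any one of the listed values, asset-group membership matches on any shared group) are an assumption about the product's behaviour. It goes a step beyond the tables by showing why a suppressed event, an event from an asset outside the PCI DSS group, and a Windows event logged under a category other than Security drop out, which is worth checking before a report goes to an auditor.

```python
"""Filter evaluator for the PCI DSS compliance-template tables in this guide.

Added example, not USM Anywhere code. The field names and value lists are
transcribed from the PCI DSS 10.2.4 (Linux, Windows) and 10.2.5.c (Windows)
filter tables; the events below are constructed samples, and the matching
semantics (all listed fields must match, a field matches if the event's value
is one of the listed values, asset-group membership matches on any shared
group) are an assumption about how the templates behave.
"""
import csv
import io
from collections import Counter

TEMPLATES = {
    "PCI DSS 10.2.4 - Linux": {
        "asset_groups": {"PCI DSS"},
        "event_name": {
            "PAM authentication failure", "Failed password",
            "SSH connection: Failed password",
            "PAM X more authentication failures",
            "Authentication failure", "FAILED su",
        },
        "suppressed": {False},
    },
    "PCI DSS 10.2.4 - Windows": {
        "asset_groups": {"PCI DSS"},
        "category": {"Security"},
        "data_source": {"Windows NxLog", "AlienVault Agent - Windows EventLog"},
        "reporting_device_rule_id": {
            "4625", "529", "530", "531", "532", "533", "534", "535", "536", "537", "539",
        },
        "suppressed": {False},
    },
    "PCI DSS 10.2.5.c - Windows": {
        "asset_groups": {"PCI DSS"},
        "category": {"Security"},
        "data_source": {"Windows NxLog", "AlienVault Agent - Windows EventLog"},
        "reporting_device_rule_id": {"624", "4720", "4722", "4725", "4726", "4738"},
        "suppressed": {False},
    },
}

# Constructed sample events; "source_name" is a hypothetical asset-name field.
EVENTS = [
    {"id": 1, "source_name": "pay-db-01", "asset_groups": {"PCI DSS"},
     "event_name": "Failed password", "suppressed": False},
    # Same event but suppressed: every template filters on Suppressed = False.
    {"id": 2, "source_name": "pay-db-01", "asset_groups": {"PCI DSS"},
     "event_name": "Failed password", "suppressed": True},
    # Out of scope: the asset is not in the "PCI DSS" asset group.
    {"id": 3, "source_name": "dev-box-07", "asset_groups": {"Corporate"},
     "event_name": "FAILED su", "suppressed": False},
    {"id": 4, "source_name": "pos-win-03", "asset_groups": {"PCI DSS"},
     "category": "Security", "data_source": "Windows NxLog",
     "reporting_device_rule_id": "4625", "suppressed": False},
    # Account created on a domain controller that belongs to two groups.
    {"id": 5, "source_name": "dc-01", "asset_groups": {"PCI DSS", "Domain Controllers"},
     "category": "Security", "data_source": "AlienVault Agent - Windows EventLog",
     "reporting_device_rule_id": "4720", "suppressed": False},
    # Rule ID 4624 (successful logon) is listed by none of the templates.
    {"id": 6, "source_name": "pos-win-03", "asset_groups": {"PCI DSS"},
     "category": "Security", "data_source": "Windows NxLog",
     "reporting_device_rule_id": "4624", "suppressed": False},
    # Right rule ID but wrong log category, so the Windows templates skip it.
    {"id": 7, "source_name": "pos-win-03", "asset_groups": {"PCI DSS"},
     "category": "System", "data_source": "Windows NxLog",
     "reporting_device_rule_id": "4625", "suppressed": False},
]


def field_matches(event, field, allowed):
    """One table row: the event's value must be one of the allowed values."""
    value = event.get(field)
    if field == "asset_groups":
        # An asset can belong to several groups; any overlap is a match.
        return bool(set(value or ()) & allowed)
    return value in allowed


def matches(event, filters):
    """All rows of a template's filter table must match (logical AND)."""
    return all(field_matches(event, f, v) for f, v in filters.items())


def run_template(events, template_name):
    """Return the events the named template would include in its report."""
    filters = TEMPLATES[template_name]
    return [e for e in events if matches(e, filters)]


def summarize(selected):
    """Count matched events per source asset, like a report's graph view."""
    return dict(Counter(e["source_name"] for e in selected))


def to_csv(selected, fields=("id", "source_name", "event_name", "reporting_device_rule_id")):
    """Render the selection as CSV, one of the guide's two report formats."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(fields))
    writer.writeheader()
    for e in selected:
        writer.writerow({f: e.get(f, "") for f in fields})
    return out.getvalue()


if __name__ == "__main__":
    for name in TEMPLATES:
        hits = run_template(EVENTS, name)
        print(f"{name}: {len(hits)} event(s) {summarize(hits)}")
        print(to_csv(hits))
```

Adding the other templates' tables to TEMPLATES is a matter of transcribing their rows; the evaluator does not change. Running it against a sample of your own normalized events is a quick way to confirm that the assets you expect are actually in the PCI DSS asset group and that the Windows sources are tagged with the Security category, since either gap silently empties the report.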

To generate the PCI DSS 10.2.5.c - Windows report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 10.7.a

Role Availability Read-Only Investigator Analyst Manager

This view provides a summary of USM Anywhere hot and cold storage, satisfying the
requirements for PCI DSS 10.7.a.

The View link goes to the My Subscription page (Settings > My Subscription). See
Subscription Management for more information.

PCI DSS 10.7.c

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a view of the last 90 days of events available for analysis, satisfying the requirements of PCI DSS 10.7.c. The following table shows the event filters used by this template:

Filters Used by PCI DSS 10.7.c

Field Values

Asset Groups "PCI DSS"

Suppressed False

To generate the PCI DSS 10.7.c report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 11.5.a - Linux

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a view of the file integrity monitoring (FIM) events from Linux hosts, demonstrating the use of the change-detection mechanism required by PCI DSS 11.5.a. The following table shows the event filters used by this template:

Filters Used by PCI DSS 11.5.a - Linux

Field Values

Asset Groups "PCI DSS"

Data Source Device "Osquery", "AlienVault Agent"

Event type "file_events"

Suppressed False

To generate the PCI DSS 11.5.a - Linux report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 11.5.a - Windows

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides a view of the FIM events from Windows hosts, demonstrating the use of the change-detection mechanism required by PCI DSS 11.5.a. The following table shows the event filters used by this template:

Filters Used by PCI DSS 11.5.a - Windows

Field Values

Asset Groups "PCI DSS"

Event Name "File attributes modified", "File Updated", "File Accessed", "File Created", "File
Deleted", "File Moved From", "File Moved To", "File Opened", "Folder Event",
"Unmount"

Suppressed False

To generate the PCI DSS 11.5.a - Windows report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the line for this template.

The Configure Report dialog box displays.

3. If you want to modify the selected filters, click Edit Filters and then Continue to Filters. Make the changes you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range. Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom Range to set a particular date range.
5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want the report to be generated again on a schedule: Never, Daily, Weekly, Bi-weekly, or Monthly.
7. Enter the email address to which the report should be sent. Select the Send to my Email Address option to add your own address automatically.
8. Select the Enable link expiration option if you want the report link, which is delivered by email, to expire after 14 days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name is displayed in the Saved Reports page.
11. (Optional.) Add a description to be included with the report email.
12. Under the Number of records section, choose the maximum number of records to include in the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section is displayed, which you can use to include additional views. You can add or remove graphs included in the report by clicking the add and remove icons.
14. Click Save & Run if you want to keep the report in your Saved Reports on USM Anywhere page and receive the report at the indicated email address.
15. Click Run to run the report once without saving it.

PCI DSS 5.1.2

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides evidence that threat assessments are being performed on all systems set up for a vulnerability scan. This report cannot provide that evidence if vulnerability scans are not set up on all systems covered by PCI DSS 5.1.2. The following table shows the filters used by this template:

Filters Used by PCI DSS 5.1.2

Field Values

Asset Groups "PCI DSS"

Active Vulnerability Yes

857 USM Anywhere™ User Guide


USM Anywhere Compliance Templates

To generate the PCI DSS 5.1.2 report

1. Go to Reports > Compliance Templates.


2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

PCI DSS 6.1

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides proof that vulnerabilities are being
assigned with a risk ranking in the severity field. The following table shows the event filters
used by this template:

Filters Used by PCI DSS 6.1

Field Values

Asset Groups "PCI DSS"

Active Vulnerability Yes

To generate the PCI DSS 6.1 report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

PCI DSS 8.1.6.a - Windows

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template proves that account lockouts are taking place on
monitored devices. Note that this report is predefined for Microsoft Windows but can be
modified to include other devices as well. The following table shows the event filters used by
this template:

Filters Used by PCI DSS 8.1.6.a - Windows

Field Values

Asset Groups "PCI DSS"

Category "Security"

Data Source "Windows NxLog", "AlienVault Agent - Windows EventLog"

Reporting Device Rule ID 4740

Suppressed False

To generate the PCI DSS 8.1.6.a - Windows report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

PCI DSS 8.2.1.c

Role Availability Read-Only Investigator Analyst Manager

The report generated from this template provides instances of plain text passwords on the
network. The absence of these events satisfies the requirements. The following table shows
the event filters used by this template:

Filters Used by PCI DSS 8.2.1.c

Field Values

Asset Groups "PCI DSS"

Category "Suspicious Activity"

Event Activity "Password leak"

Subcategory "Suspicious Traffic"

Suppressed False

To generate the PCI DSS 8.2.1.c report

1. Go to Reports > Compliance Templates.
2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

NIST CSF Compliance Templates

Role Availability Read-Only Investigator Analyst Manager

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a
policy framework of computer security guidance for how private sector organizations can
assess and improve their ability to prevent, detect, and respond to cyber attacks.

This section includes the descriptions for NIST CSF compliance templates on USM Anywhere:

• NIST CSC Control PR.IP-12: A Vulnerability Management Plan is Developed and Implemented
• NIST CSC Control PR.PT-1: Audit/Log Records Are Determined, Documented, Implemented, and
Reviewed in Accordance with Policy
• NIST CSF Control DE.AE-2: Detected Events Are Analyzed to Understand Attack Targets and
Methods
• NIST CSF Control DE.AE-3: Event Data Are Aggregated and Correlated from Multiple Sources
and Sensors
• NIST CSF Control DE.AE-5: Incident Alert Thresholds Are Established
• NIST CSF Control DE.CM-3: Personnel Activity Is Monitored to Detect Potential Cybersecurity
Events
• NIST CSF Control DE.CM-4: Malicious Code Is Detected
• NIST CSF Control DE.CM-7: Monitoring for Unauthorized Personnel, Connections, Devices, and
Software Is Performed
• NIST CSF Control DE.CM-8: Vulnerability Scans Are Performed
• NIST CSF Control DE.DP-4: Event Detection Information Is Communicated to Appropriate
Parties
• NIST CSF Control ID.AM-1: Physical Devices and Systems within the Organization Are
Inventoried
• NIST CSF Control ID.AM-5: Resources (E.G., Hardware, Devices, Data, and Software) Are
Prioritized Based on their Classification, Criticality, and Business Value
• NIST CSF Control ID.RA-1: Asset Vulnerabilities Are Identified and Documented
• NIST CSF Control ID.RA-2: Threat and Vulnerability Information is Received from Information
Sharing Forums and Sources
• NIST CSF Control PR.AC-1: Identities and Credentials Are Managed for Authorized Devices and
Users
• NIST CSF Control RS.AN-3: Forensics Are Performed

NIST CSC Control PR.IP-12: A Vulnerability Management Plan is Developed and Implemented

Role Availability Read-Only Investigator Analyst Manager

Information Protection Processes and Procedures (PR.IP): Security policies (that address
purpose, scope, roles, responsibilities, management commitment, and coordination among
organizational entities), processes, and procedures are maintained and used to manage
protection of information systems and assets. Note on Control: This report shows that
vulnerabilities are being identified, partially satisfying the control. An update policy would
need to be in place for this to be fully satisfied. Associated Frameworks: ISO/IEC 27001:2013
A.12.6.1, A.18.2.2, NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2.

The following table shows the event filters used by this template:

Filters Used by NIST CSC Control PR.IP-12: A Vulnerability Management Plan is Developed and
Implemented

Field Values

Active Vulnerability Yes

To generate the NIST CSC Control PR.IP-12 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSC Control PR.PT-1: Audit/Log Records Are Determined, Documented, Implemented, and
Reviewed in Accordance with Policy

Role Availability Read-Only Investigator Analyst Manager

Protective Technology (PR.PT): Technical security solutions are managed to ensure the
security and resilience of systems and assets, consistent with related policies, procedures,
and agreements. Note on Control: This Control can be partially satisfied by having logs
available in USM Anywhere for log review. The user is responsible for their own log review
process for the rest of the control. Associated Frameworks: CCS CSC 14, COBIT 5 APO11.04,
ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, ISA 62443-3-3:2013 SR 2.8,
SR 2.9, SR 2.10, SR 2.11, SR 2.12, ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, NIST
SP 800-53 Rev. 4 AU Family.

The following table shows the event filters used by this template:

Filters Used by NIST CSC Control PR.PT-1: Audit/Log Records Are Determined, Documented,
Implemented, and Reviewed in Accordance with Policy

Field Values

Suppressed False

To generate the NIST CSC Control PR.PT-1 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control DE.AE-2: Detected Events Are Analyzed to Understand Attack
Targets and Methods

Role Availability Read-Only Investigator Analyst Manager

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the
potential impact of events is understood. Note on Control: This control is partially satisfied by
alarms being available for investigation and response, but requires the user to have an
investigation and response policy utilizing the available logs. Associated Frameworks: ISA
62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR
2.12, SR 3.9, SR 6.1, SR 6.2, ISO/IEC 27001:2013 A.16.1.1, A.16.1.4, NIST SP 800-53 Rev. 4 AU-6, CA-7,
IR-4, SI-4.

The following table shows the event filters used by this template:

Filters Used by NIST CSF Control DE.AE-2: Detected Events Are Analyzed to Understand Attack
Targets and Methods

Field Values

Suppressed False

To generate the NIST CSF Control DE.AE-2 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control DE.AE-3: Event Data Are Aggregated and Correlated from Multiple Sources
and Sensors

Role Availability Read-Only Investigator Analyst Manager

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the
potential impact of events is understood. The Default Fields satisfy this control by showing
that different sensors and hosts send events to USM Anywhere. Associated Frameworks: ISA
62443-3-3:2013 SR 6.1, NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4.

The following table shows the event filters used by this template:

Filters Used by NIST CSF Control DE.AE-3: Event Data Are Aggregated and Correlated from
Multiple Sources and Sensors

Field Values

Suppressed False

To generate the NIST CSF Control DE.AE-3 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control DE.AE-5: Incident Alert Thresholds Are Established

Role Availability Read-Only Investigator Analyst Manager

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the
potential impact of events is understood. Associated Frameworks: COBIT 5 APO12.06, ISA
62443-2-1:2009 4.2.3.10, NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8.

The View link goes to the orchestration rules page (Settings > Rules). See Rules
Management for more information.

NIST CSF Control DE.CM-3: Personnel Activity Is Monitored to Detect Potential Cybersecurity
Events

Role Availability Read-Only Investigator Analyst Manager

Security Continuous Monitoring (DE.CM): The information system and assets are monitored
at discrete intervals to identify cybersecurity events and verify the effectiveness of
protective measures. Since all events could be attributed to user events, and all events are
run through the correlation engine, this control is satisfied by the default view. Associated
Frameworks: ISA 62443-3-3:2013 SR 6.2, ISO/IEC 27001:2013 A.12.4.1, NIST SP 800-53 Rev. 4 AC-
2, AU-12, AU-13, CA-7, CM-10, CM-11.

The following table shows the event filters used by this template:

Filters Used by NIST CSF Control DE.CM-3: Personnel Activity Is Monitored to Detect Potential
Cybersecurity Events

Field Values

Suppressed False

To generate the NIST CSF Control DE.CM-3 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control DE.CM-4: Malicious Code Is Detected

Role Availability Read-Only Investigator Analyst Manager

Security Continuous Monitoring (DE.CM): The information system and assets are monitored
at discrete intervals to identify cybersecurity events and verify the effectiveness of
protective measures. Since all events could be attributed to user events, and all events are
run through the correlation engine, this control is satisfied by the default view. Associated
Frameworks: ISA 62443-3-3:2013 SR 6.2, ISO/IEC 27001:2013 A.12.4.1, NIST SP 800-53 Rev. 4 AC-
2, AU-12, AU-13, CA-7, CM-10, CM-11.

The following table shows the event filters used by this template:

Filters Used by NIST CSF Control DE.CM-4: Malicious Code Is Detected

Field Values

Malware Family All

Suppressed False

To generate the NIST CSF Control DE.CM-4 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control DE.CM-7: Monitoring for Unauthorized Personnel, Connections, Devices, and
Software Is Performed

Role Availability Read-Only Investigator Analyst Manager

Security Continuous Monitoring (DE.CM): The information system and assets are monitored
at discrete intervals to identify cybersecurity events and verify the effectiveness of
protective measures. Unauthorized access to accounts will partially satisfy the control.
Associated Frameworks: NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-
4.

The following table shows the event filters used by this template:

Filters Used by NIST CSF Control DE.CM-7: Monitoring for Unauthorized Personnel, Connections,
Devices, and Software Is Performed

Field Values

Event Name "Admin login failed", "An account failed to log on", "An account failed to log
on.", "Login - Login Failure", "Login failed", "Multiple Windows Logon Failures",
"Multiple failed logins", "Secure Shell: LOGINFAIL", "Session 'Circular Kernel
Context Logger' failed to start with the following error", "Syslog connection
failed", "USER_Login: Failed", "User login failed", "UserLoginFailed", "Windows
DC Logon Failure", "event: LoginFailed", "load balancer: SSH Login failed",
"Account locked out", "Account locked-out"

Suppressed False

To generate the NIST CSF Control DE.CM-7 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select if you want to generate the report again, and choose Never, Daily, Weekly, Bi-weekly,
or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

15. Select Save & Run if you wish to keep the report in your Saved Reports page on USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.
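The filter tables for PCI DSS 8.1.6.a - Windows and for NIST CSF Control DE.CM-7 compose the same way: every listed field must match, a field with several quoted values matches any one of them, and Suppressed False keeps analyst-suppressed events out of the evidence. The following Python is an added example, not USM Anywhere code, that reproduces that filter logic over constructed sample events so the effect of each field can be checked offline; the event field names, the sample events and the "Linux Syslog (constructed)" data source are assumptions.

```python
"""Offline evaluator for two of the compliance-template event filters.

Added example, not USM Anywhere code. It reproduces the filter semantics the
template tables describe: every listed field must match (AND); a field with
several quoted values matches any one of them (OR); and "Suppressed False"
drops events an analyst has suppressed so they never count as evidence.
The event field names and the sample events below are assumptions.
"""
from typing import Any, Dict, List

Event = Dict[str, Any]
Filter = Dict[str, List[Any]]

# Filters copied from the "Filters Used by PCI DSS 8.1.6.a - Windows" table.
PCI_DSS_8_1_6_A_WINDOWS: Filter = {
    "asset_groups": ["PCI DSS"],
    "category": ["Security"],
    "data_source": ["Windows NxLog", "AlienVault Agent - Windows EventLog"],
    "reporting_device_rule_id": ["4740"],  # Windows account-lockout event ID
    "suppressed": [False],
}

# Filters copied from the "Filters Used by NIST CSF Control DE.CM-7" table.
NIST_CSF_DE_CM_7: Filter = {
    "event_name": [
        "Admin login failed", "An account failed to log on",
        "An account failed to log on.", "Login - Login Failure", "Login failed",
        "Multiple Windows Logon Failures", "Multiple failed logins",
        "Secure Shell: LOGINFAIL",
        "Session 'Circular Kernel Context Logger' failed to start with the following error",
        "Syslog connection failed", "USER_Login: Failed", "User login failed",
        "UserLoginFailed", "Windows DC Logon Failure", "event: LoginFailed",
        "load balancer: SSH Login failed", "Account locked out",
        "Account locked-out",
    ],
    "suppressed": [False],
}

# The record limits offered under "Number of records" in the report dialog.
RECORD_LIMITS = (20, 50, 100, 500, 1000, 2500)


def event_matches(event: Event, filters: Filter) -> bool:
    """True when the event satisfies every field of the template filter."""
    for field, allowed in filters.items():
        value = event.get(field)
        if isinstance(value, list):
            # Multi-valued field (an asset can sit in several asset groups):
            # membership in any one of the allowed groups is enough.
            if not any(v in allowed for v in value):
                return False
        elif field == "reporting_device_rule_id":
            # Rule IDs arrive as ints or strings; compare them as text.
            if value is None or str(value) not in allowed:
                return False
        elif value not in allowed:
            return False
    return True


def run_template(events: List[Event], filters: Filter, max_records: int = 20) -> List[Event]:
    """Return the events the report would contain, capped like the dialog."""
    if max_records not in RECORD_LIMITS:
        raise ValueError(f"max_records must be one of {RECORD_LIMITS}")
    return [e for e in events if event_matches(e, filters)][:max_records]


# Constructed sample events (not real USM Anywhere data).
SAMPLE_EVENTS: List[Event] = [
    {   # Windows lockout on a PCI host: evidence for both 8.1.6.a and DE.CM-7
        "id": "e1", "event_name": "Account locked out", "asset_groups": ["PCI DSS"],
        "category": "Security", "data_source": "Windows NxLog",
        "reporting_device_rule_id": 4740, "suppressed": False,
    },
    {   # The same lockout, suppressed by an analyst: excluded from both reports
        "id": "e2", "event_name": "Account locked out", "asset_groups": ["PCI DSS"],
        "category": "Security", "data_source": "Windows NxLog",
        "reporting_device_rule_id": 4740, "suppressed": True,
    },
    {   # SSH failure on a non-PCI host: DE.CM-7 only (wrong group, no rule ID)
        "id": "e3", "event_name": "Secure Shell: LOGINFAIL", "asset_groups": ["Linux Servers"],
        "category": "Security", "data_source": "Linux Syslog (constructed)",
        "reporting_device_rule_id": None, "suppressed": False,
    },
    {   # Successful logon on a PCI host: matches neither template
        "id": "e4", "event_name": "User logged in", "asset_groups": ["PCI DSS"],
        "category": "Security", "data_source": "AlienVault Agent - Windows EventLog",
        "reporting_device_rule_id": None, "suppressed": False,
    },
]

if __name__ == "__main__":
    for name, flt in (("PCI DSS 8.1.6.a - Windows", PCI_DSS_8_1_6_A_WINDOWS),
                      ("NIST CSF Control DE.CM-7", NIST_CSF_DE_CM_7)):
        ids = [e["id"] for e in run_template(SAMPLE_EVENTS, flt)]
        print(f"{name}: {ids}")
```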

NIST CSF Control DE.CM-8: Vulnerability Scans Are Performed

Role Availability Read-Only Investigator Analyst Manager

Security Continuous Monitoring (DE.CM): The information system and assets are monitored
at discrete intervals to identify cybersecurity events and verify the effectiveness of
protective measures. The Authenticated vulnerability scan log in the linked view shows that
vulnerability scans are run, and will satisfy this control. Associated Frameworks: COBIT 5
BAI03.10, ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7, ISO/IEC 27001:2013 A.12.6.1, NIST SP 800-53 Rev. 4
RA-5.

The View link goes to the job scheduler of asset scans page (Settings > Scheduler > Asset
Scans). See Scheduling Asset Scans from the Job Scheduler Page for more information.

NIST CSF Control DE.DP-4: Event Detection Information Is Communicated to Appropriate
Parties

Role Availability Read-Only Investigator Analyst Manager

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested
to ensure timely and adequate awareness of anomalous events. Within the user settings view,
the receive alarms notification checkbox satisfies this control. Associated Frameworks: COBIT
5 APO12.06, ISA 62443-2-1:2009 4.3.4.5.9, ISA 62443-3-3:2013 SR 6.1, ISO/IEC 27001:2013 A.16.1.2,
NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4.

The View link goes to the users list page (Settings > Users). See USM Anywhere User
Management for more information.

NIST CSF Control ID.AM-1: Physical Devices and Systems within the Organization Are
Inventoried

Role Availability Read-Only Investigator Analyst Manager

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable
the organization to achieve business purposes are identified and managed consistent with
their relative importance to business objectives and the organization’s risk strategy. This can
partially satisfy the control by providing a list of network assets, or fully satisfy the control in
some cases. Associated Frameworks: CCS CSC 1, COBIT 5 BAI09.01, BAI09.02, ISA 62443-2-
1:2009 4.2.3.4, ISA 62443-3-3:2013 SR 7.8, ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, NIST SP 800-53 Rev.
4 CM-8.

This report shows the assets list by using the "NIST CSF Control ID.AM-1: Physical Devices and
Systems within the Organization are Inventoried" view.

To generate the NIST CSF Control ID.AM-1 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
15. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control ID.AM-5: Resources (E.G., Hardware, Devices, Data, and Software) Are
Prioritized Based on their Classification, Criticality, and Business Value

Role Availability Read-Only Investigator Analyst Manager

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable
the organization to achieve business purposes are identified and managed consistent with
their relative importance to business objectives and the organization’s risk strategy.
Hardware and devices can be prioritized into asset groups, satisfying part of the control.
Associated Frameworks: COBIT 5 APO03.03, APO03.04, BAI09.02, ISA 62443-2-1:2009 4.2.3.6,
ISO/IEC 27001:2013 A.8.2.1, NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14.

This report shows the asset groups list by using the "NIST CSF Control ID.AM-5: Resources
(e.g., Hardware, Devices, Data, and Software) are Prioritized Based on their Classification,
Criticality, and Business Value" view.


To generate the NIST CSF Control ID.AM-5 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
15. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control ID.RA-1: Asset Vulnerabilities Are Identified and Documented

Role Availability Read-Only Investigator Analyst Manager

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to
organizational operations (including mission, functions, image, or reputation), organizational
assets, and individuals. This report satisfies both identification and documentation since
vulnerabilities are tracked and described in the vulnerabilities tab. Associated Frameworks:
CCS CSC 4, COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, ISA 62443-2-1:2009 4.2.3, 4.2.3.7,
4.2.3.9, 4.2.3.12, ISO/IEC 27001:2013 A.12.6.1, A.18.2.3, NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8,
RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5.

The following table shows the event filters used by this template:

Filters Used by NIST CSF Control ID.RA-1: Asset Vulnerabilities Are Identified and Documented

Field Values

Active Vulnerability Yes

To generate the NIST CSF Control ID.RA-1 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
15. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control ID.RA-2: Threat and Vulnerability Information is Received from
Information Sharing Forums and Sources


Role Availability Read-Only Investigator Analyst Manager

Control Description Access Control (ID.RA): Access to assets and associated facilities is limited
to authorized users, processes, or devices, and to authorized activities and transactions.
Associated Frameworks: ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12, ISO/IEC 27001:2013 A.6.1.4,
NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5.

The View link goes to the OTX dashboard page (Dashboard > Open Threat Exchange). See
Open Threat Exchange Dashboard for more information.

NIST CSF Control PR.AC-1: Identities and Credentials Are Managed for Authorized Devices and Users

Role Availability Read-Only Investigator Analyst Manager

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized
users, processes, or devices, and to authorized activities and transactions. Note on Control:
Showing user login events will satisfy this control. Associated Frameworks: CCS CSC 16, COBIT
5 DSS05.04, DSS06.03, ISA 62443-2-1:2009 4.3.3.5.1, ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR
1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3,
NIST SP 800-53 Rev. 4 AC-2, IA Family.

The following table shows the event filters used by this template:

Filters Used by NIST CSF Control PR.AC-1: Identities and Credentials Are Managed for Authorized
Devices and Users

Field Values

Event Name "A logon was attempted using explicit credentials", "AUTHN_LOGIN_EVENT",
"Admin - Change Password On Next Login", "Admin login", "Admin login failed",
"Admin login successful", "Agent login succeeded", "Attempt to login using a
non-existent user", "Audit Event Dispatcher: login message", "Console Login",
"Console user login", "FTP login", "LOGIN", "LOGON", "Login", "Login - Login
Challenge", "Login - Login Failure", "Login - Successful Login", "Login OK",
"Login Success", "Login attempt", "Login failed", "Login succeeded", "Login
success", "Login successful. Accepted password", "Logon", "Multiple Windows
Logon Failures", "Multiple failed logins", "Network Security Manager Login
succeeded", "PasswordLogonInitialAuthUsingPassword", "Secure Shell:
LOGINFAIL", "Special Logon", "Special privileges assigned to new logon",
"UNSUCCESSFUL_LOGIN", "USER_LOGIN", "USER_LOGINx", "USER_Login: Failed",
"User Logon", "User Logon Notification for Customer Experience Improvement
Program", "User login", "User login failed", "User login successful", "User logon
detected Account", "UserLoginFailed", "VPN zone remote user login allowed",
"Windows DC Logon Failure", "Windows Logon Success", "event: LoginFailed",
"load balancer: SSH Login failed", "load balancer: SSH login accepted", "login",
"login query"

Suppressed False

To generate the NIST CSF Control PR.AC-1 report

1. Go to Reports > Compliance Templates.
2. On the left navigation pane, click NIST CSF.
3. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

4. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
5. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

6. Under the Format section, select either CSV or PDF for the format of the report.
7. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
8. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
9. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
10. Click Next.
11. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
12. (Optional.) Add a description that will be included.
13. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
14. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
15. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
16. Click Run to run the report.

NIST CSF Control RS.AN-3: Forensics Are Performed


Role Availability Read-Only Investigator Analyst Manager

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery
activities. Note on Control: Orchestration rules are available to automatically run forensics on
alarms and events. Having the output of these forensic scans available for reporting would
satisfy this control. Associated Frameworks: ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11,
SR 2.12, SR 3.9, SR 6.1, ISO/IEC 27001:2013 A.16.1.7, NIST SP 800-53 Rev. 4 AU-7, IR-4.

The View link goes to the orchestration rules page (Settings > Rules). See Rules
Management for more information.

HIPAA Compliance Templates

Role Availability Read-Only Investigator Analyst Manager

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for
protecting sensitive patient data. Any company that deals with protected health information
(PHI) must ensure that all the required physical, network, and process security measures are
in place and followed. This includes covered entities (anyone who provides treatment,
payment, and operations in healthcare) and business associates (anyone with access to
patient information who provides support in treatment, payment, or operations).
Subcontractors, or business associates of business associates, must also be in compliance.

This section includes the descriptions for HIPAA compliance templates on USM Anywhere:

• HIPAA A03 §164.308(a)(1)(ii)(A)
• HIPAA Control T03 §164.312 (a)(1)
• HIPAA Control T30 §164.312(b)
• HIPAA Control T33 §164.312(c)(1) - Linux
• HIPAA Control T33 §164.312(c)(1) - Windows


HIPAA A03 §164.308(a)(1)(ii)(A)

Role Availability Read-Only Investigator Analyst Manager

The "HIPAA A03 §164.308(a)(1)(ii)(A) - Does your practice categorize its information systems
based on the potential impact to your practice should they become unavailable?" report
generated from this template provides a risk analysis, which is the process of identifying the
risks to system security and determining the likelihood of occurrence, the resulting impact,
and the additional safeguards that mitigate this impact. Risk analysis is part of risk
management and is synonymous with risk assessment. Consider whether your practice
categorizes its information systems as high, moderate, or low impact systems; information
system categorization helps your practice to scope audits and prioritize investments for
security mitigation. Consider whether your practice's risk analysis is designed to protect its
information systems, and the ePHI that it processes, stores, and transmits, from unauthorized
access, use, disclosure, disruption, change, or damage. Consider whether your practice's risk
analysis identifies threats, identifies vulnerabilities inherent in its technology, processes,
workforce, and vendors, contemplates the likelihood of occurrence, and estimates the
potential magnitude of harm.

This report shows the asset groups list by using the "HIPAA A03 §164.308(a)(1)(ii)(A) - Does
your practice categorize its information systems based on the potential impact to your
practice should they become unavailable?" view.

To generate the HIPAA A03 §164.308(a)(1)(ii)(A) report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click HIPAA.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

HIPAA Control T03 §164.312 (a)(1)


Role Availability Read-Only Investigator Analyst Manager

The "HIPAA Control T03 §164.312 (a)(1) Does your practice analyze the activities performed by
all of its workforce and service providers to identify the extent to which each needs access to
ePHI?" report generated from this template considers that a “user” can be any entity that
accesses your practice’s ePHI, whether it is a person or a device. Consider whether your
practice: Defines roles and responsibilities in sufficient detail to demonstrate whether access
to ePHI is necessary. Determines whether remote access is necessary from physical
environments that are not under your practice’s control. If so, determine by whom, how (e.g.,
electronic device), and when.

The following table shows the event filters used by this template:

Filters Used by HIPAA Control T03 §164.312 (a)(1)

Field Values

Asset Groups "HIPAA"

Suppressed False

To generate the HIPAA Control T03 §164.312 (a)(1) report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click HIPAA.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

HIPAA Control T30 §164.312(b)


Role Availability Read-Only Investigator Analyst Manager

The "HIPAA Control T30 §164.312(b) Does your practice have policies and procedures
establishing retention requirements for audit purposes?" report generated from this
template considers that written policies and procedures can drive the development of
processes and the adoption of standards and controls, which reduce risk to ePHI. They can
also provide essential information for privacy and security awareness and role-based training.

The View link goes to the My Subscription page (Settings > My Subscription). See
Subscription Management for more information.

To generate the HIPAA Control T30 §164.312(b) report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click HIPAA.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

HIPAA Control T33 §164.312(c)(1) - Linux

Role Availability Read-Only Investigator Analyst Manager

The "HIPAA Control T33 §164.312(c)(1) Does your practice have mechanisms to corroborate
that ePHI has not been altered, modified or destroyed in an unauthorized manner? - Linux"
report generated from this template considers whether your practice has data
authentication mechanisms and tools, such as a checksum. A checksum is a computation that
is performed when ePHI is transmitted or stored. The computation is repeated and checked at
a later time (such as when the ePHI is recalled or when it is received at the intended
destination) to ascertain whether the two computations match. If the checksum matches, it is
less likely that the ePHI was altered or modified. Also consider whether your practice relies on
encryption validation to authenticate ePHI.

The following table shows the event filters used by this template:


Filters Used by HIPAA Control T33 §164.312(c)(1) - Linux

Field Values

Asset Groups "HIPAA"

Data Source Device Osquery

Event Type file_events

Suppressed False

To generate the HIPAA Control T33 §164.312(c)(1) - Linux report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click HIPAA.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

HIPAA Control T33 §164.312(c)(1) - Windows

Role Availability Read-Only Investigator Analyst Manager

The "HIPAA Control T33 §164.312(c)(1) Does your practice have mechanisms to corroborate
that ePHI has not been altered, modified or destroyed in an unauthorized manner? -
Windows" report generated from this template considers whether your practice has data
authentication mechanisms and tools, such as a checksum. A checksum is a computation that
is performed when ePHI is transmitted or stored. The computation is repeated and checked at
a later time (such as when the ePHI is recalled or when it is received at the intended
destination) to ascertain whether the two computations match. If the checksum matches, it is
less likely that the ePHI was altered or modified. Also consider whether your practice relies on
encryption validation to authenticate ePHI.
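The checksum mechanism that both T33 templates (Linux and Windows) ask about, as an added example that is not part of the USM Anywhere guide: a small Python tool records a SHA-256 manifest of an ePHI directory when the data is stored and later recomputes the digests to report altered, removed, and added files. The directory layout, file names, and contents are constructed for the demonstration; keep the manifest outside the monitored tree (and ideally signed or stored off-host), which is the encryption-validation point the passage raises.

```python
"""Checksum-based integrity check for an ePHI directory (added example).

Builds a SHA-256 manifest of every file under a directory, then verifies the
directory against that manifest and reports what changed. A matching digest
makes it less likely the file was altered; a plain checksum does not stop an
attacker who can rewrite the manifest too, so store it outside the monitored
tree and sign or copy it off-host for a stronger guarantee.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return manifest


def write_manifest(manifest: dict, manifest_path: Path) -> None:
    """Persist the manifest as JSON; the path must lie outside the tree."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def read_manifest(manifest_path: Path) -> dict:
    """Load a manifest written by write_manifest."""
    return json.loads(manifest_path.read_text())


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Recompute digests and compare with the recorded manifest.

    Returns {"altered": [...], "missing": [...], "added": [...]}; three empty
    lists mean every recorded checksum still matches and nothing appeared.
    """
    current = build_manifest(root)
    altered = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"altered": altered, "missing": missing, "added": added}


def demo() -> dict:
    """Baseline a constructed ePHI tree, change it, and verify twice.

    The files and contents are constructed for the demonstration only.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ephi"
        (root / "records").mkdir(parents=True)
        (root / "records" / "patient-0001.txt").write_text("constructed record A\n")
        (root / "records" / "patient-0002.txt").write_text("constructed record B\n")

        # Manifest lives beside, not inside, the monitored tree.
        manifest_path = Path(tmp) / "ephi.manifest.json"
        write_manifest(build_manifest(root), manifest_path)
        manifest = read_manifest(manifest_path)
        before = verify_manifest(root, manifest)

        # Simulate an unauthorized change, a deletion, and an unexpected file.
        (root / "records" / "patient-0001.txt").write_text("constructed record A (changed)\n")
        (root / "records" / "patient-0002.txt").unlink()
        (root / "records" / "patient-0003.txt").write_text("constructed record C\n")
        after = verify_manifest(root, manifest)

        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```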

The following table shows the event filters used by this template:


Filters Used by HIPAA Control T33 §164.312(c)(1) - Windows

Field Values

Asset Groups "HIPAA"

Data Source Device Windows NxLog

Event Type File System

Suppressed False

To generate the HIPAA Control T33 §164.312(c)(1) - Windows report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click HIPAA.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select whether you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.
14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 Compliance Templates

Role Availability Read-Only Investigator Analyst Manager

ISO/IEC 27001 provides guidance for implementing information security controls to achieve a
consistent and reliable security program. The International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC) developed 27001 to provide
requirements for an information security management system (ISMS).

This section includes the descriptions for ISO 27001 compliance templates on USM Anywhere:

• ISO 27001 A.6.1.4: Contact with Special Interest Groups
• ISO 27001 A.8.1.1: Inventory of Assets
• ISO 27001 A.8.1.2: Ownership of Assets
• ISO 27001 A.8.2.1: Classification of Information
• ISO 27001 A.8.2.2: Labeling of Information
• ISO 27001 A.11.2.6: Security of Equipment and Assets Off-Premises
• ISO 27001 A.12.2.1: Controls Against Malware
• ISO 27001 A.12.4.1: Event Logging
• ISO 27001 A.12.4.2 - Linux: Protection of Log Information
• ISO 27001 A.12.4.2 - Windows: Protection of Log Information
• ISO 27001 A.12.7.1: Information Systems Audit Controls
• ISO 27001 A.16.1.2: Reporting Information Security Events
• ISO 27001 A.16.1.4: Assessment of and decision on information security events
• ISO 27001 A.18.2.2: Compliance with Security Policies and Standards
• ISO 27001 A.18.2.3: Technical Compliance Review

ISO 27001 A.6.1.4: Contact with Special Interest Groups

Role Availability Read-Only Investigator Analyst Manager

The "ISO 27001 A.6.1.4: Contact with Special Interest Groups" standard requires that
appropriate contacts with special interest groups or other specialist security forums and
professional associations be maintained.

The View link goes to the OTX dashboard page (Dashboard > Open Threat Exchange). See
Open Threat Exchange Dashboard for more information.

ISO 27001 A.8.1.1: Inventory of Assets

Role Availability Read-Only Investigator Analyst Manager

The "ISO 27001 A.8.1.1: Inventory of Assets" report relates to the requirement that assets
associated with information and information processing facilities be identified, and that an
inventory of these assets be drawn up and maintained.

This report shows the assets list by using the "ISO 27001 A.8.1.1: Inventory of Assets" view.

To generate the ISO 27001 A.8.1.1: Inventory of Assets report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.8.1.2: Ownership of Assets

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.8.1.2: Ownership of Assets" report covers the requirement that assets
maintained in the inventory be owned.

This report shows the assets list by using the "ISO 27001 A.8.1.2: Ownership of Assets" view.

To generate the ISO 27001 A.8.1.2: Ownership of Assets report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.

8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.8.2.1: Classification of Information

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.8.2.1: Classification of Information" report covers the requirement that
information be classified in terms of legal requirements, value, criticality and sensitivity to
unauthorized disclosure or modification.

This report shows the assets list by using the "ISO 27001 A.8.2.1: Classification of Information"
view.

To generate the ISO 27001 A.8.2.1: Classification of Information report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.8.2.2: Labeling of Information

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.8.2.2: Labeling of Information" report covers the requirement that an
appropriate set of procedures for information labeling be developed and implemented in
accordance with the information classification scheme adopted by the organization.

This report shows the assets list by using the "ISO 27001 A.8.2.2: Labeling of Information" view.

To generate the ISO 27001 A.8.2.2: Labeling of Information report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.

6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.11.2.6: Security of Equipment and Assets Off-Premises

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.11.2.6: Security of Equipment and Assets Off-Premises" report covers the
requirement that security be applied to off-site assets, taking into account the different risks
of working outside the organization’s premises.

This report shows the assets list by using the "ISO 27001 A.11.2.6: Security of Equipment and
Assets Off-Premises" view.

To generate the ISO 27001 A.11.2.6: Security of Equipment and Assets Off-Premises
report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.

11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.12.2.1: Controls Against Malware

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.12.2.1: Controls Against Malware" report covers the requirement that
detection, prevention and recovery controls to protect against malware be implemented,
combined with appropriate user awareness. This report shows the assets list by using the
"ISO 27001 A.12.2.1: Controls Against Malware" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.12.2.1: Controls Against Malware

Field | Values

Malware Family | All

Suppressed | False

To generate the ISO 27001 A.12.2.1: Controls Against Malware report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.12.4.1: Event Logging

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.12.4.1: Event Logging" report covers the requirement that event logs
recording user activities, exceptions, faults and information security events be produced,
kept and regularly reviewed. This report shows the assets list by using the "ISO 27001
A.12.4.1: Event Logging" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.12.4.1: Event Logging

Field | Values

Suppressed | False

To generate the ISO 27001 A.12.4.1: Event Logging report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.12.4.2 - Linux: Protection of Log Information

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.12.4.2 - Linux: Protection of Log Information" report covers the
requirement that logging facilities and log information be protected against tampering and
unauthorized access. This report shows the assets list by using the "ISO 27001 A.12.4.2 -
Linux: Protection of Log Information" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.12.4.2 - Linux: Protection of Log Information

Field | Values

Event Type | file_events

Data Source Device | Osquery

Suppressed | False

To generate the ISO 27001 A.12.4.2 - Linux: Protection of Log Information report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.12.4.2 - Windows: Protection of Log Information

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.12.4.2 - Windows: Protection of Log Information" report covers the
requirement that logging facilities and log information be protected against tampering and
unauthorized access. This report shows the assets list by using the "ISO 27001 A.12.4.2 -
Windows: Protection of Log Information" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.12.4.2 - Windows: Protection of Log Information

Field | Values

Event Type | File System

Data Source Device | Windows NxLog

Suppressed | False

To generate the ISO 27001 A.12.4.2 - Windows: Protection of Log Information report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.12.7.1: Information Systems Audit Controls

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.12.7.1: Information Systems Audit Controls" report covers the requirement
that audit requirements and activities involving verification of operational systems be
carefully planned and agreed to minimize disruptions to business processes.

This report shows the assets list by using the "ISO 27001 A.12.7.1: Information Systems Audit
Controls" view.

To generate the ISO 27001 A.12.7.1: Information Systems Audit Controls report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.

7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.16.1.2: Reporting Information Security Events

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.16.1.2: Reporting Information Security Events" report covers the
requirement that information security events be reported through appropriate management
channels as quickly as possible. This report shows the assets list by using the "ISO 27001
A.16.1.2: Reporting Information Security Events" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.16.1.2: Reporting Information Security Events

Field | Values

Suppressed | False

To generate the ISO 27001 A.16.1.2: Reporting Information Security Events report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.

12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.16.1.4: Assessment of and decision on information security events

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.16.1.4: Assessment of and decision on information security events" report
covers the requirement that information security events be assessed and that it be decided
whether they are to be classified as information security incidents. This report shows the
assets list by using the "ISO 27001 A.16.1.4: Assessment of and decision on information
security events" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.16.1.4: Assessment of and decision on information security events

Field | Values

Suppressed | False

To generate the ISO 27001 A.16.1.4: Assessment of and decision on information security
events report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.18.2.2: Compliance with Security Policies and Standards

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.18.2.2: Compliance with Security Policies and Standards" report covers the
requirement that managers regularly review the compliance of information processing and
procedures within their area of responsibility with the appropriate security policies, standards
and any other security requirements. This report shows the assets list by using the "ISO 27001
A.18.2.2: Compliance with Security Policies and Standards" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.18.2.2: Compliance with Security Policies and Standards

Field | Values

Active Vulnerability | Yes

To generate the ISO 27001 A.18.2.2: Compliance with Security Policies and Standards
report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report doesn't have selected filters because it goes directly to an asset
inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Select if you want to generate the report again, and choose Never, Daily, Weekly,
Bi-weekly, or Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included in the report.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, you will see the Graphs section, which you can use to
include additional views. You can add or remove graphs included in the report by clicking
the add and remove icons.

14. Select Save & Run if you wish to keep the report on the Saved Reports page in USM
Anywhere and receive the report in the indicated email.
15. Click Run to run the report.

ISO 27001 A.18.2.3: Technical Compliance Review

Role Availability: Read-Only | Investigator | Analyst | Manager

The "ISO 27001 A.18.2.3: Technical Compliance Review" report covers the requirement that
information systems be regularly reviewed for compliance with the organization’s information
security policies and standards. This report shows the assets list by using the "ISO 27001
A.18.2.3: Technical Compliance Review" view.

The following table shows the event filters used by this template:

Filters Used by ISO 27001 A.18.2.3: Technical Compliance Review

Field | Values
Active Vulnerability | Yes

To generate the ISO 27001 A.18.2.3: Technical Compliance Review report

1. Go to Reports > Compliance Templates.

On the left navigation pane, click ISO 27001.

2. Click Generate Report on the specific line for this report.

The Configure Report dialog box displays.

Note: This report has no event filters selected because it is generated directly from
the asset inventory.

3. Click Edit Filters if you want to modify the selected filters, and then Continue to Filters.
Do the modifications you need, and then click Edit Report.
4. Click the date field if you want to choose a different date range.

Choose Last Hour, Last 24 Hours, Last 7 Days, Last 30 Days, Last 90 Days, or Custom
Range to set a particular date range.

5. Under the Format section, select either CSV or PDF for the format of the report.
6. Choose how often to generate the report again: Never, Daily, Weekly, Bi-weekly, or
Monthly.
7. Enter an email address to send the report. Select the Send to my Email Address option
to add your email automatically.
8. Select the Enable link expiration option. This link is delivered by email and expires in 14
days.
9. Click Next.
10. In the Report Name field, enter a name for the report. This name will be displayed in the
Saved Reports page.
11. (Optional.) Add a description that will be included.
12. Under the Number of records section, choose the maximum number of records to include
on the report: 20, 50, 100, 500, 1000, or 2500.
13. If you have chosen the PDF format, the Graphs section displays, which you can use to
include additional views. Add or remove graphs in the report by clicking the add and
remove icons.

14. Select Save & Run if you want to keep the report in your Saved Reports page in USM
Anywhere and receive the report at the indicated email address.
15. Click Run to run the report.

USM Anywhere Event Type Templates

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere includes a set of predefined templates based on the type of data source and
on specific, commonly used data sources.

You can find these templates on Reports > Event Type Templates.

There are these types of templates:

• Type of Data Source. Event Type Templates enable you to easily run general firewall,
authentication, and other types of normalized queries that do not require you to build complex
filters based on specific data source or event types. USM Anywhere supports these reports:
Anomaly Detection, Antivirus, Application, Application Firewall, Authentication, Authentication
and DHCP, Cloud Application, Cloud Infrastructure, DNS Server, Data Protection, Database,
Endpoint Protection, Endpoint Security, Firewall, IDS, Infrastructure Monitoring, Intrusion
Detection, Intrusion Prevention, Load Balancer, Mail Security, Mail Server, Management
Platform, Network Access Control, Operating System, Other Devices, Proxy, Router,
Router/Switch, Server, Switch, Unified Threat Management, VPN, Web Server, Wireless
Security/Management.
• Data Sources. You can find templates based on the most commonly used data sources,
including NIDS, AWS, Amazon DynamoDB, Amazon S3, AWS VPC Flow Logs, AWS Load Balancers,
Azure, Cisco Umbrella, Cylance, FireEye, Fortigate, G Suite, McAfee ePO, Office 365, Okta,
Palo Alto, SonicWall, Sophos UTM, Watchguard, VMware, Windows, and AlienVault Agent. There
is also a template for the AlienVault Generic Data Source.

Machine Learning
Machine learning extends the capabilities of USM Anywhere and reduces false positives by
learning the patterns of normal behavior in your environment, so that anomalies stand out.
With machine learning, USM Anywhere can better identify abnormal and potentially dangerous
activity and help you prioritize the alarms generated from events and user behavior. Machine
learning improves USM Anywhere's ability to detect and respond to compromised credentials,
lateral movement, suspicious execution, data exfiltration, and more.

This topic discusses these subtopics:

Machine Learning Models 926

Machine Learning Dashboard 928

Viewing Machine Learning Alarms and Events 929

Machine Learning Models

Machine learning enhances your USM Anywhere, allowing it to identify anomalies in your
environment through data science and machine learning. Powered by specialized models, the
machine learning capabilities of USM Anywhere learn patterns of normal behavior within your
environment to better identify anomalous activity, enabling you to better prioritize alarms
generated from events and user behavior.

What Is Machine Learning?


Machine learning leverages data science and learning models to better identify anomalous
behavior through a deeper understanding of the behavior that is normal for your
environment. The events received and processed by USM Anywhere carry important
information illuminating what your users are doing, what data is being accessed, how your
system and network are performing, and if there are any security threats or attacks taking
place.

The machine learning process provides deeper detection capabilities, putting events specific
to your assets and users into the full context of your environment's behavioral patterns.

For example, USM Anywhere instances enhanced with machine learning enable security
analysts and incident responders to make informed decisions on how to respond to security
threats, validate the effectiveness of existing security controls, and detect policy violations.

Machine learning enhances the ability of your USM Anywhere to detect and respond to
compromised credentials, lateral movements, suspicious execution, and data exfiltration:

• Compromised Credentials: Machine learning algorithms for stolen or compromised
credentials leverage multiple parameters around login activity (geographical location,
internet service provider (ISP) data, IP address, device, and time stamps) to identify
outliers and anomalous behavior.

• Lateral Movement: Machine learning algorithms are fed authentication logs from services
observed in lateral movement scenarios (such as Windows Remote Desktop Protocol [RDP] or
Kerberos) and leverage context data, such as source and destination hostname or Active
Directory (AD) domain name, which is key to spotting these anomalies.

• Suspicious Execution: Machine learning algorithms for suspicious execution leverage
process creation data to identify anomalous executions. These algorithms consider
hostname, file name, and file path, as well as command line data structures (such as
execution flags and arguments). User data is also compared across the organization to
examine binary prevalence.

• Data Exfiltration: Machine learning algorithms for data exfiltration use historic user data
computed by USM Anywhere (such as the average number of files processed per day) to apply
a risk score to any given scenario. Integration with file storage services enables early
detection of anomalous file access. These models can evaluate a wide range of time windows,
from minutes to weeks, to find anomalies.
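The four detection areas above all rest on the same two ideas: a baseline of what is normal for one user, and a comparison across the whole organization. The following Python example is added here to make those ideas concrete; it is not USM Anywhere code and does not reproduce the AT&T Cybersecurity models. On constructed sample data (all users, hosts, providers and paths are hypothetical) it builds a per-user frequency baseline of login attributes and scores never-seen countries, ISPs or devices as surprising, computes a per-user z-score of daily file-operation counts for the exfiltration case, and measures binary prevalence across hosts for the suspicious-execution case. The scoring rules and thresholds are illustrative.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Login attributes named in the compromised-credentials description above.
LOGIN_ATTRIBUTES = ("country", "isp", "device")

# Constructed sample history (hypothetical users, providers and devices).
LOGIN_HISTORY = [
    {"user": "alice", "country": "US", "isp": "Comcast", "device": "win-laptop"},
    {"user": "alice", "country": "US", "isp": "Comcast", "device": "win-laptop"},
    {"user": "alice", "country": "US", "isp": "Verizon", "device": "iphone"},
    {"user": "bob", "country": "DE", "isp": "Telekom", "device": "macbook"},
    {"user": "bob", "country": "DE", "isp": "Telekom", "device": "macbook"},
]

# Constructed daily file-operation counts per user over one week.
FILE_HISTORY = {
    "alice": [12, 15, 9, 14, 11, 13, 10],
    "bob": [40, 45, 38, 50, 42, 47, 44],
}

# Constructed process-creation events (hypothetical hosts and image paths).
PROCESS_HISTORY = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws03", "image": r"C:\Users\Public\update.exe"},
]


def build_login_baseline(events):
    """Per user, count how often each value of each login attribute was seen."""
    baseline = defaultdict(lambda: {a: Counter() for a in LOGIN_ATTRIBUTES})
    for ev in events:
        for attr in LOGIN_ATTRIBUTES:
            baseline[ev["user"]][attr][ev[attr]] += 1
    return dict(baseline)


def score_login(baseline, event):
    """Return (score, reasons). Each attribute contributes 1 - (relative frequency
    of its value for this user), so a never-seen value adds a full point and a
    habitual value adds almost nothing. A user with no history gets the maximum
    score because nothing normal has been learned for them yet."""
    profile = baseline.get(event["user"])
    if profile is None:
        return float(len(LOGIN_ATTRIBUTES)), ["no baseline for user"]
    score, reasons = 0.0, []
    for attr in LOGIN_ATTRIBUTES:
        seen = profile[attr]
        count = seen[event[attr]]
        score += 1.0 - count / sum(seen.values())
        if count == 0:
            reasons.append(f"new {attr}: {event[attr]}")
    return round(score, 3), reasons


def build_file_baseline(history):
    """Mean and population standard deviation of daily file operations per user."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in history.items()}


def score_file_activity(baseline, user, todays_count, threshold=3.0):
    """Z-score of today's count against the user's own history, and whether it
    crosses the alerting threshold. A flat history (stdev 0) would divide by
    zero, so the spread is floored at 1 and a deviation is still reported."""
    mu, sigma = baseline[user]
    z = (todays_count - mu) / max(sigma, 1.0)
    return round(z, 2), z >= threshold


def binary_prevalence(events):
    """Fraction of hosts on which each image path has been seen executing.
    A binary that runs on one host out of many is the rare case worth a look."""
    hosts = {ev["host"] for ev in events}
    seen_on = defaultdict(set)
    for ev in events:
        seen_on[ev["image"]].add(ev["host"])
    return {image: len(on) / len(hosts) for image, on in seen_on.items()}


if __name__ == "__main__":
    logins = build_login_baseline(LOGIN_HISTORY)
    print(score_login(logins, {"user": "alice", "country": "RU",
                               "isp": "Unknown-ISP", "device": "win-laptop"}))
    files = build_file_baseline(FILE_HISTORY)
    print(score_file_activity(files, "alice", 300))
    print(binary_prevalence(PROCESS_HISTORY))
```

The login scorer deliberately treats a user with no history as maximally anomalous rather than silently normal, which is the usual choice during the learning period described for these models; the file scorer floors the spread so that a user whose count never varied still produces a finite, reportable score on the first deviation.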

Machine Learning Models


The data science algorithms powering USM Anywhere machine learning are called models: highly
specialized algorithms trained to recognize certain types of patterns. These models are
developed by the AT&T Cybersecurity data science team and built on established methods to
extract features that reliably identify malicious actors and actions. They are continually
evaluated to reduce false positives and save analysts' time, which allows faster detection
and, as a result, faster notification and resolution of malicious activity in your environment.

The models currently informing machine learning in USM Anywhere operate based on two
different types of activity: user login and file modification.

User Login
The models in this suite identify key features from distinct sources through specially trained
algorithms, and all of them can identify potentially malicious login activity.

Sources for this activity include the following:

• Microsoft Office 365
• Google G Suite
• Cisco Duo
• Okta
• RDP
• Kerberos

File Modification
The models in this suite analyze file modification patterns across distinct sources and are
specially trained to identify potentially malicious file modifications.

Sources for this activity include the following:

• G Suite

Machine Learning Dashboard

Role Availability Read-Only Investigator Analyst Manager

This page of widgets displays information related to the machine learning activity in your
environment. Each widget displays event or alarm trends in your USM Anywhere related to
your environment's machine learning, as well as events and alarms by user, source, priority,
status, and more. By default, each widget displays the last 30 days' trends, but you can filter
any widget or the entire dashboard to display trends from a specific timeframe. See Machine
Learning for more information.

Widgets in the Machine Learning Dashboard

Widget | Description
ML Event Trend | Displays a count of events detected by machine learning per hour or per day
ML Alarm Trend | Displays a count of alarms detected by machine learning per hour or per day
ML Alarms By Priority | Displays the percentage of machine learning alarms by priority
ML Events By User | Displays the users associated with the most events detected by machine learning
ML Alarms By User | Displays the users associated with the most alarms detected by machine learning
ML Alarms By Status | Displays the number of machine learning alarms by status
ML Events By Source | Displays the sources associated with the most events detected by machine learning
ML Alarms By Source | Displays the sources associated with the most alarms detected by machine learning

Viewing Machine Learning Alarms and Events

Role Availability Read-Only Investigator Analyst Manager

From the machine learning dashboard, you can access a centralized view of the alarm and
event activity detected by the machine learning models in your environment.

See Machine Learning Models to read more about the models that power machine learning in
your environment.

To view machine learning events or alarms in your environment

1. Go to Dashboards > Machine Learning.

2. Click a widget in the machine learning dashboard to open a list view of the activity
shown in that widget.
See Machine Learning Dashboard for more information about the machine learning filters
available to you.
3. The Alarms and Events pages display information about your alarms and events:
• On the left side of the page are the search and filter options. By default, these options
are preconfigured to show precisely the activity you selected on the machine learning
dashboard, but you can use them to narrow your search further.

• The main part of the page lists the machine learning activity you selected, where each
row describes an individual event or alarm. Click an event to open a summary view.

If you want to analyze the data and see the additional columns without scrolling left and
right, you can maximize the screen and hide the filter pane. Click the collapse icon to hide
the filter pane, and click the expand icon to show it again.

See the Events List View, Alarms List View, or User List View for details about the options
and columns available to you in each of these views.

USM Anywhere User Management
Because USM Anywhere manages important security functions for your organization, the
system requires that all users log in with a username and a password. See Role-Based Access
Control (RBAC) in USM Anywhere for more information about the roles in USM Anywhere.

When the first user logs in to a newly provisioned USM Anywhere environment, they set the
password for the initial user account. This is the default user defined in your subscription,
and this Manager user account can only be deleted by another Manager user. The Settings >
Users page provides tools to add, edit, and remove user accounts in the system.

After 45 days of inactivity, a user account is locked. Manager users can unlock inactive
accounts; alternatively, users can contact AT&T Cybersecurity support to have their account
unlocked.

To protect your account, enable multifactor authentication (MFA) for your user account. When
this feature is activated, USM Anywhere displays the multifactor authentication page for you
to complete your MFA configuration. That page shows a unique QR code that you scan with your
authenticator app, which then generates your verification codes. See Using Multifactor
Authentication for more information about this security configuration.

Note: AT&T Cybersecurity recommends that users enable MFA for their account. MFA
adds extra security by requiring multiple factors to authenticate a user, making it more
difficult for an unauthorized person to gain access to the account.

Users can access settings for their own account and log out of the system by clicking the
profile icon in the USM Anywhere web UI secondary menu.

USM Anywhere records when each user logs in to the system and what the user does. This
information is available under Settings > System Events. USM Anywhere also offers remote
technical support for troubleshooting and diagnosis, in which AT&T Cybersecurity Technical
Support Engineers access your instance from their computers.

This topic discusses these subtopics:

Creating Users 933
Role-Based Access Control (RBAC) in USM Anywhere 935
Editing Users 954
Managing Your Profile Settings 957
Deleting Users 964
Configuring Web UI Session Timeout 965

Creating Users

Role Availability Read-Only Investigator Analyst Manager

Add a user account in your USM Anywhere environment for each member of your team that
needs access. USM Anywhere implements role-based access control (RBAC). See Role-Based
Access Control (RBAC) in USM Anywhere for more information.

To create a user

1. Go to Settings > Users to open the page.

2. Click New User.

The Create User dialog box opens.

3. Enter the user's Email address and Full Name.

This is the email address used to verify the account and set the initial password.

4. Select the role you want to assign to the user. See Role-Based Access Control (RBAC) in
USM Anywhere for more information.

5. Select the Status you want for the user.

Typically, you should keep the default Enabled status for a new user account.

6. Click Save.

USM Anywhere sends an email to that address with a link to set a password and log in.

The password reset link is valid for 24 hours. If you do not click the link within that
period, USM Anywhere displays a message:

You need to click Send Link to receive a new email with a new password reset link.

Role-Based Access Control (RBAC) in USM Anywhere

USM Anywhere implements role-based access control (RBAC), which provides the following:

• The ability to restrict certain users from accessing administrative capabilities such as
adding new users and sensors
• Predefined roles that range from read-only access to full administrative capabilities, so
you can easily select the appropriate role for a new user

There are four roles in USM Anywhere:

• Read-Only: You can access views and search the system, but you cannot make system
changes that affect other users.
• Investigator: You can access views, search the system, and generate reports, but you
cannot make system changes that affect other users.
• Analyst: You can view and search the system, schedule jobs, launch actions, configure
rules, and configure asset credentials. You cannot add or modify sensor configurations;
configure credentials for AlienApps, notification apps, and threat intelligence integrations;
or add users.
• Manager: This role includes all Analyst permissions and additionally lets you add or modify
sensor configurations; configure credentials for AlienApps, notification apps, and threat
intelligence integrations; and add users.

You can view a user's role under the Users List by going to Settings > Users.

Note: Only users in the Manager role can view the Users page.

When the status of a user changes to Disabled, the role column of that user in the User List
will include Suspended.

All AT&T Cybersecurity documentation will tell you which roles can perform a specific set of
steps, using a table like the one below.

Role Availability Read-Only Investigator Analyst Manager

You can see the predefined roles in USM Anywhere in the following table:

Predefined Roles in USM Anywhere

Section | Action | Read-Only User | Investigator User | Analyst User | Manager User
Dashboards | Dashboard and dashboard views | | | |
Dashboards | Create custom dashboard | | | |
Upper Navigation | Access: documentation, support, and forum links | | | |
Upper Navigation | Profile settings | | | |
Activity > Alarms | View: alarms page and alarm details | | | |
Activity > Alarms | Configure filters | | | |
Activity > Alarms | Asset drop-down menu items: add to current filter, find in events, look up in AT&T Alien Labs Open Threat Exchange (OTX™) | | | |
Activity > Alarms | Asset drop-down list: full details, configuration issues, vulnerabilities, alarms, events | | | |
Activity > Alarms | Manage columns | | | |
Activity > Alarms | Generate report | | | |
Activity > Alarms | Save views | | | |
Activity > Alarms | Alarm details: suppress alarm, apply label, set a status, add to investigation | | | |
Activity > Alarms | Alarm details: alarm action, create rule | | | |
Activity > Alarms | Alarm labels: create, manage | | | |
Activity > Alarms | Alarm labels: apply | | | |
Activity > Alarms | Alarm status: update | | | |
Activity > Events | View: events page and event details | | | |
Activity > Events | Configure filters | | | |
Activity > Events | Asset drop-down list: add to current filter, look up in OTX | | | |
Activity > Events | Asset drop-down list: add to current filter, full details, configuration issues, vulnerabilities, alarms, events | | | |
Activity > Events | Generate report | | | |
Activity > Events | Save views | | | |
Activity > Events | Event details: suppress event, add to investigation | | | |
Activity > Events | Event details: event action, create rule | | | |
Environment > Assets | View: assets page and asset details | | | |
Environment > Assets | Configure filters | | | |
Environment > Assets | Asset drop-down list: find in events, look up in OTX, full details, configuration issues, vulnerabilities, alarms, events | | | |
Environment > Assets | Asset drop-down list: configure asset, delete asset, asset scan, authenticated scan | | | |
Environment > Assets | Manage columns | | | |
Environment > Assets | Generate report | | | |
Environment > Assets | Save views | | | |
Environment > Assets | Actions menu: create asset (quick, advanced), import assets, delete selected, edit fields, assign credentials, set sensor, set compliance scope, add to asset group | | | |
Environment > Assets | Asset details: deploy an agent, assign credentials, schedule a job | | | |
Environment > Assets | Asset details, actions menu: configure asset, delete asset, add to asset group | | | |
Environment > Assets | Asset details, actions menu: agent query, asset scan, authenticated scan, assign credentials, schedule scan job | | | |
Environment > Assets | Create event if asset stops sending data | | | |
Environment > Asset Groups | View: asset groups page and asset group details | | | |
Environment > Asset Groups | Configure filters | | | |
Environment > Asset Groups | Asset group drop-down list: full details, configuration issues, vulnerabilities, alarms, events | | | |
Environment > Asset Groups | Asset group drop-down list: configure asset group, delete asset group, asset group scan, assign credentials, authenticated scan | | | |
Environment > Asset Groups | Generate report | | | |
Environment > Asset Groups | Save views | | | |
Environment > Asset Groups | Actions menu: create asset group (static and dynamic) | | | |
Environment > Asset Groups | Asset group details, actions menu: configure asset group, delete asset group, edit fields, assign credentials to group members, assign agent profile, set sensor, set compliance scope, asset group scan, assign credentials, authenticated scan, schedule scan job | | | |
Environment > Vulnerabilities | View: vulnerabilities page and vulnerability details | | | |
Environment > Vulnerabilities | Generate report | | | |
Environment > Vulnerabilities | Save views | | | |
Environment > Vulnerabilities | Vulnerability labels: apply, create, manage | | | |
Environment > Vulnerabilities | Asset drop-down list: add to current filter, find in events, look up in OTX, full details | | | |
Environment > Vulnerabilities | Asset drop-down list: configure asset, delete asset | | | |
Environment > Vulnerabilities | Asset drop-down list: asset scan, assign credentials, authenticated scan | | | |
Environment > Vulnerabilities | New scan | | | |
Environment > Vulnerabilities | Vulnerability details: select action, apply label | | | |
Environment > Configuration Issues | View: configuration issues page and configuration issue details | | | |
Environment > Configuration Issues | Configure filters | | | |
Environment > Configuration Issues | Generate report | | | |
Environment > Configuration Issues | Save view | | | |
Environment > Configuration Issues | Asset drop-down list: add to current filter, look up in OTX, full details, configuration issues, vulnerabilities, alarms, events | | | |
Environment > Configuration Issues | Asset drop-down list: configure asset, delete asset | | | |
Environment > Configuration Issues | Asset drop-down list: asset scan, assign credentials, authenticated scan | | | |
Environment > Configuration Issues | Configuration issue details, actions menu: configure asset, delete asset, add to asset group, agent query, asset scan, authenticated scan, assign credentials, schedule scan job | | | |
Environment > Configuration Issues | Configuration issue details: deploy an agent, assign credentials, schedule a scan job | | | |
Environment > Users | View: users page and user details | | | |
Environment > Users | User drop-down list: find in events, full details, configuration issues, alarms, events, configure user, delete user | | | |
Environment > Users | User drop-down list: configure user, delete user | | | |
Environment > Users | User drop-down list: user scan | | | |
Environment > Users | Manage columns | | | |
Environment > Users | Generate report | | | |
Environment > Users | User menu: import users, delete selected, edit fields, configure user, user scan | | | |
Environment > Users | Schedule user scan job | | | |
Reports > Saved Reports | View the saved reports page | | | |
Reports > Saved Reports | Edit, copy, and delete reports | | | |
Reports > Compliance Templates | View the compliance templates reports page | | | |
Reports > Compliance Templates | Generate reports | | | |
Reports > Event Type Templates | View the event type templates reports page | | | |
Reports > Event Type Templates | Generate reports | | | |
Data Sources > Sensors | View the sensor page | | | |
Data Sources > Sensors | Add a new sensor | | | |
Data Sources > Sensors | Configure a sensor | | | |
Data Sources > Sensors | Edit a sensor | | | |
Data Sources > Sensors | Assign a sensor | | | |
Data Sources > Sensors | Delete, redeploy a sensor | | | |
Data Sources > AlienApps | Available apps | | | |
Data Sources > Agents | Run an agent query | | | |
Data Sources > Agents | Delete an agent | | | |
Data Sources > Agents | Assign an agent configuration profile | | | |
Data Sources > Cloud Connector | View connector | | | |
Data Sources > Cloud Connector | Edit connector | | | |
Data Sources > Cloud Connector | Add a connector | | | |
Data Sources > Cloud Connector | Delete connector | | | |
Data Sources > Cloud Connector | Add new data source rule | | | |
Data Sources > Cloud Connector | Enable and disable a cloud connector | | | |
Investigations | View investigations page | | | |
Investigations | Edit an investigation | | | |
Investigations | Create a new investigation | | | |
Investigations | View investigation details | | | |
Investigations | Delete an investigation | | | |
Investigations | Notification rule for investigations | | | |
Investigations | Add a note | | | |
Investigations | Run app action | | | |
Settings > Scheduler | View the job scheduler page | | | |
Settings > Scheduler | Create, edit, enable, disable a job | | | |
Settings > Rules | View the rules page | | | |
Settings > Rules | Create an orchestration rule | | | |
Settings > Rules | Create a correlation list | | | |
Settings > Notifications | Modify credentials | | | |
Settings > System | View the system monitor page | | | |
Settings > System | View the network settings page | | | |
Settings > System | Create asset field | | | |
Settings > System | Enable required multifactor authentication | | | |
Settings > System | Modify the session timeout | | | |
Settings > System Events | View the system events page | | | |
Settings > Console User Events | View the console user events page | | | |
Settings > OTX | Validate an OTX subscription key | | | |
Settings > Credentials | View the credentials page | | | |
Settings > Credentials | Create a new credential | | | |
Settings > Credentials | Edit, delete, and manage credentials | | | |
Settings > Users | View the user page | | | |
Settings > Users | Create a user | | | |
Settings > Users | Edit a user | | | |
Settings > Users | Delete a user | | | |
Settings > My Subscription | View the my subscription page | | | |
Settings > My Subscription | Purge data | | | |
Settings > My Subscription | Connect to USM Central™ | | | |

Editing Users

Role Availability Read-Only Investigator Analyst Manager

If you have the Manager role, you can modify several settings on another user's account. For
example, if a user is unable to log in because they forgot their password or no longer have
their authentication mobile device, you can reset the password or the MFA pairing for their
account.

To edit a user account

1. Go to Settings > Users to open the page that displays the list of user accounts in your
USM Anywhere environment.

Note: Sometimes a lock icon displays in the Status column. It means that the user
account is locked for 30 minutes after 3 failed login attempts within 15 minutes. You
can unlock the account by sending the user a password reset email (see Send
Password Reset below).

If your own user account is locked, wait 30 minutes and try again, or contact
AT&T Cybersecurity Technical Support for assistance.

2. In the row for the user account, click the edit icon.

3. Make changes to the account parameters, as needed.

Note: If you click the edit icon for your own user, the Profile page displays. See
Managing Your Profile Settings for more information.

• Change the email address for the account.
• Change the full name for the account.
• Change the role for the account. See Role-Based Access Control (RBAC) in USM
Anywhere for more information.
• Change the status for the account. If you need to temporarily disable a user account,
set the status to Disabled. This is a best practice for revoking access and is usually a
better alternative to deleting a user account.
• Click Send Password Reset to reset the password for the user. The user then receives
an email with a link to set a new password for the account.
• Click Reset Multi-Factor Authentication to reset the pairing between the account and
the user's mobile device. See Using Multifactor Authentication for more information.
• Select Enable Multi-Factor Authentication to enable MFA. See Using Multifactor
Authentication for more information.
4. Click Save.
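The note in step 1 states the two lockout rules this guide describes: 3 failed login attempts within 15 minutes lock an account for 30 minutes, and 45 days of inactivity lock it until a Manager unlocks it. The following Python example is added here to show how such a policy is enforced; it is not USM Anywhere code, and the usernames and timestamps are constructed. It keeps a sliding failure window per account and handles the two edge cases that matter in practice: a correct password presented during a lockout is still refused, and failures that have aged out of the window no longer count toward a lock.

```python
from datetime import datetime, timedelta, timezone

# Lockout rules as stated in this guide.
FAILED_ATTEMPT_LIMIT = 3
FAILURE_WINDOW = timedelta(minutes=15)
LOCK_DURATION = timedelta(minutes=30)
INACTIVITY_LIMIT = timedelta(days=45)


class Account:
    def __init__(self, last_login):
        self.last_login = last_login      # time of the last successful login
        self.failures = []                # timestamps of recent failed attempts
        self.locked_until = None          # end of a temporary lockout, if any


class LoginGuard:
    """Tracks per-account failure history and applies both lockout rules.
    Results: 'ok', 'denied' (wrong password, not yet locked), 'locked'
    (temporary lockout in force) or 'inactive' (dormant account)."""

    def __init__(self):
        self.accounts = {}

    def register(self, username, last_login):
        self.accounts[username] = Account(last_login)

    def attempt(self, username, password_ok, now):
        acct = self.accounts[username]
        # Dormant accounts stay locked regardless of the password supplied.
        if now - acct.last_login >= INACTIVITY_LIMIT:
            return "inactive"
        # A correct password does not end a lockout early.
        if acct.locked_until is not None and now < acct.locked_until:
            return "locked"
        # Only failures inside the sliding 15-minute window count.
        acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW]
        if password_ok:
            acct.failures.clear()
            acct.locked_until = None
            acct.last_login = now
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= FAILED_ATTEMPT_LIMIT:
            acct.locked_until = now + LOCK_DURATION
            acct.failures.clear()
            return "locked"
        return "denied"

    def admin_unlock(self, username, now):
        """What a Manager's unlock or password reset does here: clear the
        temporary lockout and failure history and treat the account as active."""
        acct = self.accounts[username]
        acct.locked_until = None
        acct.failures.clear()
        acct.last_login = now


def demo():
    """Walk both rules on constructed timestamps; returns the observed results."""
    t0 = datetime(2023, 10, 18, 9, 0, tzinfo=timezone.utc)
    guard = LoginGuard()
    guard.register("alice", t0 - timedelta(days=1))
    guard.register("carol", t0 - timedelta(days=46))
    guard.register("bob", t0 - timedelta(days=1))
    results = [
        guard.attempt("alice", False, t0),
        guard.attempt("alice", False, t0 + timedelta(minutes=1)),
        guard.attempt("alice", False, t0 + timedelta(minutes=2)),   # third strike
        guard.attempt("alice", True, t0 + timedelta(minutes=10)),   # still locked
        guard.attempt("alice", True, t0 + timedelta(minutes=32)),   # lock expired
        guard.attempt("carol", True, t0),                           # dormant
    ]
    guard.admin_unlock("carol", t0)
    results.append(guard.attempt("carol", True, t0 + timedelta(minutes=1)))
    # Failures 16 minutes apart never reach three inside one window.
    results.append(guard.attempt("bob", False, t0))
    results.append(guard.attempt("bob", False, t0 + timedelta(minutes=14)))
    results.append(guard.attempt("bob", False, t0 + timedelta(minutes=16)))
    results.append(guard.attempt("bob", False, t0 + timedelta(minutes=17)))
    return results


if __name__ == "__main__":
    print(demo())
```

Checking the inactivity rule before the password is what keeps a dormant account closed even to its rightful owner until a Manager acts, which matches the behaviour described above; checking the lockout before the password means an attacker who guesses correctly on the fourth try still learns nothing until the lock expires.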

Managing Your Profile Settings

Role Availability Read-Only Investigator Analyst Manager

You can manage your own user account, which enables you to do the following:

• Change your email address, name, and password
• Enable multifactor authentication (MFA) for the account
• Select your default landing page after you have logged in
• Configure an interval for auto-refreshing the dashboards and alarms pages
• Activate notifications for alarms

To manage your profile settings

1. At the bottom of the expanded pane of the USM Anywhere web user interface (UI), hover
over the profile settings options, and select Profile Settings.

2. Modify the settings you want to change.

Change Your Email Address, Name, and Password

USM Anywhere helps you meet the Payment Card Industry (PCI) standard by enforcing
password complexity, password expiration, and forbidding password reuse. See the USM
Anywhere Password Policy for details.

To set a new password

1. Open the Profile Settings page in one of two ways, depending on your role:
• General user: At the bottom of the expanded pane of the USM Anywhere web user
interface (UI), hover over the profile settings options, and select Profile Settings.
• Manager: Go to Settings > Users and click the edit icon for your own user.

2. Click Update Password to display the password fields.

Note: The date of the last update displays next to the Update Password button.

3. Enter your current password and the new password.

4. Click Save.

Enable MFA

To protect your account, enable MFA for your user account. When this feature is activated,
USM Anywhere displays the multifactor authentication page for you to complete your MFA
configuration. That page shows a unique QR code that you scan with your authenticator app,
which then generates your verification codes. See Using Multifactor Authentication for
more information about this security configuration.

Note: AT&T Cybersecurity recommends that users enable MFA for their account.
MFA adds extra security because it requires multiple factors to authenticate a user,
making it more difficult for an unauthorized person to gain access to the account.

To enable MFA

1. Open the Profile Settings page.


2. You have two options to choose from based on whether your role is general user or manager:
   • General user: At the bottom of the expanded pane of the USM Anywhere web user interface (UI), hover over the profile settings options, and select Profile Settings.
   • Manager: Go to Settings > Users and click the icon of your user.

   Both actions open the Profile Settings page.

3. Select Enable Multi-Factor Authentication.


4. Click Save.
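As an added illustration, not part of this guide and not USM Anywhere's own code, the following shows what the enrollment QR code hands to the authenticator app and how the verification code is then derived and checked. It assumes RFC 6238 TOTP with HMAC-SHA1, 6 digits and a 30-second step (the scheme common authenticator apps implement); the account name, issuer label and secret are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Assumed scheme: RFC 6238 TOTP, HMAC-SHA1, 6 digits, 30-second time step.
DIGITS = 6
PERIOD = 30


def new_secret(num_bytes=20):
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def otpauth_uri(secret_b32, account, issuer):
    """The otpauth:// URI that an enrollment QR code encodes.

    The app stores the secret from this URI; afterwards both sides compute the
    same code from the current time and never exchange the secret again.
    """
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def secret_from_b32(secret_b32):
    """Decode the base32 secret from the URI back to raw key bytes."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time, period=PERIOD):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(unix_time) // period)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts one step of clock drift either way and never accepts a time step
    twice, so a code captured in transit cannot be replayed within its window.
    """

    def __init__(self, key, window=1):
        self._key = key
        self._window = window
        self._last_step = -1  # highest time step already consumed

    def verify(self, submitted, unix_time):
        now_step = int(unix_time) // PERIOD
        for step in range(now_step - self._window, now_step + self._window + 1):
            if step <= self._last_step:
                continue  # already used: treat as a replay
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(hotp(self._key, step), submitted):
                self._last_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed enrollment: what the QR code would carry, and one round trip.
    secret = new_secret()
    print("QR payload:", otpauth_uri(secret, "analyst@example.invalid", "USM Anywhere"))
    key = secret_from_b32(secret)
    code = totp(key, time.time())
    print("current code:", code, "accepted:", TotpVerifier(key).verify(code, time.time()))
```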

Select Your Default Landing Page After You Have Logged In

USM Anywhere gives you the option of selecting your default landing page after you have
logged in.

Important: You can also load the configured default landing page by clicking the
logo of USM Anywhere located in the upper-left corner of the page.

To select your default landing page after you have logged in

1. Open the Profile Settings page.


2. You have two options to choose from based on whether your role is general user or manager:
   • General user: At the bottom of the expanded pane of the USM Anywhere web user interface (UI), hover over the profile settings options, and select Profile Settings.
   • Manager: Go to Settings > Users and click the icon of your user.

   Both actions open the Profile Settings page.

3. Select the default home page you want to display after you have logged in. You have
these options:


   • Dashboards: You can select a specific dashboard to use as a landing page. The list of dashboards is alphabetically ordered and also includes the custom dashboards you can create.

     Note: Keep in mind that dashboard names that begin with a lowercase letter are located at the end of the list.

   • Activity: Select alarms or events.
   • Environment: Select assets, asset groups, vulnerabilities, or configuration issues.
   • Investigations: You can select the investigations page to use as a landing page.

   Important: You have the option of selecting the views you have created. If there is a selected view and you delete that view, when you log in, USM Anywhere displays the main page related to that view. For example, if you select a custom dashboard page to be your landing page and then you delete that custom dashboard, USM Anywhere displays the dashboards page when you log in.

4. Click Save.

Select the Time for Auto-Refreshing the Alarms and Dashboard Pages

If you want to configure the time that the alarms and dashboard pages refresh their
information, you can set an interval. These are the options:

• None: The page works as usual and displays the icon for manually updating the page.
• Every 5 min: The page is reloaded every 5 minutes.
• Every 10 min: The page is reloaded every 10 minutes.
• Every 15 min: The page is reloaded every 15 minutes.

Activate Alarm Notifications

If you want to be notified of alarms generated by USM Anywhere, activate the notification option for your user account. When this feature is activated, USM Anywhere sends an email to provide real-time notification of critical security incidents.

Note: These notifications send emails using Simple Mail Transfer Protocol (SMTP).
There is a quota of 200 emails per day.


To activate alarm notifications

1. Open the Profile page.


2. You have two options to choose from based on whether your role is general user or manager:
   • General user: At the bottom of the expanded pane of the USM Anywhere web user interface (UI), hover over the profile settings options, and select Profile Settings.
   • Manager: Go to Settings > Users and click the icon of your user.

   Both actions open the Profile Settings page.

3. Select Receive Alarm Notifications.

Note: It can take up to one hour for the notifications to take effect.

Important: This option is not available for AT&T Cybersecurity Managed Security Service Provider (MSSP) users who logged in through USM Central.

Important: You will not receive email notifications for suppressed alarms.

4. Click Save.

To log out of the system

1. At the bottom of the expanded pane of the USM Anywhere web user interface (UI), hover
over the profile settings options.
2. Select Logout.

API Clients

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere offers a REST API framework that enables you to customize elements of the data in your environment. The APIs return JSON responses, and errors are reported through HTTP response codes. To access the API, you need to create a client ID and secret in the USM Anywhere interface and use them to obtain a token. USM Anywhere uses OAuth 2.0 to authenticate against the REST APIs.


Edition: The API is available in the Standard and Premium editions of USM Anywhere.

See the Affordable pricing to fit every budget page for more information about the
features and support provided by each of the USM Anywhere editions.

To open the API Clients page

1. In the USM Anywhere web UI secondary menu, click the icon and select Profile Settings.

2. Select API Clients tab.

3. Click New Client to create a new client. See the AlienVault APIs for more information.

To enable an API Client

1. In the USM Anywhere web UI secondary menu, click the icon and select Profile Settings.
2. Select API Clients.
3. Locate the API client that you want to enable and click the icon. This turns the icon green. To disable an already enabled API Client, toggle the icon to its original status.


To edit an API Client

1. In the USM Anywhere web UI secondary menu, click the icon and select Profile Settings.
2. Select API Clients.
3. Locate the API client that you want to modify and click the icon to open a new window.

4. Make changes to the client ID, as needed.


5. Click Update Client.
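The token exchange described above, as an added example that is not the guide's or AT&T's own code: a small Python client that sends the client ID and secret once to obtain an OAuth 2.0 bearer token, caches it until it expires, re-authenticates once on a 401, and surfaces other HTTP error codes. The token endpoint path, the client-credentials grant, the /api/2.0/alarms path and the FakeUsmTransport responses are assumptions or constructed values, not taken from this guide.

```python
import base64
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Assumed token endpoint path and grant type; confirm both against the AlienVault
# API documentation for your deployment.
TOKEN_PATH = "/api/2.0/oauth/token"

class UsmApiError(Exception):
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body}")  # errors arrive as HTTP status codes
        self.status, self.body = status, body

class UsmApiClient:
    """Client ID/secret -> OAuth 2.0 bearer token -> authenticated JSON calls."""

    def __init__(self, base_url, client_id, client_secret, transport=None, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self._client_id, self._client_secret = client_id, client_secret
        # transport(method, url, headers, body) -> (status, bytes); swappable for tests
        self._transport = transport or self._http
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    @staticmethod
    def _http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _fetch_token(self):
        # The secret is sent only here, as HTTP Basic credentials, over TLS.
        basic = base64.b64encode(f"{self._client_id}:{self._client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {basic}", "Accept": "application/json",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"grant_type": "client_credentials"}).encode()
        status, raw = self._transport("POST", self.base_url + TOKEN_PATH, headers, body)
        if status != 200:
            raise UsmApiError(status, raw.decode(errors="replace"))
        data = json.loads(raw)
        self._token = data["access_token"]
        # Renew a minute before the server-side expiry so a call never races it.
        self._expires_at = self._clock() + max(float(data.get("expires_in", 0)) - 60, 0)
        return self._token

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at:
            return self._fetch_token()
        return self._token

    def get(self, path):
        url = self.base_url + path
        for attempt in range(2):
            headers = {"Authorization": f"Bearer {self.access_token()}",
                       "Accept": "application/json"}
            status, raw = self._transport("GET", url, headers, None)
            if status == 401 and attempt == 0:
                self._token = None  # token rejected: re-authenticate exactly once
                continue
            if 200 <= status < 300:
                return json.loads(raw) if raw else {}
            raise UsmApiError(status, raw.decode(errors="replace"))

class FakeUsmTransport:
    """Constructed stand-in for the API so the example runs offline."""

    def __init__(self, client_id, client_secret):
        self._basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.issued, self.valid_token = 0, None

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith(TOKEN_PATH):
            if headers.get("Authorization") != f"Basic {self._basic}":
                return 401, b'{"error": "invalid_client"}'
            self.issued += 1
            self.valid_token = f"token-{self.issued}"
            return 200, json.dumps({"access_token": self.valid_token, "expires_in": 3600}).encode()
        if headers.get("Authorization") != f"Bearer {self.valid_token}":
            return 401, b'{"error": "invalid_token"}'
        return 200, b'{"results": [{"uuid": "constructed-alarm-1", "priority": "high"}]}'

def demo():
    """Authenticate, call the API, then recover from a revoked token."""
    transport = FakeUsmTransport("demo-client-id", "demo-client-secret")
    client = UsmApiClient("https://example.invalid", "demo-client-id", "demo-client-secret",
                          transport=transport)
    first = client.get("/api/2.0/alarms")  # assumed endpoint path
    transport.valid_token = None  # simulate the server invalidating the token
    second = client.get("/api/2.0/alarms")  # 401 -> fresh token -> transparent retry
    return transport.issued, first["results"][0]["uuid"], second["results"][0]["uuid"]

if __name__ == "__main__":
    print(demo())  # -> (2, 'constructed-alarm-1', 'constructed-alarm-1')
```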

Deleting Users

Role Availability Read-Only Investigator Analyst Manager

You can delete a user account in your USM Anywhere environment whenever you need to.

When deleting a user, keep in mind these points:

• All dashboards created by the user are deleted (including any shared dashboards). See Sharing your Custom Dashboard for more information.
• All views created by the user are deleted (including shared views). See Alarms Views, Assets Views, Configuration Issues List View, Event Views, USM Anywhere System Events List View, and Viewing Vulnerabilities Details for more information.


• API clients created by the user are deleted. See API Clients for more information.
• All profile information is deleted (home page, auto refresh, receiving notifications). See Managing Your Profile Settings for more information.

Note: Although the user is deleted, all their saved generated reports, created or modified rules, and created or modified investigations stay in your environment.

To delete a user account

1. Go to Settings > Users to open the page that displays the list of user accounts in your
USM Anywhere environment.

2. In the row for the user account, click the icon.

3. Click Accept to confirm the process or click Cancel to exit.

Configuring Web UI Session Timeout

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere supports up to 20 concurrent sessions per user, including both USM Central
and USM Anywhere sessions. You can configure the length of time a session is inactive before
the system automatically logs you out of USM Anywhere. Concurrent API sessions are not
limited.

Important: GovCloud users are limited to two concurrent sessions for each user,
including USM Central, USM Anywhere, and API sessions.


To configure your web user interface (UI) session timeout

1. Go to Settings > System.


2. In the left navigation panel, click Session Settings.

3. Use the drop-down list to set the session timeout. It can be 15 minutes, 30 minutes, 1 hour,
or 2 hours.

A notification bar displays to confirm the change.

Note: The new configuration applies after you log in.



Using USM Anywhere for PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive
requirements for enhancing payment account data security. These requirements are a set of
security standards designed to ensure that all companies that accept, process, store or
transmit credit card information maintain a secure environment.

About PCI DSS


The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. This
data can include credit cards, debit cards, ATM cards, and point of sale (POS) cards. The goal
of the standard is to protect cardholder data and decrease the possibility of cardholder data
theft and/or loss. If you are a merchant who accepts or processes payment cards, you must
comply with the PCI DSS.

The PCI DSS is made up of 12 requirements that businesses are expected to comply with.
These requirements consist of security policies, procedures, and guidelines for storage,
processing, and transmission of cardholder data.

About USM Anywhere for PCI DSS


USM Anywhere helps organizations meet PCI DSS requirements and provides out-of-the-box searches, reports, and asset and asset group management to give you visibility into the system, application, and device activity relevant to PCI compliance.

USM Anywhere can play a crucial role for you by delivering the technologies necessary to
achieve PCI compliance. Many businesses do not have the tools, knowledge, or resources to
fulfill the requirements for PCI Compliance.


Working with Assets and PCI DSS

Role Availability Read-Only Investigator Analyst Manager

The Payment Card Industry Data Security Standard (PCI DSS) views in USM Anywhere have pre-defined filters based on the PCI DSS Asset Group. This section provides instructions on assigning assets to the asset group to populate the views with data.

Note: USM Anywhere generates PCI reports from the assets assigned to the PCI DSS
Asset Group. See USM Anywhere Compliance Templates for more information.

To assign Assets to the PCI DSS Asset Group

1. Go to Environment > Assets.


2. Select the assets you want to include in the PCI DSS Asset Group. See Selecting Assets in Asset List View for assistance.
3. Select Actions > Set Compliance Scope.
4. Select PCI.

5. Click Save. The selected assets are added to the PCI DSS Asset Group.


To identify PCI Assets

1. Go to Environment > Assets.

2. In the upper-left side of the page, click the Configure Filters link.

3. Search for PCI Asset in the available filters.

4. Click the icon to select the filter.

5. Click Apply.
6. In the left panel, scroll to the bottom to find the section for the PCI Asset filter.
7. Click Yes (n). The number in parentheses indicates the number of PCI Assets.



USM Anywhere Investigations
Role Availability Read-Only Investigator Analyst Manager

Using USM Anywhere, you can create investigations and organize the information from your
environment. This feature enables you to manage and coordinate incident response activities.
Use Investigations for linking alarms, events, notes, and other files to their responses, and you
will have a complete view of actions you have taken to address a particular threat.

This topic discusses these subtopics:

Investigations List View 971

Creating a New Investigation 973

Editing Investigations 974

Viewing Investigations Details 976

Deleting Investigations 989

Notification Rule for Investigations 990


Investigations List View

Role Availability Read-Only Investigator Analyst Manager

The Investigations page provides a list of all of the investigations created in your
environment. Go to Investigations to open a centralized view of your investigations. Each
row describes an investigation.

The Investigations page includes navigation and filtering elements to help you locate the
investigations you want to review. When you go to Investigations, the page displays all of the
open and in-review items by default.

The following table lists the default columns in the investigations page.

List of the Default Columns in the Investigations Page

Column / Field Name   Description
Title                 Name identifying the investigation.
ID                    Sequential number automatically assigned by the system
                      that identifies the investigation.
Severity              Severity of the investigation. Values are Low, Medium,
                      High, and Critical.
Status                The status applied to the investigation. It can be Open,
                      In Review, or Closed. See Viewing Investigations Details
                      if you want to change the status.
Intent                Classify your investigation as Delivery & Attack,
                      Environmental Awareness, Exploitation & Installation,
                      Reconnaissance & Probing, or System Compromise. See
                      Intent for more information.
Created               The date and time the investigation was created. The
                      date displayed depends on your computer's time zone.
Assignee              Email of the person to whom the investigation has been
                      assigned.
Last Updated          The date and time that the investigation was last
                      updated. The date displayed depends on your computer's
                      time zone.
Last Updated by       Email of the last person who updated the investigation.

Use the icon if you want to modify some information. See Editing Investigations for more information.

Use the icon if you want to delete an investigation. See Deleting Investigations for more information.

Sort and Filter the Displayed Investigations


To change the sort order of the displayed list, click the column label for the field that you want to use to sort the list. Use the filters above the list to change the displayed list so that it includes only the investigations you want to see. These are the filters:

• Filter by Title or ID: Enter a search string for the name of the investigation or the investigation ID to display only matching investigations.
• Severity: Select Low, Medium, High, or Critical. You also have the option All to display all of the severities that you have in your environment.
• Intents: Select Delivery & Attack, Environmental Awareness, Exploitation & Installation, Reconnaissance & Probing, or System Compromise.
• Assignee: Select the email of the person whose assigned investigations you want to display.
• Open: Select this checkbox if you only want to display the investigations that are open.
• In Review: Select this checkbox if you only want to display the investigations that are in review.
• Closed: Select this checkbox if you only want to display the investigations that are closed.


Creating a New Investigation

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to create and manage your own investigations.

To create a new investigation

1. Go to Investigations.
2. In the upper right area of the page, click New Investigation to open a new window.

3. Enter the information in each field.


Fields in the New Investigation Dialog Box

Field         Meaning
Title         Name identifying the investigation.
Intent        Classify your investigation as Delivery & Attack, Environmental
              Awareness, Exploitation & Installation, Reconnaissance & Probing,
              or System Compromise. See Intent for more information.
Severity      Severity of the investigation. Values are Low, Medium, High, and
              Critical.
Status        The status applied to the investigation. By default, it is Open
              and cannot be changed. You can change it later to In Review or
              Closed. See Viewing Investigations Details to learn more about
              changing the default Status setting.
Description   (Optional.) Enter an investigation description.

4. Click Save.

Note: USM Anywhere automatically assigns every new investigation to the user who
creates the investigation. See Editing Investigations to learn how to modify the
assigned user.

Editing Investigations

Role Availability Read-Only Investigator Analyst Manager

You can make changes to the investigations that you have created, such as changing the title,
intent, or status. If an investigation is no longer needed, you can delete it.


To edit an investigation

1. Go to Investigations.
2. Locate the investigation in the Investigations list.
3. In the row for the investigation, click the icon or the title of the investigation.


4. In the Edit Investigation dialog box, change the parameters as needed.

See Creating a New Investigation for more information about these options.

Note: USM Anywhere automatically assigns every new investigation to the user who
creates the investigation.

5. Click Save.

Viewing Investigations Details


Role Availability Read-Only Investigator Analyst Manager

The investigation details view provides in-depth information on an investigation and easy access to it. When you use this feature to access the investigation at the deployment level, you can modify some of the fields related to the investigation, as well as create associated alarms, files, and events and add notes.

To view the details of an investigation

1. Go to Investigations.

2. Click the title of an investigation to display its details.

On the upper-left side of the page is the name of the investigation. Click the icon next to the name if you want to make changes to the item. See Investigations List View for more information about the fields.

Below the investigation name, the ID of the investigation displays, along with the created and last updated dates.

You can change the values displayed in the Assignee, Severity, Intent, and Status drop-down lists. The modification is automatic, so once you change a value, it is updated.

This topic discusses these subtopics:


• Activity on Investigations
• Notes on Investigations
• Evidence on Investigations

Activity on Investigations

Role Availability Read-Only Investigator Analyst Manager

This is an informative section, which enables you to see in chronological order every
modification of the investigation.

This section displays this information:


• Type of action that has been done. These actions can be:

  Activity: Type of Action

  Type of Action          Description
  Attachment created      A new file is added to the investigation.
  Attachment deleted      A file is removed from the investigation.
  Attachment updated      A file from the investigation has been updated.
  Evidence linked         An alarm or event has been linked to the investigation.
  Evidence unlinked       An alarm or event has been unlinked from the investigation.
  Investigation created   The user has created the investigation.
  Investigation deleted   The user has removed the investigation.
  Investigation updated   The user has updated the investigation.
  Note Created            A note is created.
  Note Deleted            A note is deleted.
  Note Updated            A note is updated.

• Email of the person who has made a change.
• Date on which the action was made. The displayed date depends on your computer's time zone.

Notes on Investigations

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to add notes to your investigations.

Important: You can link up to 100 notes to each investigation.

To add a note

1. Go to Investigations.
2. Locate the investigation in the Investigations list.
3. Click the title of an investigation to display its details.


4. Click Add Note.

5. Enter the text you want to include.

Note: There is a maximum length of 4000 characters, which is about 600 words.

6. Click Save.

The new note displays in the details of the investigation.

To edit a note

1. Go to Investigations.
2. Locate the investigation in the Investigations list.
3. Click the title of an investigation to display its details.


4. Locate the note you want to edit and click the icon.

5. In the Edit Note dialog box, change the text for the note as needed.
6. Click Save.

To delete a note

1. Go to Investigations.
2. Locate the investigation in the Investigations list.
3. Click the title of an investigation to display its details.


4. Locate the note you want to delete and click the icon.

5. Click Delete in the confirmation dialog box.

Evidence on Investigations

Role Availability Read-Only Investigator Analyst Manager

This section displays the alarms, events, and files associated with the investigation.

Important: You can link up to 100 alarms and 100 events to each investigation.


You can click an alarm or an event to go to the alarm or event.

The asset name includes the icon if the asset is not in the system, or the icon if the asset has been added to the system.

Click the icon to access these options:

• Add to current filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
• Find in events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the source asset in the AT&T Cybersecurity Alien Labs Open Threat Exchange® (OTX™) page. See Using OTX in USM Anywhere for more information.
• Add asset to system: Use this option to create the asset in the system. See Adding Assets for more information.

Click the icon to access these options:

• Add to Current Filter: Use this option to add the asset name as a search filter. See Searching Events for more information.
• Find in Events: Use this option to execute a search of the asset name in the Events page. See Searching Events for more information.
• Look up in OTX: This option searches the IP address of the asset in the OTX page. See Using OTX in USM Anywhere for more information.
• Full Details: See Viewing Assets Details for more information.
• Assign Credentials: See Managing Credentials in USM Anywhere for more information.
• Authenticated Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
• Scan with AlienApp: This option enables you to run an asset scan through an AlienApp. See Running Asset Scans Using an AlienApp for more information.
• Configuration Issues: This option opens the Asset Details page with the Configuration Issues tab selected. See Viewing Assets Details for more information.
• Vulnerabilities: This option opens the Asset Details page with the Vulnerabilities tab selected. See Viewing Assets Details for more information.
• Alarms: This option opens the Asset Details page with the Alarms tab selected. See Viewing Assets Details for more information.
• Events: This option opens the Asset Details page with the Events tab selected. See Viewing Assets Details for more information.

Link an alarm to an investigation

1. Go to Activity > Alarms.


2. Search for the alarm you want to add to the investigation and select it. See Searching
Alarms for more information.


3. Click the icon and select an investigation. You can also create a new one. See Creating a New Investigation for more information.

4. Click Save.

Link several alarms to an investigation

1. Go to Activity > Alarms.


2. Search for the alarms you want to add to the investigation and select them. See Searching Alarms for more information.

3. Click Add to Investigation and select an investigation. You can also create a new one.
See Creating a New Investigation for more information.


4. Click Save.

Link an event to an investigation

1. Go to Activity > Events.


2. Search for the event that you want to add to the investigation and select it. See Searching Events for assistance.

3. Click the icon and select an investigation. You can also create a new one. See Creating a New Investigation for more information.

4. Click Save.


Remove a link from an investigation

1. Go to Investigations.
2. Click the title of an investigation to display its details.

3. In the Evidence section, locate the alarm or the event that you want to remove from the
investigation and click the icon.

4. In the confirmation dialog box, click Remove.


Remove a link from alarms or events

1. Go to Activity > Alarms or Activity > Events, depending on whether you want to remove an alarm or an event.
2. Locate the alarm or event that you want to remove from the investigation and select it. See Searching Events for assistance.
3. Click the icon located in the Investigation field.

4. Select the investigation from which you want to remove the link.

5. Click Unlink From Investigation.

6. In the confirmation dialog box, click Unlink.

Add a file to an investigation

When adding a file to an investigation, keep in mind these points:

• There is a maximum file size of 24 MB.
• There is a maximum number of five attachments per investigation.


To add a file to an investigation

1. Go to Investigations.
2. Click the title of an investigation to display its details.

3. In the Evidence section, click Select the file from your desktop or drop your file in the
section.

4. Select the file and click Open.

The file displays in the list.

Deleting Investigations

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere gives you the option of deleting an investigation if it is no longer needed.


To delete an investigation

1. Go to Investigations.
2. Click the title of an investigation to display its details.

3. In the row for the investigation, click the icon.

4. In the confirmation dialog box, click Delete.

Notification Rule for Investigations


Role Availability Read-Only Investigator Analyst Manager

USM Anywhere creates a default notification rule that sends an email notification when there
is a change to an investigation.

This is a system rule, and the allowed actions are Enable, Disable, and Edit. If you try to delete
it, the rule is restored during the next system update. Go to Settings > Rules to view this
notification rule.

Note: By default, this rule is disabled.

Note: These rules use the event_severity field with the values low, medium, high, and
critical, and the event_action field with the values created, deleted, and updated.

To enable the notification rule for investigations

1. Go to Settings > Rules.


2. Locate the USM Anywhere Investigations Notification rule and click the icon. This
turns the icon green. To disable the rule, toggle the icon to its original status.

3. Click an investigation to display its details.


To edit the notification rule for investigations

1. Go to Settings > Rules.


2. Locate the USM Anywhere Investigations Notification rule and click the icon.

3. Make the changes as needed and click Save Rule.

Note: The destination email field includes the emails of the users in the environment who have the Manager role. See Role-Based Access Control (RBAC) in USM Anywhere for more information.

System Status within USM Anywhere


Role Availability Read-Only Investigator Analyst Manager

The USM Anywhere web user interface (UI) enables you to view and modify some data related
to the configuration of your environment. These pages give you an overall view about the
configuration of your system, which is a useful way to have all the essential information.
These are the options:

• Check the status of your environment (see USM Anywhere System Monitor for more information)
• Display the summary of your current network configuration (see USM Anywhere Network System and Network Setup and Configuration for more information)
• Display and modify your syslog configuration (see Enabling syslog Connections in an AWS VPC for more information)
• Manage asset fields (see Managing Asset Fields for more information)
• Configure a session timeout (see Configuring Web UI Session Timeout for more information)

USM Anywhere Network System

Role Availability Read-Only Investigator Analyst Manager

The USM Anywhere Network System page enables the user whose role is Manager to display
a summary of the configured network.

To open the USM Anywhere Network System page

1. Go to Settings > System.


2. In the left navigation panel, click Network Settings.
3. If you have more than one sensor in your environment, select a sensor.

The Network Status Test starts running.


Note: See Network Setup and Configuration for more information.

USM Anywhere System Monitor

Role Availability Read-Only Investigator Analyst Manager

The USM Anywhere System Monitor page enables the user whose role is Manager to display statistics of the data coming from sensors within a time frame. See Role-Based Access Control (RBAC) in USM Anywhere for more information.

You can choose between the last 24 or 7 hours. If you have more than one sensor configured
in your environment, you need to select a sensor.

Go to Settings > System, and then click System Monitor in the left navigation panel. These
are the displayed data:


System Monitor Fields

Field                     Description
Total Events Per Second   Graph displaying the total events received per second. (You
                          can see the current and the filtered events.)
Fuzzied Events            Graph displaying the total fuzzied events received per second.
                          See About the Was Fuzzied Filter for more information.
CPU                       Graph displaying in percentages the total CPU used.
CPU Load Average          Graph displaying the load average of the CPU.
Disk (Software)           Graph displaying in percentages the total disk (software) used.
Disk (Data)               Graph displaying in percentages the total disk (data) used.
Memory                    Graph displaying in percentages the total memory used.
Swap                      Graph displaying in percentages the total swap used.

USM Anywhere Log Collection

Role Availability Read-Only Investigator Analyst Manager

Syslog is a message-logging standard supported by most devices and operating systems (OSes). USM Anywhere can collect syslog data from devices in your environment and produce corresponding security events and alarms. You can forward syslog data from specific device types to the USM Anywhere Sensor IP address and port.

Note: See The Syslog Server Sensor App, Data Sources and Log Processing, and Enable
Connections in an AWS VPC for more information.

To open the Log Collection page

1. Go to Settings > System.


2. In the left navigation panel, click Log Collection > Syslog Configuration.

3. If you have more than one USM Anywhere Sensor deployed, use the drop-down menu to select the sensor for which you want to configure log collection.


Note: If the sensor is receiving syslog messages from your network, you will see
IP addresses listed under Device Sending Data. For performance reasons, this list
only includes devices sending logs in the last 15 minutes. The list refreshes every 30
seconds. After the sensor is updated or the syslog-ng server used by the sensor
restarts, the list is reset.

4. Click How do I configure my device? to see the instructions for your operating system:
   • Windows: This is a link to the Collecting Windows System Logs page.
   • Linux: This is a link to the Collecting Linux System Logs page.
