USM Anywhere includes a Forensics and Response App pluginPlugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities., which translates the data retrieved by the AlienApp for Forensics and Response into normalizedNormalization describes the translation of log file entries received from disparate types of monitored assets into the standardized framework of Event types and sub-types. events for analysis. This plugin is automatically enabled and the eventsAny traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall. are displayed in the Events page, where you can view information about the collected forensic information. These events can trigger alarmsAlarms provide notification of an event or sequence of events that require attention or investigation. to alert your team about a system compromise.
To view AlienApp for Forensics and Response events
- Select ACTIVITY > EVENTS to open the Events page.
If the Search & Filters panel is not displayed, click the Filter icon () to expand it.
USM Anywhere includes several filters displayed by default.
Scroll down to the Data Source Plugin filter and select Forensics and Response App to display only those events on the page.
If this filter is not displayed, click the Configure Filters link at the bottom of the Search & Filters panel to configure filters for the page. (For more information about configuring filters for pages, see Managing Filters.)
Select an event in the list to view detailed information.
USM Anywhere includes built-in correlation rules that generate an alarm from one or more of these events. These rules analyze the events for patterns that indicate a code injection or Sticky Keys compromise for an asset. You can view the specifics of these rules on the Correlation Rules page by entering forensics in the Search field.
If you want to generate an alarm for other types of Forensics and Response events, you can create your own custom alarm rules and define the matching conditions to fit your criteria.