Documentation Center
AlienVault® USM Anywhere™

Alarms List View

  Role Availability   Read-Only   Analyst   Manager

AlienVault USM Anywhere provides a centralized view of your alarmsAlarms provide notification of an event or sequence of events that require attention or investigation.. Navigate to ACTIVITY > ALARMS.

The alarms page displays information on alarms. On the left you can find the search and filters options. Use filters to delimit your search. See Searching Alarms for further information. Across the top, you can see any filters you have applied, and you have the option to create and select different views of the alarms. The main part of the page is the actual list of alarms. Each row describes an individual alarm and includes a check box on the left side of each one for selecting it. You can select all alarms on the same page by clicking the check box in the first column of the header row.

Alarm Summary Graph

The section above the page includes a bubble graph that provides a graphical representation of alarms by intent. Blue circles indicate the number of times that an alarm in an intent showed. A bigger circle indicates a higher number of alarms. You can mouse over each of the circles to get the actual number of different types of intent. In addition, if you click any of the blue circles, USM Anywhere displays only the alarms corresponding to that circle. You can change the displayed period of time by clicking the Created during filter.

If you want to analyze the data and see the additional columns without having to scroll left and right, you can maximize the screen and hide the filter panel. Click the Expanded Filter Panel icon () to hide the filter panel. Click the Collapsed Filter Panel icon () to expand the filter panel.

Alarm Summary Graph

Alarms graphed by intent are sorted into five different categories, which are represented by the graphic icons in the display

Alarms List Columns

For each alarm in the alarm columns list, USM Anywhere displays useful information to help you determine the best response.

List of the default columns in Alarms
Column Field Name Description
Alarm Summary It displays several fields, which are the type of attack, the method of attack, and how long the alarm happened in the past.
Priority Impact of the detected attack. Can be Low, Medium, or High. See Priority Field for Alarms for more information.
Alarm Status Status applied to the alarm. By default, it can be Open, In Review, and Closed. See Alarm Status for further information. The alarms having the status as 'Closed' will not be displayed in the list.
Sources HostnameA hostname is a label that is assigned to a device connected to a computer network and is used to identify the device on the network. or IP address of the source, with national flag if country is known, for an event creating the alarm.
Destinations Hostname or IP address of the destination, with national flag if country is known, that received the events generating the alarm.
Sensors SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. name associated with the alarm. The type of sensor is also displayed below the sensor name.
Labels Label(s) applied to the alarm. By default, it can be In Progress, False Positive, Open, and Closed. The user can create and manage labels, see Labeling the Alarms

From the list of alarms, you can click on any individual alarm row to display more information on the selected alarm, including individual events that actually triggered the alarm. See Viewing Alarm Details for further details.

The asset name includes a chevron icon that can be grey () if the asset is not in the system, or blue () if the asset has been added to the system.

Click the grey chevron icon () to access to the following options

  • Add to current filter. Use this option to add the asset name as a search filter. See Searching Events.
  • Find in events. Use this option to execute a search of the asset name in the Events page. See Searching Events.
  • Look up in OTX. This option searches the IP address of the source asset in the Open Threat Exchange page. See Using OTX in USM Anywhere
  • Add asset to system. Use this option to create the asset in the system. See Adding Assets.

Click the blue chevron icon () to access the following options

You can configure the view you want for the list of alarms, see Alarms Views for more information.

Click Generate Report to export alarms. See Exporting Alarms for further details.

You can add a label to an alarm, which allows you to have classified alarms. See Labeling the Alarms for further information. There is also the possibility of adding a status to an alarm. See Alarm Status for further information. To distinguish between label and status, see What are the differences between Statuses and Labels?.

Click this button to change the graph to a Count/Time view, which provides a chart that shows the number of issues over a period of time.

Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon () on the secondary menu shows the bookmarked items and a link to them.

Click the filter icon () to filter your search by row fields. See Filtering Alarms by Row Fields for further information.

You can also sort items by selecting 20, 50, or 100 below the result table. Some columns can be classified if you click the icons to the right side of the heading. You will sort the item information in ascending and/or descending order.

Configuring Columns

You can configure the columns/fields that display in the list and save your columns configuration to get back to it whenever you need it.

To configure your columns

  1. From the alarmsAlienVault Generic Plugin list view, click the Manage Columns icon () to open the Columns Configuration popup window.
  2. Search the columns you want to have in the list view. You can type your search in the search box.
  3. Use the icons () and () to pass the items from one column to the other and select the columns you want to see.
  4. Click Apply.

Note: If you export a report when you have set custom columns, your report will keep the columns you have configured.

Important: If you want to keep your configuration, you need to save it by clicking the pull-down menu Save View > Save as. Otherwise, your custom view will not be kept when you move to another feature.

Priority Field for Alarms

In USM Anywhere all alarms have a priority field, which indicates the importance of the alarm. This is a measurement to determine the impact of the alarm in our network.

The priority field can display the text Low, Medium, or High. These texts come from correlationCorrelation identifies potential security threats by identifying relationships between multiple types of events occurring in two or more assets. and orchestration rules. When you create an orchestration rule, you will have to type a priority value between 0 and 100. AlienVault creates the correlation rulesA correlation rule correlates incoming events based on previously defined relationships defined in the correlation directive, associating multiple events, of the same or different event types, from the same data source. and they already include a value. The displayed text on the column of alarms depends on the value that the rule has according to the following table.

Priority Field for Alarms
Displayed text Value in the rule
Low Between 0 and 33
Medium Between 34 and 66
High Between 67 and 100

Open the details of an alarm (see Viewing Alarm Details) to know the exact value of the priority level. After you are in the alarm details page, hover over the priority text and a popup will show you the exact value.

See Correlation Rules and Orchestration Rules for further information.