An alarm Alarms provide notification of an event or sequence of events that require attention or investigation. in USM Anywhere consists of one or more events Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall., based on one of the following:

• One or more rules performed by the correlation engine Used in systems management tools to aggregate, normalize, and analyze event log data, using predictive analytics and fuzzy logic to alert the systems administrator when there is a problem. of USM Anywhere, which analyzes these events for behavioral patterns. These rules look at and connect events to assess their priority and reliability. When the engine identifies a pattern, it generates an alarm, which requires attention and investigation. See Correlation Rules for more information.

Important: The "Suspicious Behavior - OTX Indicators of Compromise" correlation rule generates alarms if the pulse comes from the AlienVault OTX account.

• One orchestration rule, which is designed to raise an alarm when a particular type of event is found. See Orchestration Rules for more information.

USM Anywhere enables you to drive actions In USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. in response to incoming alarms. Perhaps the most common action is sending an email to administrators to provide real-time notification Communication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms. of a critical security incident. Each user can decide if they want to receive alarm notifications. See Managing Your Profile Settings for more information.

This topic discusses these subtopics: