Documentation Center
AlienVault® USM Anywhere™

The AlienVault Generic Plugin

Role Availability: Read-Only, Analyst, Manager

The AlienVault Generic Plugin is a predefined view of events that displays log data when the USM Anywhere Sensor is unable to match it with plugins based on hints and manual associations. (Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data; this data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. Plugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities.)

This view works the same as the events list view. On the left you can find the search and filter options. Across the top, you can see any filters you have applied, and you have the option to create and select different views of the events. The main part of the page is the actual list of events. Each row describes an individual event.

If you want to analyze the data and see the additional columns without having to scroll left and right, you can maximize the screen and hide the filter panel. Click the Expanded Filter Panel icon () to hide the filter panel. Click the Collapsed Filter Panel icon () to expand the filter panel.

List of the default columns in the AlienVault Generic Plugin

Column / Field Name: Description
Event Name: Name of the event.
Time Created: The date and time of the creation of the event. The displayed date depends on your computer's time zone.
OTX: Indicates whether it is an OTX event or not. (OTX, the Open Threat Exchange, is the world's first truly open threat intelligence community; it enables collaborative defense with open access, collaborative research, seamless integration with USM Anywhere and USM Appliance, and plugin capabilities for other security products.) If the icon displays as active, click it to go to the OTX site.
Reporting Device: The asset that sent the syslog (an industry-standard message logging system that is used on many devices and platforms).
Source Asset: Hostname or IP address of the host (a computer on a network), with national flag if the country is known, that initiates the event.
Destination Asset: Hostname or IP address of the host, with national flag if the country is known, that receives the event.
Sensor: Name of the USM Anywhere Sensor detecting the event. The type of sensor is also displayed below the sensor name.
Username: Username associated with the event.

The Reporting Device column includes the assets that sent the syslog. Click the blue chevron icon () located next to the asset name in this column to access the following options.

Click the grey chevron icon () located next to the source and destination asset name to access the following options:

  • Add to current filter. Use this option to add the asset name as a search filter. See Searching Events.
  • Look up in OTX. This option searches for the IP address of the asset in the Open Threat Exchange page. See Using OTX in USM Anywhere.
  • Add asset to system. Use this option to create the asset in the system. See Adding Assets.

You can configure the view you want for the list of events; see Views for more information.

Click Generate Report to export events. See Exporting Events for further details.

The graph above the events list displays the number of events in a period of time. You can change this period by clicking the Created during filter.

Click this button to access the following options:

Events Count/Time options

Option: Meaning
Actions / User: Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
Count / Time: Provides a chart that shows the number of issues over a period of time.
Auth / User: Reports authorization actions.
Source Map: Provides the number of events associated with each country on a global map.

Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon () on the secondary menu shows the bookmarked items and a link to them.

Click the filter icon () to filter your search by row fields. See Filtering Events by Row Fields for further information.

You can also change how many items are shown per page by selecting 20, 50, or 100 below the result table. Some columns can be sorted by clicking the icons to the right of the heading; this orders the item information in ascending or descending order.

Configuring Columns

To configure the agent columns

  1. From the AlienVault Generic Plugin list view, click the Manage Columns icon () to open the Columns Configuration popup window.
  2. Search agent in the available columns.
  3. Use the icon () to move the items from one column to the other.
  4. Click Apply.

Note: If you export a report when you have set custom columns, your report will keep the columns you have configured.

Important: If you want to keep your configuration, you need to save it by clicking the pull-down menu Save View > Save as. Otherwise, your custom view will not be kept when you move to another feature.

Views

To create a view configuration

  1. From the AlienVault Generic Plugin list view, click the Manage Columns icon () .
  2. Use the icons () and () to move the items from one column to the other and select the columns you want to see.
  3. Click Apply.
  4. If you want to delimit the search, select the filters you want to apply.
  5. Click the pull-down menu Save View > Save as.
  6. Type a name for the view and click Save.

To select a configured view

  1. From the AlienVault Generic Plugin list view, click the View pull-down menu above the filters.
  2. Click Saved views and select the view you want to see.
  3. Click Apply.