AlienVault® USM Anywhere™

Events List View

Role Availability: Read-Only, Analyst, Manager

AlienVault USM Anywhere provides a centralized view of your events. Navigate to ACTIVITY > EVENTS.

The events page displays information on events. On the left you can find the search and filter options. Across the top, you can see any filters you have applied, and you have the option to create and select different views of the events. The main part of the page is the actual list of events. Each row describes an individual event.

If you want to analyze the data and see the additional columns without having to scroll left and right, you can maximize the screen and hide the filter panel. Click the Expanded Filter Panel icon to hide the filter panel. Click the Collapsed Filter Panel icon to expand it again.

List of the default columns in Events

Column / Field Name    Description
Event Name             Name of the event
Time Created           The date and time the event was created. The displayed date depends on your computer's time zone.
OTX                    Indicates whether the event is an OTX event. If the icon is active, click it to go to the OTX site.
Source Asset           Hostname or IP address of the host that initiates the event, with the national flag if the country is known
Destination Asset      Hostname or IP address of the host that receives the event, with the national flag if the country is known
Sensor                 Name of the USM Anywhere Sensor that detected the event. The type of sensor is also displayed below the sensor name.
Username               Username associated with the event

The asset name includes a chevron icon that is grey if the asset is not in the system, or blue if the asset has been added to the system.

Click the grey chevron icon to access the following options:

  • Add to current filter. Use this option to add the asset name as a search filter. See Searching Events.
  • Look up in OTX. This option searches for the IP address of the source asset in the Open Threat Exchange page. See Using OTX in USM Anywhere.
  • Add asset to system. Use this option to create the asset in the system. See Adding Assets.

Click the blue chevron icon to access the following options:

You can configure the view you want for the list of events. See Views for more information.

Click Generate Report to export events. See Exporting Events for further details.

The graph above the events list displays the number of events in a period of time. You can change this period by clicking the Created during filter.

Click this button to access the following options:

Events Count/Time options

Option            Meaning
Actions / User    Reports USM Anywhere account activity based on specific account users, summarized by Create, Read, Update, and Delete categories
Count / Time      Provides a chart that shows the number of issues over a period of time
Auth / User       Reports authorization actions
Source Map        Provides the number of events associated with each country on a global map

Click the star symbol to the left of an item to mark it as a bookmark for quick access. Clicking the Star icon on the secondary menu shows the bookmarked items and links to them.

Click the filter icon to filter your search by row fields. See Filtering Events by Row Fields for further information.

You can also change the number of items shown per page by selecting 20, 50, or 100 below the result table. Some columns can be sorted by clicking the icons to the right of the column heading, which orders the items in ascending or descending order.

Configuring Columns

You can configure the columns/fields that display in the list and save your columns configuration to get back to it whenever you need it.

To configure your columns

  1. From the events list view, click the Manage Columns icon to open the Columns Configuration popup window.
  2. Search for the columns you want to have in the list view. You can type your search in the search box.
  3. Use the arrow icons to move items from one list to the other and select the columns you want to see.
  4. Click Apply.

Note: If you export a report when you have set custom columns, your report will keep the columns you have configured.

Important: If you want to keep your configuration, you need to save it by clicking the pull-down menu Save View > Save as. Otherwise, your custom view will not be kept when you move to another feature.

Views

To create a view configuration

  1. From the Events list view, click the Manage Columns icon.
  2. Use the arrow icons to move items from one list to the other and select the columns you want to see.
  3. Click Apply.
  4. If you want to narrow the search, select the filters you want to apply.
  5. Click the pull-down menu Save View > Save as.
  6. Type a name for the view and click Save.

To select a configured view

  1. From the Events list view, click the View pull-down menu above the filters.
  2. Click Saved views and select the view you want to see.
  3. Click Apply.

Predefined Views

USM Anywhere includes several predefined views of events based on common environments and technologies. These views have predefined column headers that show the most relevant event fields, so you can see a summarized event view without having to spend time creating a custom view.

These predefined views operate the same way as the views you can create yourself. Some of these views also have predefined filters.

These views are available under the ACTIVITY option of the primary menu.

Predefined Views for Events

View                        Meaning
Azure Cloud Activity        Displays the most relevant event fields for Azure environment logs
AWS Cloud Activity          Displays the most relevant event fields for AWS CloudTrail, AWS S3 Access, and ELB Access
Firewall Events             Displays the most relevant fields for firewall events, for instance request URL, source username, and destination username, depending on the set of fields most common to the list of supported firewall plugins
AlienVault Generic Plugin   Displays log data that the USM Anywhere Sensor is unable to match with a plugin based on hints and manual associations
Linux Events                Displays the most relevant fields for Linux events generated by the Linux CRON, SSH, and SUDO plugins
Network IDS                 Displays the most relevant event fields for NIDS events
Open Threat Exchange        Displays the most relevant feeds that the pulse has matched
Web Server Events           Displays the most relevant fields for Web Server events, which include Apache, NGinx, and Windows IIS
Windows Events              Displays the most relevant fields for Windows events forwarded by NxLog