AlienVault® USM Anywhere™

Events List View

Role Availability Read-Only Analyst Manager

AlienVault USM Anywhere provides a centralized view of your events. Go to Activity > Events.

The events page displays information on events. On the left you can find the search and filter options. In the upper side of the page, you can see any filters you have applied, and you have the option to create and select different views of the events. The main part of the page is the actual list of events. Each row describes an individual event.

Your environment can display events when an asset has not received messages within a configured period of time. To see this kind of events, you previously need to configure a period of time that indicates when the asset has to start generating events. See Created Events when an Asset Stops Sending Data for more information.

If you want to analyze the data and see the additional columns without having to scroll left and right, you can maximize the screen and hide the filter panel. Click the icon to hide the filter panel. Click the icon to expand the filter panel.

List of the default columns in Events
Column / Field Name Description
Event Name Name of the event.
Time Created The date and time of the creation of the event. The displayed date depends on your computer's time zone.
OTX Indicate if it is an OTXThe world’s first truly open threat intelligence community. Enables collaborative defense with open access, collaborative research, and seamless integration with USM Anywhere and USM Appliance, and plugin capabilities for other security products. event or not. If the icon displays active, click it to go to OTX.
Source AssetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers.

HostnameA hostname is a label that is assigned to a device connected to a computer network and is used to identify the device on the network. or IP address of the hostReference to a computer on a network., with national flag if country is known, that initiates the event.

Destination Asset Hostname or IP address of the host, with national flag if country is known, that receives the event.
Sensor

Name of the USM Anywhere SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. detecting the event The type of sensor is also displayed below the sensor name.

Username Username associated with the event.

The asset name includes the icon if the asset is not in the system, or the icon if the asset has been added to the system.

Click the icon to access these options:

  • Add to current filter: Use this option to add the asset name as a search filter. See Searching Events.
  • Look up in OTX: This option searches the IP address of the source asset in the Open Threat Exchange page. See Using OTX in USM Anywhere
  • Add asset to system: Use this option to create the asset in the system. See Adding Assets.

Click the icon to access these options:

You can configure the view you want for the list of events. See Event Views for more information.

Click Generate Report to export events. See Exporting Events for more details.

The graph above the events list displays the amount of events in a period of time. You can change this period by clicking Created during filter.

Click the icon to access these options:

  • Actions / User: Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
  • Count / Time: Provides Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
  • Auth / User: Reports authorization actions.
  • Source Map: Provides the number of events associated with each country on a global map.

Click the icon to bookmark an item for quick access. Clicking the icon on the secondary menu shows the bookmarked items and provides links to them.

Click the icon to filter your search by row fields. See Filtering Events by Row Fields for more information.

You can also sort items by selecting 20, 50, or 100 below the result table. Some columns can be classified if you click the icons to the right side of the heading. You will sort the item information in ascending and/or descending order.

Configuring Columns

You can configure the columns and fields that display in the list and save your columns configuration to get back to it whenever you need it.

To configure your columns

  1. From the events list view, click the icon. The Columns Configuration dialog box displays.
  2. Search the columns you want to have in the list view. You can enter your search in the search box.
  3. Use the and icons to pass the items from one column to the other and select the columns you want to see.
  4. Click Apply.

Note: If you export a report when you have set custom columns, your report keeps the columns you have configured.

Important: If you want to keep your configuration, you need to save it by selecting Save View > Save as. Otherwise, your custom view is not kept when you move to another feature.