Documentation Center
AlienVault® USM Anywhere™

Searching Events

  Role Availability   Read-Only   Analyst   Manager

USM Anywhere includes several filters displayed by default. These filters allow you to search for your items of interest. You can either filter your search, or type what you are looking for in the search box, in the upper left-hand corner of the page.

You can configure more filters and change which filters are displayed clicking the Configure filters link, which is located at the end of the filters list.

Note: The management of filters is similar to that for assets. See Managing Filters for more information.

Filters displayed by default in the main Events page
Filter Name Meaning
Created during Filter eventsAny traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall. triggered in the last hour, last 24 hours, last 7 days, last 30 days, or last 90 days. You can also configure your own period of time by clicking the Custom Range icon (). This option allows you to customize a range and narrow it to delimit your search per minutes and seconds
Suppressed

Filter suppressed events. See Suppressing/Unsuppressing Events and Creating Suppression Rules from the Events page for more information

Not Suppressed Filter hiding suppressed events. The suppressed events are hidden by default.
Account Name Filter events by the account that has generated the event.
Data Source Plugin Filter events by the plugin used to normalize the event.
Event Name Filter events by the short, user-readable description of the event.
Source Name Filter events by the name of the external applicationA software program that performs some collection of tasks on a computer or some other programmable device. or device that produced the event.
Sensor Filter events by name of the USM Anywhere SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. that received the event.
Asset Groups When the hostReference to a computer on a network. for the event source/destination is an assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. belonging to one or more of your asset groupsAsset groups are administratively created objects that group similar assets for specific purposes., this field filters the asset group name or names.
Username Filter events by username associated with the asset that generated the event.

Note: See About the 'Was Fuzzied' Filter for further information about this filter.

The number between brackets displayed by each filter indicates the number of items that matches the filter. You can also use the filter controls to provide a method of organizing your search and filtered results. The icons next to each filter title are

Icons next to the filter title
Sort the filters alphabetically
Sort the filters by number of items that matches them

Across the top, you can see any filters you have applied. Remove filters by clicking the Close icon () next to the filter. Or clear all filters by clicking the Reset All Filters link.

Note: When applying filters, the search uses the logical AND operator if the used filters are different. However, when the filter is of the same type, the search uses the logical OR.

Those filters that have more than 10 options include a Filter Value search box for writing text and make the search easier.

USM Anywhere allows you to toggle the mode of search. The available modes are Standard and Advanced. You can change from one mode to the other by clicking the OFF icon () or clicking the ON icon () located in the upper left hand on the page.

Standard Mode

This mode allows you to select one value per filter at the same time and the search is automatically performed. This mode is ON by default.

To active the Standard Mode when the Advanced Mode is ON

  1. Navigate to ACTIVITY > EVENTS.
  2. Click the ON icon () located in the upper left hand on the page.
  3. Note: If you exit the advanced mode and the selected filters are not compatible with the Standard Mode, a warning popup window displays to inform you the current filters will be removed.

Advanced Mode

This mode allows you to select more than one value per filter at the same time. This mode is OFF by default.

To active the Advanced Mode

  1. Navigate to ACTIVITY > EVENTS.
  2. Click the OFF icon () located in the upper left hand on the page.
  3. The icon displays ON ().

To perform a search in the advanced mode

  1. Navigate to ACTIVITY > EVENTS.
  2. Active the advanced mode by clicking the OFF icon () located in the upper hand on the page.
  3. Click on the filters you want to select.
  4. Click Search.

Click Search Button in the alarm main page

Note: There is also a Search button which is positioned at the lower-left area of the filters.

To search using the operator NOT

  1. Navigate to ACTIVITY > EVENTS.
  2. Active the advanced mode by clicking the OFF icon () located in the upper left hand on the page.
  3. Click on the filter you want to exclude.
  4. Click Not in the filter group.
  5. Important: This operator is not available when you have clicked the checkbox of the title.

    Note: The selected filter displays this icon () and the filter chiclet is labeled in red.

To search all values of a filter

  1. Navigate to ACTIVITY > EVENTS.
  2. Active the advanced mode by clicking the OFF icon () located in the upper left hand on the page.
  3. Click the checkbox of a filter title.
  4. All filters are selected.

    Note: This option searches all filter values that are not empty. If the filter includes the [No Value], this value will not be checked not displayed. See Searching Events for further information.

About the [No Value]

The [No Value] is a special value available for some filters. Use this value when you want to filter items that do not have the filter property defined and do not match the others defined property values in the filter. You can use this [No Value] filter with other filter criteria and apply this value to an individual filter.

You can use this filter, for instance, for filtering events without an associated account name.

Click No Value in the events main page

Note: In the Data Source filter the value is [AlienVault Generic Plugin]. If you select this value, it means you are searching for events that do not have a specific pluginPlugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities.. See About the 'Was Fuzzied' Filter.

Searching Events by Using the Search Box

To search Events using the search box

  1. Navigate to ACTIVITY > EVENTS.
  2. Type your search in the Enter search phrase box.
  3. Note: If you want to search for an exact phrase having two or more words, you will need to put quotation marks around the words in the phrase.

  4. Click the Magnifying Glass icon ().
  5. The result of your search displays with the items identified.

About the 'Was Fuzzied' Filter

When USM Anywhere receives raw log data on the USM Anywhere Sensor, it tries to match them with plugins based on hints and manual associations. Sometimes that process fails and events are processed by the AlienVault Generic Plugin, which attempts to find some common information using "fuzzy" matching.  These events can be found by filtering by the data source plugin or the "Was Fuzzied" fields.

Important: An event having the "Was Fuzzied" field with the value 'true' has its data source property as "[empty]".

For more information about how this plugin attempts to normalize an unmatched log message, see The AlienVault Generic Plugin.

To search events that are not matched with a specific plugin

  1. Navigate to ACTIVITY > EVENTS.
  2. Click the Configure Filters link, which is positioned at the lower-right area of the filters.
  3. Search the filter Was Fuzzied.
  4. Click the Right Arrow icon () to select the filter.
  5. Click Apply.
  6. Search the Was Fuzzied plugin on the left panel.
  7. Click true. The number between parentheses indicates the number of events that were created with the built-in generic plugin.

Note: The false value displays the events that have an assigned plugin. The number between parentheses indicates the number of events.

Note: See Plugin Management for further information about plugins.

Filtering Events by Row Fields

USM Anywhere includes in the Events List View page a column with the Filter icon (). Use this icon to add filters to your search. When you click this icon, a popup window displays with the specific fields of that row.

To filter events by row fields

  1. Select ACTIVITY > EVENTS to open the Events List View page.
  2. Click the Filter icon () of the row you want to add the filters to.
  3. The Add Filters popup window appears.

    Add filters to your search of events by row fields

  4. Click on the fields you want to filter your search. Use the buttons Equals and Not to limit your search.
  5. Click Apply.
  6. The result of your search displays with the filters applied.