Documentation Center
AlienVault® USM Anywhere™

The USM Anywhere Event Processing Workflow

After USM Anywhere is installed in your environment, eventsAny traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall. start flowing through the system, so you can start gaining visibility into the type of events that are occurring, what natural or non-threatening activity is taking place, and what activity can be a possible attack. USM Anywhere also begins collecting other information about your network and various network devices such as firewallsVirtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them., routers and switches, servers, and applicationsA software program that performs some collection of tasks on a computer or some other programmable device.. In addition, it is discovering and determining possible vulnerabilities and threats to your environment.

The following illustration details a high level view of events and other information from your network environment as it is collected or generated by the USM Anywhere SensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. and delivered to the USM Anywhere for processing.

The USM Anywhere Sensor combines assetAn IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. discovery, vulnerability assessmentVulnerability assessment uses active network vulnerability scanning and continuous vulnerability monitoring to provide one of the five essential capabilities., threat detection, and behavioral monitoringProcess of collecting all device status and event information and processing normalized events for evidence of vulnerabilities, possible attacks, and other malicious activity. to provide full situational awareness. The USM Anywhere Sensor is the front-line security module of the USM Anywhere platform and provides detailed visibility into your environment, vulnerabilities, attack targets and vectors, and services.

The USM Anywhere Sensor receives data and other activity or status information from devices and normalizes the information into a standardized event format. After the event is normalized, the USM Anywhere Sensor sends the normalized event to USM Anywhere, which tries to match every event with a pluginPlugins specify how to collect and normalize raw information from devices to create events that can then be analyzed to determine threats and vulnerabilities. and saves it.

USM Anywhere provides a unified management interface through the web UI that combines security automation, and OTXThe world’s first truly open threat intelligence community. Enables collaborative defense with open access, collaborative research, seamless integration with USM Anywhere and USM Appliance, and plugin capabilities for other security products. and threat intelligenceEvidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging hazard to assets that can be used to inform decisions regarding the subject's response to that hazard. from the AlienVault Labs Security Research Team to correlate data, spot anomalies, reduce risk, and improve operational efficiency.

CorrelationCorrelation identifies potential security threats by identifying relationships between multiple types of events occurring in two or more assets. can be done logically, where events can be compared to patterns and multiple conditions can be connected by using logical operators such as OR and AND. Correlation can also be calculated using cross-correlation, where events are correlated with vulnerabilityA known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security. data. After events are processed and correlated, USM Anywhere performs risk analyses and triggers an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. if the risk of the event is high enough.