When you sign up for and connect your Open Threat Exchange® (OTX) account to your USM Anywhere deployment, it configures USM Anywhere to receive raw pulse data and other IP reputation information. (Reputation data is updated separately from OTX pulse information.)
USM Anywhere then correlates that data with incoming events, alerting you to OTX pulse and IP Reputation-related security events and alarms when it detects IOCs (Indicators of Compromise) interacting with assets in your environment. Such interactions might consist of malicious IPs communicating with systems, malware detected in your network, or outbound communication with command-and-control (C&C) servers.
Connecting OTX to USM Anywhere helps manage risks and threats in these ways:
- USM Anywhere receives threat updates every 15 minutes in the form of raw data for all pulses to which you subscribe, either directly or through subscriptions to other OTX users.
- You receive updates on your subscribed pulses by email, either individually as they occur or in digest mode.
- You can review an OTX pulse activity feed containing detailed analytics about related threat vectors reported by OTX.
- As soon as you log into USM Anywhere, you can see which pulses are most active in your environment by looking at the Open Threat Exchange Dashboard.
- USM Anywhere evaluates IOCs against all events as they are generated, and raises an alarm when a malicious IP address communicates with any of your assets or when any other IOC becomes active in your network.
OTX Account and OTX Key
USM Anywhere enables you to display OTX information if you have a valid OTX key. Go to Settings > Threat Intelligence to see the AlienVault OTX page.
See Entering your OTX Key for more information about how to enter your OTX key.
OTX IP Reputation Data Correlated with Events
USM Anywhere maintains an IP reputation list that stores data it receives from OTX about public IP addresses involved in malicious or other suspect activities. Whenever an event has its source or destination IP address listed in the IP Reputation list, reputation data is added to the data stored for the event. This enables USM Anywhere to support additional features such as re-prioritization of events and alarms depending on the IP addresses of the hosts involved.
The IP reputation list maintained by USM Anywhere is stored on the USM Anywhere Cloud. The Activity, Reliability, and Priority values provided by OTX are saved with the event information for those events having reputation data for either the source or destination IP address.
The main purpose of the IP reputation list is to provide a list of known or potentially dangerous IP addresses. If an alarm or event is generated by the action of a listed dangerous IP address, that event has a smaller probability of being a false positive. This also enables recalculation of event/alarm risk depending on its "IP Reliability" and "IP Priority" values.
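The enrichment step described above, as an added example that is not USM Anywhere's code: an event whose source or destination IP is on a reputation list gets the Activity, Reliability and Priority values attached and its risk recomputed. The field names, the 1..10 scales, the constructed reputation entries (documentation-range addresses) and the risk formula are all assumptions; the page does not give USM Anywhere's actual formula.

```python
"""Illustrative IP reputation enrichment modelled on the page's description.
Added example code, not USM Anywhere's implementation; the field names,
value scales, sample list and risk formula are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Reputation:
    activity: str     # OTX activity label, e.g. "C&C", "Scanning Host" (assumed labels)
    reliability: int  # assumed 1..10 scale
    priority: int     # assumed 1..10 scale


# Constructed reputation list using documentation-range addresses; not real OTX data.
REPUTATION = {
    "203.0.113.10": Reputation("C&C", reliability=8, priority=9),
    "198.51.100.7": Reputation("Scanning Host", reliability=4, priority=3),
}

# The list holds public IPs only, so internal ranges can never match; skipping
# them early also avoids a lookup on every purely internal event.
NON_PUBLIC = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def lookup(ip: str) -> Optional[Reputation]:
    """Return the reputation entry for a public IP, or None."""
    addr = ip_address(ip)
    if any(addr in net for net in NON_PUBLIC):
        return None
    return REPUTATION.get(ip)


def enrich(event: dict, base_risk: int = 1) -> dict:
    """Return a copy of the event with reputation fields and a recalculated risk."""
    out = dict(event)
    hits = []
    for side in ("src_ip", "dst_ip"):
        rep = lookup(event[side])
        if rep is not None:
            out[f"{side}_activity"] = rep.activity
            out[f"{side}_reliability"] = rep.reliability
            out[f"{side}_priority"] = rep.priority
            hits.append(rep)
    if hits:
        # Assumed formula: raise the base risk by the worst matching entry's
        # priority x reliability (scaled), capped at 10.
        worst = max(hits, key=lambda r: r.priority * r.reliability)
        out["risk"] = min(10, base_risk + round(worst.priority * worst.reliability / 10))
    else:
        out["risk"] = base_risk
    out["reputation_hit"] = bool(hits)
    return out


if __name__ == "__main__":
    # Constructed events: an outbound connection to a listed C&C, and a purely internal one.
    for ev in ({"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "sig": "outbound tcp/443"},
               {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.20", "sig": "smb session"}):
        print(enrich(ev))
```

Only the worst-scoring side drives the risk, so an internal host scanning a listed scanner is not escalated as far as a host talking to a listed C&C; the per-side fields are kept so the UI filters described later can still show which end matched.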
Note: Reputation events are anonymized and submitted to the AlienVault OTX service for those customers who enable that capability in USM Anywhere. With the feedback received from customer systems and all the other sources AlienVault uses, the IP Reputation values are updated before being redistributed to customers.
Displaying Alarms and Events Based on OTX Pulse and IP Reputation
The USM Anywhere Alarms and Events web UI provides methods of searching for and filtering alarms and security events based on OTX pulse and IP Reputation information. For each event, the database stores the information OTX provides about the source and destination IP addresses, together with the activity reported for them, for example spamming, phishing, scanning, malware distribution, and so on.
Unlike the way other alarms are processed, USM Anywhere generates an alarm whenever it detects even one event associated with an OTX pulse. Alarm correlation begins at that point and proceeds for a period of 24 hours. During this time, USM Anywhere adds any new events related to that pulse to the same alarm.
If any new events related to the pulse occur after that 24-hour period, USM Anywhere generates a second alarm and a new correlation period begins. As an exception to this rule, if an event matches OTX IP Reputation data, USM Anywhere correlates it using its standard directive taxonomy rather than this per-pulse rule.
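The per-pulse 24-hour rule above, as an added example that is not USM Anywhere's code: the first event matching a pulse opens an alarm, later events for the same pulse inside the window join it, and an event at or past the window boundary opens a second alarm. The pulse JSON shape (an "indicators" list with "type" and "indicator" keys), the event field names and the sample data are assumptions.

```python
"""Illustrative pulse-based alarm correlation with a 24-hour window per pulse.
Added example code, not USM Anywhere's implementation; the pulse JSON shape,
event field names and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)

# Constructed pulse in an assumed OTX-like JSON shape; not a real pulse.
PULSE = {
    "id": "pulse-0001",
    "name": "Example C&C infrastructure",
    "indicators": [
        {"type": "IPv4", "indicator": "203.0.113.10"},
        {"type": "domain", "indicator": "c2.example.net"},
    ],
}

# Which event fields are compared against which indicator types (assumed mapping).
EVENT_FIELDS = {"src_ip": "IPv4", "dst_ip": "IPv4",
                "domain": "domain", "sha256": "FileHash-SHA256"}


def pulse_index(pulses):
    """Map (indicator type, value) -> set of pulse ids so matching is a dict lookup."""
    index = defaultdict(set)
    for p in pulses:
        for ind in p["indicators"]:
            index[(ind["type"], ind["indicator"])].add(p["id"])
    return index


def matching_pulses(event, index):
    """Return the ids of every pulse that has an indicator present in this event."""
    ids = set()
    for field, ind_type in EVENT_FIELDS.items():
        value = event.get(field)
        if value:
            ids |= index.get((ind_type, value), set())
    return ids


def correlate(events, pulses):
    """Group pulse-matching events into alarms: one open alarm per pulse per 24h window."""
    index = pulse_index(pulses)
    open_alarms = {}   # pulse id -> the alarm currently accepting events
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for pid in sorted(matching_pulses(ev, index)):
            alarm = open_alarms.get(pid)
            # Window is [opened, opened + 24h); at or past the boundary a new alarm starts.
            if alarm is None or ev["time"] - alarm["opened"] >= WINDOW:
                alarm = {"pulse_id": pid, "opened": ev["time"], "events": []}
                alarms.append(alarm)
                open_alarms[pid] = alarm
            alarm["events"].append(ev)
    return alarms


T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
# Constructed events: three pulse hits (two inside one window, one 30h later)
# and one unrelated event that must not produce an alarm.
SAMPLE_EVENTS = [
    {"time": T0, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10"},
    {"time": T0 + timedelta(hours=1), "src_ip": "10.0.0.8", "domain": "c2.example.net"},
    {"time": T0 + timedelta(hours=30), "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10"},
    {"time": T0 + timedelta(hours=2), "src_ip": "10.0.0.5", "dst_ip": "192.0.2.44"},
]


def demo():
    return correlate(SAMPLE_EVENTS, [PULSE])


if __name__ == "__main__":
    for a in demo():
        print(a["pulse_id"], a["opened"].isoformat(), len(a["events"]), "event(s)")
```

The window is anchored on the alarm's first event, not on its most recent one, which is why a steady trickle of hits against a noisy pulse still splits into one alarm per day rather than one ever-growing alarm; unsubscribing from the pulse, as the note below says, is the way to stop that stream entirely.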
Note: If an OTX pulse is creating too much noise and generating too many false positive alarms, you can always just unsubscribe from the pulse.
USM Anywhere does not offer a filter for IP Reputation-based alarms. However, you can view these within the Alarms list, where they occur. See Alarms List View for more information.
You can configure the columns/fields related to OTX information to be displayed in the list and save your columns configuration to get back to it whenever you need it. See Configuring Columns on Alarms for more information.
Important: The "Suspicious Behavior - OTX Indicators of Compromise" correlation rule generates alarms if the pulse comes from the AlienVault OTX account.
Searching, Filtering, and Viewing Events
From the USM Anywhere Events main page, you can search for and filter events based on whether OTX pulses exist for source or destination IP addresses, as well as the severity of different IP Reputation scores. See Events List View for more information.
[Screenshot not reproduced: the OTX search/filter options on the Events page.]
You can configure the columns/fields related to OTX information to be displayed in the list and save your columns configuration to get back to it whenever you need it. See Configuring Columns for more information.
Once you have made your selection, the Events list is updated to show only those events matching the IP Reputation criteria you specified, plus OTX pulse information if you selected that option.
In the Events main page, you can click the OTX icon to display the OTX IP Reputation information available for an event. This icon opens the AlienVault OTX page.