Applies to Product: USM Appliance™, AlienVault OSSIM®
An alarm in AlienVault USM Appliance consists of one or more events, and is created in one of the following ways:
One or more out-of-the-box directives, or rules, run by the correlation engine of the USM Appliance Server. These examine and connect multiple events to assess their relative priority and reliability. The resulting events are then re-injected into the USM Appliance Server process as though they had come from the USM Appliance Sensor. For more information about correlation rules, see Correlation Rules.
Elevated parameters that USM Appliance evaluates, based on existing policy configurations and event risk. An alarm is generated when the risk of an event is >= 1. Because risk is calculated as Risk = asset value * (reliability * priority / 25), the likelihood of an alarm is directly influenced by the value assigned to the asset or network. Consider your correlation settings alongside these risk values: you may want multiple directive rules, each tuned to different reliability and asset values. For more information about directives, see Event Correlation.
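The following is an added example, not code from AlienVault or the USM Appliance product, that applies the risk formula stated above to a handful of constructed events and shows which of them would cross the alarm threshold. The formula and the threshold (risk >= 1) are taken from this page; the value ranges it enforces (asset value 0-5, priority 0-5, reliability 0-10) and the absence of rounding are assumptions, not something the page states.

```python
"""Added example (not AlienVault's code): apply USM Appliance's documented
risk formula to decide whether an event becomes an alarm.

From the page:   Risk = asset value * (reliability * priority / 25)
                 An alarm is generated when Risk >= 1.
Assumed here:    asset value 0-5, priority 0-5, reliability 0-10, no rounding.
"""
from dataclasses import dataclass

ALARM_THRESHOLD = 1.0          # from the page: alarm when risk >= 1

ASSET_VALUE_RANGE = (0, 5)     # assumed scale, not stated on the page
PRIORITY_RANGE = (0, 5)        # assumed scale, not stated on the page
RELIABILITY_RANGE = (0, 10)    # assumed scale, not stated on the page


def _check_range(name, value, lo, hi):
    """Reject inputs outside the assumed scale so a typo cannot silently
    inflate or suppress risk."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")


def risk(asset_value, priority, reliability):
    """Risk of a single event, exactly as the page's formula defines it."""
    _check_range("asset_value", asset_value, *ASSET_VALUE_RANGE)
    _check_range("priority", priority, *PRIORITY_RANGE)
    _check_range("reliability", reliability, *RELIABILITY_RANGE)
    return asset_value * (reliability * priority / 25)


def is_alarm(asset_value, priority, reliability):
    """True when the event's risk reaches the alarm threshold."""
    return risk(asset_value, priority, reliability) >= ALARM_THRESHOLD


@dataclass
class Event:
    name: str
    asset_value: int
    priority: int
    reliability: int


# Constructed sample events (hypothetical values, not real USM output).
# The first pair shows the same event on two assets of different value;
# the second pair shows a directive raising reliability as it progresses.
SAMPLE_EVENTS = [
    Event("failed SSH login, lab host",          asset_value=2, priority=3, reliability=4),
    Event("failed SSH login, domain controller", asset_value=3, priority=3, reliability=4),
    Event("directive level 1, first match",      asset_value=5, priority=2, reliability=2),
    Event("directive level 3, pattern confirmed", asset_value=5, priority=2, reliability=5),
]


def triage(events):
    """Return (name, risk rounded to 2 places, alarm?) for each event."""
    return [
        (e.name,
         round(risk(e.asset_value, e.priority, e.reliability), 2),
         is_alarm(e.asset_value, e.priority, e.reliability))
        for e in events
    ]


def alarm_names(events):
    """Names of the events that would be raised as alarms."""
    return [name for name, _, fired in triage(events) if fired]


if __name__ == "__main__":
    for name, r, fired in triage(SAMPLE_EVENTS):
        print(f"{'ALARM' if fired else 'event'}  risk={r:<5} {name}")
```

Note that the two SSH events differ only in asset value, yet one stays an event (risk 0.96) and the other becomes an alarm (risk 1.44); this is the effect the paragraph above describes, and it is why asset values deserve the same review as the directives themselves.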
Depending on how your policies are configured, this can account for alarms coming from various sources. For example, policies set up in the Default policy group can process alarms from events, while Policies for events generated in the server will only target server events. For more information about policy groups, see The Policy View.
Alarms are generated and processed differently for events related to OTX pulses. For more information, see Viewing OTX Alarms.
AlienVault OSSIM Limitations: Alarms in AlienVault OSSIM lack the built-in context provided in USM Appliance. The work compiled by the AlienVault Labs Security Research Team to analyze and validate OTX threat data is available in both USM Appliance and AlienVault OSSIM.