|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
|Date||Date and time USM Appliance completed alarm correlation.|
|Status||Whether or not the alarm is open and still correlating, or closed.|
|Intent & Strategy||
Describes the attack pattern of indicators intruding on your system.
Intent and strategy are based on the taxonomy, or classification, of adirective. For example, a directive of AV Malware might have an “intent” of system compromise, with a "strategy" of suspicious behavior. When alarms come from OTX pulses, the Intent is always Environmental Awareness and the Strategy is OTX Indicators of Compromise.
Note: Due to the size of the field label, only the strategy is visible from the Alarms list. However, when you click the row, thereby expanding the Alarms tray, the strategy becomes visible.
The taxonomy for alarms with IP reputation data is based on the directive that generated the alarm.
|Method||If known, the method of attack or infiltration associated with the indicator that generated the alarm. For OTX pulses, the method is the pulse name.|
Risk level of an alarm, which can be Low (1), Medium (2), or High (>=3) .
Risk calculation is based on the formula: Asset ValueSpecifies an asset’s importance or criticality relative to other managed assets. * Event ReliabilitySpecifies the likelihood that the event is accurate. It ranges from 0 to 10. * Event PriorityDefines how urgently the event should be investigated. It ranges from 0 to 5. / 25 = Risk
So if Asset Value = 3, Reliability = 4 and Priority = 5, the risk would be 3 * 4 * 5 / 25 = 2.4 (rounded down to 2), therefore the Risk value is Medium.
OTX icon present when events causing the alarm contained IP Reputation-related data or were from IoCs related to an OTX pulse.
|Source||Hostname or IP address of the source, with national flag if country is known, for an event creating the alarm.|
|Destination||Hostname or IP address of the destination, with national flag if country is known, that received the events generating the alarm.|