AlienVault® USM Appliance™

Defining Advanced Search Criteria for Security Events (SIEM)

Applies to Product: USM Appliance™, AlienVault OSSIM®

This topic describes how to define advanced search criteria when performing a search on Analysis > Security Events (SIEM).

When you click Advanced Search, the following window opens:

Advanced Search Window

This new window allows for detailed search on Event Time, Priority, IP, Event Name (available since version 5.6), Payload, or Event Taxonomy. Click Query DB to start the search after you have specified the criteria.

Event Time

This option allows fine-grained filtering for events that occurred at a specific date and time.

Use the "time" dropdown to select greater than (>), less than (<), or not equal (!=) operators. You can use a wildcard (*) when specifying the time of the event. Select the "AND" or "OR" operator if you need to limit the search within two time settings.

Example:

In the screenshot below, the selections made will search for events that occurred after (>=) 10:00:00 AND before (<=) 11:00:00 on the 12th of July 2018, reducing the time frame to one particular hour on one specific date.

Event Time Example

Priority

This filter allows you to specify the Asset Value (an asset's importance or criticality relative to other managed assets), the Event Reliability (the likelihood that the event is accurate; ranges from 0 to 10), and the Event Priority (how urgently the event should be investigated; ranges from 0 to 5) individually.

Example:

In the screenshot below, the options specified will search for events with an Asset value of 2, a Reliability greater than 4, and a Priority of 3 or more.

Priority Selection

IP Filter

Click IP Filter to display the options, which allow you to specify Layer 3 IP addresses and Layer 4 TCP or UDP protocols.

IP Filter

Click Add More to specify additional IP addresses. You can select "AND" or "OR" to combine them:

IP Filter with 2 IP addresses

If you want to add a port number for TCP or UDP, click the corresponding button to display the options. For example:

IP Filter, TCP port

Click Add More to specify additional port numbers. You can select "AND" or "OR" to combine them.

Event Name

Click Event Name to display the option, which allows you to specify one or more event names to search for. When you enter more than one event name, USM Appliance finds the events matching any of them. In the example below, USM Appliance will look for both the "SSHd: Connection closed" events and the "AlienVault HIDS: Login session closed" events.

Note: This filter is only available in USM Appliance version 5.6 and later.

Payload Filter

Click Payload Filter to display the options, which allow you to specify what you want to search in the payload of an event.

Payload filter

Using the Encoding and Convert To dropdowns, you can convert the search string from ASCII to HEX, for example, should the payload you are matching require it.

Click Add More to specify additional payload criteria. You can select "AND" or "OR" to combine them.

Example:

The example below specifies criteria to search for events that contain the string "testmyids.com" OR "google.com" in the payload:

Payload filter example

Important: Do not include quotes when entering the search strings.

Event Taxonomy Filter

Event Taxonomy Filter allows you to search for events by their taxonomy, that is, by product type and event category.

Event taxonomy filter

For details on product type and event category, see Event Taxonomy — Product Types and Categories.
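The filters above (Event Time, Priority, IP Filter, Event Name, Payload Filter) are combined in the window with AND and OR. The following Python is an added example, not USM Appliance code, that models those criteria as composable predicates and runs them over a handful of constructed events, so you can see which events each filter and each combination keeps. The Event fields, the function names and the sample events are assumptions made for this example; the ASCII-to-HEX helper shows what the Convert To dropdown does to a search string.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed, minimal view of a normalized SIEM event. The field names are
# assumptions for this example, not the USM Appliance database schema.
@dataclass
class Event:
    name: str
    time: datetime
    asset_value: int
    reliability: int   # 0..10
    priority: int      # 0..5
    src_ip: str
    dst_ip: str
    proto: str         # "tcp" or "udp"
    dst_port: int
    payload: bytes

Predicate = Callable[[Event], bool]

def all_of(*preds: Predicate) -> Predicate:
    """Combine criteria the way the window's AND operator does."""
    return lambda e: all(p(e) for p in preds)

def any_of(*preds: Predicate) -> Predicate:
    """Combine criteria the way the window's OR operator does."""
    return lambda e: any(p(e) for p in preds)

def time_between(start: datetime, end: datetime) -> Predicate:
    """Event Time: time >= start AND time <= end, as in the page's example."""
    return lambda e: start <= e.time <= end

def priority_filter(asset_value: Optional[int] = None, reliability_gt: Optional[int] = None,
                    priority_ge: Optional[int] = None) -> Predicate:
    """Priority: Asset Value, Reliability and Priority are each tested individually."""
    def pred(e: Event) -> bool:
        if asset_value is not None and e.asset_value != asset_value:
            return False
        if reliability_gt is not None and not e.reliability > reliability_gt:
            return False
        if priority_ge is not None and not e.priority >= priority_ge:
            return False
        return True
    return pred

def ip_filter(ip: str, proto: Optional[str] = None, port: Optional[int] = None) -> Predicate:
    """IP Filter: Layer 3 address (source or destination) plus an optional Layer 4 port."""
    def pred(e: Event) -> bool:
        if ip not in (e.src_ip, e.dst_ip):
            return False
        if proto is not None and (e.proto != proto or (port is not None and e.dst_port != port)):
            return False
        return True
    return pred

def event_name_in(*names: str) -> Predicate:
    """Event Name: with several names, an event matching any of them is returned."""
    wanted = set(names)
    return lambda e: e.name in wanted

def ascii_to_hex(term: str) -> str:
    """What the Convert To dropdown does to a search string: ASCII -> HEX."""
    return term.encode("ascii").hex()

def payload_contains(term: str, encoding: str = "ascii") -> Predicate:
    """Payload Filter: substring match on the raw payload. The term is given either
    as plain ASCII or as hex digits, without surrounding quotes."""
    needle = bytes.fromhex(term) if encoding == "hex" else term.encode("ascii")
    return lambda e: needle in e.payload

def query_db(events: List[Event], criteria: Predicate) -> List[str]:
    """Return the names of the events that satisfy the combined criteria."""
    return [e.name for e in events if criteria(e)]

def sample_events() -> List[Event]:
    """Constructed sample events for 12 July 2018 (not real data)."""
    t = lambda hhmm: datetime(2018, 7, 12, *map(int, hhmm.split(":")))
    return [
        Event("SSHd: Connection closed", t("10:15"), 2, 5, 3, "10.0.0.5", "10.0.0.10", "tcp", 22,
              b"GET / HTTP/1.1\r\nHost: testmyids.com\r\n"),
        Event("AlienVault HIDS: Login session closed", t("11:30"), 2, 5, 3, "10.0.0.7", "10.0.0.10",
              "tcp", 22, b"session closed"),
        Event("Suricata: DNS query", t("10:45"), 2, 3, 4, "10.0.0.5", "10.0.0.53", "udp", 53,
              b"query google.com"),
        Event("SSHd: Connection closed", t("10:50"), 2, 7, 2, "10.0.0.5", "10.0.0.10", "tcp", 22,
              b"disconnect"),
    ]

def example_queries() -> Dict[str, List[str]]:
    """Run the page's example criteria, singly and combined, over the sample events."""
    ev = sample_events()
    window = time_between(datetime(2018, 7, 12, 10, 0, 0), datetime(2018, 7, 12, 11, 0, 0))
    prio = priority_filter(asset_value=2, reliability_gt=4, priority_ge=3)
    return {
        "time": query_db(ev, window),
        "priority": query_db(ev, prio),
        "time_and_priority": query_db(ev, all_of(window, prio)),
        "ip_tcp22": query_db(ev, ip_filter("10.0.0.5", proto="tcp", port=22)),
        "names": query_db(ev, event_name_in("SSHd: Connection closed",
                                            "AlienVault HIDS: Login session closed")),
        "payload_or": query_db(ev, any_of(payload_contains("testmyids.com"),
                                          payload_contains("google.com"))),
        "payload_hex": query_db(ev, payload_contains(ascii_to_hex("testmyids.com"), encoding="hex")),
    }

if __name__ == "__main__":
    for label, names in example_queries().items():
        print(f"{label}: {names}")
```

Note that the HEX form of a payload term matches exactly the same events as its ASCII form; converting only changes how you type the term, which is useful when the payload bytes you want to match are not printable.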

AlienVault OSSIM Limitations: The USM Appliance SIEM engine has more diverse capabilities in handling events due to its built-in correlation abilities and graph-based analytics.