AlienVault® USM Appliance™

Create a Ticket

Applies to Product: USM Appliance™, AlienVault OSSIM®

A ticket is a tracking tool that contains information about detected alarms or any other issues that you want to manage in a workflow. When dealing with alarms and events, the best practice is to always keep track of progress and insights into the issue by creating a ticket, either through the USM Appliance ticketing system or through your own company's ticketing system, if applicable. Creating a ticket for an alarm or event not only helps in a future investigation, it also creates an audit trail of what you saw, what actions were taken, and how the issue progressed.

Methods to Create a Ticket

You can open a ticket in several ways:

  • Automatically — based on a configured policy.
  • Automatically — as a response to a detected vulnerability.
  • Manually — during an alarm investigation.
  • Manually — unrelated to an alarm or an event.
  • Manually — from the administration menu by going to Configuration > Administration > Main > Tickets.

For information about automating the creation of internal and external tickets based on a policy or a detected vulnerability type, see Create an Action.

Open Tickets Automatically

To have USM Appliance open tickets when a new alarm is generated

  1. Go to Configuration > Administration > Main.
  2. Expand Tickets > Open Tickets for new alarms automatically?
  3. Click Yes.

To customize vulnerability scan automatic ticket settings

  1. Go to Configuration > Administration > Main.
  2. Expand Vulnerability Scanner.
  3. Select the ticket threshold for when new tickets are generated in the Vulnerability Ticket Threshold dropdown.

Create a Ticket Manually While Investigating an Alarm

To open a ticket manually

  1. Go to Analysis > Alarms > List View (or Group View) and click on the desired alarm.

  2. Click View Details.
  3. From the Alarms Detail page, click Actions > Create Ticket.
  4. Assign a priority to the ticket and assign it to an administrative user.
  5. Click Save.

    Note: You can also open a remediation ticket from the Security Events (SIEM) Events list, using the same steps.

Create a Ticket Independent from an Alarm

To open a ticket manually from the Tickets page

  1. From Analysis > Tickets, select the type of ticket you want to open and click Create.

    Note: You can create a custom ticket type by clicking on the pencil icon in the Type column.

  2. Fill in the fields of the dialog box with relevant information to this ticket, including to whom to assign the ticket.

    Note: Only tickets created from an alarm contain pre-filled fields.

  3. Click Save.

Ticket Labels

Ticket tags can be used as a quick method of identifying and filtering tickets. USM Appliance comes configured with two default tags that can be assigned to tickets: AlienVault_INTERNAL_PENDING and AlienVault_INTERNAL_FALSE_POSITIVE. Tickets generated by the vulnerability scans are automatically assigned the AlienVault_INTERNAL_PENDING tag to indicate that the vulnerability hasn't been investigated yet.

To create new label types:

  1. Go to Analysis > Tickets.
  2. Click the label icon and click Manage Labels.
  3. Give the new label a name and description and choose a color for the label.
  4. Click Save.