
Best Recent Content

  • What We’re Working On – USM Anywhere

    Product teams should be like restaurants with open kitchens.

    Rather than bring your next meal or software update from behind a mysterious curtain, we’d like to give you a sneak peek into what we’re up to. So here are a few things you can expect in an upcoming release:

    Sensor Deployment Behind a Web Proxy: Support organizational requirements that traffic be directed through a proxy and not directly to a device on your internal environment by allowing the USM Anywhere Sensor to be deployed behind a web proxy.

    Customer REST API: Provide a documented Customer REST API so that customers can access USM Anywhere data directly through URL paths, enabling automation, integration and reporting outside of the USM Anywhere UI.

    User Permission Restrictions: Allow you to create USM Anywhere users with limited ability to make configuration changes, in order to provide auditors, contractors and other non-administrative personnel with restricted access to the UI.

    ISO 27002 Reports: Enable organizations that need to comply with International Organization for Standardization (ISO) requirements by providing predefined views that map to specific ISO 27002 requirements.

    Unauthenticated Vulnerability Scans: We plan to provide an alternative method of vulnerability scanning that does not require entering asset credentials.

    Improved Docker Container Support: USM Anywhere can currently collect logs from applications running within a Docker container in AWS deployed using the Amazon EC2 Container Service (ECS), using AWS CloudWatch to aggregate the logs from each container. We are looking to improve our Docker support through a direct integration with the Docker API, which will provide additional information about the containers themselves.

    HIPAA Reports: Enable organizations that need to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements by providing predefined views that map to specific requirements. (Delivered in the 2017-08-14 Update)

    NIST Cybersecurity Framework (CSF) Reports: Provide a set of out-of-box reports based on the NIST Cybersecurity Framework (NIST CSF). NIST CSF provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. (Delivered in the 2017-08-14 Update)

    Improved AlienVault Open Threat Exchange™ (OTX) Integration: Enable USM Anywhere to evaluate incoming Events against the latest Indicators of Compromise (IOCs) synchronized from your OTX account. (Delivered in the 2017-07-25 Update)

    Azure Web Apps Support: Enable you to monitor Azure Web Apps, a service which allows developers to quickly build websites and web apps in Azure. (Delivered in the 2017-07-25 Update)

    Multi-factor Authentication: Support the option to enable multi-factor authentication (MFA) for login to the USM Anywhere UI by scanning a QR code. (Delivered in the 2017-07-18 Update)

    Predefined Views for PCI DSS: Assist organizations that need to comply with Payment Card Industry Data Security Standards (PCI DSS) by providing predefined views that map to specific requirements. (Delivered in the 2017-06-20 Update)

    Improved Vulnerability Management: Enable you to better track vulnerabilities by being able to apply labels to show status, for instance, to indicate if a vulnerability is open or has been remediated. (Delivered in the 2017-06-13 Update)

    G Suite (formerly Google Apps) Integration: Allow you to monitor user activity in Google Apps including logins and file updates. (Delivered in the 2017-04-25 Update)

    Office 365 Integration: Allow you to monitor user activity in the Microsoft Office 365 suite of cloud applications, including Exchange, SharePoint, OneDrive, and Azure Active Directory. (Delivered in the 2017-04-04 Update)

    Alarm Notification Link to More Details: Support a link in alarm notifications to a product page that you can log in to for more details. (Delivered in the 2017-03-27 Update)

    Alarm Labels: Support better alarm management by allowing you to create and apply labels to indicate status or assignment. (Delivered in the 2017-03-27 Update)

    Improved Group Credentials: VMs and instances come and go in cloud environments, so we plan to make it easier to manage credentials for dynamic Asset Groups used for authenticated asset scans. This will enable automatic assignment of Asset Group credentials to Assets that join the Group after the credentials were assigned. (Delivered in the 2017-03-27 Update)


    AlienVault considers various features and functionality prior to any final generally available release. As such, comments given in this forum are not (nor should they be interpreted to be) a commitment from AlienVault that it will deliver any specific feature or, if it delivers such feature, any time frame when that feature will be delivered. AlienVault is always trying to improve and enhance its products. All discussions herein are based upon product team current interests, and product team plans and priorities can change at any time.
  • Plugins Feed Update - September 5, 2017

    Plugins Feed Update - 2017-09-05
    For configuration samples and instructions on how to send MS Windows logs to USM Appliance using NXLog see:

    How to configure NXLog based plugins
    New plugins available
    • Added new plugin for NBS System Naxsi (naxsi).
    • Added new plugin for VMware Single Sign on Server (vmware-sso).
    • Added new IDM plugin for Carbon Black Enterprise Response (carbonblack-idm).

    HIDS rules and decoders

    How to enable new HIDS rules
    • Updated AlienVault-HIDS rules to extract the full username in "SU" events even if they contain a punctuation mark.

    Issues fixed
    • Updated Fortinet FortiGate (fortigate) plugin to parse severity, attack, attack ID and Client Risk Score.
    • Updated Check Point Firewall (fw1-alt) plugin to match logs forwarded with the CPLogToSyslog utility and capture new attributes from VPN, FireWall, and URL Filtering products.
    • Updated HP Switch (hp-switch) plugin to match new port security violation events.
    • Updated Microsoft Exchange Server (exchange-nxlog) plugin to parse the username correctly.
    • Updated VMware ESXi (vmware-esxi) plugin to extract more useful data.
    • Updated Cisco Firesight (cisco-firesight) plugin to match new SFIMs events.
    • Updated Carbon Black Enterprise Protection (bit9_v7) plugin to match events from devices with version
    • Updated DELL SonicWALL Scrutinizer (sonicwall) plugin to add "ICMPv6 packet from LAN dropped" event and to identify source and destination addresses.
    • Updated Microsoft Office 365 Advanced Security Management (o365-asm) plugin to match some missing policy alert events.
    • Updated Carbon Black Enterprise Response (carbonblack) plugin to fix some issues with data extraction regarding device and source IP addresses.
    • Updated Cisco Meraki (cisco-meraki) plugin to extract more info from event logs.
    • Updated AlienVault-HIDS (ossec-single-line) plugin to extract more info from SQL Injection events (RID 31103).
    • Updated AlienVault-HIDS plugin to solve a defect preventing Windows AppLocker events being parsed correctly. Now those events will always extract the user involved (RIDs 110020 - 110025).
    • Updated RSA Authentication Manager (rsa-authentication-manager) plugin to make it selectable while creating new directives.
    • Updated FireEye Control Manager (fireeye-cm) plugin to parse some new events.
    • Updated Cylance Protect (cylance) plugin to change the taxonomy in some events to a more appropriate category/subcategory.
    • Updated Cisco Nexus NX OS (cisco-nexus-nx-os) plugin taxonomy to match events correctly.
  • Office 365/Azure logs to USM Appliance

    I am currently working on this solution now; we are pulling down our Azure Active Directory audit logs and a few others. Working out the next steps of building the plugin and getting the data to feed into the USM.

    More to come soon.