Hey, my name is Scott, and I work with the technical team here at AlienVault. In this series, I will be sharing some of my favorite USM tips and tricks. These posts are intended to help you be more successful with USM, to highlight valuable resources, and to answer other questions you may have. Feel free to leave requests for future topics, along with any other feedback, in the comments below. I look forward to hearing from you.
Our first topic highlights one of THE most powerful features of the AlienVault SIEM view: the ability to create custom views and save them both as reusable views and as report modules.
First, navigate to the SIEM view (“Analysis-->SIEM”) and select your search criteria, be it a data source, asset or asset group, date range, etc., until the results look the way you want them.
Then click the “Change View” button and select “Edit Current View” (or “Create New View” if you want to start from scratch). Set the “View Name:” field to a meaningful name, like “Cisco VPN Logins.” (Do this first to avoid accidentally overwriting the current view.) Make sure the “Include custom search criteria…” check box is ticked; that ensures your selected search terms are preserved. After that, select which fields you wish to display, and remove those that aren’t useful.
Verify you have set a unique view name, and hit the “Save As” button. Change your view to the new one; it will be in the list, but at the bottom. Verify everything looks as you like it, and notice that the search criteria are preserved.
One last step: let’s create a report module from this view. Click the “Change View” button and select “Edit Current View” again. Remember seeing the “Save as report module” button? Click it, and it will save a report module under “Reports”-->“All Reports”-->“Report Modules”-->“Custom Security Events.” You can now use this report module as is, or incorporate it into a custom report by combining it with other modules. Just hit the little blue button next to the module to create a custom report from it. Please note this functionality is not available in OSSIM.
Example custom view/report module – “Windows FIM Report”
Create a view with:
Date range – Today
Event Name – contains “FIM”
Data Source – AlienVault HIDS
Columns – Event name, Date, Source, Sensor, Category, Subcategory, Username, Userdata1, Filename
Schedule this module to run daily to get daily file change reports. You can also restrict the report to specific assets when you set the schedule.