• Support
  • Forums
  • Blogs
A New Community Experience is Coming! For more information, please see our announcement.

AlienVault v5.3 Functional Release


AlienVault Employee
As of Tuesday, August 2, 2016, AlienVault USM and OSSIM v5.3 are now generally available for all existing and new customers. Users can update their system(s) through the console or web UI (see upgrade instructions for more information).

Please take a few minutes to carefully read these release notes before upgrading.

Feature releases will change the behavior of the system with new functionality. AlienVault encourages users to first apply the upgrade to a test system to understand and learn the new functionality before upgrading production systems. Carefully read the enhancement summary and change log below before upgrading your system.


We recently updated our PCI reports and compliance guide to match the PCI DSS 3.2 requirements. This guide is available in PDF and HTML formats. Check it out!

Training Webcasts
Join us to learn what's new in v5.3! Check out the training schedule below and sign-up:

New for USM only

  • Updated PCI DSS 3.2 reports - We've updated our PCI DSS reports to be compatible for the new PCI DSS 3.2 standards which will be enforced on October 31, 2016.
  • Forwarding retries - Customers using a USM Federation Server can now configure the number of times the system will retry to send data from parent to child.

New for USM and OSSIM

  • USB device detection - USB devices are the most common type of unapproved hardware used to steal data during a breach. USM and OSSIM alert you when a USB device connects to an asset.
  • User logon activity - USM and OSSIM alert you when users log on and log off of machines in your environment so that you can keep track of what users are doing on your network.
  • Alarm identification - Every alarm in USM has an alarm ID. These IDs can be used to search for alarms in the Web UI or to link directly to the alarm in the URL.
  • Vulnerability scans for large networks - Run vulnerability scans on any size network. Large scans will be split up into multiple scans of 3500 assets each and will run consecutively.
  • Alarm and event risk - Filter by risk in SIEM events and alarms. Users can quickly see the risk level with new color-coded risk visualizations.
  • Improved policy creation - Quickly create policies based on risk by setting alerts for any events with reliability/priority "greater than" or "less than" a certain level.
  • Bulk delete messages - Users can now delete multiple messages at once in the Message Center.

Documentation Updates

Defects Fixed

  • ENG-98061 - Enabling a custom monitoring plugin works again
  • ENG-100429 - Users can add custom ossec local rules for additional HIDS visbility
  • ENG-102150 - Users will only see relevant alarms on the asset views (not all alarms)
  • ENG-102396 - Grouping alarms by date works properly
  • ENG-102559 - Traffic capture can be launched as many times as needed
  • ENG-102654 - HIDS agent now chooses the correct interface
  • ENG-102655 - Filtering by "Sensor" in SIEM events work properly regardless of the number of assets in the database
  • ENG-102688 - Alarm reports run on context only show alarms from within that context
  • ENG-103840 - Column name changed from Signature to Event Name in SIEM events
  • ENG-103841 - Column name changed from Generator to Data Source in SIEM events
  • ENG-102847 - PCI DSS 3.2: Account Lockouts report sources the correct module
  • ENG-102883 - Large asset reports are properly loaded as PDFs and sent to users
  • ENG-102960 - Proper exit code is sent when updating the feed via alienvault-update
  • ENG-103002 - Status control added to OSSIM agent for better troubleshooting
  • ENG-103098 - Properly capture events from Siteprotector
  • ENG-103133 - Cleaned up the HIDS agent configuration to prevent confusion
  • ENG-103218 - Fixed the alarm grouping options
  • ENG-103222 - Users can see more grouped alarms on the page
  • ENG-103225 - Database purge process works properly
  • ENG-103249 - PCI File Integrity report sources correct module
  • ENG-103252 - Updated permissions for api.log to be more secure
  • ENG-103273 - Cisco-Router.log added to logrotate by default
  • ENG-103274 - Logs older than "Active Logger Window" are properly removed from the system
  • ENG-103347 - import_nbe.pl working properly
  • ENG-103354 - Old events in large environments are purged properly from the acid_event table
  • ENG-103385 - Raw log search criteria is handled the same with indexed and raw query options
  • ENG-103386 - Current vulnerabilities view restricted by context only shows vulnerabilities that belong to that context
  • ENG-103462 - Date regex works properly in dateparser.py
  • ENG-103477 - Message in Message Center for changes to plugin configuration files now shows path to modified files
  • ENG-103478 - alienvault-rhythm properly matches events from OTX pulses
  • ENG-103556 - Database repair updates database properly
  • ENG-103623 - Celery beat monitor "forward_check" no longer fails
  • ENG-103656 - Fixed regression from 5.2.4 that caused some plugins to skip logs because of escaped characters
  • ENG-103729 - Vulnerability scans can be launched for any assets regardless of asset being assigned to a sensor
  • ENG-103756 - Provided workaround for customers using Bluecoat devices so that logs are captured properly

Security Advisories

  • ENG-101779, Vulnerable Configuration (Clickjacking) - AlienVault 5.3 is not vulnerable.
  • ENG-103605, Vulnerable Package - php5 (multiple CVE's) - Added new version of package to repository - AlienVault 5.3 is not vulnerable.
  • ENG-103641, Vulnerable Package - expat (multiple CVE's) - Added new version of package to repository - AlienVault 5.3 is not vulnerable.
  • ENG-103642, Vulnerable Configuration (XSS in Ticketing) - AlienVault 5.3 is not vulnerable.
  • ENG-103709, Vulnerable Configuration (XSS in Installation Script) - AlienVault 5.3 is not vulnerable.
  • ENG-103711, Vulnerable Package - php5 (multiple CVE's) - Added new version of package to repository - AlienVault 5.3 is not vulnerable.
  • ENG-103761, Vulnerable Package - Linux Kernel (multiple CVE's) - Added new version of package to repository - AlienVault 5.3 is not vulnerable.
  • ENG-103865, Vulnerable Package - openssh (CVE-2016-6210) - Added new version of package to repository - AlienVault 5.3 is not vulnerable.

See the Security Advisory for USM and OSSIM v5.3 for more information.

Additional Upgrade Info for All Users on v5.1.1 and Earlier


Share post:


  • Hi, is risk calculated in the same way it used to be before ? 

    Risk = (Priority * Reliability * Asset Value) / 25 ]

    I'm wondering that because I saw there are only 3 levels now:

    This is a major change for MSP as we have SLAs associated to risk levels.

  • Hi same issue here.
    Also i don't realy understand why all events with a Risk < 1 are labelled low and everything starting with 1 ist already medium.

    We also used the risk level and the search for alarms by risk level starting with level 3. Now this is no longer possible.

    The mapping to the 3 labels (low, medium, high) should be configurable.
    Also the direct search for risk values should still be available and also risk be displayed.

    The current mapping does not make any sense to me as the lowest alarm displayed has the label medium.

  • Hi @SimonH

    We have the same issue as a MSP. I've opened a ticket with AlienVault, and they opened an internal defect. 
  • Same here ;-) Defect  
  • "ENG-103959"
  • edited September 2016
    @damianz @simonh - thanks for the feedback. This was our first iteration on improving the risk display in USM and OSSIM. In the next release, 5.3.1, the numerical value for risk score will be visible again in the alarm and events pages. Sorry for any inconveniences it has caused in the meantime.
  • Thanks @LBarraco for the quick fix
  • Howdy,

    I've a few appliances at 5.1.x and I need to upgrade them. Is it possible to go to 5.2.5 rather than 5.3.0? I know it can be done by burning an ISO, but that's not handy for us because we have a few customers and some of the are at remote locations.

  • It is possible to upgrade to a specific version using the offline ISO without burning the CD. You can loop-mount the iso to and upgrade from there. Did that once successfully for a customer.
  • Damianz,

    The only method for updating to a previous version is via the offline update. We do not maintain relase specific structure in the repository.
Sign In or Register to comment.