- One or more rules performed by the engine of USM Anywhere, which analyzes these events for behavioral patterns. These rules examine and connect events to assess their priority and reliability. When the engine identifies a pattern, it generates an alarm, which requires attention and investigation. See Correlation Rules for more information.
The “Suspicious Behavior - OTX Indicators of Compromise” correlation rule generates alarms if the pulse comes from the LevelBlue OTX account.
- One orchestration rule, which is designed to raise an alarm when a particular type of event is found. See Orchestration Rules for more information.
USM Anywhere stores 10 of the events that generated the alarm for 365 days. If the alarm was generated by more than 10 events, USM Anywhere stores the first and the last 9 events. Alarms themselves are stored for 365 days.
You can watch the Conducting Security Analysis with LevelBlue USM Anywhere customer training webcast on-demand to learn how to leverage USM Anywhere to perform security analyst duties.