When you first start using USM Anywhere, it is a good idea to let it run for a few days to determine which events and alarms you can consider “noise” and which ones to investigate further. By noise, we mean false positives that obscure true positives. Because no system is perfect, you must ensure that you have actionable alarms and useful reports, not hundreds of items to review. What you learn from the baseline collection and the evaluation of those events helps you create orchestration and suppression rules that tell USM Anywhere what is important and what is not. Alarms are also generated by correlation rules, which are written by the LevelBlue Labs™ Security Research Team. See Rules Management for more information.

Baselining

To be able to tune the system, you need to create a baseline for what constitutes normal behavior in your network. This is called baselining. The alarms and events generated during this initial period represent currently normal behavior, in other words, a snapshot in time. Of course, there may be things you want to filter out right away. But in general, you should resist the temptation and wait until you have had a chance to observe any patterns in your network.

Evaluating Results

After you collect these data points, you need to start making decisions about them, based on these criteria:
  • Which events have value and applicability to my system?
  • Which events have to do with network policy and therefore are not potential threats?
  • Was the rule properly assessed?
  • Which events have value for reporting?
  • Who should receive notification when this event occurs?
Answering these questions for the first time is best done in a group setting with the relevant stakeholders. In subsequent iterations of this process, usually only the analysts participate, because the fundamental questions for each event can be applied through taxonomy. Because LevelBlue releases new signatures frequently, this decision-making process will be a recurring event.

Filtering Out the Noise

You may want to identify and filter out some false positives right away. One example might be an alarm indicating scanning of hosts in the network. Such activity can be completely legitimate if performed by an internal network mapper. On the other hand, it may be benign today but may also be a precursor to a real attack. USM Anywhere treats both events equally. If you examine an alarm and determine that the event that triggered it was noise, not a real threat, consider taking these steps:
  1. Create an orchestration rule that prevents USM Anywhere from processing new events from the source. For example, let’s say that USM Anywhere properly detected vulnerability scanning coming from an internal scanner but such events do not interest you, because the internal vulnerability scanner is controlled by your environment. See Orchestration Rules for more information.
  2. If you are not interested in specific alarms, you can:
    • Reconfigure the external data source to not send such events.
    • Use a rule to discard such events.
    • Modify or remove the rule.
  3. Suppress all occurrences of the alarm from USM Anywhere. See Creating Suppression Rules from the Alarms Page for information on how to do this.
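The internal-scanner case above is the one to get right: suppress the scanning alarm only for the scanner you control, so the same signature still fires for any other source. The following is an added illustration, not USM Anywhere's rule syntax or API; the alarm records, the rule format and the `triage`/`suppression_candidates` helpers are all constructed here to show the baseline-then-scope-the-suppression idea.

```python
"""Scoped noise suppression after a baseline period (illustrative only).

Hypothetical alarm and rule formats; USM Anywhere's real orchestration
and suppression rules are configured in its UI, not with this code.
"""
from collections import Counter

# Constructed sample alarms from a baseline period (not real data).
# 10.0.5.20 is the assumed internal vulnerability scanner.
BASELINE_ALARMS = [
    {"rule": "Vulnerability Scan Detected", "src": "10.0.5.20", "dst": "10.0.1.10"},
    {"rule": "Vulnerability Scan Detected", "src": "10.0.5.20", "dst": "10.0.1.11"},
    {"rule": "Vulnerability Scan Detected", "src": "10.0.5.20", "dst": "10.0.1.12"},
    {"rule": "Vulnerability Scan Detected", "src": "203.0.113.9", "dst": "10.0.1.10"},
    {"rule": "Brute Force Authentication", "src": "198.51.100.4", "dst": "10.0.1.30"},
]

# Hypothetical suppression rule: every listed field must match the alarm.
# Scoping to the known scanner's source keeps the signature alive for
# any other source, whose scanning may precede a real attack.
SUPPRESSION_RULES = [
    {"rule": "Vulnerability Scan Detected", "src": "10.0.5.20"},
]


def baseline_counts(alarms):
    """Count alarms per (rule, src) pair during the baseline period."""
    return Counter((a["rule"], a["src"]) for a in alarms)


def suppression_candidates(alarms, min_count=3):
    """(rule, src) pairs noisy enough in the baseline to review with stakeholders.

    These are candidates only; the decision to suppress stays with the analysts.
    """
    return [pair for pair, n in baseline_counts(alarms).most_common() if n >= min_count]


def is_suppressed(alarm, rules=SUPPRESSION_RULES):
    return any(all(alarm.get(k) == v for k, v in r.items()) for r in rules)


def triage(alarms, rules=SUPPRESSION_RULES):
    """Split alarms into the ones an analyst sees and the ones suppressed."""
    kept = [a for a in alarms if not is_suppressed(a, rules)]
    suppressed = [a for a in alarms if is_suppressed(a, rules)]
    return kept, suppressed


if __name__ == "__main__":
    print("candidates:", suppression_candidates(BASELINE_ALARMS))
    kept, dropped = triage(BASELINE_ALARMS)
    print(f"kept {len(kept)} alarm(s), suppressed {len(dropped)}")
```

Note that the external scan from 203.0.113.9 survives triage even though it matches the same rule; a rule that suppressed the signature outright (the "modify or remove the rule" option) would have hidden it.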
Next… See USM Anywhere Dashboards