# USM Anywhere Network Security Concepts and Terminology

When working with USM Anywhere and using the USM Anywhere web UI to perform network security operations, it is important to understand a few basic USM network security concepts. First, a key principle of the USM system is that it monitors <Tooltip tip="An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers.">assets</Tooltip>. Assets are all devices in an enterprise that have some value to the enterprise and that, generally, can be monitored or queried for information such as their status, health or availability, configuration, activity, or <Tooltip tip="Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.">events</Tooltip>. This value comprises either the cost of the device itself or the value of the data that is stored on the device or travels through it.

* An asset is defined as a unique IP address
* Assets are organized into networks based on IP addressing
* Networks are organized into locations, based on their geographical location

Typically, at least one USM Anywhere Sensor is used to monitor one geographically self-contained location. If several locations are used by an enterprise, each location is monitored with at least one USM Anywhere Sensor, which sends information to USM Anywhere about assets that are in the same location. BlueApps are used in the USM Anywhere Sensor to extract and normalize data from different data sources into standard-format events. USM Anywhere provides a wide assortment of integrations that can be used to collect events for most commonly encountered data sources.

USM Anywhere includes <Tooltip tip="A correlation rule correlates incoming events based on previously defined relationships defined in the correlation directive, associating multiple events, of the same or different event types, from the same data source.">correlation rules</Tooltip> for identifying important events or patterns of events within large volumes of data. <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">Alarms</Tooltip> are generated by an explicit call within the rules, either orchestration rules or <Tooltip tip="A correlation rule correlates incoming events based on previously defined relationships defined in the correlation directive, associating multiple events, of the same or different event types, from the same data source.">correlation rules</Tooltip>. Correlation rules detect threats and are continuously provided by the [LevelBlue Labs™ Security Research Team](https://cybersecurity.att.com/who-we-are/alienvault-labs). Information about specific threats is obtained from sources such as the <Tooltip tip="The LevelBlue Labs™ Threat Intelligence Subscription provides subscribers with the ability to detect the latest threats with continually updated correlation rules, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, collection and integrations, and report templates.">LevelBlue Labs™ Threat Intelligence Subscription</Tooltip> and LevelBlue Labs™ Open Threat Exchange® (OTX™). For example, OTX provides <Tooltip tip="An artifact observed with some degree of confidence to be an indication of a threat or intrusion.">indicators of compromise</Tooltip> and <Tooltip tip="Communication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms.">notifications</Tooltip> of malicious <Tooltip tip="Reference to a computer on a network.">hosts</Tooltip>, which can link assets, by their vulnerabilities, to specific threats, as well as notifications about events that involve known or suspected malicious hosts. USM Anywhere can also perform scans that identify assets' vulnerabilities to specific, identified threats.

See Rules Management for more information.
