Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt

Use this file to discover all available pages before exploring further.

Role Availability | ❌ Read-Only ❌ Investigator ✔️ Analyst ✔️ Manager USM Anywhere includes the option of searching items of interest on the page. There are several filters displayed by default. You can either filter your search or enter what you are looking for in the search field. You can configure more filters and change which filters to display by clicking the Configure Filters link located in the upper-left side of the page. The management of filters is similar to that for assets. See Managing Filters for more information. The following table lists the filters you see on the page. Filters Displayed by Default in the Main System Events Page
Filter NameMeaning
Last 24 HoursFilter system events triggered in the last hour, last 24 hours, last 7 days, last 30 days, or last 90 days. You can also configure your own period of time by clicking the Custom Range option. This option enables you to customize a range. When you click Custom Range, a calendar opens. You can choose the first and last day to delimit your search by clicking the days on the calendar or entering the days directly. Then select the hours, minutes, and seconds by clicking the specific box. Finally, select AM or PM.
SuppressedFilter suppressed system events.
Not SuppressedFilter hiding suppressed system events. The suppressed system events are hidden by default.
Event NameFilter system events by the short, user-readable description of the system event.
SensorFilter system events by the associated USM Anywhere sensor.
Source User EmailFilter system events by the email of the user that performed the action. For example, when user email@alienvault.com logs in, the source email is email@alienvault.com.
Destination User EmailFilter system events by the email of the user that the action is being performed on. For example, if user email@alienvault.com modifies or creates user new@alienvault.com, then the destination email is new@alienvault.com.
Event OutcomeFilter system events by the success of an action.
Event ChangeFilter system events by the description of what was changed in the system event.
Source AssetFilter system events by the hostname or IP address of the host that initiates the system event.
The number between brackets displayed by each filter indicates the number of items that matches the filter. You can also use the filter controls to provide a method of organizing your search and filtered results. The following table shows the icons displayed with each filter box. Icons Next to the Filter Title
IconMeaning
Sort the filters alphabetically.
Sort the filters by number of items that matches them
In the upper-left side of the page, you can see any filters you have applied. Remove filters by clicking the icon next to the filter. Or clear all filters by clicking Reset.
Note: When applying filters, the search uses the logical AND operator if the used filters are different. However, when the filter is of the same type, the search uses the logical OR operator.
Those filters that have more than 10 options include a Filter Values search field for writing text and making the search easier. If there are more than 50 search results, a icon appears to the right of the Filter Values search field. Click this icon to download a CSV containing up to 1024 results. USM Anywhere enables you to toggle the mode of search. The available modes are Standard and Advanced. You can change from one mode to the other by clicking the icon or clicking the icon located in the upper left corner of the page.

Standard Mode

This mode enables you to select one value per filter at the same time, and then the search is automatically performed. This mode is on by default. To activate the standard mode when the advanced mode is on
  1. Go to Activity > System Events.
  2. In the upper-left corner of the page, click the icon.
  3. This turns the icon gray, .
    If you exit the advanced mode and the selected filters are not compatible with the standard mode, a warning dialog box opens to inform you the current filters will be removed.

Advanced Mode

Advanced mode enables you to select more than one value per filter at the same time. This mode is off by default. To activate the advanced mode
  1. Go to Activity > System Events.
  2. In the upper-left corner of the page, click the icon to activate the advanced mode. This turns the icon green, .
To perform a search in the advanced mode
  1. Go to Activity > Alarms.
  2. In the upper-left corner of the page, click the icon to activate the advanced mode. This turns the icon green, .
  3. Click the filters that you want to select. The selected filters display inside a dashed rectangle.
  4. In the lower-left corner of the page, click Apply Filters. Or in the upper side of the page, click Apply.
    The result of your search displays.
To search using the NOT operator
  1. Go to Activity > Alarms.
  2. In the upper-left corner of the page, click the icon to activate the advanced mode.
  3. Click the filter that you want to exclude.
  4. In the filter group, click Not.
    You have to select a filter to see this operator.
    The selected filter displays the icon and the filter chiclet is labeled in red.
    Some filters don’t include the NOT operator (for example, Services or Software).
  5. Click Apply.
To search all values of a filter
  1. Go to Settings > System Events.
  2. In the upper-left corner of the page, click the icon to activate the advanced mode.
  3. Select a filter title to select all filters below that title.

Searching System Events by Using the Search Field

To search for System Events using the search field
  1. Go to Settings > System Events.
  2. Enter your query in the search field. If you want to search for an exact phrase having two or more words, you need to put quotation marks around the words in the phrase. This includes email addresses (for example, “bob@mycompany.com”).
    Wildcard characters are considered as literal characters.
  3. Click the icon.
The result of your search displays with the items identified.