The AlienApp for Cisco Umbrella allows you to create orchestration rules that automatically send suspicious domains to your Cisco Umbrella environment. There are four actions you can trigger with orchestration rules to report domains to Cisco Umbrella when matching events Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. or alarms Alarms provide notification of an event or sequence of events that require attention or investigation. occur:
- Report by HTTP hostname on an event
- Report by URL on an event
- Report by Domain Name System (DNS) record on an event
- Report names found on an alarm
All rules include a rule name and conditional expression. They can also include optional multiple occurrence and window length parameters. There are multiple methods for creating a new AlienApp for Cisco Umbrella orchestration rule in USM Anywhere:
On the Rules tab of the AlienApp page: This tab provides various tools that you can use to create and manage the orchestration rules that use the AlienApp for Cisco Umbrella actions. For easy rule creation, you can use a suggested rule as the basis for the new orchestration rule. This tab also provides a method to easily create a new rule based on your own matching criteria where the sensor and app are already selected, and displays all rules associated with the AlienApp so that you can easily enable or disable rules as needed.
From an Applied Response Action: You can automatically create a rule using the response action that you apply to an existing alarm or event. This makes it easy to set the matching conditions for the rule based on the existing item and use the same settings that you applied to that item.
In the confirmation dialog box, click Create rule for similar alarms or Create rule for similar events.
From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules,
event rules,filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules.
In the left navigation menu, go to Settings > Rules > Orchestration Rules. Then click Create Orchestration Rule > Response Action Rule to define the new rule.
Depending on your Cisco Umbrella configuration and how it processes the domain information, these actions will result in events that USM Anywhere retrieves through Cisco Umbrella log collection.
When you use one of the suggested rules, you can start with a set of matching criteria for common use cases, such as sending the HTTP hostname from phishing events to Cisco Umbrella.
To create a new rule from a suggested rule
- In USM Anywhere, go to Data Sources > AlienApps.
- Click the Available Apps tab.
- Search for the AlienApp, and then click the tile.
Select the Rules tab.
Locate the rule that matches your use case and click Use this Rule.
This opens the Create Rule dialog box with preconfigured options for the new rule. You can keep these options exactly as they are, or make some changes according to your specific needs.
(Optional.) Modify any of default rule settings, if needed:
- Change the name of the rule.
- Select a different Action.
- Add one or more Rule Condition items to narrow the scope for a matching event or alarm.
- Include a multiple occurrence parameter (click the More link to display the fields).
- Click Save Rule.
Use the Create Rule dialog box to specify the new rule, including the Cisco Umbrella action to run and the criteria for a matching event or alarm that triggers the rule.
To define a Cisco Umbrella response action rule
- Enter a unique name for the rule.
Select the App Action for the rule.
At the bottom of the dialog box, set the rule condition parameters to specify the criteria for a matching alarm or event to trigger the rule.
- This section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
- If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
- At the bottom of the dialog box, click More to display the optional multiple occurrence and window-length parameters.
Select an operator and add one or more conditions to form the conditional expression. You can include a condition group to evaluate a subset of conditions. The Current Rule pane displays the constructed expression in standard syntax. The box displays a red border if the expression is syntactically invalid as currently specified. A valid expression is required to save the rule definition.
Select the operator used to determine the match for multiple conditions:
- AND: Match all conditions.
- OR: Match any one condition.
- AND NOT: Exclude items matching all conditions after the first.
- OR NOT: Include all items that do not match any conditions after the first.
Click Add Condition to add a condition. For each condition, specify the field name, evaluator, and value. If the evaluation returns true for the condition, it is a match.
Click Add Group to add a condition group. A new group includes a condition and its own operator used to match the conditions within the group. You can nest condition groups.Occurrences
Specify the number of event or alarm occurrences that produce a match on the conditional expression to trigger the rule. The default value is 1. You can enter the number of occurrences or use the arrow to scroll the value up or down.
USM Anywhere uses this in conjunction with the Length option to specify the number of occurrences within a time period that will trigger the rule. For example, you can define a rule to trigger for an unauthorized access attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login occurs three times within a five-minute window.Length
Specify the length of the window to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours. This time period identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule does not trigger.
- Click Save Rule.