USM Anywhere™

Configure Amazon SNS Notifications in USM Anywhere

Role Availability Read-Only Analyst Manager

After you set up the Amazon SNS topic and create the access key for Amazon Web Services (AWS), you can configure Amazon SNS notifications in USM Anywhere.

To configure Amazon SNS Credentials for notifications

  1. Go to Settings > Notifications.
  2. In the left navigation panel, click Amazon SNS.
  3. Select the AWS Region name.

  4. Enter the Access key and Secret key. See Create an AWS Access Key for more information.

    Specify the AWS region and SNS access kep parameters in USM Anywhere

  5. Click Save Credentials.

To create an orchestration rule for sending a notification request to Amazon SNS

  1. Go to Activity > Alarms or Activity > Events.
  2. Click the alarm or event to open the details.

  3. Click Create Rule and select Create Notification Rule.

    Create a notification rule from the alarm details

  4. Enter the Rule Name and set the matching conditions you want for the rule.

    The Create Rule dialog box displays property values for the selected alarm or event that you can use to specify the match conditions. See Notification Rules from the Orchestration Rules Page for more information.

  5. For Notification Method, select the Amazon SNS option.

  6. Enter the SNS Topic Name you created in the AWS console. See Set Up an Amazon SNS Topic for more information.

    Set options to launch the Amazon SNS notification for the orchestration rule

  7. At the bottom of the dialog box, set the rule condition parameters to specify the criteria for a matching alarm or event to trigger the rule.

    Set the matching conditions for triggering the rule

    • This section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
    • If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
    • At the bottom of the dialog box, click More to display the optional multiple occurrence and window-length parameters.

    Select an operator and add one or more conditions to form the conditional expression. You can include a condition group to evaluate a subset of conditions. The Current Rule pane displays the constructed expression in standard syntax. The box displays a red border if the expression is syntactically invalid as currently specified. A valid expression is required to save the rule definition.

    Select the operator used to determine the match for multiple conditions:

    • AND: Match all conditions.
    • OR: Match any one condition.
    • AND NOT: Exclude items matching all conditions after the first.
    • OR NOT: Include all items that do not match any conditions after the first\.

    Click Add Condition to add a condition. For each condition, specify the field name, evaluator, and value. If the evaluation returns true for the condition, it is a match.

    Click Add Group to add a condition group. A new group includes a condition and its own operator used to match the conditions within the group. You can nest condition groups.

    Specify the number of event or alarm occurrences that produce a match on the conditional expression to trigger the rule. The default value is 1. You can enter the number of occurrences or use the arrow to scroll the value up or down.

    USM Anywhere uses this in conjunction with the Length option to specify the number of occurrences within a time period that will trigger the rule. For example, you can define a rule to trigger for an unauthorized access attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login occurs three times within a five-minute window.

    Specify the length of the window to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours. This time period identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule does not trigger.

  8. Click Save Rule.

    9. When a matching alarm or event is generated in USM Anywhere, you can go to your AWS console and select the Lambda function you created to verify that the function is being called. You can also open the Amazon CloudWatch logs to see the message in JavaScript Object Notation (JSON) format.