Adding a Data Source Rule

Role Availability Read-Only Investigator Analyst Manager

USM Anywhere enables you to add and apply rules to files stored in your Amazon Simple Storage Service (S3) bucket.

To add a rule

  1. Go to Data Sources > Cloud Connectors to open the Cloud Connectors main page.
  2. Click the icon of the cloud connector for which you want to add a rule, and then select View Connector.
  3. Click the Data Source Rules tab.
  4. Click Add Rule.

    Important: The AWS Cloud Connector must be enabled.

    The Add New Data Source Rule dialog box opens.

    Add New Data Source Rule dialog box

  5. In the Connector Source drop-down list, choose the Amazon S3 bucket.

    You can choose one of them or all.

  6. (Optional.) In the Filenames Matching With field, use regular expressions (regex) to specify a pattern that must be followed by the files.

    If you don't specify anything, USM Anywhere will match all files in the Amazon S3 bucket with the specified data source. See Using Regular Expressions in USM Anywhere for more information. For example:


    This expression pattern means that all files inside the CloudTrail folder will match with the rule.

    Important: If the file name is not matching any rule, USM Anywhere tries to identify the data source based on the file name and the event format. The events are parsed as generic if the data source can't be identified.

  7. In the Data Sources field, enter the data source you want to match with the files.

    If you enter more than one data source, USM Anywhere will try to match with the first data source. If USM Anywhere can't generate an event, then it will try to match with the following data source, and so on. If the file doesn't match with any data source, then USM Anywhere will create an event as an AlienVault Generic Data Source. See LevelBlue Generic Data Source for more information.

    Note: We recommend entering data sources known to be contained in the files, and using files separated by data source.

  8. Click Save.