USM Anywhere enables you to make the sensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. drops future eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. that match the rule. These events will be neither correlated nor stored. Through these rules, you are able to define which event data you are going to store in USM Anywhere. You will pay for the data you use.
Note: Filtering rules are not retroactive. The rule applies to future items and it does not apply to previous items, even if those items follow the rule.
Important: You can't use a correlation list when you create a filtering rule.
To create a filtering rule from the Events page
- Go to Activity > Events.
- Search the events which you want to include in the filtering rule. See Searching Events for more information.
- Click one of them.
- Select Create Rule > Create Filtering Rule.
- Enter a name for the rule.
- You have already suggested property values to create a matching condition. If you want to add new property values, click Add Condition.
- (Optional.) Click Add Group of Conditions to group your conditions.
- Click Save Rule.
Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.
Note: Keep in mind that the Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
Note: See Operators in the Orchestration Rules for more information.
The filtering rule has been created. You can see it from Settings > Rules, see Filtering Rules from the Orchestration Rules Page for more information.