You can create your own notificationCommunication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms. rules from the Orchestration Rules page or from the EventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall. details page, which are the easiest ways to configure the matching conditions.
To create a Notification Rule from the Events page
- Go to Activity > Events.
- Search the events that you want to include in the notification rule. See Searching Events for more information.
- Click one of them.
- Select Create Rule > Create Notification Rule.
Select a Boolean operator.
The options are AND, OR, AND NOT, and OR NOT.
Select a packet type in the Match drop-down list.
- Logs: Use this packet type for event-based rules.
- Configuration Issues: Use this packet type for configuration issues-based rules1.
- Vulnerabilities: Use this packet type for vulnerabilities-based rules.
- System Events: Use this packet type for system events-based rules.
- Console User Events: Use this packet type for console user events-based rules.
- Alarms: Use this packet type for console user alarms-based rules.
- You have already suggested property values to create a matching condition. If you want to add new property values, click Add Condition.
(Optional.) Click Add Group to group your conditions.
Note: See Operators in the Orchestration Rules for more information.
- Click Next.
- Enter a name for the rule.
- (Optional.) Enter a description for identifying this rule.
- Select a notification method:
- Amazon SNS: This method requires the setup of the Amazon Simple Notification Service (SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon SNS endpoint notifications sent. However, this method requires having an Amazon Web Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email notifications per month to fall into the free messaging tier. See Sending Notifications Through Amazon SNS for more information.
- Datadog: This method requires the creation of a Datadog API key and additional steps. See Sending USM Anywhere Notifications to Datadog for more information.
- Email: This method sends the notification by email. You need to enter information for the email subject and enter a destination email address. Multiple comma-separated email addresses are possible. This method uses a built-in integration with the Amazon Simple Email Service (SES) function and is limited to a maximum of 200 emails per rolling 24-hour period. The only user-customizable information available is the email subject line.
- PagerDuty: This method is performed using an integration in the product, and user setup is required. See Sending USM Anywhere Notifications to PagerDuty for more information.
- Slack: This method makes use of a user-created Slack Webhook integration. Slack integration can also be performed using Amazon SNS. See Sending USM Anywhere Notifications to Slack for more information.
Note: The rolling 24-hour, 200-email limit refers to all email accounts. For example, you can have a rule with multiple emails, which counts as a single email delivery. Alternately, if you have several rules with several emails, each of these counts as an individual email account. Sensor-disconnect emails do not count against this number because they are critical and are only sent to users whose role is manager.
Select the Sanitize Email Content checkbox to replace detailed email contents with a generic message and a link that requires user authentication to view further information.
Modify these two options:
- Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.
In this example, the rule applies when the configured conditions happen five times every three hours.
These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSHProgram to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.
The created rule displays in the list of rules. You can see it from Settings > Rules > Orchestration Rules. See Orchestration Rules for more information.
Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.
Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
Important: Instead of using the equals and equals, case insensitive operators for array fields, AT&T Cybersecurity recommends the use of the in or contains operators.
Note: If you need to add a property value that maps with a property key, you need to know the mapping of the field. See Determining the Mapping of a Field for more information.
Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.
Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.
Important: It takes a few minutes for an orchestration rule to become active.