USM Anywhere™

Alarm Rules from the Orchestration Rules Page

Role Availability Read-Only Analyst   Manager

USM Anywhere enables you to easily identify existing and emerging threats that are of interest. Through alarm Alarms provide notification of an event or sequence of events that require attention or investigation. rules, you can organize your threats and only see high-priority alarms, which can be received via email and will help you to reduce noise and focus on important things.

To create an alarm rule

  1. Go to Settings > Rules > Orchestration Rules.
  2. Select Create Orchestration Rule > Alarm Rule.

    Create an alarm rule

  3. Select a Boolean operator.

    The options are AND, OR, AND NOT, and OR NOT.

  4. Select a packet type in the Match drop-down list.

    Match Drop Down List

  5. Click Add Conditions and select the property values you want to include in the rule to create a matching condition.
  6. Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

    Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

    Important: Instead of using the equals and equals, case insensitive operators for array fields, AT&T Cybersecurity recommends the use of the in or contains operators.

    Note: If you need to add a property value that maps with a property key, you need to know the mapping of the field. See Determining the Mapping of a Field for more information.

  7. (Optional.) Click Add Group to group your conditions.

    Note: See Operators in the Orchestration Rules for more information.

  8. Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.

  9. Click Next.

    Rules Verifications Dialog Box

    Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.

  10. Enter a name for the rule and, if desired, a description to clarify its use in the Description field.
  11. Select an intent.
  12. The intent describes the context of the behavior that is being observed. These intents roughly map to the stages of the intrusion kill chains but are collapsed to ensure that each is discrete. See Intent for more information about the available threat categories.

  13. Enter a method.
  14. If known, it is the method of attack or infiltration Indicator that specifies the method of attack that generated an alarm. For Open Threat Exchange® (OTX™) pulses, this method is the pulse name. associated with the indicator that generated the alarm.

    Note: This is a required field; if you do not complete this field, the Save button remains inactive.

  15. Select a strategy.
  16. The strategy describes the broad-based strategy or behavior that is detected. The intention is to describe the malicious Activity in a system that exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information systems. user's strategy to achieve their goal.

  17. Enter a priority.
  18. See Priority Field for Alarms for more information.

  19. Configure a mute duration set in seconds, minutes, and hours.
  20. You can use the mute value to set the period of time during which, once an alarm is createdUSM Anywhere will not create a new alarm based on the same conditions.

    Note: Take care to set a mute duration that is long enough to cover the span of time in which matching events will occur to maximize the efficacy of your mute.

    Important: If your USM Anywhere™ is restarted when one of your alarm mutes is active, or if there is an update or hotfix, the alarm mute will be canceled.

  21. Modify these two options:

    • Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
    • Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the beginning to end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

      Specify multiple occurances to match for the rule

      In this example, the rule applies when the configured conditions happen five times every three hours.

    These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

  22. (Optional.) Select the fields that you want to display in the generated alarm.

    You can select or remove the fields you want to include in the details of the alarm. A field passes from one column to the other by clicking it.

  23. Click Save.

    The created rule displays in the list of rules. You can see it from Settings > Rules. See Orchestration Rules for more information.

  24. Important: It takes a few minutes for an orchestration rule to become active.

To filter alarm rules by name

  1. Go to Settings > Rules.
  2. Click the box next to Filter by.
  3. Enter your search.

To filter alarm rules by rule status

  1. Go to Settings > Rules.
  2. Click the combo box next to Rule Status.
  3. Select All Rules, Enabled, or Disabled.

To edit an alarm rule

  1. Go to Settings > Rules.
  2. Click the icon of the rule you want to edit.
  3. Modify the data of the items that need to be modified.
  4. Click Next.
  5. Click Save.

To delete an alarm rule

  1. Go to Settings > Rules.
  2. Click the icon of the rule you want to delete.
  3. Confirm by clicking Accept.

To enable an alarm rule

  1. Go to Settings > Rules.
  2. Click the icon of the rule you want to enable.

To disable an alarm rule

  1. Go to Settings > Rules.
  2. Click the icon of the rule you want to disable.

To enable all alarm rules

  1. Go to Settings > Rules.
  2. In the list of rules, select the first checkbox in the first column to select all the rules.
  3. Click Enable All Rules.

To disable all alarm rules

  1. Go to Settings > Rules.
  2. In the list of rules, select the first checkbox in the first column to select all the rules.
  3. Click Disable All Rules.
  4. Confirm by clicking Accept.