Operators in the Correlation Rules

USM Anywhere provides built-in rules and adds more every week through the AT&T Alien Labs™ OTX Subscription. The AT&T Alien Labs™ Threat Intelligence Subscription provides subscribers with the ability to detect the latest threats with continually updated correlation rules, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, collection and integrations, and report templates. These rules are the result of combining operators with USM Anywhere fields.

Correlation Rules: Operators

| Operator | Meaning | Example |
|----------|---------|---------|
| `==` | Equals: compares the field to the specified value. | `plugin_device == 'GuardDuty'` |
| `==*` | Equals, case insensitive: compares the field to the specified value, ignoring case. | `event_activity ==* 'Executable download'` |
| `>>` | Assign or equal: for use with variables. Assigns the value if the variable is empty; if the variable is already populated, acts like `==`. | `source_canonical >> [source]` |
| `>>*` | Assign or equal, case insensitive: for use with variables. Assigns the value if the variable is empty; if the variable is already populated, acts like `==*`. | `source_username >>* [username]` |
| `>` | Greater than. | `user_id > 500` |
| `<` | Less than. | `user_id < 505` |
| `in` | List contains: returns true if the list contains the value. Performs a `==` comparison against every value in the list, returning true on the first match. | `event_subcategory in ('Microsoft-Windows-MountMgr', 'MountMgr')` |
| `in*` | List contains, case insensitive: returns true if the list contains the value. Performs a `==*` comparison against every value in the list, returning true on the first match. | `event_name in* ('Update route in route table', 'Update route table for VPC')` |
| `~` | Match: takes a regular expression delimited by `/` as the argument. | `hostname ~ /.*\.eng/` |
| `~*` | Match, case insensitive: takes a regular expression delimited by `/` as the argument. | `(source_process_commandline ~* /[a-z0-9]{15,45}\.[a-z0-9]{1,15}\.[a-z0-9]{1,4}/)` |
| `==>` | Checks the value against a list filled with the values of previous events. The condition is validated if the element is not already included in the list. | `source_country ==> \|countries\|` |
| `\|\|` | Or: chains two comparisons and returns true if either comparison evaluates to true. | `((device_direction == 'outbound') \|\| (event_activity == 'C&C Response' and device_direction == 'inbound'))` |
| `&&` | And: chains two comparisons and returns true only if both comparisons evaluate to true. | `rep_device_rule_id == '15457' && source_username >>* [username]` |
| `!` | Not: negates the return value of the expression directly following it. | `source_country != ''` |
| `or` | Or: alternative to `\|\|`. | `(source_process_commandline contains* ' aaaa' OR source_process_commandline contains* '=aaaa')` |
| `and` | And: alternative to `&&`. | `event_subcategory == 'Microsoft-Windows-Sysmon' AND rep_device_rule_id == '1'` |
| `!->` | Not in list: checks that a value is not contained in a correlation list. | `source_name !-> [[SAFE_NAMES]]` |
| `!->*` | Not in list, case insensitive: checks that a value is not contained in a correlation list, ignoring case. | `source_name !->* [[SAFE_NAMES]]` |
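As an added illustration (not USM Anywhere's own rule engine), the following Python models the `>>*`, `!` and `==>` semantics from the table over a short sequence of constructed events: the `[username]` variable binds on the first event and then compares case-insensitively, and the `|countries|` history list lets the rule fire only for a country that user has not been seen from before.

```python
# Added model of the >>*, != and ==> operator semantics, not USM Anywhere's engine.
class RuleContext:
    """State carried across the events a rule inspects: variables bound
    with >> / >>* and the history lists that ==> compares against."""
    def __init__(self):
        self.vars = {}   # [name] variables
        self.seen = {}   # |name| lists of values from previous events

def eq(field, value, ci=False):
    """== and ==* (case insensitive) on two field values."""
    return field.lower() == value.lower() if ci else field == value

def assign_or_equal(ctx, name, field, ci=False):
    """>> and >>*: bind [name] on first use, afterwards behave like == / ==*."""
    if name not in ctx.vars:
        ctx.vars[name] = field
        return True
    return eq(ctx.vars[name], field, ci)

def new_value(ctx, name, field):
    """==>: true only if the value is not yet in |name|, and records it."""
    history = ctx.seen.setdefault(name, set())
    if field in history:
        return False
    history.add(field)
    return True

def evaluate(ctx, ev):
    """Rule: source_username >>* [username] && source_country != '' && source_country ==> |countries|
    Conjuncts are checked left to right, so a failed >>* never touches |countries|."""
    return (assign_or_equal(ctx, "username", ev["source_username"], ci=True)
            and ev["source_country"] != ""
            and new_value(ctx, "countries", ev["source_country"]))

# Constructed sample events: one user seen from two countries, then another user.
EVENTS = [
    {"source_username": "Alice", "source_country": "US"},
    {"source_username": "alice", "source_country": "US"},
    {"source_username": "ALICE", "source_country": "DE"},
    {"source_username": "bob",   "source_country": "FR"},
]

def run(events):
    """Evaluate the rule over a sequence of events with one shared context."""
    ctx = RuleContext()
    return [evaluate(ctx, ev) for ev in events]

if __name__ == "__main__":
    print(run(EVENTS))  # [True, False, True, False]
```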
