Before creating an orchestration rule, it is necessary to understand what an orchestration rule is, the different orchestration rules you can create, and how an orchestration rule operates. See Orchestration Rules Workflow and Orchestration Rules Best Practices before creating an orchestration rule.

There are two ways of creating an orchestration rule:

• From the detail of an alarm or event, select the create rule option.

• From the orchestration rules page, select the rule you want to create.

When orchestration rules are active, USM Anywhere inspects and validates them to show you how well the rule is working. Be sure to check your rule's validation, and make recommended or necessary changes to optimize the rule based on the validation status. See Orchestration Rule Validation for more information.

To create an orchestration rule from an alarm or an event

1. Go to Activity > Alarms or Activity > Events.
2. Locate the alarms or events you want to include in the rule.
3. Click an alarm or event to see its details.
4. Click Create Rule:
   • If you are displaying an alarm, you can choose between a suppression or a notification rule.
   • If you are displaying an event, you can choose between an alarm, filtering, notification, or suppression rule.

5. Select a Boolean operator.

   The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

   The options vary depending on the selected rule.

7. You have already suggested property values to create a matching condition, but you can add new property values by clicking Add Condition.

Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

Important: Instead of using the equals and equals, case insensitive operators for array fields, AT&T Cybersecurity recommends the use of the in or contains operators.

Note: If you need to add a property value that maps with a property key, you need to know the mapping of the field. See Determining the Mapping of a Field for more information.

8. (Optional.) Click Add Group to group your conditions.

   Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.

9. Click Next.



Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.

10. Enter a name for the rule.
11. (Optional.) Enter a description for identifying this rule.
12. Depending on the selected rule, you should fill in different fields.

13. Modify these two options:

    • Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.

    • Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

      

      In this example, the rule applies when the configured conditions happen five times every three hours.

    These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

14. (Optional.) Click the box labeled Schedule Rule to configure a schedule within which this rule will apply.
    Modify these two options:
    • Start Date and Time: Specify the date and time at which this rule will begin applying.

    • End Date and Time: Specify the date and time at which this rule will stop applying.
      

    If an otherwise matching event occurs outside of this set schedule, it will not be considered a match and will not trigger an alarm.

15. (Optional.) If you choose to configure a schedule for this rule, you can also set it to recur on a configured schedule.
    Click the box labeled Set Recurrence Details to configure when and how frequently or on which days this new rule will apply.

    
    

16. Click Save.

    The created rule displays in the list of rules. You can see it from Settings > Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

To create an orchestration rule from the orchestration rules page

1. Go to Settings > Rules and select the rule you want to create:
   • Suppression Rule (see Suppression Rules from the Orchestration Rules Page for more information)
   • Filtering Rule (see Filtering Rules from the Orchestration Rules Page for more information)
   • Alarm Rule (see Alarm Rules from the Orchestration Rules Page for more information)
   • Notification Rule (see Notification Rules from the Orchestration Rules Page for more information)
   • Response Action Rule (see Response Action Rules from the Orchestration Rules Page for more information)

2. Select a Boolean operator.

   The options are AND, OR, AND NOT, and OR NOT.

3. Select a packet type in the Match drop-down list.

   The options vary depending on the selected rule.

4. Click Add Conditions and select the property values you want to include in the rule to create a matching condition.

Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

Important: Instead of using the equals and equals, case insensitive operators for array fields, AT&T Cybersecurity recommends the use of the in or contains operators.

Note: If you need to add a property value that maps with a property key, you need to know the mapping of the field. See Determining the Mapping of a Field for more information.

5. (Optional.) Click Add Group to group your conditions.

   Note: See Operators in the Orchestration Rules for more information.

Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.

6. Click Next.

   

   Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.

7. Enter a name for the rule.
8. (Optional.) Enter a description for identifying this rule.
9. Depending on the selected rule, you should fill in different fields.

10. Modify these two options:

    • Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.

    • Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

      

      In this example, the rule applies when the configured conditions happen five times every three hours.

    These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

11. (Optional.) Click the box labeled Schedule Rule to configure a schedule within which this rule will apply.
    Modify these two options:
    • Start Date and Time: Specify the date and time at which this rule will begin applying.

    • End Date and Time: Specify the date and time at which this rule will stop applying.
      

    If an otherwise matching event occurs outside of this set schedule, it will not be considered a match and will not trigger an alarm.

12. (Optional.) If you choose to configure a schedule for this rule, you can also set it to recur on a configured schedule.
    Click the box labeled Set Recurrence Details to configure when and how frequently or on which days this new rule will apply.

    
    

13. Click Save.

    The created rule displays in the list of rules. You can see it from Settings > Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.