USM Anywhere enables you to use operators in orchestration rules to match specific events or alarms.
The following table lists the orchestration rules operators, its meaning, and an example.
| Operator | Meaning | Example |
|---|---|---|
| Assign or Equal | Assigns a value if empty. Or if the variable is populated, it will act like Equals. |
Note: USM Anywhere completes the value according to the field you have selected. The structure is always "var" followed by the field name. In the example above, the first condition assigns the destination IP address to [var_destination_address], a variable, and the second condition looks for the source IP address that equals the same variable. Essentially, when both conditions are met, you will see events or alarms whose destination IP address is the same as their source IP address. |
| Assign or Equal, case insensitive | Assigns a value if empty. Or if the variable is populated, it acts like Equals, ignoring case considerations. |
|
| Contains | Checks for the presence of a substring in a string. |
|
| Contains, case insensitive | Checks for the presence of a substring in a string, ignoring case considerations. |
|
| Equals | Compares the field to the specified value. |
|
| Equals, case insensitive | Compares the field to the specified value, ignoring case considerations. |
|
| Greater than | Returns true if the left operand is greater than the right operand. |
|
| In | Searches for character and numeric values that are equal to one from a list of values, separated by commas. |
|
| In, case insensitive | Searches for character and numeric values that are equal to one from a list of values, separated by commas, ignoring case considerations. |
|
| In List | Returns true if the value is included in the correlation list (see Example: Creating an Alarm Rule Using a Correlation List). |
|
| In List, case insensitive | Returns true if the value is included in the correlation list, ignoring case considerations. |
|
| Is Empty | Finds elements that have an empty value (it is the same as the Equals but with an empty string). |
|
| Is Not Empty | Finds elements that do not have a value. |
|
| Is In CIDR | Find elements that are included in the given IP range (using CIDR notation). |
|
| Is Not In CIDR | Find elements that are not included in the given IP range (using CIDR notation). |
|
| Less than | Returns true if the left operand is less than the right operand. |
|
| Match | Finds elements that match a specified pattern using regular expressions. |
|
| Match, case insensitive | Finds elements that match a specified pattern using regular expressions, ignoring case considerations. |
|
| Not Equals | The value of the specified field does not match the specified value. |
|
| Not Equals, case insensitive | The value of the specified field does not match the specified value, ignoring case considerations. |
|
Using Regular Expressions in USM Anywhere
The Match and Match, case insensitive operators enable you to use regular expressions (regex) to define a pattern to match the content of a field.
Important: USM Anywhere uses the Java Regular Expression Syntax, which is different from JavaScript, Perl, Gnu, and other flavors of regex, so be sure to read their documentation and familiarize yourself with the differences.
It is highly recommended that you find and use a tool to test your regular expressions before saving them into rules. Some popular examples include Java Regular Expression Tester or RegexPlanet.
When using regular expressions in USM Anywhere, keep the following in mind:
-
The expression pattern must be delimited with the forward slash "/" character. For example:
/Router -.*/
-
Use a backslash ("\") to escape special characters that would otherwise be interpreted as regex syntax, which includes the "\" character itself. For example:
/C:\\Windows\\System\\.*/
Note: Since the backslashes are not used as literals in Java code, but are carried as data in strings in the system, you do not need to double-escape them like you would if you were putting a regex pattern into a Java literal in coding.
- You can use capture and grouping syntax such as \1, $1, or (?:).
- Modifiers such as /i, /x, /m, and /s are not supported.
Possible Messages When Creating Rules
When you are creating a rule, you can get some of these messages.
| Message | This Message Is Displayed When |
|---|---|
| At least one criterion is required besides packet type | Packet Type is the unique criterion in the rule condition. |
| All condition fields must have a value | The condition value is missing. |
| Case insensitive operator does not apply to numbers | You select a case insensitive operator and the condition value is a number. |
| A regular expression must be used with "Match" operator (example: ~ /value/) | You select the Match operator and the condition value has to be a valid regexp. |
| A variable expression must be used with "Assign or Equal" operator (example: >> varname) | You select the Assign or Equal operator and the condition value must be a valid variable name between brackets. |
| Some characters used could be part of a regular expression (use "Match" operator) | Your condition value contains *, +, [, or ], but the Match operator is not selected. |
Related Video Content
Feedback