USM Anywhere enables you to use operators in orchestration rules to match specific events or alarms.
The following table lists the orchestration rule operators, their meanings, and an example for each.
Operator | Meaning | Example |
---|---|---|
Assign or Equal |
Checks whether a field is equal to a value in the list. If the value is not found, adds the value to the list. |
Note: USM Anywhere completes the value according to the field you have selected. The structure is always "var" followed by the field name. In the example above, the first condition assigns the destination IP address to [var_destination_address], a list of variables, and the second condition looks for the source IP address that equals a variable in the list. Essentially, when both conditions are met, you will see events or alarms whose destination IP address is the same as their source IP address. Note: Rules are only muted if the user/field matches a value in the variable list. If the user/field is not equal to a value found in the list, this operator acts as add to list. |
Assign or Equal, case insensitive | Assigns a value if empty. If the variable is populated it acts like Equals, ignoring case considerations. |
|
Contains | Checks for the presence of a substring in a string. |
|
Contains, case insensitive | Checks for the presence of a substring in a string, ignoring case considerations. |
|
Equals | Compares the field to the specified value. |
|
Equals, case insensitive | Compares the field to the specified value, ignoring case considerations. |
|
Greater than | Returns true if the left operand is greater than the right operand. |
|
In | Searches for character and numeric values that are equal to one from a list of comma-separated values. |
|
In, case insensitive | Searches for character and numeric values that are equal to one from a list of comma-separated values, ignoring case considerations. |
|
In List | Returns true if the value is included in the correlation list (see Example: Creating an Alarm Rule Using a Correlation List). |
|
In List, case insensitive | Returns true if the value is included in the correlation list, ignoring case considerations. |
|
Is Empty | Finds elements that have an empty value (operates in the same way as Equals but matches against an empty string). |
|
Is Not Empty | Finds elements that do not have a value. |
|
Is In CIDR | Find elements that are included in the given IP range (using CIDR notation). |
|
Is Not In CIDR | Find elements that are not included in the given IP range (using CIDR notation). |
|
Less than | Returns true if the left operand is less than the right operand. |
|
Match | Finds elements that match a specified pattern using regular expressions. |
|
Match, case insensitive | Finds elements that match a specified pattern using regular expressions, ignoring case considerations. |
|
Not Equals | Returns true when the specified field does not match the specified value. |
|
Not Equals, case insensitive | Returns true when the specified field does not match the specified value, ignoring case considerations. |
|
Using Regular Expressions in USM Anywhere
The Match
and Match, case insensitive
operators enable you to use regular expressions (regex) to define a pattern to match the content of a field.
Important: USM Anywhere uses the Java Regular Expression Syntax, which is different from JavaScript, Perl, Gnu, and other flavors of regex, so be sure to read their documentation and familiarize yourself with the differences.
It is highly recommended that you find and use a tool to test your regular expressions before saving them into rules. Some popular examples include Java Regular Expression Tester or RegexPlanet.
When using regular expressions in USM Anywhere, keep the following in mind:
-
The expression pattern must be delimited with the forward slash "/" character. For example:
/Router -.*/
-
Use a backslash ("\") to escape special characters that would otherwise be interpreted as regex syntax, which includes the "\" character itself. For example:
/C:\\Windows\\System\\.*/
Note: Since the backslashes are not used as literals in Java code, but are carried as data in strings in the system, you do not need to double-escape them like you would if you were putting a regex pattern into a Java literal in coding.
- You can use capture and grouping syntax such as \1, $1, or (?:).
- Modifiers such as /i, /x, /m, and /s are not supported.
Possible Messages When Creating Rules
When you are creating a rule, you may receive one or more of these messages.
Message | This Message Is Displayed When |
---|---|
At least one criterion is required besides packet type | Packet Type is the unique criterion in the rule condition. |
All condition fields must have a value | The condition value is missing. |
Case insensitive operator does not apply to numbers | You selected a case insensitive operator and the condition value is a number. |
A regular expression must be used with "Match" operator (example: ~ /value/) | You selected the Match operator and the condition value has to be a valid regexp. |
A variable expression must be used with "Assign or Equal" operator (example: >> varname) | You selected the Assign or Equal operator and the condition value must be a valid variable name between brackets. |
Some characters used could be part of a regular expression (use "Match" operator) | Your condition value contains *, +, [, or ], but the Match operator is not selected. |