Every networked environment generates thousands of logs from assorted systems. USM Anywhere enables you to manage those logs and, through the use of rules, you can prevent and frustrate attacks. The management of the different USM Anywhere rules helps you to make the most of your environment.
Keep in mind that setting up a rule base is an iterative process. That means it happens relatively slowly and needs to be tuned over a period of time. There are always new attacks and new indicators to monitor.
USM Anywhere includes these rules:
- Correlation rules: These are predefined rules developed by LevelBlue. A correlation rule correlates incoming events based on the relationships defined in a correlation directive, associating multiple events, of the same or different event types, from the same data source. See Correlation Rules for more information.
- Orchestration rules: You can create and customize these rules to add specific policies for a particular event (any traffic or data exchange detected by LevelBlue products through a sensor or through external devices such as a firewall) or alarm (alarms provide notification of an event or sequence of events that require attention or investigation). See Orchestration Rules for more information. These are the orchestration rules:
  - Suppression rules: Use these rules to suppress events or alarms that create noise in your system. See Suppression Rules from the Orchestration Rules Page for more information.
  - Filtering rules: Use these rules to make the sensor drop future events that match the rule. Sensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data; this data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. See Filtering Rules from the Orchestration Rules Page for more information.
  - Alarm rules: Use these rules to identify existing and emerging threats. See Alarm Rules from the Orchestration Rules Page for more information.
  - Notification rules: Use these rules to create your own rules and receive notifications (communication of an important event, typically through an email message or other desktop display). In USM Appliance, notifications are typically triggered by events, policies, and correlation directives; in USM Anywhere, they are typically triggered by notification rules or directly from alarms. See Notification Rules from the Orchestration Rules Page for more information.
  - Response action rules: Use these rules to respond to an event or an alarm by running a BlueApp. See Response Action Rules from the Orchestration Rules Page for more information.