USM Anywhere Sensors sometimes disconnect from the USM Anywhere service (for example, during an update process). There is a process every hour to verify if the sensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect logs and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. has been disconnected for 30 minutes or longer. When this happens, USM Anywhere informs users in a Manager role by email and generates an event. A new event is generated every 30 minutes until the sensor reconnects.
Warning: Currently, the Sensor Appears Offline and Sensor Reconnected events are generated at the same time as the regular events and system events. Soon, these events will be generated only as system events. See Regular Events and System Events, Orchestration Rule for the "Sensor Appears Offline" System Event, and Orchestration Rule for the "Sensor Reconnected" System Event for more information.
Note: Logs, including NXLog messages, are cached locally and will be forwarded to USM Anywhere when the connection resumes.
When a sensor disconnects from the USM Anywhere service, it sends an email notice within two hours to the email address you used to sign into USM Anywhere (as long as you are in a Manager role). This notice informs you that your sensor is not connected. You can immediately take action to restore your service either by working with AT&T Cybersecurity Technical Support or by making an environmental, network connectivity change.
The notification will be generated daily until the sensor is reconnected. After seven days, the notifications will no longer be issued.
USM Anywhere checks every hour to verify whether the sensor has been reconnected. After your sensor reconnects, you receive an email notification informing you that your service has been restored. Because of this automated notification, you do not have to log in to the product to check the sensor connection status. USM Anywhere generates an event when a sensor reconnects.
Important: If you are not receiving notifications of a disconnection, or your notifications are being sent outside of the expected window, that could indicate issues in your control node. See View Network Testing Information for instructions on how to verify your control node's connection.
Creating an Alarm Rule from These Events
Although USM Anywhere informs users in a Manager role by email when a sensor has been disconnected from the service and when the sensor has been reconnected, you can create an alarm rule to have more control when these events occur. The following activity is an example of how to create an alarm rule from the sensor offline event. You can do the same for the sensor reconnected event by entering reconnected in step 2.
To create an alarm rule from the Sensor Appears Offline event
- Go to Activity > Events.
Enter offline in the Enter search phrase field.
- Click one of the events.
- Select Create Rule > Create Alarm Rule.
The Create Alarm Rule dialog box opens.
Select a packet type in the Match drop-down list.
The first match criteria for all rules must be the packet_type detail field:
- Logs: Use this packet type for event-based rules.
- Configuration Issues: Use this packet type for configuration issues-based rules1.
- Vulnerabilities: Use this packet type for vulnerabilities-based rules.
- System Events: Use this packet type for system events-based rules.
- Console User Events: Use this packet type for console user events-based rules.
Click Add Conditions and select these properties values:
- Click Next.
- Enter a name for the rule.
- (Optional.) Enter a description for identifying this rule.
- Select an intent.
- Enter a method.
- Select a strategy.
- Enter a priority.
- Configure a mute duration set in seconds, minutes, and hours.
Modify these two options:
- Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.
In this example, the rule applies when the configured conditions happen five times every three hours.
These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSHProgram to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.
(Optional.) Select the fields that you want to display in the generated alarm.
You can select or remove the fields you want to include in the details of the alarm. A field passes from one column to the other by clicking it.
The created rule displays in the list of rules. You can see it from Settings > Rules > Orchestration Rules. See Orchestration Rules for more information.
The intent describes the context of the behavior that is being observed. These intents roughly map to the stages of the intrusion kill chains but are collapsed to ensure that each is discrete. See Intent for more information about the available threat categories.
If known, it is the method of attack or infiltrationIndicator that specifies the method of attack that generated an alarm. For Open Threat Exchange® (OTX™) pulses, this method is the pulse name. associated with the indicator that generated the alarm.
Note: This is a required field; if you do not complete this field, the Save button remains inactive.
The strategy describes the broad-based strategy or behavior that is detected. The intention is to describe the maliciousActivity in a system that exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information systems. user's strategy to achieve their goal.
See Priority Field for Alarms for more information.
You can use the mute value to set the period of time during which, once an alarm is createdUSM Anywhere will not create a new alarm based on the same conditions.
Note: Take care to set a mute duration that is long enough to cover the span of time in which matching events will occur to maximize the efficacy of your mute.
Important: If your USM Anywhere™ is restarted when one of your alarm mutes is active, or if there is an update or hotfix, the alarm mute will be canceled.