AT&T Cybersecurity recommends that you create new orchestration rules regarding the Sensor appears offline system event.
The usual way is to create alarm rules or notification rules. See Alarm Rules from the Orchestration Rules Page and Notification Rules from the Orchestration Rules Page for more information.
To create a notification rule for the Sensor appears offline system event
- Go to Settings > Rules > Orchestration Rules.
- Select Create Orchestration Rule > Notification Rule.
Select System Events in the Match drop-down list.
Click Add Conditions and select the property values you want to include in the rule to create a matching condition.
Note: You can check the fields from Settings > System Events. See Viewing System Event Details for more information.
(Optional.) Click Add Group to group your conditions.
Note: See Operators in the Orchestration Rules for more information.
- Click Next.
Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.
- Enter a name for the rule.
- (Optional.) Enter a description for identifying this rule.
- Select a notification method:
- Amazon SNS: This method requires the setup of the Amazon Simple Notification Service (SNS) API call from the USM Anywhere server. There is no limit to the number of Amazon SNS endpoint notifications sent. However, this method requires having an Amazon Web Services (AWS) account for setup and use. The Amazon SNS allows the first 1000 email notifications per month to fall into the free messaging tier. See Sending Notifications Through Amazon SNS for more information.
- Datadog: This method requires the creation of a Datadog API key and additional steps. See Sending USM Anywhere Notifications to Datadog for more information.
- Email: This method sends the notification by email. You need to enter information for the email subject and enter a destination email address. Multiple comma-separated email addresses are possible. This method uses a built-in integration with the Amazon Simple Email Service (SES) function and is limited to a maximum of 200 emails per rolling 24-hour period. The only user-customizable information available is the email subject line.
- PagerDuty: This method is performed using an integration in the product, and user setup is required. See Sending USM Anywhere Notifications to PagerDuty for more information.
- Slack: This method makes use of a user-created Slack Webhook integration. Slack integration can also be performed using Amazon SNS. See Sending USM Anywhere Notifications to Slack for more information.
Note: The rolling 24-hour, 200-email limit refers to all email accounts. For example, you can have a rule with multiple emails, which counts as a single email delivery. Alternately, if you have several rules with several emails, each of these counts as an individual email account. Sensor-disconnect emails do not count against this number because they are critical and are only sent to users whose role is manager.
Select the Sanitize Email Content checkbox to replace detailed email contents with a generic message and a link that requires user authentication to view further information.
Modify these two options:
- Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.
In this example, the rule applies when the configured conditions happen five times every three hours.
These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.
The created rule displays in the list of rules. You can see it from Settings > Rules > Orchestration Rules. See Orchestration Rules for more information.
Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.
Important: It takes a few minutes for an orchestration rule to become active.