Every networked environment generates thousands of logs from assorted systems. USM Anywhere and USM Central enable you to manage those logs and, through the use of rules, you can prevent and frustrate attacks. The management of the different rules helps you to make the most of your environment.
Keep in mind that setting up a rule base is an iterative process. That means it happens relatively slowly and needs to be tuned over a period of time. There are always new attacks and new indicators to monitor.
USM Central enables you to create and customize these rules to add specific policies for a particular eventAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. or alarmAlarms provide notification of an event or sequence of events that require attention or investigation.. There are these orchestration rules:
- Suppression Rules: Use these rules to suppress events or alarms that create noise in your system. See Suppression Rules from the Orchestration Rules Page for more information.
- Filtering Rules: Use these rules to make the sensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. drop future events that match the rule. See Filtering Rules from the Orchestration Rules Page for more information.
- Alarm rules: Use these rules to identify existing and emerging threats. See Alarm Rules from the Orchestration Rules Page for more information.
- Notification Rules: Use these rules to create your own rules and receive notificationsCommunication of an important event, typically through an email message or other desktop display. In USM Appliance, notifications are typically triggered by events, policies, and correlation directives, and in USM Anywhere, they are typically triggered by notification rules or directly from alarms.. See Notification Rules from the Orchestration Rules Page for more information.
- Response Action Rules: Use these rules to respond to an event or an alarm running an AlienApp. See Response Action Rules from the Orchestration Rules Page for more information.