Creating a Forensics and Response Rule

Role Availability Read-Only Investigator Analyst Manager

The AlienApp for AT&T Cybersecurity Forensics and Response enables you to create orchestration rules that automatically run a data collection or enforcement action in response to future events or alarms that meet your criteria. You can define the rule to run the action on the associated source asset, associated destination asset, or any asset you specify.

All rules include a rule name and conditional expression. They can also include optional multiple occurrence and window length parameters. There are two methods for creating a new AlienApp for AT&T Cybersecurity Forensics and Response orchestration rule in USM Anywhere.

  • From an Applied Action: You can automatically create a rule using the action that you apply from an existing alarm or event. This makes it easy to set the matching conditions for the rule based on the existing item and use the same settings that you applied to that item.

    In the confirmation dialog box, click Create rule for similar alarms or Create rule for similar events.

    You can create a rule to launch a Forensics and Response action for similar alarms

  • From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, event rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules.

    In the left navigation menu, go to Settings > Rules > Orchestration Rules. Then click Create Orchestration Rule > Response Action Rule to define the new rule.

    Create a new response action rule

Both of these methods display the Create Response Action Rule dialog box. Use this to specify the new rule, including the Forensics and Response action to run and the criteria for a future event or alarm that triggers the rule.

To define a Forensics and Response rule

  1. Enter a unique name for the rule.
  2. Select the Action for the rule.

    Review the information in Supported Actions to determine the action that you want to use for the rule.

  3. Select the target Asset for the action.

    Set the parameters to launch the Forensics and Response action for the rule

    • Source Asset: Use this option to use the source endpoint of the alarm or event as the target asset.
    • Destination Asset: Use this option to use the destination endpoint of the alarm or event as the target asset.
    • Select another Asset: Use this option to specify the asset that is always the target for the action when the rule is triggered. Use the search text box or click Browse Assets to locate and select the asset.
  4. At the bottom of the dialog box, set the rule condition parameters to specify the criteria for a matching alarm or event to trigger the rule.

    Set the matching conditions for triggering the rule

    • This section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
    • If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
    • At the bottom of the dialog box, click More to display the optional multiple occurrence and window-length parameters.
  5. Click Save Rule.
  6. Click OK in the confirmation dialog box.