USM Anywhere enables you to make the sensorSensors are deployed into an on-premises, cloud, or multi-cloud environment to collect log and other security-related data. This data is normalized and then securely forwarded to USM Anywhere for analysis and correlation. drops future eventsAny traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall. that match the rule. These events will be neither correlated nor stored. Through these rules, you are able to define which event data you are going to store in USM Anywhere. You will pay for the data you use.
Note: Filtering rules are not retroactive. The rule will apply to future items and it does not apply to previous items, even if those items follow the rule.
To create a filtering rule from the Events page
- Go to Activity > Events.
- Search the events which you want to include in the filtering rule. See Searching Events for more information.
- Click one of them.
- Select Create Rule > Create Filtering Rule.
- Enter a name for the rule.
- You have already suggested property values to create a matching condition. If you want to add new property values, click Add Condition.
- (Optional.) Click Add Group Of Conditions to group your conditions.
(Optional.) To include a multiple occurrence parameter, click the More link.
These options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through SCP.loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five minute window. These are the two options that you can modify:
- Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
Length: Specify the length of the window used to identify a match for multiple occurrences. Enter the number and choose a time-unit value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the first to last. If the number of occurrences is not met within this period, the rule is not a match.
In this example, the rule applies when the configured conditions happen five times every three hours.
- Click Save Rule.
Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.
Note: Keep in mind that the Sources or Destinations field needs to match the UUID (Universally Unique Identifier) of the event or alarm. You can use Source Name or Destination Name instead.
Note: See Operators in the Orchestration Rules for more information.
The filtering rule has been created. You can see it from Settings > Rules, see Filtering Rules from the Orchestration Rules page for more information.