AlienVault® USM Anywhere™

Operators in the Correlation Rules

USM Anywhere provides built-in rules and adds more every week through the AlienVault Labs Threat Intelligence Subscription, which gives subscribers the ability to detect the latest threats with continually updated correlation rules, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, collection and data source plugins, and report templates. These rules are built by combining the operators below with USM Anywhere fields.

Correlation Rules: Operators

Each entry gives the operator, its meaning, and an example of its use in a rule.

==
    Equals. Compares the field to the specified value.
    Example: plugin_device == 'GuardDuty'

==*
    Equals, case insensitive. Compares the field to the specified value, ignoring case.
    Example: event_activity ==* 'Executable download'

>>
    Assign or equal. For use with variables: assigns the field's value to the variable if the variable is empty; if the variable is already populated, it acts like ==.
    Example: source_canonical >> [source]

>>*
    Assign or equal, case insensitive. For use with variables: assigns the field's value to the variable if the variable is empty; if the variable is already populated, it acts like ==*.
    Example: source_username >>* [username]

>
    Greater than.
    Example: user_id > 500

<
    Less than.
    Example: user_id < 505

in
    List contains. Returns true if the list contains the value: performs a == comparison against every value in the list and returns true on the first match.
    Example: event_subcategory in ('Microsoft-Windows-MountMgr', 'MountMgr')

in*
    List contains, case insensitive. Returns true if the list contains the value: performs a ==* comparison against every value in the list and returns true on the first match.
    Example: event_name in* ('Update route in route table', 'Update route table for VPC')

~
    Match. Takes a regular expression delimited by '/' as the argument.
    Example: hostname ~ /.*\.eng/

~*
    Match, case insensitive. Takes a regular expression delimited by '/' as the argument.
    Example: (source_process_commandline ~* /[a-z0-9]{15,45}\.[a-z0-9]{1,15}\.[a-z0-9]{1,4}/)

==>
    Checks the value against a list filled with the values of previous events. The condition is satisfied if the element is not already included in the list.
    Example: source_country ==> |countries|

||
    Or. Chains two comparisons; returns true if either comparison evaluates to true.
    Example: ((device_direction == 'outbound') || (event_activity == 'C&C Response' and device_direction == 'inbound'))

&&
    And. Chains two comparisons; returns true only if both comparisons evaluate to true.
    Example: rep_device_rule_id == '15457' && source_username >>* [username]

!
    Not. Negates the return value of the expression directly following it.
    Example: source_country != ''

or
    Alternative to ||.
    Example: (source_process_commandline contains* ' aaaa' OR source_process_commandline contains* '=aaaa')

and
    Alternative to &&.
    Example: event_subcategory == 'Microsoft-Windows-Sysmon' AND rep_device_rule_id == '1'
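To show how the stateful operators (>> / >>* and ==>) behave across a sequence of events, here is a small Python evaluator for the operators above, added as an illustration and not AlienVault's own engine. It runs the rule `source_username >>* [username] && source_country ==> |countries|` (a user seen from a country not seen before) over constructed events; the rule is expressed directly as Python calls rather than parsed from rule text, and the RuleContext, compare and matching_events names are this example's own.

```python
import re

# Per-rule correlation state: [name] variables bound with >> / >>*, and |name|
# lists of previously seen values consulted by ==>. One context per rule instance.
class RuleContext:
    def __init__(self):
        self.vars, self.lists = {}, {}

def compare(value, op, arg, ctx):
    """Evaluate one comparison from the operator table against an event field."""
    if op == "==":
        return value == arg
    if op == "==*":
        return str(value).lower() == str(arg).lower()
    if op in ("in", "in*"):  # one == (or ==*) test per list element, true on first hit
        return any(compare(value, "==" + op[2:], v, ctx) for v in arg)
    if op in ("~", "~*"):
        flags = re.IGNORECASE if op == "~*" else 0
        return re.search(arg, str(value), flags) is not None
    if op in (">>", ">>*"):  # assign-or-equal: bind on first use, then act as == / ==*
        if arg not in ctx.vars:
            ctx.vars[arg] = value
            return True
        return compare(value, "==" + op[2:], ctx.vars[arg], ctx)
    if op == "==>":  # true only for a value not yet in the |arg| list, which then records it
        seen = ctx.lists.setdefault(arg, set())
        if value in seen:
            return False
        seen.add(value)
        return True
    raise ValueError(f"unsupported operator {op!r}")

def matching_events(events):
    """Apply  source_username >>* [username] && source_country ==> |countries|  to a stream."""
    ctx, hits = RuleContext(), []
    for i, ev in enumerate(events):
        # && short-circuits, so ==> only records countries once the user comparison passed
        if (compare(ev["source_username"], ">>*", "username", ctx)
                and compare(ev["source_country"], "==>", "countries", ctx)):
            hits.append(i)
    return hits  # indexes of the events that satisfied the rule

SAMPLE_EVENTS = [  # constructed sample events, not real USM Anywhere telemetry
    {"source_username": "Alice", "source_country": "US"},
    {"source_username": "alice", "source_country": "US"},
    {"source_username": "bob", "source_country": "DE"},
    {"source_username": "ALICE", "source_country": "DE"},
]
```

Running matching_events(SAMPLE_EVENTS) returns [0, 3]: the first event binds [username] and records US, the second is the same user from a known country, the third fails the user comparison (so DE is not recorded), and the fourth is the bound user from a new country.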