In this example we are going to create an orchestration rule to generate an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. when an access to a specific path is detected in a web server.
To create an orchestration rule for generating an alarm when an access to a specific path is detected in a web server
- Navigate to SETTINGS > RULES.
- Click Create Orchestration Rule > Create Alarm Rule.
- Type a name for the rule, for instance 'Secret Path Accessed.'
- Select an Intent. The intent describes the context of the behavior that is being observed. These intents roughly map to the stages of the ‘Intrusion Kill Chains’ but collapsed so as to ensure that each is discrete. See Intent for further information about the available threat categories.
- Type a Method. If known, it is the method of attack or infiltrationIndicator that specifies method of attack that generated an alarm. For OTX pulses, this method is the pulse name. associated with the indicator that generated the alarm.
- Select a Strategy. The strategy describes the broad-based strategy or behavior that is detected. The intention is to describe the strategy the maliciousActivity in a system that exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information systems. user is using to achieve their goal.
- Type a Priority. See Priority Field for Alarms for more information.
- Configure a Mute value. Once an alarm is created, you can set the time that USM Anywhere will not create a new alarm based on the same conditions. This configured time is the mute value and you can specify it in seconds, minutes, and hours.
- Select the fields you want to display in the generated alarm. You can select or remove the fields you want to include in the details of the alarm by clicking the Right Arrow icon () and the Left Arrow icon ().
- Select the following property values
(Optional) To include a multiple occurrence parameter, click the More... link.
These options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through SCP.loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five minute window.
- Occurrences — Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
Length — Specify the length of the window used to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule is not a match.
In this example, the rule will apply when the configured conditions happen five times every three hours.
- Click Save Rule.
Note: This is a required field; if you do not fill this field, the Save button will remain inactive.
Note: Keep in mind that the order of the conditions is significant and USM Anywhere follows a specific order in the rules conditions; they are read from left to right. In addition, if your rule includes the packet_type and plugin_device fields they should always go first and in that order.
The rule has been created. You can see it from SETTINGS > RULES. See Orchestration Rules for further information.