Documentation Center
DOCUMENTATION > AlienVault® USM Anywhere™ > User Guide > Rules Management > Orchestration Rules
AlienVault® USM Anywhere™

Orchestration Rules

  Role Availability   Read-Only   Analyst   Manager

About Orchestration Rules

USM Anywhere allows you to create and manage your own orchestration rules. Keep in mind that these rules verify whether they match with every new event coming into the system.

USM Anywhere includes the following orchestration rules

Note: USM Anywhere follows a specific order for applying orchestration rules. See Orchestration Rules Workflow for further information.

You can also create orchestration rules from the details of an event or alarm. The functionality works the same way and the popup window is similar when you are creating a rule either from a detail page of an event or alarm or from the settings page.

Important: The easiest way to configure an orchestration rule is from the Alarm and from the Events details pages. see Creating Notification Rules from the Alarms Page, Creating Alarm Rules from the Events page, and Creating Notification Rules from the Events Page for further information.

If you want to see an example of an orchestration rule, see Example: Creating an Orchestration Rule.

AlienApp™ Orchestration Rules

Some of the AlienApps available in USM Anywhere enable you to automate and orchestrate response actions in third-party security tools, which simplifies and accelerates your threat detection and incident response processes. With a configured integration, the following AlienApps include support for app actions in orchestration rules:

Managing Orchestration Rules

To edit an orchestration rule

  1. Navigate to SETTINGS > RULES.
  2. The all orchestration rules page displays.

  3. Click the Edit icon () of the orchestration rule you want to edit.
  4. Modify the data you need to.
  5. Click Save Rule.

To delete an orchestration rule

  1. Navigate to SETTINGS > RULES.
  2. The all orchestration rules page displays.

  3. Click the Delete icon () of the orchestration rule you want to delete.
  4. A popup window displays to confirm the deletion.

  5. Click Accept.

To enable an orchestration rule

  1. Navigate to SETTINGS > RULES.
  2. The all orchestration rules page displays.

  3. Click the ON icon () of the orchestration rule you want to enable.

To disable an orchestration rule

  1. Navigate to SETTINGS > RULES.
  2. The all orchestration rules page displays.

  3. Click the OFF icon () of the orchestration rule you want to disable.

To enable all orchestration rules

  1. Navigate to SETTINGS > RULES.
  2. The all orchestration rules page displays.

  3. In the list of rules, click the first box in the first column to select all the orchestration rules.
  4. Click Enable All Rules.

To disable all suppression rules

  1. Navigate to SETTINGS > RULES.
  2. The all orchestration rules page displays.

  3. In the list of rules, click the first box in the first column to select all the orchestration rules.
  4. Click Disable All Rules.
  5. A warning popup window displays.

  6. Click Accept.