Documentation Center
AlienVault® USM Anywhere™

Orchestration Rules

  Role Availability   Read-Only   Analyst   Manager

About Orchestration Rules

USM Anywhere enables you to create and manage your own orchestration rules. Keep in mind that these rules are evaluated against every new event (any traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall) coming into the system.

USM Anywhere includes these orchestration rules:

Note: USM Anywhere follows a specific order for applying orchestration rules. See Orchestration Rules Workflow for more information.

Note: The order of the conditions is significant. USM Anywhere reads the conditions of a rule from left to right. In addition, if your rule includes the packet_type and plugin_device fields, they should always go first and in that order.

You can also create orchestration rules from the details of an event or alarm. The functionality works the same way, and the popup window is similar whether you create a rule from the details page of an event or alarm or from the settings page.

Important: The easiest way to configure an orchestration rule is from the details page of an alarm or an event. See Creating Notification Rules from the Alarms Page, Creating Alarm Rules from the Events Page, and Creating Notification Rules from the Events Page for more information.

See Example: Creating an Orchestration Rule if you want to see an example of an orchestration rule.

AlienApp™ Orchestration Rules

Some of the AlienApps available in USM Anywhere enable you to automate and orchestrate response actions in third-party security tools, which simplifies and accelerates your threat detection and incident response processes. (AlienApps extend the threat detection and security orchestration capabilities of the USM Anywhere platform to other security tools that your IT team uses, providing a consolidated approach to threat detection and response. Incident response is a business process or plan dictating how an organization handles security incidents such as a security breach or attack.) With a configured integration, these AlienApps include support for app actions in orchestration rules:

Managing Orchestration Rules

To filter orchestration rules by name

  1. Go to Settings > Rules.
  2. Click the box next to Filter by.
  3. Enter your search.

To filter orchestration rules by rule status

  1. Go to Settings > Rules.
  2. Click the combo box next to Rule Status.
  3. Select All Rules, Enabled, or Disabled.

To edit an orchestration rule

  1. Go to Settings > Rules to open the All Orchestration Rules page.
  2. Click the icon of the orchestration rule you want to edit.
  3. Modify the items that need to change.
  4. Click Save Rule.

To delete an orchestration rule

  1. Go to Settings > Rules to open the All Orchestration Rules page.
  2. Click the icon of the orchestration rule you want to delete.
  3. Confirm by clicking Accept.

To enable an orchestration rule

  1. Go to Settings > Rules to open the All Orchestration Rules page.
  2. Click the icon of the orchestration rule you want to enable.

To disable an orchestration rule

  1. Go to Settings > Rules to open the All Orchestration Rules page.
  2. Click the icon of the orchestration rule you want to disable.

To enable all orchestration rules

  1. Go to Settings > Rules to open the All Orchestration Rules page.
  2. In the list of rules, click the first box in the first column to select all the orchestration rules.
  3. Click Enable All Rules.

To disable all orchestration rules

  1. Go to Settings > Rules to open the All Orchestration Rules page.
  2. In the list of rules, click the first box in the first column to select all the orchestration rules.
  3. Click Disable All Rules.
  4. Confirm by clicking Accept.