AlienVault® USM Central™

Orchestration Rule Creation

You can create and manage rules for all your deployments from the Rules page in the Settings menu. Once you have created a rule, you can also copy it and modify the copy for alternate uses or for use in other deployments.

Rule Creation

Orchestration Rule Operators

The table below lists the operators available in individual rule conditions. Each row gives the operator, its meaning, and an example condition written as "Field Operator Value".

Rules Operators

Operator | Meaning | Example
Equals | Compares the field to the specified value | Data Source Equals Okta
Equals, case insensitive | Compares the field to the specified value, ignoring case | Packet Type Equals, case insensitive Log
Not Equals | The value of the specified field does not match the specified value | Event Activity Not Equals Beacon
Not Equals, case insensitive | The value of the specified field does not match the specified value, ignoring case | Event Activity Not Equals, case insensitive beacon
Contains | Checks for the presence of a substring in a string | Event Name Contains Login Failed
Contains, case insensitive | Checks for the presence of a substring in a string, ignoring case | Event Name Contains, case insensitive login failed
Assign or Equal | Assigns the value to the field if the field is empty; if the field is already populated, behaves like Equals | Username Assign or Equal [var_source_username]
In | Matches when the field equals any one of a list of character or numeric values. The list must be in parentheses, with each character value in quotation marks and values separated by a comma or a blank | Event Name In Invalid User, Illegal User, Failed Password, Root Login Refused
In, case insensitive | Same as In, ignoring case | Event Name In, case insensitive invalid user, illegal user, failed password, root login refused
Match | Finds elements that match a specified regular expression pattern | Destination Hostname Match /.*\.google/
Match, case insensitive | Finds elements that match a specified regular expression pattern, ignoring case | Destination Hostname Match, case insensitive /.*\.Google/
Greater than | Returns true if the left operand is greater than the right operand | Src Port Greater than 10000
Less than | Returns true if the left operand is less than the right operand | Src Port Less than 100
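To make the operator semantics concrete, the following Python evaluator is an added example written for this page; it is not USM Central's implementation. Its function names, the (field, operator, value) condition tuples, the [var_<field>] token expansion and the sample events are assumptions constructed for illustration. It applies the operators from the table to a few constructed events, combines conditions with AND the way a rule does, and demonstrates a caveat worth remembering for the Match operator: a pattern such as /.*\.google/ is unanchored, so it also matches a lookalike hostname like www.google.attacker.example, and a rule meant to identify a specific domain should anchor the pattern.

```python
import copy
import re
from typing import Any, Callable, Dict, List, Sequence, Tuple

Event = Dict[str, Any]
Condition = Tuple[str, str, Any]  # (field, operator name, value)

# Constructed sample events, loosely shaped like normalized event fields.
# They are illustrative data, not output from any real deployment.
SAMPLE_EVENTS: List[Event] = [
    {"data_source": "Okta", "event_name": "Login Failed: bad password",
     "destination_hostname": "maps.google.com", "src_port": 51234,
     "source_username": "alice", "username": ""},
    {"data_source": "okta", "event_name": "User login",
     "destination_hostname": "www.google.attacker.example", "src_port": 80,
     "source_username": "bob", "username": "bob"},
    {"data_source": "SSH", "event_name": "Root Login Refused",
     "destination_hostname": "bastion.internal", "src_port": 22,
     "source_username": "root", "username": ""},
]

_VAR = re.compile(r"^\[var_([a-z0-9_]+)\]$")


def resolve(event: Event, value: Any) -> Any:
    """Expand a [var_<field>] token to that field's value (assumed token syntax)."""
    if isinstance(value, str):
        m = _VAR.match(value)
        if m:
            return event.get(m.group(1))
    return value


def _fold(value: Any, ignore_case: bool) -> str:
    return str(value).lower() if ignore_case else str(value)


def _num(value: Any):
    """Numeric view of a value, or None when it cannot be compared numerically."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def op_equals(actual, expected, ignore_case=False) -> bool:
    return _fold(actual, ignore_case) == _fold(expected, ignore_case)


def op_not_equals(actual, expected, ignore_case=False) -> bool:
    return not op_equals(actual, expected, ignore_case)


def op_contains(actual, needle, ignore_case=False) -> bool:
    return _fold(needle, ignore_case) in _fold(actual, ignore_case)


def op_in(actual, candidates: Sequence[Any], ignore_case=False) -> bool:
    return any(op_equals(actual, c, ignore_case) for c in candidates)


def op_match(actual, pattern: str, ignore_case=False) -> bool:
    # re.search is unanchored: /.*\.google/ also hits "www.google.attacker.example".
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, str(actual), flags) is not None


def op_greater_than(actual, threshold) -> bool:
    a, t = _num(actual), _num(threshold)
    return a is not None and t is not None and a > t


def op_less_than(actual, threshold) -> bool:
    a, t = _num(actual), _num(threshold)
    return a is not None and t is not None and a < t


def op_assign_or_equal(event: Event, field: str, value: Any) -> bool:
    """Assign when the field is empty; otherwise behave like Equals."""
    current = event.get(field)
    if current is None or current == "":
        event[field] = value
        return True
    return op_equals(current, value)


OPERATORS: Dict[str, Callable[..., bool]] = {
    "equals": op_equals,
    "equals_ci": lambda a, e: op_equals(a, e, True),
    "not_equals": op_not_equals,
    "not_equals_ci": lambda a, e: op_not_equals(a, e, True),
    "contains": op_contains,
    "contains_ci": lambda a, n: op_contains(a, n, True),
    "in": op_in,
    "in_ci": lambda a, c: op_in(a, c, True),
    "match": op_match,
    "match_ci": lambda a, p: op_match(a, p, True),
    "greater_than": op_greater_than,
    "less_than": op_less_than,
}


def evaluate(event: Event, conditions: Sequence[Condition]) -> bool:
    """AND all conditions together; Assign or Equal may mutate the event it is given."""
    for field, op, raw in conditions:
        value = resolve(event, raw)
        if op == "assign_or_equal":
            ok = op_assign_or_equal(event, field, value)
        else:
            ok = OPERATORS[op](event.get(field), value)
        if not ok:
            return False
    return True


def matching_indices(events: Sequence[Event], conditions: Sequence[Condition]) -> List[int]:
    """Indices of events the rule matches; each event is copied so assignments stay local."""
    return [i for i, ev in enumerate(events) if evaluate(copy.deepcopy(ev), conditions)]


# Three constructed rules built from the table's operators.
OKTA_FAILED_LOGIN_HIGH_PORT: List[Condition] = [
    ("data_source", "equals_ci", "okta"),
    ("event_name", "contains_ci", "login failed"),
    ("src_port", "greater_than", 10000),
]
GOOGLE_DEST_UNANCHORED: List[Condition] = [("destination_hostname", "match", r".*\.google")]
GOOGLE_DEST_ANCHORED: List[Condition] = [("destination_hostname", "match", r"\.google\.com$")]

if __name__ == "__main__":
    print("okta failed logins:", matching_indices(SAMPLE_EVENTS, OKTA_FAILED_LOGIN_HIGH_PORT))
    print("unanchored match:", matching_indices(SAMPLE_EVENTS, GOOGLE_DEST_UNANCHORED))
    print("anchored match:", matching_indices(SAMPLE_EVENTS, GOOGLE_DEST_ANCHORED))
```

The unanchored rule matches both the genuine google.com hostname and the lookalike, while the anchored form matches only the genuine one; the same discipline applies to the case-insensitive variants, which only change how values are compared, not where a pattern is allowed to match.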