AlienVault® USM Central™

Orchestration Rules

USM Central allows you to synchronize orchestration rules with your connected USM Anywhere deployments and create rules in the USM Central UI for use with the other deployments. By default, any rules that exist in connected USM Anywhere deployments are synchronized with Central.

In the Rules tab under Settings, all of the orchestration rules are displayed by default. The sidebar to the left allows you to filter by rule type. You can also filter rules by using the filtering tools above the list of rules: type a specific word to search for in the Filter by field, restrict the list to rules associated with specific deployments by entering one or more deployment instances in the Deployments field, and filter by active and inactive rules in the Status field.

Types of Orchestration Rules

  • Filtering Rules allow your sensor to ignore the events related to the conditions of the rule. You can use filtering rules to keep certain events from being processed and correlated or stored, allowing you to save data space.
  • Suppression Rules allow you to save the events that result from the rule without displaying the events in the UI. This allows you to limit potential false positives (a condition that is flagged as a vulnerability or weakness but is not actually a concern, which may be caused by other mitigating conditions, such as additional security technology, or by inefficient tuning of detection technology) and reduce noise while still allowing you to review the events later by going to the alarms page and clicking the Show Suppressed button.
  • Notification Rules can be used to send a notification if the conditions of the rule are met. Notifications can be sent through Amazon SNS, Datadog, Email, PagerDuty, or Slack.
  • Response Action Rules can be set up in conjunction with a specific AlienApp and sensor to trigger a designated app action.
  • Alarm Rules trigger an alarm when the conditions are met. These rules allow you to associate intent, strategy, and priority to the alarm and designate event types to the alarm so that you can easily manage and respond to the alarms.

General Rule Actions

To filter alarm rules

  1. Go to Settings > Rules.
  2. Above the list of rules, you can use one or more of the filtering methods:
    • Click the Filter By field and type the name of the rule.
    • Click the All Deployments dropdown and select one or more deployments.
    • Click the Status dropdown and select Enabled, Disabled, or All Rules.

To bulk select rules

  1. Go to Settings > Rules.
  2. Filter the rules to find the rules you want to select.
  3. Click the check box next to each rule you want to bulk select.

    From here you can bulk enable or disable the rules.

To copy a rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to copy.
  3. Click the Copy icon next to the rule.
  4. Make any necessary changes to the copied rule.
  5. Click Save.

To edit a rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to edit.
  3. Click the name of the rule you want to edit.
  4. Make any necessary changes to the rule.
  5. Click Save.

To delete an alarm rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to delete.
  3. Click the Delete icon next to the rule you want to delete.
  4. Click Accept to confirm you are sure you want to delete the rule.

To enable or disable an alarm rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to enable or disable.
  3. Click the on/off toggle icon to enable or disable the rule.