AlienVault® USM Central™

Orchestration Rules

USM Central allows you to synchronize orchestration rules with your connected USM Anywhere deployments and create rules in the USM Central UI for use with the other deployments. By default, any rules that exist in connected USM Anywhere deployments are synchronized with Central.

In the Rules tab under Settings, all of the orchestration rules are displayed by default. The sidebar to the left allows you to filter by rule type. You can also filter rules by using the filtering tools above the list of rules: type a specific word to search for in the Filter by field, restrict the list to rules associated with specific deployments by entering one or more deployment instances in the Deployments field, and filter by active and inactive rules in the Status field.

Types of Orchestration Rules

  • Filtering Rules allow your sensor to ignore events that match the conditions of the rule. You can use filtering rules to keep certain events from being processed, correlated, or stored, saving data space.
  • Suppression Rules allow you to save the events that result from the rule without displaying the events in the UI. This allows you to limit potential false positives and reduce noise while still allowing you to review the events later by going to the alarms page and clicking on the Show Suppressed button.
  • Notification Rules can be used to send a notification if the conditions of the rule are met. Notifications can be sent through Amazon SNS, Datadog, Email, PagerDuty, or Slack.
  • Response Action Rules can be set up in conjunction with a specific AlienApp and sensor to run a designated app action when the conditions of the rule are met.
  • Alarm Rules trigger an alarm when the conditions are met. These rules allow you to associate intent, strategy, and priority to the alarm and designate event types to the alarm so that you can easily manage and respond to the alarms.
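To make the difference between the rule types concrete, the following is an added Python model, not AlienVault code; the event fields, addresses and rules are constructed. It applies filter, suppress and alarm rules to a few events and shows that filtered events never reach storage, suppressed events are stored but hidden until Show Suppressed is used, and alarm rules record which rule fired.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Rule:
    kind: str                         # "filter", "suppress" or "alarm"
    name: str
    matches: Callable[[dict], bool]
    enabled: bool = True              # disabled rules are skipped

@dataclass
class Store:
    events: list = field(default_factory=list)   # everything retained
    alarms: list = field(default_factory=list)   # (rule name, event) pairs

def process(events, rules):
    """Apply enabled rules in order. A filter match drops the event before it
    is stored; a suppress match stores it flagged so the UI hides it; an alarm
    match records an alarm naming the rule that fired."""
    store = Store()
    for raw in events:
        ev, keep = dict(raw, suppressed=False), True
        for rule in (r for r in rules if r.enabled and r.matches(raw)):
            if rule.kind == "filter":
                keep = False
                break
            if rule.kind == "suppress":
                ev["suppressed"] = True
            elif rule.kind == "alarm":
                store.alarms.append((rule.name, ev))
        if keep:
            store.events.append(ev)
    return store

def visible_events(store, show_suppressed=False):
    """Model the alarms page: suppressed items stay hidden until Show Suppressed."""
    return [e for e in store.events if show_suppressed or not e["suppressed"]]

# Constructed sample events and rules (not from any real deployment).
SAMPLE_EVENTS = [
    {"source": "10.0.0.5", "event_name": "dhcp lease renewed", "severity": "info"},
    {"source": "10.0.0.9", "event_name": "failed login", "severity": "low"},
    {"source": "10.0.0.9", "event_name": "failed login", "severity": "low"},
    {"source": "10.0.0.7", "event_name": "new admin account", "severity": "high"},
]
RULES = [
    Rule("filter", "drop dhcp noise", lambda e: "dhcp" in e["event_name"]),
    Rule("suppress", "known scanner host", lambda e: e["source"] == "10.0.0.9"),
    Rule("alarm", "high severity event", lambda e: e["severity"] == "high"),
]
```

Running `process(SAMPLE_EVENTS, RULES)` stores three of the four events, shows only one of them by default, all three with Show Suppressed, and raises a single alarm; note that a filtered event leaves no record to review later, which is the practical trade-off between filtering and suppression.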

General Rule Actions

To filter alarm rules

  1. Go to Settings > Rules.
  2. Above the list of rules, you can use one or more of the following filtering methods:
    • Click the Filter By field and type the name of the rule.
    • Click the All Deployments dropdown and select one or more deployments.
    • Click the Status dropdown and select Enabled, Disabled, or All Rules.

To bulk select rules

  1. Go to Settings > Rules.
  2. Filter the rules to find the rules you want to select.
  3. Click the check box next to each rule you want to bulk select.

    From here you can bulk enable or disable the rules.

To copy a rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to copy.
  3. Click the icon next to the rule to copy it.
  4. Make any necessary changes to the copied rule.
  5. Click Save.

To edit a rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to edit.
  3. Click the name of the rule you want to edit.
  4. Make any necessary changes to the rule.
  5. Click Save.

To delete an alarm rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to delete.
  3. Click the icon next to the rule to delete it.
  4. Click Accept to confirm that you want to delete the rule.

To enable or disable an alarm rule

  1. Go to Settings > Rules.
  2. Filter the rules to find the rule you want to enable or disable.
  3. Click the icon to enable the rule or the icon to disable the rule.

To show the alarms triggered by a rule

  1. Go to Settings > Rules to open the All Orchestration Rules page.
  2. Click the icon in the right column of the suppression or alarm rule you want to examine.

    The Alarms List view page opens.

  3. The page includes Rules Name as a filter so that you can see how many alarms match the selected rule.