Role Availability | ❌ Read-Only ❌ Investigator ✔️ Analyst ✔️ Manager You can create orchestration rules in USM Anywhere that automatically trigger a Salesforce response action when events, alarms, or vulnerabilities match the criteria that you specify. For example, you might create a rule where USM Anywhere automatically creates a new Salesforce incident when malware is detected so that a member of your response team can manage and address the issue. Salesforce events are updated on an hourly basis. After you create a rule, new events, alarms, or vulnerabilities that match the rule conditions will trigger the Salesforce response action to create a new incident. The rule does not trigger for existing events, alarms, or vulnerabilities. You can create a new rule as follows:
  • From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, event rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules. Go to Settings > Rules and select Response Action Rules on the left navigation pane. Then click Create Response Action Rule to define the new rule.
To define a new Salesforce response action rule
  1. Enter a name for the rule.
  2. Select the App Action for the rule and specify the information for the Salesforce incident. The Salesforce parameters that you set will depend on the action that you select.
    • Create a New Incident from a Vulnerability Status Update Creating a new incident from a vulnerability status update is the default action if you create the rule after applying a Salesforce response action to a vulnerability. Use this action to open a new incident when a status change occurs for vulnerabilities that satisfy the matching criteria.
      To match vulnerability status updates, your rule must include the following criteria: (packet_type == 'system_event' AND object_type == 'AssetVulnerabilityStatus').However, it is important to be aware that this will return all vulnerability status changes matching these rules. It is advisable to narrow the rule with further conditions. Additionally, you can create a similar alarm rule first to test the amount of responses it would generate when active before you use the rule to create Salesforce cases.
    • Create a New Incident from an Alarm Creating a new incident from an alarm is the default action if you create the rule after applying a Salesforce response action to an alarm. Use this action to open a new Salesforce incident for a new alarm that satisfies the matching criteria.
    • Create a New Issue from Event-Based Orchestration
    -Use the action of creating a new issue from event-based orchestration to open a new Salesforce incident for any event that satisfies the matching criteria.
  3. At the bottom of the dialog box, set the Rule Condition parameters to specify the criteria for a matching alarm or event to trigger the rule.
    • If you create the rule from an applied action, this section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
    • If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
    • At the bottom of the dialog box, click More to display the optional multiple occurrence and window length parameters.
  4. Click Save Rule.
  5. In the confirmation dialog box, click OK.