> ## Documentation Index > Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt > Use this file to discover all available pages before exploring further. # Operators in the Orchestration Rules USM Anywhere enables you to use operators in orchestration rules to match specific events or alarms. The following table lists the orchestration rule operators, their meanings, and an example for each. **Orchestration Rules: Operators** | Operator | Meaning | Example | | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Assign or Equal | Checks whether a field is equal to a value in the list. A value will be assigned if empty. If the variable is populated it acts like Equals. | **Note:** USM Anywhere completes the value according to the field you have selected. The structure is always "var" followed by the field name. In the example above, the first condition assigns the destination IP address to \[var\_destination\_address] and a list of variables, and the second condition looks for the source IP address that equals a variable in the list. Essentially, when both conditions are met, you will see events or alarms whose destination IP address is the same as their source IP address.
**Note:** Rules are only muted if the user or field matches a value in the variable list. If the user or field is not equal to a value found in the list, this operator adds the value to the list.

For example, `source_username >> [user] mute length="6h"` will trigger when user Bob is found and will not trigger again for Bob in the next 6 hours. But when Mary meets the condition, it will trigger the alarm again, as `“Mary”` does not exist in the `source_username list [“Bob“]`.
See [Examples of Using the Assign or Equal Operator](https://cybersecurity.att.com/documentation/usm-anywhere/user-guide/rules-management/orchestration-rules-operators). | | Assign or Equal, case insensitive | Checks whether a field is equal to a value in the list. A value will be assigned if empty. If the variable is populated it acts like Equals, ignoring case considerations. | | | Contains | Checks for the presence of a substring in a string. | | | Contains, case insensitive | Checks for the presence of a substring in a string, ignoring case considerations. | | | Equals | Compares the field to the specified value. | | | Equals, case insensitive | Compares the field to the specified value, ignoring case considerations. | | | Greater than | Returns true if the left operand is greater than the right operand. | | | In | Searches for character and numeric values that are equal to one from a list of comma-separated values. | | | In, case insensitive | Searches for character and numeric values that are equal to one from a list of comma-separated values, ignoring case considerations. | | | In List | Returns true if the value is included in the correlation list (see [Example: Creating an Alarm Rule Using a Correlation List](https://cybersecurity.att.com/documentation/usm-anywhere/user-guide/rules-management/ex-correlation-list)). | | | In List, case insensitive | Returns true if the value is included in the correlation list, ignoring case considerations. | | | Is Empty | Finds elements that have an empty value (operates in the same way as Equals but matches against an empty string). | | | Is Not Empty | Finds elements that have a value. They cannot be blank. | | | Is In CIDR | Finds elements that are included in the given IP range, using Classless Inter-Domain Routing (CIDR) notation. | | | Is Not In CIDR | Find elements that are not included in the given IP range (using CIDR notation). | | | Less Than | Returns true if the left operand is less than the right operand. | | | Match | Finds elements that match a specified pattern [using regular expressions](/documentation/usm-anywhere/user-guide/rules-management/orchestration-rules-operators). | | | Match, case insensitive | Finds elements that match a specified pattern using regular expressions, ignoring case considerations. | | | Not Equals | Returns true when the specified field does not match the specified value. | | | Not Equals, case insensitive | Returns true when the specified field does not match the specified value, ignoring case considerations. | | ## Examples of Using the Assign or Equal Operator ## Monitor Fields with Variable Values Without using the Assign or Equal operator, a rule cannot be created that distinguishes between variable values in fields such as logins by different users. ***Example: Using unique logins*** Use the Assign or Equal operator to create a rule that monitors unique logins by triggering an alarm if any user successfully logs in more than three times in five minutes, with an hour mute time. This alarm triggers regardless of whether a separate user has also triggered the alarm within the mute time. For example: ``` plugin == "some_plugin" AND event_type =='SUCCESS_LOGIN' AND source_username >> [var_source_username] mute length="1h" ``` By using the Assign or Equal operator, when a user successfully logs in their unique name is assigned to a list. If that same user logs in again, that username is equal to a value in the list, therefore that value is incremented by one. Once that value reaches 3 within 5 minutes, the alarm is triggered. Mute is applied at this point for this user only. ### Use as a Comparison Assign and Equal can be used to compare values in logs. ***Example: Comparing IP addresses*** Use the Assign or Equal operator to apply a rule if the source IP and destination IP are the same. USM Anywhere assigns the source IP address to the variable var\_source\_address and then compares the destination\_address against that variable. For example: ``` plugin == 'some_plugin' AND source_address >> [var_source_address] AND destination_address >> [var_source_address] ``` ## Using Regular Expressions in USM Anywhere The `Match` and `Match`, `case insensitive` operators enable you to use regular expressions (regex) to define a pattern to match the content of a field. **Important:** USM Anywhere uses the [Java Regular Expression Syntax](https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html), which is different from JavaScript, Perl, Gnu, and other flavors of regex. Be sure to read their documentation and familiarize yourself with the differences. It is highly recommended that you find and use a tool to test your regular expressions before saving them into rules. Some popular examples include [Java Regular Expression Tester](https://www.freeformatter.com/java-regex-tester.html) or [RegexPlanet](https://www.regexplanet.com/advanced/java/index.html). When using regular expressions in USM Anywhere, keep the following in mind: * The expression pattern must be delimited with the forward slash ("/") character. For example: ``` /Router -.*/ ``` * Use a backslash ("\\") to escape special characters that would otherwise be interpreted as regex syntax, which includes the "\\" character itself. For example: ``` /C:\\Windows\\System\\.*/ ``` **Note:** Since the backslashes are not used as literals in Java code, but are carried as data in strings in the system, you do not need to double-escape them like you would if you were putting a regex pattern into a Java literal in coding. * You can use capture and grouping syntax such as \1, \$1, or (?:). * Modifiers such as /i, /x, /m, and /s are not supported. ## Possible Messages When Creating Rules When you are creating a rule, you may receive one or more of the following messages. **Rules Messages** | Message | This Message Is Displayed When | | ----------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | | At least one criterion is required besides packet type | *Packet Type* is the unique criterion in the rule condition. | | All condition fields must have a value | The condition value is missing. | | Case insensitive operator does not apply to numbers | You selected a *case insensitive* operator and the condition value is a number. | | A regular expression must be used with "Match" operator (example: \~ /value/) | You selected the *Match* operator and the condition value has to be a valid regex. | | A variable expression must be used with "Assign or Equal" operator (example: >> varname) | You selected the *Assign* or *Equal* operator and the condition value must be a valid variable name between brackets. | | Some characters used could be part of a regular expression (use "Match" operator) | Your condition value contains \*, +, \[, or ], but the *Match* operator is not selected. | ## Related Video Content