> ## Documentation Index
> Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating Akamai EAA Response Action Rules

You can create orchestration rules in USM Anywhere that automatically trigger an Akamai Enterprise Application Access (EAA) response action when <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarms</Tooltip> or <Tooltip tip="Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.">events</Tooltip> match the criteria that you specify. After you create a rule, new vulnerabilities that match the rule conditions will trigger the Akamai EAA response action to create a new incident. The rule does not trigger for existing alarms or events.

You can create a new rule as follows:

* **From the Rules page**: The Rules page provides access to all your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, event rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See [Orchestration Rules](../../user-guide/rules-management/orchestration-rules) for more information about managing orchestration rules.

  Go to **Settings > Rules** and select **Response Action Rules** on the left navigation panel. Then click **Create Response Action Rule** to define the new rule.

* **From the app**: Go to the BlueApp for Akamai Enterprise Application Access page and click the **Rules** tab. Click **Create New Rule** to define the new rule.

**To define a new Akamai EAA response action rule**

1. Enter a name for the rule.

2. Select the app action for the rule and specify the information for the Akamai EAA incident.

3. At the bottom of the dialog box, set the Rule Condition parameters to specify the criteria for a matching vulnerability to trigger the rule.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/ElsAVGG4IM3pFRzT/images/usm-anywhere/alienapps/rules-conditions.webp?fit=max&auto=format&n=ElsAVGG4IM3pFRzT&q=85&s=ed0c95231c90d03bf18126555ab587e4" width="972" height="419" data-path="images/usm-anywhere/alienapps/rules-conditions.webp" />
   </Frame>

   * If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
   * At the bottom of the dialog box, click **More** to display the optional multiple occurrence and window length parameters.

   <AccordionGroup>
     <Accordion title="Conditional Expression">
       Select an operator and add one or more conditions to form the conditional expression. You can include a condition group to evaluate a subset of conditions. The Current Rule pane displays the constructed expression in standard syntax. The box displays a red border if the expression is syntactically invalid as currently specified. A valid expression is required to save the rule definition.

       Select the operator used to determine the match for multiple conditions:

       * **AND**: Match all conditions.
       * **OR**: Match any one condition.
       * **AND NOT**: Exclude items matching all conditions after the first.
       * **OR NOT**: Include all items that do not match any conditions after the first.

       Click **Add Condition** to add a condition. For each condition, specify the field name, evaluator, and value. If the evaluation returns true for the condition, it is a match.

       Click **Add Group** to add a condition group. A new group includes a condition and its own operator used to match the conditions within the group. You can nest condition groups.
     </Accordion>

     <Accordion title="Occurrences">
       Specify the number of event or alarm occurrences that produce a match on the conditional expression to trigger the rule. The default value is 1. You can enter the number of occurrences or use the arrow to scroll the value up or down.

       USM Anywhere uses this in conjunction with the Length option to specify the number of occurrences within a time period that will trigger the rule. For example, you can define a rule to trigger for an unauthorized access attempt when a failed <Tooltip tip="Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP).">SSH</Tooltip> login occurs three times within a five-minute window.
     </Accordion>

     <Accordion title="Length">
       Specify the length of the window to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours. This time period identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule does not trigger.
     </Accordion>
   </AccordionGroup>

4. Click **Save Rule**.

5. In the confirmation dialog box, click **OK**.