> ## Documentation Index
> Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating Alarm Rules from the Events Page

USM Anywhere enables you to easily identify existing and emerging threats, which are of interest. Through <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarm</Tooltip> rules on <Tooltip tip="Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.">events</Tooltip> that match the rule. These events will be neither correlated nor stored. Through these rules, you can define which event data you are going to store in USM Anywhere. You will pay for the data you use.

**To create an alarm rule from the Events page**

1. Go to **Activity > Events**.

2. Search the events which you want to include in the alarm rule.

   See [Searching Events](searching-events) for more information.

3. Click one of them.

4. Select **Create Rule > Create Alarm Rule**.

5. Select a Boolean operator.

   The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/LRsr4s1iGr_CM6ff/images/usm-anywhere/user-guide/rules-management/matchcombofiltsupp.webp?fit=max&auto=format&n=LRsr4s1iGr_CM6ff&q=85&s=644cde037e34d769431ea7df02f01014" width="308" height="263" data-path="images/usm-anywhere/user-guide/rules-management/matchcombofiltsupp.webp" />
   </Frame>

   * **Logs**: Use this packet type for event-based rules.
   * **Configuration Issues**: Use this packet type for configuration issues-based rules<Tooltip tip="This packet type refers to configuration issues that are used to identify incorrect uses of certain features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of the AWS security features.">¹</Tooltip>.
   * **Vulnerabilities**: Use this packet type for vulnerabilities-based rules.
   * **Alarms**: Use this packet type for console user alarms-based rules.
   * **Console User Events**: Use this packet type for console user events-based rules.

7. You have already suggested property values to create a matching condition. If you want to add new property values, click **Add Condition**.

   <Note>
     \*\*Note: \*\*Less common parameters will appear as paired *Custom Header N* and *Custom Field N* rows with the parameter's name and value. *N* represents the number that is automatically given to the parameter.
   </Note>

   <Note>
     **Note:** If the field is related to the name of a country, you should use the country code defined by the [ISO 3166](https://www.iso.org/iso-3166-country-codes.html).
   </Note>

   <Note>
     **Note:** The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
   </Note>

   <Warning>
     **Important:** Instead of using the `equals` and `equals`, `case insensitive` operators for array fields, LevelBlue recommends the use of the `in` or `contains` operators.
   </Warning>

   <Note>
     **Note:** If you need to add a property value that maps with a property key, you need to know the mapping of the field. See [Determining the Mapping of a Field](../rules-management/mapping-field) for more information.
   </Note>

8. (Optional) Click **Add Group** to group your conditions.

   <Note>
     **Note:** See [Operators in the Orchestration Rules](../rules-management/orchestration-rules-operators) for more information.
   </Note>

9. In the **Occurrences** text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule.

   You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.

   <Note>
     Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.
   </Note>

10. Click **Next**.

    <Frame>
      <img src="https://mintcdn.com/levelblue-5324744e/LRsr4s1iGr_CM6ff/images/usm-anywhere/user-guide/rules-management/ruleverification.webp?fit=max&auto=format&n=LRsr4s1iGr_CM6ff&q=85&s=52719fcab619098656679ab0756735fa" width="358" height="234" data-path="images/usm-anywhere/user-guide/rules-management/ruleverification.webp" />
    </Frame>

    <Warning>
      **Important:** A dialog box opens if there are warning messages. Click **Cancel** to review the warning messages, or click **Accept** to continue creating the rule.
    </Warning>

11. Enter a name for the rule and, if desired, a description to clarify its use in the Description field.

12. Select an intent.

    The intent describes the context of the behavior that is being observed. These intents roughly map to the stages of the intrusion kill chains but are collapsed to ensure that each is discrete. See [Intent](../rules-management/correlation-rules) for more information about the available threat categories.

13. Enter a method.

    If known, it is the method of attack or <Tooltip tip="Indicator that specifies the method of attack that generated an alarm. For Open Threat Exchange® (OTX™) pulses, this method is the pulse name.">infiltration</Tooltip> associated with the indicator that generated the alarm.

    <Note>
      **Note:** This is a required field; if you do not complete this field, the Save button remains inactive.
    </Note>

14. Select a strategy.

    The strategy describes the broad-based strategy or behavior that is detected. The intention is to describe the <Tooltip tip="Activity in a system that exceeds or misuses that access in a manner that negatively affects the confidentiality, integrity, or availability of the organization's information systems.">malicious</Tooltip> user's strategy to achieve their goal.

15. Enter a priority.

    See [Priority Field for Alarms](../alarms/alarms-list-priority-field) for more information.

16. Configure a mute duration set in seconds, minutes, and hours.

    You can use the mute value to set the period of time during which, once an alarm is createdUSM Anywhere will not create a new alarm based on the same conditions.

    <Note>
      **Note:** Take care to set a mute duration that is long enough to cover the span of time in which matching events will occur to maximize the efficacy of your mute.
    </Note>

    <Warning>
      **Important:** If your USM Anywhere™ is restarted when one of your alarm mutes is active, or if there is an update or hotfix, the alarm mute will be canceled.
    </Warning>

17. In the **Length** text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.

    This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

    <Note>
      Note: Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarm</Tooltip> for an <Tooltip tip="An incident-type categorization that may be a precursor to other actions or stages of an attack.">unauthorized access</Tooltip> attempt when a failed SSH <Tooltip tip="Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password.">login</Tooltip> occurs three times within a five-minute window.
    </Note>

18. (Optional) Select the fields that you want to display in the generated alarm.

    You can select or remove the fields you want to include in the details of the alarm. A field passes from one column to the other by clicking it.

19. Click **Save**.

    The created rule displays in the list of rules. You can see it from **Settings > Rules**. See [Orchestration Rules](../rules-management/orchestration-rules) for more information.

    <Warning>
      **Important:** It takes a few minutes for an orchestration rule to become active.
    </Warning>