> ## Documentation Index
> Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Response Action Rules from the Orchestration Rules Page

|                       |           |              |             |             |
| --------------------- | --------- | ------------ | ----------- | ----------- |
| **Role Availability** | Read-Only | Investigator | **Analyst** | **Manager** |

**To create a notification rule from the Orchestration rules page**

1. Go to **Settings > Rules**.

2. Select **Create Orchestration Rule > Response Action Rule**.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/WKvzNH1Td8kzeWqz/images/usm-anywhere/createresponseactionrule.webp?fit=max&auto=format&n=WKvzNH1Td8kzeWqz&q=85&s=b4df740707a23b9be6450be82c9495f0" alt="" width="921" height="469" data-path="images/usm-anywhere/createresponseactionrule.webp" />
   </Frame>

3. Select a Boolean operator.

   The options are AND, OR, AND NOT, and OR NOT.

4. Select a packet type in the Match drop-down list.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/JttNYaikKbN1las-/images/usm-anywhere/matchcombofiltsupp.webp?fit=max&auto=format&n=JttNYaikKbN1las-&q=85&s=ef7be78ac0d34c2a47ca89c8bc6813df" alt="" width="308" height="263" data-path="images/usm-anywhere/matchcombofiltsupp.webp" />
   </Frame>

   * **Logs:** Use this packet type for event-based rules.
   * **Configuration Issues:** Use this packet type for configuration issues-based rules1.
   * **Vulnerabilities:** Use this packet type for vulnerabilities-based rules.
   * **System Events:** Use this packet type for system events-based rules.
   * **Console User Events:** Use this packet type for console user events-based rules.
   * **Alarms:** Use this packet type for console user alarms-based rules.

5. Click **Add Conditions** and select the property values you want to include in the rule to create a matching condition.

   <Note>
     **Note:** If the field is related to the name of a country, you should use the country code defined by the [ISO 3166](https://www.iso.org/iso-3166-country-codes.html).
   </Note>

   <Note>
     **Note:** The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
   </Note>

   <Warning>
     **Important:** Instead of using the `equals` and `equals`, `case insensitive` operators for array fields, LevelBlue recommends the use of the in or contains operators.
   </Warning>

   <Note>
     **Note:** If you need to add a property value that maps with a property key, you need to know the mapping of the field. See [Determining the Mapping](/documentation/usm-anywhere/user-guide/rules-management/mapping-field) of a Field for more information.
   </Note>

6. (Optional.) Click **Add Group** to group your conditions.

   <Note>
     **Note:** See [Operators in the Orchestration Rules](/documentation/usm-anywhere/user-guide/rules-management/orchestration-rules-operators) for more information.
   </Note>

7. In the **Occurrences** text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule.

   You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.

   <Note>
     **Note:** The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.
   </Note>

8. Click **Next**.

   <Frame>
     <img src="https://mintcdn.com/levelblue-5324744e/MlnJpGwLYAWOIbAS/images/usm-anywhere/ruleverification.webp?fit=max&auto=format&n=MlnJpGwLYAWOIbAS&q=85&s=db9109c8ba7ebb9fd8e01d9dae4b1987" alt="" width="358" height="234" data-path="images/usm-anywhere/ruleverification.webp" />
   </Frame>

   <Warning>
     **Important:** A dialog box opens if there are warning messages. Click **Cancel** to review the warning messages, or click **Accept** to continue creating the rule.
   </Warning>

9. Enter a name for the rule.

10. (Optional.) Enter a description for identifying this rule.

11. Select an Action Type:

    * **AT\&T Cybersecurity <Tooltip tip="Process and method of investigation, including the collection, recording, and analysis of events to discover the source of network attacks and other potentially malicious or harmful activities.">Forensics</Tooltip> and Response App:** See [Scheduling a Forensics and Response Job](/documentation/usm-anywhere/alienapps-guide/forensics-response/log-collect-blueapp-forensics-resp) for more information.
    * **Authenticated Asset Scanner:** See [Performing Vulnerability Scans](/documentation/usm-anywhere/user-guide/vulnerability-assessment/perf-vulnerability-scans) for more information.
    * **Agent Query:** You can run a user-initiated agent query. There are several ad-hoc queries, which are in your environment by default. These queries generate events which can be used for a forensic investigation, so you can focus on fast response and remediation. See [The LevelBlue Agent](/documentation/usm-anywhere/agents/alienvault-agents) for more information.

12. Select an App Action.

    The options vary depending on the selected action type.

13. In the **Length** text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.

    This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

    <Note>
      **Note:** Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an <Tooltip tip="Alarms provide notification of an event or sequence of events that require attention or investigation.">alarm</Tooltip> for an <Tooltip tip="An incident-type categorization that may be a precursor to other actions or stages of an attack.">unauthorized access</Tooltip> attempt when a failed <Tooltip tip="Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP).">SSH</Tooltip> <Tooltip tip="Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password.">login</Tooltip> occurs three times within a five-minute window.
    </Note>

14. Click **Save**.

    The created rule displays in the list of rules. You can see it from **Settings > Rules**. See [Orchestration Rules](https://cybersecurity.att.com/documentation/usm-anywhere/user-guide/rules-management/orchestration-rules) for more information.

    <Warning>
      **Important:** It takes a few minutes for an orchestration rule to become active.
    </Warning>

**To filter response action rules by name**

1. Go to **Settings > Rules**.
2. Click the box next to Filter By.
3. Enter your search.

**To filter response action rules by rule status**

1. Go to **Settings > Rules**.
2. Click the combo box next to Rule Status.
3. Select **All Rules**, **Enabled**, or **Disabled**.

**To edit a response action rule**

1. Go to **Settings > Rules**.
2. Click the <img src="https://mintcdn.com/levelblue-5324744e/2zcwC17_yhGqZqy4/images/usm-anywhere/pencil-new.svg?fit=max&auto=format&n=2zcwC17_yhGqZqy4&q=85&s=3fe3fa0ee6ce2b44857bf81d5ab975d9" className="inline" width="24" height="24" data-path="images/usm-anywhere/pencil-new.svg" /> icon of the rule you want to edit.
3. Modify the data of the items that need to be modified.
4. Click **Next**.
5. Click **Save**.

**To delete a response action rule**

1. Go to **Settings > Rules**.
2. Click the <img src="https://mintcdn.com/levelblue-5324744e/9HhQ6wK11ydctaHc/images/usm-anywhere/trash-alt.svg?fit=max&auto=format&n=9HhQ6wK11ydctaHc&q=85&s=2a750f9ee3d6466fc6799984309cddf0" className="inline" width="24" height="24" data-path="images/usm-anywhere/trash-alt.svg" /> icon of the rule you want to delete.
3. Confirm by clicking **Accept**.

**To enable a response action rule**

1. Go to **Settings > Rules**.
2. Click the <img src="https://mintcdn.com/levelblue-5324744e/9HhQ6wK11ydctaHc/images/usm-anywhere/toggle-off-new.svg?fit=max&auto=format&n=9HhQ6wK11ydctaHc&q=85&s=bed00ce5e148a8148e763548ae6c8199" className="inline" width="32" height="16" data-path="images/usm-anywhere/toggle-off-new.svg" /> icon of the rule you want to enable.

**To disable a response action rule**

1. Go to **Settings > Rules**.
2. Click the <img src="https://mintcdn.com/levelblue-5324744e/9HhQ6wK11ydctaHc/images/usm-anywhere/toggle-on-new.svg?fit=max&auto=format&n=9HhQ6wK11ydctaHc&q=85&s=b0ecf1b6c804d5cf5eac9ea50b41480d" className="inline" width="32" height="16" data-path="images/usm-anywhere/toggle-on-new.svg" /> icon of the rule you want to disable.

**To enable all response action rules**

1. Go to **Settings > Rules**.
2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click **Enable All Rules**.

**To disable all response action rules**

1. Go to **Settings > Rules**.
2. In the list of rules, select the first checkbox in the first column to select all the rules.
3. Click **Disable All Rules**.
4. Confirm by clicking **Accept**.