-
- Go to Settings > Rules.
-
- Select Create Orchestration Rule > Create Response Action Rule.3.
- Enter a name for the rule.
- Select a deployment.
-
Select an Action Type:
- Agent Query: You can run a user-initiated agent query. There are several ad-hoc queries, which are in your environment by default. These queries generate events that can be used for a forensic investigation, so you can focus on fast response and remediation. See LevelBlue Agent Events and Queries for more information.
- Authenticated Asset Scanner: See Performing Vulnerability Scans for more information.
-
Cisco Umbrella: This is used to stop current and emergent threats over all ports and protocols. See BlueApp for Cisco Umbrella Actions for more information.
This option displays if your environment has Cisco Umbrella Events.
- LevelBlue and Response App: See Scheduling a Forensics and Response Job for more information.
-
Click Add Condition and select the property values you want to include in the rule to create a matching condition.
If the field is related to the name of a country, you should use the country code defined by the ISO 3166.The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
-
(Optional.) Click Add Group to group your conditions.
See Operators in the Orchestration Rules for more information.
- In the Occurrences text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.
- (Optional.) Click the More link to include a multiple occurrence parameter.
-
In the Length text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.
Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an for an attempt when a failed occurs three times within a five-minute window.
-
Click Save Rule.
The created rule displays in the list of rules.
It takes a few minutes for an orchestration rule to become active.
- Go to Settings > Rules.
- Click the box next to Filter By.
- Enter your search.
- Go to Settings > Rules.
- In the left navigation pane, click Response Action Rules.
- Click the box Deployment.
- Select All Rules, Enabled, or Disabled.
- Go to Settings > Rules.
- Click the combo box next to Rule Status.
- Select All Rules, Enabled, or Disabled.
- Go to Settings > Rules.
- On the left navigation pane, click Response Action Rules.
- Click the
icon of the rule you want to edit. - Modify the data of the items that need to be modified.
- Click Save Rule.
- Go to Settings > Rules.
- On the left navigation pane, click Response Action Rules.
- Click the
icon of the rule you want to delete. - Confirm by clicking Accept.
- Go to Settings > Rules.
- On the left navigation pane, click Response Action Rules.
- Click the
icon of the rule you want to enable.
- Go to Settings > Rules.
- On the left navigation pane, click Response Action Rules.
- Click the
icon of the rule you want to disable.
- Go to Settings > Rules.
- On the left navigation pane, click Response Action Rules.
- In the list of rules, select the first checkbox in the first column to select all the rules.
- Click Enable All Rules.
- Go to Settings > Rules.
- On the left navigation pane, click Response Action Rules.
- In the list of rules, select the first checkbox in the first column to select all the rules.
- Click Disable All Rules.
- Confirm by clicking Accept.