This guide has information about Cloud SIEM Enterprise (CSE) rules, including how to write rules, rule syntax, and CSE's built-in rules.
In this section, we'll introduce the following concepts:
About CSE Rules
Learn about CSE rules, rule syntax, and how to write rules.
Before You Write a Custom Rule
Learn how to plan a custom rule and prototype rule expressions.
Learn about the functions you can use when writing CSE Rules.
Learn how to write a Match rule.
Learn how to write a Chain rule.
Learn how to write an Aggregation rule.
Learn how to write a Threshold rule.
First Seen Rule
Learn how to write a First Seen rule.
Learn how to write an Outlier rule.
Look at the various pages that list CSE's built-in rules.
Import YARA Rules
Learn how to import YARA rules from GitHub into CSE.
Normalized Authentication Rules
Detect activities that compromise accounts using authentication logs.
Normalized Threat Rules
Learn about CSE’s built-in normalized threat rules.
Learn how to create and use tuning expressions for rules.
Tailor a Global Rule
Learn how to tailor global (built-in) rules in CSE.
Learn how to adjust rules to improve Insight generation.