This guide has information about Cloud SIEM Enterprise (CSE) rules, including how to write rules, rules syntax, and CSE built-in rules.
In this section, we'll introduce the following concepts:
📄️ About CSE Rules
Learn about CSE rules, rules syntax, and how to write rules.
📄️ Before You Write a Custom Rule
Learn how to plan a custom rule and prototype rule expressions in the Sumo Logic platform.
📄️ Match Rule
Learn how to write a match rule.
📄️ Chain Rule
Learn how to write a Chain rule.
📄️ Aggregation Rule
Learn how to write an Aggregation rule.
📄️ Threshold Rule
Learn how to write a Threshold rule.
📄️ First Seen Rule
First Seen rules allow you to generate a Signal when behavior by an Entity (user) is encountered that hasn't been seen before.
📄️ Rules Syntax
Learn about the functions you can use when writing CSE Rules.
📄️ Built-In Rules
See a list and descriptions of CSE's built-in rules.
📄️ Import YARA Rules
Learn how to import YARA rules from GitHub into CSE.
📄️ Normalized Authentication Rules
CSE's Normalized Authentication Rules detect activities that compromise accounts using authentication logs from any data source that CSE parsers and mappings support.
📄️ Normalized Threat Rules
CSE's built-in threat rules pass alerts from a security product to the Signal generation process, and are normalized to work across multiple security products.
📄️ Rule Tuning
Rule tuning expressions allow you to tailor the logic of a built-in rule without replicating and modifying the rule.
📄️ Tailor a Global Rule
You can override selected fields in all CSE rule types. After you have overridden a field, you can revert to the original field value.