Skip to main content
Sumo Logic

Write a Match Rule

Learn how to write a match rule.

This topic has information about the Match rule UI, and the data you provide to create a Match rule.

Match rule UI

The screenshot below shows the UI for creating a Match rule. The path to this page is Content > Rules > Create a Rule > Match.

match-rule.png

Define Match rule options

For a Match rule, you define the following:

  • Name. Enter a name for the rule. 
  • When a Record matches the expression. Enter the rule expression, a boolean expression that when “true”, causes the rule to fire.
  • On Entity. Define the Entity field—an IP address, hostname, or username—in the Record that the resulting Signal should be associated with.  (In CSE, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list. 
  • Using the name. Define the name for Signals fired by the rule. You can enter text, and include Record fields from the custom token list. Including Record field values in the Signal name can make it more meaningful.  
  • with the description. Define the description for the Signal the same way you did the Sigval name, using text and Record fields. The Signal description should be a good indication of what the rule looks for.
  • with the stage. Select the MITRE attack chain stage that best describes the behavior the rule is looking for, for example, “initial access” or “execution”.
  • with a severity of. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). There are several ways to specify Severity.
    • with a constant severity. Choose constant, and select a severity level.
    • with a dynamic severity. Use dynamic if you want to base the severity level on a value of a field in the Record. Select a field from the list. If you want the severity to be exactly the value of the field, you’re done. Or, you can use the Configure Mappings option to define a default Severity and specific Severity values based on Record values. Here’s an abbreviated example of doing that:
      dynamic-field-mapping.png
  • Save this rule as a prototype. Click this checkbox to save the rule as a prototype, so that Signals created by the rule won’t be used to generate insights.

Built-in Match rules

If you'd like to see some existing Match rules, CSE has plenty of built-in examples.

  1. Go to Content > Rules, click in the Filter area, and select Type from the list. filter-rules-by-type.png
  2. On the Operators popup, select is.
    choose-operator.png
  3. Select Match from the list of rule types.
    select-type.png
  4. A list of Match rules appears. Click a rule to view it. Here is an example:
    example-built-in-match.png