Sumo Logic

Write a Chain Rule

Learn how to write a Chain rule.

This topic describes the Chain rule UI and the data you provide to create a Chain rule.

A Chain rule is similar to a Threshold rule. A Threshold rule fires when one rule expression is matched at least a certain number of times during a specified length of time. In a Chain rule you configure two or more rule expressions and, for each expression, the number of matches that are required for the rule to fire a Signal. The interval you define, within which the matches must occur, applies to all of the rule expressions in the rule.

Chain rule UI

The screenshot below shows the UI for creating a Chain rule. The path to this page is Content > Rules > Create a Rule > Chain.

(Screenshot: threshold-rule.png)

Define Chain rule options

For a Chain rule, you configure:

  • Name. Enter a name for the rule. Signals fired by the rule will have this name.
  • When ... Records match the expression. Enter at least two rule expressions. For each, select the number of matches that are required, and enter the expression.
  • in ... order. Choose either:
    • any if matches can occur in any order.
    • exact if matches must occur in the same order as you have ordered the rule expressions. If you choose this option, you can only have two rule expressions.
  • within. Select the duration within which each rule expression must evaluate to “true” more than the number of times specified as the Limit for the expression.
  • On Entity. Define the Entity field—an IP address, hostname, or username—in the Record that the resulting Signal should be associated with. (In CSE, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list. 
  • with the description. Enter a description for the Signal. The Signal description should be a good indication of what the rule looks for.
  • with the stage. Select the MITRE attack chain stage that best describes the behavior the rule is looking for, for example, “initial access” or “execution”.
  • with a severity of. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest). There are several ways to specify Severity.
    • with a constant severity. Choose constant, and select a severity level.
    • with a dynamic severity. Use dynamic if you want to base the severity level on a value of a field in the Record. Select a field from the list. If you want the severity to be exactly the value of the field, you’re done. Or, you can use the Configure Mappings option to define a default Severity and specific Severity values based on Record values. Here’s an abbreviated example of doing that. 
      (Screenshot: dynamic-field-mapping.png)
  • Save this rule as a prototype. Click this checkbox to save the rule as a prototype, so that Signals created by the rule won’t be used to generate Insights.
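To make the in ... order and within options concrete, here is an added Python evaluator (example code, not Sumo Logic's implementation) that applies a Chain rule to a few constructed login records, grouped by the On Entity field. The record field names, the reading that an expression needs at least its limit of matches, and the reading of exact order (all counted matches of one expression precede those of the next) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ChainRule:
    expressions: list      # callables over a Record dict, in rule order
    limits: list           # matches required for each expression
    within: timedelta      # window that applies to every expression
    order: str = "any"     # "any" or "exact"
    entity: str = "user"   # On Entity field (assumed field name)

def window_satisfied(rule: ChainRule, window: list) -> bool:
    # Assumption: a rule expression needs at least `limit` matches.
    if rule.order == "any":
        return all(sum(1 for r in window if e(r)) >= lim
                   for e, lim in zip(rule.expressions, rule.limits))
    # "exact": the matches counted for each expression must all precede the
    # matches counted for the next one (assumed reading of the docs).
    pos = 0
    for e, lim in zip(rule.expressions, rule.limits):
        seen = 0
        while pos < len(window) and seen < lim:
            seen += 1 if e(window[pos]) else 0
            pos += 1
        if seen < lim:
            return False
    return True

def entities_with_signal(rule: ChainRule, records: list) -> list:
    # Return the Entity values for which the Chain rule would fire a Signal.
    by_entity = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_entity[str(r[rule.entity])].append(r)
    fired = []
    for ent, recs in by_entity.items():
        for start in recs:  # slide a `within`-long window from each record
            window = [r for r in recs if start["ts"] <= r["ts"] < start["ts"] + rule.within]
            if window_satisfied(rule, window):
                fired.append(ent)
                break
    return fired

def rec(minute, user, result):  # constructed sample Record, not CSE data
    return {"ts": datetime(2024, 1, 1, 12, minute), "user": user, "result": result}
SAMPLE = [rec(0, "alice", "fail"), rec(1, "alice", "fail"), rec(2, "alice", "fail"), rec(4, "alice", "success"),
          rec(0, "bob", "success"), rec(5, "bob", "fail"), rec(6, "bob", "fail"), rec(7, "bob", "fail")]
# 3 failed logins followed by a success, in that order, within 10 minutes
RULE = ChainRule(expressions=[lambda r: r["result"] == "fail", lambda r: r["result"] == "success"],
                 limits=[3, 1], within=timedelta(minutes=10), order="exact")
```

With order="exact" only alice produces a Signal; switching the same rule to order="any" also fires for bob, whose success precedes the failures, which is why the ordering option matters for a rule like this.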

Built-in Chain rules

If you'd like to see some existing Chain rules, CSE has built-in examples.

  1. Go to Content > Rules, click in the Filter area, and select Type from the list.
    (Screenshot: filter-rules-by-type.png)
  2. On the Operators popup, select is.
    (Screenshot: choose-operator.png)
  3. Select Chain from the list of rule types.
    (Screenshot: select-type.png)
  4. A list of chain rules appears. Click a rule to view it. Here is an example:
    (Screenshot: example-built-in-chain.png)