Write a Chain Rule
Learn how to write a Chain rule.
This topic has information about Chain rules and how to create them in the CSE UI.
About Chain rules
A Chain rule is similar to a Threshold rule. A Threshold rule fires when one rule expression is matched at least a certain number of times during a specified length of time. In a Chain rule you configure two or more rule expressions and, for each expression, the number of matches that are required for the rule to fire a Signal. The interval you define, within which the matches must occur, applies to all of the rule expressions in the rule.
Create a Chain rule
- Choose Rules from the Content menu.
- On the Create a Rule page, click Create in the Chain card.
- In the rules editor:
  - Name. Enter a name for the rule. Signals fired by the rule will have this name.
  - Enabled. By default the rule will be enabled. It's good practice to use the slider to disable the rule so that it won't be applied to incoming Records until you've tested it.
Configure “If Triggered” settings
- When ... Records match the expression. Enter two or more rule expressions. For each, select the number of matches that are required.
- Grouped by. By default, a chain rule implicitly groups by the entity field you’ll select below when configuring the Then Create a Signal options. You can select additional “group by” fields with the matches grouped by option, so that a Signal is only created if the count for the group is above the threshold count specified above.
- in ... order. Choose either:
  - any if matches can occur in any order.
  - exact if matches must occur in the same order as you have ordered the rule expressions. If you choose this option, you can only have two rule expressions.
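To make the "If Triggered" semantics concrete, the following is an added, self-contained Python model of how a Chain rule counts matches. It is illustrative code written for this page, not CSE's own rule engine or API: rule expressions are modelled as plain Python predicates rather than CSE's expression language, Records are dicts with an epoch-seconds `timestamp`, and the sample Records (a run of failed logons followed by a successful one) are constructed here. It shows the points the list above makes: one interval applies to every expression, each expression has its own required match count, `any` versus `exact` ordering (with `exact` limited to two expressions), and the implicit grouping by the Entity field plus any extra "group by" fields.

```python
from collections import defaultdict


def evaluate_chain_rule(records, expressions, window_seconds, entity_field,
                        order="any", group_by=(), signal_name="chain-rule"):
    """Return the Signals (dicts) a Chain rule would fire over `records`.

    expressions   : list of (predicate, required_count), in configured order
    window_seconds: the single interval that applies to all expressions
    order         : "any" or "exact" ("exact" allows exactly two expressions)
    group_by      : extra Record fields that, with the entity, form the counting group
    Assumption (not stated on the page): after a group fires, its match history
    is cleared so the same matches are not counted towards a second Signal.
    """
    if order not in ("any", "exact"):
        raise ValueError("order must be 'any' or 'exact'")
    if len(expressions) < 2:
        raise ValueError("a Chain rule needs two or more rule expressions")
    if order == "exact" and len(expressions) != 2:
        raise ValueError("exact order allows only two rule expressions")

    # matches[group][i] -> list of (timestamp, sequence number) for expression i
    matches = defaultdict(lambda: [[] for _ in expressions])
    signals = []

    # Process Records in time order; the sequence number breaks timestamp ties.
    ordered = sorted(enumerate(records), key=lambda p: (p[1]["timestamp"], p[0]))
    for seq, record in ordered:
        entity = record.get(entity_field)
        if entity is None:
            continue  # no Entity value: the Record cannot be tied to a Signal
        group = (entity,) + tuple(record.get(f) for f in group_by)
        now = record["timestamp"]
        hits = matches[group]
        for i, (predicate, _) in enumerate(expressions):
            if predicate(record):
                hits[i].append((now, seq))
        # Drop matches that fall outside the interval ending at this Record.
        for i in range(len(hits)):
            hits[i] = [m for m in hits[i] if now - m[0] <= window_seconds]
        if _thresholds_met(hits, expressions, order):
            signals.append({"name": signal_name, "entity": entity,
                            "group": group, "timestamp": now})
            matches[group] = [[] for _ in expressions]  # reset after firing (assumption)
    return signals


def _thresholds_met(hits, expressions, order):
    """True when every expression has reached its count (and, for exact order,
    the counted matches of expression 2 all come after the required matches of
    expression 1)."""
    if not all(len(hits[i]) >= n for i, (_, n) in enumerate(expressions)):
        return False
    if order == "any":
        return True
    n1, n2 = expressions[0][1], expressions[1][1]
    last_required_seq = hits[0][n1 - 1][1]          # n1-th match of expression 1
    later = [m for m in hits[1] if m[1] > last_required_seq]
    return len(later) >= n2


# Constructed sample Records (hypothetical field names: user, action, success, srcHost).
SAMPLE_RECORDS = [
    {"timestamp": 1000, "user": "alice", "action": "logon", "success": False, "srcHost": "h1"},
    {"timestamp": 1010, "user": "alice", "action": "logon", "success": False, "srcHost": "h1"},
    {"timestamp": 1020, "user": "alice", "action": "logon", "success": False, "srcHost": "h1"},
    {"timestamp": 1030, "user": "alice", "action": "logon", "success": True,  "srcHost": "h1"},
    {"timestamp": 2000, "user": "bob",   "action": "logon", "success": True,  "srcHost": "h2"},
    {"timestamp": 2010, "user": "bob",   "action": "logon", "success": False, "srcHost": "h2"},
    {"timestamp": 2020, "user": "bob",   "action": "logon", "success": False, "srcHost": "h2"},
    {"timestamp": 2030, "user": "bob",   "action": "logon", "success": False, "srcHost": "h2"},
    {"timestamp": 5000, "user": "carol", "action": "logon", "success": False, "srcHost": "h3"},
    {"timestamp": 5400, "user": "carol", "action": "logon", "success": False, "srcHost": "h3"},
    {"timestamp": 5800, "user": "carol", "action": "logon", "success": False, "srcHost": "h3"},
    {"timestamp": 5810, "user": "carol", "action": "logon", "success": True,  "srcHost": "h3"},
    {"timestamp": 7000, "user": "dave",  "action": "logon", "success": False, "srcHost": "h4"},
    {"timestamp": 7010, "user": "dave",  "action": "logon", "success": False, "srcHost": "h5"},
    {"timestamp": 7020, "user": "dave",  "action": "logon", "success": False, "srcHost": "h4"},
    {"timestamp": 7030, "user": "dave",  "action": "logon", "success": True,  "srcHost": "h4"},
]


def failed_logon(r):
    return r["action"] == "logon" and not r["success"]


def successful_logon(r):
    return r["action"] == "logon" and r["success"]


# Expression 1: three failed logons; expression 2: one successful logon; 300 s interval.
CHAIN_EXPRESSIONS = [(failed_logon, 3), (successful_logon, 1)]


def run_demo(order="any", group_by=()):
    signals = evaluate_chain_rule(SAMPLE_RECORDS, CHAIN_EXPRESSIONS, 300, "user",
                                  order=order, group_by=group_by)
    return [s["entity"] for s in signals]


if __name__ == "__main__":
    print("any order:            ", run_demo("any"))
    print("exact order:          ", run_demo("exact"))
    print("any, grouped by host: ", run_demo("any", ("srcHost",)))
```

Reading the output against the Records: alice fires under every setting; bob's successful logon precedes the failures, so he fires only with `any` order; carol's failures are each more than 300 seconds apart, so the counts never reach three inside one interval; dave's failures are split across two hosts, so adding `srcHost` as a "group by" field stops his Signal, which is exactly the effect the "Grouped by" option has.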
Test your rule expressions
Configure “Then Create a Signal” settings
- On Entity. Define the Entity field—an IP address, hostname, or username—in the Record that the resulting Signal should be associated with. (In CSE, an Insight is a set of Signals with the same Entity field.) Select a value from the pull-down list.
- with the summary.
- with the description. Enter a description for the Signal. The Signal description should be a good indication of what the rule looks for.
- with a severity of. Severity is an estimate of the criticality of the detected activity, from 1 (lowest) to 10 (highest).
- with tags. If desired, you can add metadata tags to your rule. Tags are useful for adding context to items like Rules, Insights, Signals, Entities. You can also search for and filter items by tag. For more information, see Using Tags with Insights, Signals, Entities, and Rules.