Rules Status
This article describes the status of Cloud SIEM rules and how to address rules that are in a degraded or failed state.
View a rule's status
You can see a rule's status while viewing the rule:
- On the rules list page.
- On the rule details page.
Search for rules by status
- Open the Rules page. Classic UI: in the top menu select Content > Rules. New UI: in the main Sumo Logic menu select Cloud SIEM > Rules. You can also click the Go To... menu at the top of the screen and select Rules.
- Click Filters at the top of the Rules screen.
- Select the Status field.
- For Operator select is.
- Select a status.
Kinds of rule status
Following are the different kinds of rule status. A rule's status can change depending on whether it exceeds rule limits.
Status | Description | Action required |
---|---|---|
Active | The rule is executing normally. | No action required. |
Degraded | The rule is approaching a rule limit and is removed from execution for one hour to allow processing to catch up. At the end of the hour, the rule is allowed to execute again and its status changes back to Active. | Click the information button next to the status to see details. |
Disabled | The rule was manually disabled using the toggle in the UI, or was disabled with the API. | Enable the rule with the toggle in the UI, or enable the rule with the API. |
Failed | The rule exceeded a rule limit and was automatically disabled. | Click the information button next to the status to see details. After addressing the reasons for the failure, enable the rule with the toggle in the UI, or enable the rule with the API. |
Degraded rules
A degraded rule is one that has been temporarily shut off to prevent it from exceeding a processing limit. If you write a custom rule that becomes degraded, you must tune the rule to correct the problem.
For example, rules have a limit on the number of records per second they can evaluate. If there is a value used in the "group by" field that causes the rule to exceed that threshold, Cloud SIEM might display a message like this:
The aggregation on the group key 'admin@company.com' has a record volume exceeding the supported limit, and has been disabled. Consider tuning the rule to exclude records producing this group key.
To resolve a degraded rule issue, create a rule tuning expression to address the portion of the rule causing the rule degradation.
Rule limits
Limits are set on how often a rule fires so that the system is not overloaded. For example, if a rule fires too many signals in an hour, it can cause performance problems for all rule processes. If a rule exceeds a limit, its rule status changes from Active to Failed and the rule is disabled.
Type | Limit |
---|---|
Signals per hour | 100K |
Signals per 24 hours | 1M |
Query for rule status changes
You can query audit logs for rule status changes. For more information about querying audit logs, see Cloud SIEM Audit Logging and Cloud SIEM audit log definitions.
Query for disabled rules
Use the following query to find rules that are disabled. It finds rules that were manually disabled by users (in _index=sumologic_audit_events) or automatically disabled by the system (in _index=sumologic_system_events).
```
(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=cseRule
| where (%"aggregationrule.enabled" = "false"
or %"chainrule.enabled" = "false"
or %"firstseenrule.enabled" = "false"
or %"matchrule.enabled" = "false"
or %"outlierrule.enabled" = "false"
or %"templatedMatchRule.enabled" = "false"
or %"thresholdrule.enabled" = "false")
```
Query for updated rules
Use the following query to find rules that have been updated. This query finds rules that are updated for any reason. The update may not result in a status change for the rule.
```
(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=cseRule
| where (eventName = "AggregationRuleUpdated"
or eventName = "ChainRuleUpdated"
or eventName = "FirstSeenRuleUpdated"
or eventName = "MatchRuleUpdated"
or eventName = "OutlierRuleUpdated"
or eventName = "TemplatedMatchRuleUpdated"
or eventName = "ThresholdRuleUpdated" )
| sort by eventName asc
```
Create a monitor to alert on rule status changes
You can create a monitor to generate alerts when rule statuses change. This alerts you when you need to take action.
For example, you could use the query for disabled rules above in your monitor. It will alert when rules are disabled.
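The two audit-log queries above (for disabled rules and for updated rules) can be rehearsed offline before they are wired into a monitor. The following Python script is an added example, not Sumo Logic's code: it applies the same filters to a few constructed audit and system events, separates manually disabled rules (sumologic_audit_events) from automatically disabled ones (sumologic_system_events), and lists update events sorted by eventName. The field paths and event names come from the page's queries; the nested-object layout of the events and the "name" sub-field are assumptions, as is the sample data.

```python
import json

# Per-rule-type "enabled" fields, exactly as listed in the page's disabled-rules query.
RULE_ENABLED_FIELDS = [
    "aggregationrule.enabled",
    "chainrule.enabled",
    "firstseenrule.enabled",
    "matchrule.enabled",
    "outlierrule.enabled",
    "templatedMatchRule.enabled",
    "thresholdrule.enabled",
]

# Update event names, exactly as listed in the page's updated-rules query.
RULE_UPDATED_EVENTS = {
    "AggregationRuleUpdated", "ChainRuleUpdated", "FirstSeenRuleUpdated",
    "MatchRuleUpdated", "OutlierRuleUpdated", "TemplatedMatchRuleUpdated",
    "ThresholdRuleUpdated",
}

# The page maps the two indexes to who disabled the rule: users vs. the system.
INDEX_TO_CAUSE = {
    "sumologic_audit_events": "manual",
    "sumologic_system_events": "automatic",
}

# Constructed sample events. The nested-object layout ("matchrule": {"enabled": ...})
# is an assumption inferred from the %"matchrule.enabled" paths in the page's queries;
# the "name" sub-field is likewise assumed. The last line is out of scope on purpose.
SAMPLE_LOG_LINES = [
    '{"_index":"sumologic_audit_events","_sourceCategory":"cseRule","eventName":"MatchRuleUpdated","matchrule":{"name":"Suspicious Login Burst","enabled":false}}',
    '{"_index":"sumologic_system_events","_sourceCategory":"cseRule","eventName":"ThresholdRuleUpdated","thresholdrule":{"name":"Excessive Failed Auth","enabled":"false"}}',
    '{"_index":"sumologic_audit_events","_sourceCategory":"cseRule","eventName":"ChainRuleUpdated","chainrule":{"name":"Lateral Movement Chain","enabled":true}}',
    '{"_index":"sumologic_audit_events","_sourceCategory":"cseEntity","eventName":"EntityUpdated"}',
]


def parse_events(lines):
    """Parse one JSON event per line; skip lines that are not valid JSON objects."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def lookup(event, dotted_path):
    """Resolve a dotted path such as 'matchrule.enabled' (what %"..." does in the query)."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_false(value):
    """The query compares against the string "false"; accept JSON false as well."""
    return value is False or (isinstance(value, str) and value.lower() == "false")


def in_scope(event):
    """Mirror the query's scoping: one of the two indexes and _sourceCategory=cseRule."""
    return event.get("_index") in INDEX_TO_CAUSE and event.get("_sourceCategory") == "cseRule"


def rule_type_and_name(event):
    """Return (rule type, rule name) from whichever rule object the event carries."""
    for field in RULE_ENABLED_FIELDS:
        rule_type = field.split(".")[0]
        if isinstance(event.get(rule_type), dict):
            return rule_type, event[rule_type].get("name")
    return None, None


def find_disabled_rules(events):
    """Equivalent of the disabled-rules query: (name, type, manual|automatic) per hit."""
    hits = []
    for ev in events:
        if not in_scope(ev):
            continue
        if any(is_false(lookup(ev, field)) for field in RULE_ENABLED_FIELDS):
            rule_type, name = rule_type_and_name(ev)
            hits.append((name, rule_type, INDEX_TO_CAUSE[ev["_index"]]))
    return hits


def find_updated_rules(events):
    """Equivalent of the updated-rules query, sorted by eventName ascending."""
    rows = []
    for ev in events:
        if in_scope(ev) and ev.get("eventName") in RULE_UPDATED_EVENTS:
            rows.append((ev["eventName"], rule_type_and_name(ev)[1]))
    return sorted(rows)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG_LINES)
    for name, rule_type, cause in find_disabled_rules(events):
        print(f"DISABLED ({cause}): {name} [{rule_type}]")
    for event_name, name in find_updated_rules(events):
        print(f"UPDATED: {event_name} -> {name}")
```

Running the script shows why the two queries differ: the chain rule edit appears only in the updated-rules output, since an update need not change a rule's status, while the threshold rule disabled from sumologic_system_events is the case that points at a rule limit and deserves the monitor's attention.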
