Tailor a Global Rule

This topic has instructions for tailoring global (built-in) rules in Cloud SIEM. 

You can override selected rule fields in all Cloud SIEM rule types: Match, Threshold, Chain and Aggregation. After you have overridden a field, you can revert to the original field value.

note

You cannot override fields in legacy rules—rules whose ID looks like LEGACY-xxxxxxx.

If you want to tailor a rule expression—the expression to which incoming Records are compared—see Rule Tuning Expressions.

Signal generation fields you can override

You can override any of the settings in the Then Create a Signal section on the right side of the rule editor.  

Setting | Notes
Entity | In the On Entity area, you can change the Entity or Entities upon which Signals will fire when the rule is triggered.
Signal name | If the "using the name" field is present, you can override the name that will be assigned to Signals fired by the rule.
Summary | In the "with the summary" field, you can override the description of the situation that causes the rule to fire a Signal.
Description | In the "with the description" field, you can override the description of what conditions the rule looks for.
Severity settings | You can change the severity type from constant to dynamic and vice versa, change the severity level for a constant severity, or change the field used for dynamic severity.
Tags | You can add tags, but you can’t edit or delete the tags already configured for the rule.

[Screenshot: Create a signal]

“If triggered” fields you can override

You can override some of the fields in the If Triggered section on the left side of the Rules editor. What you can edit depends on the rule type. The table below lists the rule settings that you can override for each rule type. See Screenshots below for a visual overview.

Rule type | What you can override
Match | Nothing.
Aggregation |
  • grouped by—You can add and remove fields to group Records by.
  • within—You can change the time window over which the aggregation conditions are applied.
Chain |
  • grouped by—You can add and remove fields to group Records by.
  • within—You can change the time window over which the aggregation conditions are applied.
Threshold |
  • matches Records with ... values—You can override the number of Records that must match the rule expression.

Screenshots

[Screenshots: Aggregation rule, Chain rule, Threshold rule]

Reverting overridden settings

You can revert any override you have made at any time, but only back to the rule's original value.

Once you save the overrides to a rule, a revert button appears next to each edited field, as shown in the screenshot below. If you hover over the revert button, you can see what the original value was.

[Screenshot: Revert settings]

To revert an override, just click the revert button next to it. After reverting all desired fields, click Save Edits at the bottom of the page. 

Copyright © 2024 by Sumo Logic, Inc.