Write a Match Rule
This topic has information about Match rules and how to create them in the Cloud SIEM UI.
If you are new to writing rules, see About Cloud SIEM Rules for information about rule expressions and other rule options.
About Match rules
A Match rule is the simplest type of Cloud SIEM rule. Each time a single Record matches the rule expression, a Signal is fired.
A Match rule doesn’t let you define other conditions for firing a Signal, such as requiring multiple Records to match the rule expression, or looking for events of different types within a timespan.
Here’s an example of the rule expression for a Match rule:
metadata_vendor = 'Amazon AWS' AND metadata_product = 'CloudTrail' AND metadata_deviceEventId = 'AwsApiCall-CreateUserPoolClient'
This rule fires a Signal each time a UserPoolClient, which has permission to call unauthenticated API operations, is created.
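To make the "one Record in, one Signal out" semantics concrete, here is an added example (not Sumo Logic's own code or rule engine) that evaluates the rule expression above against a few constructed, CloudTrail-style Records. The expression grammar it understands is an assumption: conjunctions of `field = 'value'` terms joined by AND, which is all the Match rule on this page uses. The Record and Signal shapes, the rule name, and the sample Records are all hypothetical.

```python
"""Added example: evaluate a Match rule expression of the form
    field = 'value' AND field = 'value' ...
against normalized Records and emit one Signal per matching Record.
This is not Sumo Logic's engine; the grammar, Record shape and
Signal shape are assumptions made for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical Record shape: a flat mapping of normalized field -> value.
Record = Dict[str, str]


@dataclass
class Signal:
    """Hypothetical Signal: the rule that fired plus the single Record that matched."""
    rule_name: str
    record: Record


# One term of the (assumed) grammar: field = 'quoted value'.
_TERM = re.compile(r"^\s*(\w+)\s*=\s*'([^']*)'\s*$")


def parse_match_rule(expression: str) -> Dict[str, str]:
    """Turn "a = 'x' AND b = 'y'" into {'a': 'x', 'b': 'y'}.
    Raises ValueError for any clause outside the assumed grammar."""
    conditions: Dict[str, str] = {}
    for clause in re.split(r"\s+AND\s+", expression.strip()):
        m = _TERM.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        conditions[m.group(1)] = m.group(2)
    return conditions


def record_matches(conditions: Dict[str, str], record: Record) -> bool:
    """Every condition must hold on this one Record; a missing field never matches."""
    return all(record.get(key) == value for key, value in conditions.items())


def run_match_rule(rule_name: str, expression: str, records: List[Record]) -> List[Signal]:
    """Match rule semantics: each matching Record fires its own Signal.
    No counting, no time window, no correlation across Records."""
    conditions = parse_match_rule(expression)
    return [Signal(rule_name, r) for r in records if record_matches(conditions, r)]


# The rule expression from this page.
EXAMPLE_RULE = (
    "metadata_vendor = 'Amazon AWS' AND metadata_product = 'CloudTrail' "
    "AND metadata_deviceEventId = 'AwsApiCall-CreateUserPoolClient'"
)

# Constructed sample Records (not real CloudTrail data).
SAMPLE_RECORDS: List[Record] = [
    {"metadata_vendor": "Amazon AWS", "metadata_product": "CloudTrail",
     "metadata_deviceEventId": "AwsApiCall-CreateUserPoolClient", "user_username": "alice"},
    {"metadata_vendor": "Amazon AWS", "metadata_product": "CloudTrail",
     "metadata_deviceEventId": "AwsApiCall-DescribeUserPool", "user_username": "alice"},
    {"metadata_vendor": "Amazon AWS", "metadata_product": "CloudTrail",
     "metadata_deviceEventId": "AwsApiCall-CreateUserPoolClient", "user_username": "bob"},
    # Same event id but a different vendor: one term fails, so no Signal.
    {"metadata_vendor": "Example Vendor", "metadata_product": "CloudTrail",
     "metadata_deviceEventId": "AwsApiCall-CreateUserPoolClient", "user_username": "carol"},
]


def demo() -> List[Signal]:
    """Run the page's rule over the sample Records; two Records match, so two Signals fire."""
    return run_match_rule("Cognito UserPoolClient created", EXAMPLE_RULE, SAMPLE_RECORDS)


if __name__ == "__main__":
    for signal in demo():
        print(signal.rule_name, "->", signal.record["user_username"])
```

Running `demo()` produces two Signals, one for alice's CreateUserPoolClient call and one for bob's, and nothing for the DescribeUserPool Record or the Record from a different vendor. That per-Record behaviour is exactly the limitation described above: if you wanted a Signal only after, say, three such calls by one user within an hour, a Match rule cannot express it and you would need one of the other rule types.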