CSE Rules
This guide covers Cloud SIEM Enterprise (CSE) rules: how to write rules, the rule syntax, and the rules that are built into CSE.
In this section, we'll introduce the following concepts:
About CSE Rules
Learn about CSE rules, rule syntax, and how to write rules.
Before You Write a Custom Rule
Learn how to plan a custom rule and prototype rule expressions in the Sumo Logic platform.
Match Rule
Learn how to write a Match rule.
Chain Rule
Learn how to write a Chain rule.
Aggregation Rule
Learn how to write an Aggregation rule.
Threshold Rule
Learn how to write a Threshold rule.
Rules Syntax
Learn about the functions you can use when writing CSE rules.
Built-In Rules
See a list and descriptions of CSE's built-in rules.
Import YARA Rules
Learn how to import YARA rules from GitHub into CSE.
Normalized Authentication Rules
CSE's Normalized Authentication Rules detect activity that compromises accounts, using authentication logs from any data source that CSE parsers and mappings support.
Normalized Threat Rules
CSE's built-in Normalized Threat Rules pass alerts from a security product into the Signal generation process; because they operate on normalized fields, a single rule works across multiple security products.
Rule Tuning
Rule tuning expressions let you tailor the logic of a built-in rule without replicating and modifying the rule.
Tailor a Global Rule
You can override selected fields in any CSE rule type. After you have overridden a field, you can revert to its original value.