CSE Rules

This guide has information about Cloud SIEM Enterprise (CSE) rules, including how to write rules, rules syntax, and CSE built-in rules.

In this section, we'll introduce the following concepts:

📄️ About CSE Rules

Learn about CSE rules, rules syntax, and how to write rules.

📄️ Before You Write a Custom Rule

Learn how to plan a custom rule and prototype rule expressions in the Sumo Logic platform.

📄️ Match Rule

Learn how to write a match rule.

📄️ Chain Rule

Learn how to write a Chain rule.

📄️ Aggregation Rule

Learn how to write an Aggregation rule.

📄️ Threshold Rule

Learn how to write a Threshold rule.

📄️ Rules Syntax

Learn about the functions you can use when writing CSE Rules.

📄️ Built-In Rules

See a list and descriptions of CSE's built-in rules.

📄️ Import YARA Rules

Learn how to import YARA rules from GitHub into CSE.

📄️ Normalized Authentication Rules

CSE's Normalized Authentication Rules detect activities that compromise accounts using authentication logs from any data source that CSE parsers and mappings support.

📄️ Normalized Threat Rules

CSE's built-in threat rules pass alerts from a security product to the Signal generation process, and are normalized work across multiple security products.

📄️ Rule Tuning

Rule tuning expressions allow you to tailor the logic of a built-in rule without logic without replicating and modifying the rule.

📄️ Tailor a Global Rule

You can override selected fields in all CSE rule types. After you have overridden a field, you can revert to the original field value.