CSE Rules
This guide has information about Cloud SIEM Enterprise (CSE) rules, including how to write rules, rules syntax, and CSE built-in rules.
In this section, we will introduce the following concepts:
📄️ About CSE Rules
A CSE rule is logic that fires based on information in incoming Records. When a rule fires, it creates a Signal.
📄️ Before You Write a Custom Rule
This topic has information about writing custom CSE rules.
📄️ Write a Match Rule
This topic has information about the Match rules and how to create them in the CSE UI.
📄️ Write a Chain Rule
This topic has information about Chain rules and how to create them in the CSE UI.
📄️ Write an Aggregation Rule
This topic has information about CSE Aggregation rules and how to write them.
📄️ CSE Rules Syntax
This topic describes commonly used CSE rules language functions. Rules language functions are used in CSE rule expressions. For information about rules and rule expressions, see About CSE Rules.
📄️ CSE Built-In Rules
📄️ Import YARA Rules
This page has instructions for importing YARA rules from GitHub into CSE.
📄️ Normalized Authentication Rules
Normalized Authentication Rules detect activities that compromise accounts using authentication logs from any data source that CSE parsers
📄️ Normalized Threat Rules
This topic has information about CSE’s built-in normalized threat rules.
📄️ Rule Tuning Expressions
This topic has instructions for creating and using tuning expressions for Rules.
📄️ Tailor a Global Rule
This topic has instructions for tailoring global (built-in) rules in CSE.