Manage rules using the Rules Editor

Supported in:

Google secops SIEM

To use the Rules Editor to create and edit rules, follow these steps:

Click Detections > Rules & Detections > the Rules Editor tab.
Use the Search rules field to search for an existing rule. You can also scroll through the rules using the scroll bar. Click any of the rules in the left panel to view the rule in the rule display panel.
Select the rule you are interested in from the Rules List. The rule is displayed in the rule editing window. By selecting a rule, you open the rule menu and can select from the following options:
- Live Rule—Enable or disable the rule.
- Duplicate Rule—Make a copy of the rule; helpful if you want to make a similar rule.
- View Rule Detections—Open the Rule Detections window to display the detections captured by this rule.
Use the Rule Editing window to edit existing rules and to create new rules. The Rule Editing window includes an automatic completion feature to enable you to view the correct YARA-L syntax available for each section of the rule. Whenever composing or editing a rule, Google Security Operations recommends walking through the automatic recommendations to ensure your completed rule uses the correct syntax. To update the rule scope, select the scope from the Bind to scope menu. For more information about associating a scope with a rule, see data RBAC impact on Rules. For more information, see YARA-L 2.0 language syntax.
Click New in the Rules Editor to open the Rules Editor Window. It automatically populates it with the default rule template. Google SecOps automatically generates a unique name for the rule. Create your new rule in YARA-L. To add a scope to the rule, select the scope from the Bind to scope menu. For more information about adding a scope to rules, see data RBAC impact on Rules. When you have finished, click SAVE NEW RULE. Google SecOps checks the syntax of your rule. If the rule is valid, it is saved and automatically enabled. If the syntax is invalid, it returns an error. To delete the new rule, click DISCARD.

Note: After you have saved a rule, you cannot delete it from the Rules Editor or the Rules Dashboard.
Note: For Multi-event rules correlating more than one event with a match section size of over one hour, the rule's run frequency (when executing as a Live Rule) is automatically set to 1 hour.
To view information on the current detections associated with a rule, click the rule in the rules list and click View Rule Detections to open Rule Detections view.

The Rule Detections view displays the metadata attached to the rule and a graph showing the number of detections found by the rule over recent days.
Click Edit Rule to return to the Rules Editor.

Multicolumn view

The Timeline tab is also available and lists the events detected by the rule. As with the Timeline tab in other Google SecOps views, you can select an event and open the associated raw log or UDM event.

Click view_column Columns to open the multicolumn view options and change the information shown on the Timeline tab. The multicolumn view lets you choose from various categories of log information, including common types, such as hostname and user and more specific categories provided by UDM.

Click RUN TEST to test your rule. Google SecOps runs the rule on events in the specified time range, generates results, and displays them in the TEST RULE RESULTS window.
Click CANCEL TEST at any time to stop the process.

For Community blogs on managing rules, see:

Rules Editor Navigation

Need more help? Get answers from Community members and Google SecOps professionals.

Manage rules using the Rules Editor

Multicolumn view