Use rules to filter events in a DataTap configuration
Supported in: Google SecOps SIEM
Note: This feature is covered by the Pre-GA Offerings Terms of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the Google SecOps Technical Support Service guidelines and the Google SecOps Service Specific Terms.
Note: This feature is not available to all customers in all regions.
In a DataTap configuration, you can use Detection Engine rules as a filter to define the events that are published to a Pub/Sub topic.
To use rules in a DataTap configuration, follow these steps:
1. Use the Detection Engine API's CreateRule endpoint to create one or more single event rules. When creating each rule, specify a data_tap_label in the request body. Keep the rules simple (under 100 lines). For general information about the Detection Engine API, such as how to authenticate, see Chronicle Detection Engine API.
2. Use the DataTap Configuration API's Create endpoint to create a DataTap configuration that specifies a LABELED_UDM_EVENTS filter.
CreateRule
Creates a new rule without setting it live. CreateRule uses the POST method.
Request
POST https://backstory.googleapis.com/v2/detect/rules
Request body
{
  "ruleText": "<rule text here>",
  "labels": <RuleLabels object here>
}
Body parameters
ruleText (string, required): Text of the new rule in YARA-L 2.0 format. For use as a DataTap filter it must be a single event rule.
labels (RuleLabels, optional): A set of labels to apply to events that match the rule.
labels.label (repeated RuleLabel, optional): A label to apply to events that match the rule.
labels.label.state (enum, optional): The status of the label. Valid values are ENABLED and DISABLED.
labels.label.data_tap_label (object, optional): Filters the data published by a DataTap configuration that specifies the LABELED_UDM_EVENTS filter. If a rule applies a data_tap_label to an event, that event is published to every LABELED_UDM_EVENTS DataTap configuration whose topicId matches the sink_name specified in the data_tap_label.
labels.label.data_tap_label.sink_name (string, optional): The name of the DataTap configuration. This must match the displayName specified in the DataTap configuration.
Sample request
POST https://backstory.googleapis.com/v2/detect/rules
{
  "ruleText": "rule singleEventRule2 {
    meta:
      author = \"securityuser\"
      description = \"single event rule that should generate detections\"

    events:
      $e.metadata.event_type = \"NETWORK_DNS\"

    condition:
      $e
  }",
  "labels": {
    "label": [
      {
        "state": "ENABLED",
        "data_tap_label": {
          "sink_name": "tap1"
        }
      }
    ]
  }
}
Response
Response fields
The response is the same as for GetRule, and it also includes the label fields.
Sample response
{
  "ruleId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d",
  "versionId": "ru_1f54ab4b-e523-48f7-ae25-271b5ea8337d@v_1605892700_409247000",
  "ruleName": "singleEventRule2",
  "metadata": {
    "author": "securityuser",
    "description": "single event rule that should generate detections"
  },
  "ruleText": "rule singleEventRule2 {
    meta:
      author = \"securityuser\"
      description = \"single event rule that should generate detections\"
    events:
      $e.metadata.event_type = \"NETWORK_DNS\"
    condition:
      $e
  }",
  "ruleType": "SINGLE_EVENT",
  "versionCreateTime": "2020-11-20T17:18:20.409247Z",
  "compilationState": "SUCCEEDED",
  "labels": {
    "label": [
      {
        "state": "ENABLED",
        "data_tap_label": {
          "sink_name": "tap1"
        }
      }
    ]
  }
}
Last updated 2025-08-29 UTC.
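Putting the two steps together, the following is an added example (not code from this page or from Google) that builds the CreateRule body with its data_tap_label, builds the matching DataTap Create body, and refuses to send either until the rule is a single event rule under 100 lines and the label's sink_name equals the tap's displayName. The rule text is constructed for the example; the DataTap body's key names other than displayName, topicId and the LABELED_UDM_EVENTS value are assumptions to confirm against the DataTap Configuration API reference; the Create URL for that API and the OAuth access token are supplied by the caller.

```python
"""Added example (not Google's client code): build and sanity-check the two
request bodies that wire a rule into a DataTap, then POST them."""
import json
import re
import urllib.request

CREATE_RULE_URL = "https://backstory.googleapis.com/v2/detect/rules"

# Constructed sample input: a single event rule that labels every DNS event.
RULE_TEXT = """rule dns_events_to_tap {
  meta:
    author = "securityuser"
    description = "Single event rule that labels DNS events for the DataTap"
  events:
    $e.metadata.event_type = "NETWORK_DNS"
  condition:
    $e
}"""


def build_create_rule_body(rule_text, sink_name, state="ENABLED"):
    """CreateRule request body; labels.label is a repeated field, hence a list."""
    return {"ruleText": rule_text,
            "labels": {"label": [{"state": state,
                                  "data_tap_label": {"sink_name": sink_name}}]}}


def build_datatap_body(display_name, topic_id):
    """DataTap Create body. displayName, topicId and LABELED_UDM_EVENTS come from
    the page; the key names cloudPubsubSink and filter are assumptions."""
    return {"displayName": display_name,
            "cloudPubsubSink": {"topicId": topic_id},
            "filter": "LABELED_UDM_EVENTS"}


def check_rule(rule_text, max_lines=100):
    """Reasons a rule is unsuitable as a DataTap filter ([] means OK): too long,
    has a match: section, or uses more than one event variable."""
    problems = []
    if len(rule_text.splitlines()) >= max_lines:
        problems.append(f"rule must stay under {max_lines} lines")
    if re.search(r"^\s*match:", rule_text, re.M):
        problems.append("match: section found; only single event rules are supported")
    events = re.search(r"^\s*events:\s*\n(.*?)(?=^\s*(?:match|outcome|condition):)",
                       rule_text, re.M | re.S)
    event_vars = set(re.findall(r"\$(\w+)", events.group(1))) if events else set()
    if len(event_vars) != 1:
        problems.append(f"expected one event variable, found {sorted(event_vars)}")
    return problems


def check_pairing(create_rule_body, datatap_body):
    """The tap must use LABELED_UDM_EVENTS and the rule must carry an ENABLED
    data_tap_label whose sink_name equals the tap's displayName."""
    problems = []
    sinks = {lbl["data_tap_label"]["sink_name"]
             for lbl in create_rule_body["labels"]["label"]
             if lbl.get("state") == "ENABLED" and "data_tap_label" in lbl}
    if datatap_body.get("filter") != "LABELED_UDM_EVENTS":
        problems.append("DataTap filter must be LABELED_UDM_EVENTS")
    if datatap_body.get("displayName") not in sinks:
        problems.append(f"no ENABLED data_tap_label with sink_name == {datatap_body.get('displayName')!r}")
    return problems


def plan(rule_text, display_name, topic_id):
    """Build both bodies and run every check; raise before any network call."""
    rule_body = build_create_rule_body(rule_text, display_name)
    tap_body = build_datatap_body(display_name, topic_id)
    problems = check_rule(rule_text) + check_pairing(rule_body, tap_body)
    if problems:
        raise ValueError("; ".join(problems))
    return rule_body, tap_body


def post_json(url, body, access_token):
    """POST body as JSON with a Bearer token (obtained with google-auth as the
    Detection Engine API docs describe). json.dumps performs the quote escaping
    that the page's sample request shows by hand."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule_body, tap_body = plan(RULE_TEXT, "tap1", "projects/my-project/topics/tap1")
    print(json.dumps(rule_body, indent=1))
    # With a token: post_json(CREATE_RULE_URL, rule_body, token), then POST
    # tap_body to the DataTap Configuration API Create endpoint (URL from that
    # API's reference; deliberately not hard-coded here).
```

Run as a script it prints the JSON the API would receive; the ruleText value shows json.dumps escaping the YARA-L double quotes, which is what the sample request above writes by hand. check_pairing catches the quiet misconfiguration a practitioner most often hits, a sink_name that differs from the tap's displayName, before either request is sent; check_rule rejects a multi-event rule (one with a match: section or a second event variable) up front instead of relying on the API to do so.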