
Archive rules

Archiving a rule enables you to hide the security data related to that rule (and all of its versions) without actually deleting the rule. Much of the functionality available for active rules (for example, enabling a rule) is not available for archived rules.

Note the following:

  • Rules Dashboard does not display archived rules.
  • Alerts for the archived rules are not displayed on the Enterprise Insights page.
  • Test Rule can be used on archived rules.

Viewing rules

Complete the following steps to navigate to the View Rules page:

  1. To open the application drop-down menu, click the application menu icon.

    Figure: Application menu

  2. Select View Rules. The Rules Dashboard tab is displayed.

  3. Select the Rules Editor tab to view the rules page.

  4. Click the filter icon at the top-right corner of the left navigation tab. The pop-up menu provides the following options: Show ALL, Archive Rules and Archived Rules.

    Figure: Archive pop-up menu

Viewing rule detections

On the Rules Editor tab, select View Rule Detections from the drop-down list available on the top-right corner as shown in the following figure.

Figure: View Rule Detections

The Rule Detections page is displayed.

Figure: Rule Detections page

Archiving a rule

To archive a rule, complete the following steps:

  1. Select a rule in the left navigation and click the option icon in the top-right corner of the Chronicle user interface. Select Archive Rule from the menu.

    Note the following:

    • Archiving is allowed even if the Alerting toggle is ON; the toggle is automatically disabled when the rule is archived.
    • Archiving is NOT allowed unless the Live toggle is disabled.
    • Archiving is NOT allowed unless there are NO Retrohunts in progress.

    Figure: Archive Rule pop-up menu

  2. A window is displayed asking you to confirm the archive operation.

    Figure: Confirm Archive message

    Figure: Confirm Archive message (continued)

Unarchiving a rule

To unarchive a rule, complete the following steps:

  1. Click the option icon for a specific rule in the left navigation pane. A pop-up menu is displayed as shown in the following figure. This menu includes the following options: View Detections, Duplicate, and Unarchive.

    Figure: Rules pop-up menu

  2. Select Unarchive.

  3. Alternatively, select a rule in the left navigation pane and click the option icon in the top-right corner of the Chronicle user interface. A pop-up menu is displayed with the same options: View Detections, Duplicate, and Unarchive.

    Figure: Rules pop-up menu - View Detections, Duplicate, and Unarchive