Archive rules
Archiving a rule enables you to hide the security data related to that rule (and all of its versions) without actually deleting the rule. Much of the functionality available for active rules (for example, enabling a rule) is not available for archived rules.
Note the following:
- Rules Dashboard does not display archived rules.
- Alerts for archived rules are not displayed on the Enterprise Insights page.
- Test Rule can be used on archived rules.
Viewing rules
Complete the following steps to navigate to the View Rules page:
To open the application drop-down menu, click the application menu icon.
Application menu
Select View Rules. The Rules Dashboard tab is displayed.
Select the Rules Editor tab to view the rules page.
Click the filter icon at the top-right corner of the left navigation tab. The pop-up menu provides the following options: Show ALL, Archive Rules, and Archived Rules.
Archive pop-up menu
Viewing rule detections
On the Rules Editor tab, select View Rule Detections from the drop-down list available on the top-right corner as shown in the following figure.
View Rule Detections
The Rule Detections page is displayed.
Rule Detections page
Archiving a rule
To archive a rule, complete the following steps:
Select a rule in the left navigation and click the option icon in the top-right corner of the Chronicle user interface. Select Archive Rule from the menu.
Note the following:
- Archiving is allowed even if the Alerting toggle is ON; the toggle is automatically disabled when the rule is archived.
- Archiving is NOT allowed unless the Live toggle is disabled.
- Archiving is NOT allowed unless there are NO Retrohunts in progress.
Archive Rule pop-up menu
The following window is displayed with a confirmation message.
Confirm Archive message
Confirm Archive message continued
Unarchiving a rule
To unarchive a rule, complete the following steps:
Click the option icon for a specific rule in the left navigation pane, or select the rule and click the option icon in the top-right corner of the Chronicle user interface. A pop-up menu is displayed as shown in the following figure. This menu includes the following options: View Detections, Duplicate, and Unarchive.
Rules pop-up menu - View Detections, Duplicate, and Unarchive
Select Unarchive.
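The archive preconditions and the visibility effects described in the Archiving a rule and Unarchiving a rule sections above can be captured as a small state model. The following Python is an added example for this page, not Chronicle code or its API: the Rule and Alert fields, the function names, and the sample rule and alerts are all constructed here to illustrate the documented behaviour (Live must be off, no retrohunts in progress, Alerting is switched off automatically, archived rules and their alerts are hidden rather than deleted).

```python
from dataclasses import dataclass

# Constructed model of this page's archive rules. Field and function names
# are assumptions for illustration; they are not Chronicle's API.


class ArchiveError(Exception):
    """Raised when an archive or unarchive request violates a precondition."""


@dataclass
class Rule:
    name: str
    live: bool = False              # Live toggle
    alerting: bool = False          # Alerting toggle
    retrohunts_in_progress: int = 0
    archived: bool = False


@dataclass
class Alert:
    rule_name: str
    summary: str


def archive_blockers(rule: Rule) -> list[str]:
    """Return the reasons archiving is not allowed (an empty list means it is)."""
    blockers = []
    if rule.archived:
        blockers.append("rule is already archived")
    if rule.live:
        blockers.append("Live toggle is enabled")
    if rule.retrohunts_in_progress > 0:
        blockers.append(f"{rule.retrohunts_in_progress} retrohunt(s) in progress")
    # Alerting ON is deliberately not a blocker: archiving switches it off.
    return blockers


def archive_rule(rule: Rule) -> Rule:
    """Archive the rule, enforcing the page's preconditions."""
    blockers = archive_blockers(rule)
    if blockers:
        raise ArchiveError(f"cannot archive {rule.name}: " + "; ".join(blockers))
    rule.alerting = False   # automatically disabled on archive
    rule.archived = True
    return rule


def unarchive_rule(rule: Rule) -> Rule:
    """Restore an archived rule; Live and Alerting stay off until re-enabled."""
    if not rule.archived:
        raise ArchiveError(f"{rule.name} is not archived")
    rule.archived = False
    return rule


def dashboard_rules(rules: list[Rule]) -> list[Rule]:
    """The Rules Dashboard does not display archived rules."""
    return [r for r in rules if not r.archived]


def editor_rules(rules: list[Rule], view: str = "Show ALL") -> list[Rule]:
    """Model the Rules Editor filter: 'Show ALL' or 'Archived Rules'."""
    if view == "Show ALL":
        return list(rules)
    if view == "Archived Rules":
        return [r for r in rules if r.archived]
    raise ValueError(f"unknown filter view: {view}")


def insights_alerts(alerts: list[Alert], rules: list[Rule]) -> list[Alert]:
    """Enterprise Insights hides alerts for archived rules. The alerts are not
    deleted, so they reappear once the rule is unarchived."""
    archived = {r.name for r in rules if r.archived}
    return [a for a in alerts if a.rule_name not in archived]


if __name__ == "__main__":
    # Constructed walkthrough: a live rule with alerting on and a retrohunt running.
    rule = Rule("constructed_rule", live=True, alerting=True, retrohunts_in_progress=1)
    print("blockers:", archive_blockers(rule))
    rule.live = False
    rule.retrohunts_in_progress = 0
    archive_rule(rule)
    print("archived:", rule.archived, "alerting:", rule.alerting)
    alerts = [Alert("constructed_rule", "login anomaly"), Alert("other_rule", "dns beacon")]
    print("visible alerts:", [a.rule_name for a in insights_alerts(alerts, [rule])])
```

Running the walkthrough shows the two blockers first, then an archived rule with alerting off and only the other rule's alert visible; unarchiving makes the hidden alert visible again without touching the Live or Alerting toggles, which mirrors the page's statement that archiving hides rather than deletes.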