Archive rules

Archiving a rule enables you to hide the security data related to that rule (and all of its versions) without actually deleting the rule. Much of the functionality available for active rules (for example, enabling a rule) is not available for archived rules.

Note the following:

Rules Dashboard does not display archived rules.
Test Rule can be used on archived rules.

Viewing rules

Complete the following steps to navigate to the View Rules page:

In the navigation bar, click Detection > Rules & Detections.
Select the Rules Editor tab to view the rules page.
Click the filter icon at the top-right corner of the left navigation tab. The menu provides the following options: Show All, Active Rules, and Archived Rules.

Viewing rule detections

On the Rules Editor tab, select View Rule Detections from the drop-down list available on the top-right corner. The Rule Detections page appears.

Archiving a rule

To archive a rule, complete the following steps:

Select a rule in the left navigation and click the option icon in the top- right corner of the Chronicle user interface. Select Archive Rule from the menu.

Note the following:
- Archiving is allowed even if the Alerting toggle is ON, it is automatically disabled.
- Archiving is NOT allowed unless the Live toggle is disabled.
- Archiving is NOT allowed unless there are NO Retrohunts in progress.
Archive Rule menu
The following window is displayed with a message confirmation.

Confirm Archive message

Confirm Archive message continued

Unarchiving a rule

To unarchive a rule, complete the following steps:

Click the option icon for a specific rule in the left navigation pane. A menu appears with the following options: View Detections, Duplicate, and Unarchive.
Select Unarchive.
Select a rule in the left navigation pane and click the option icon in the top right corner of the Chronicle user interface. A menu appears with the following options: View Detections, Duplicate, and Unarchive.