Managing rules using the Rules Editor

The Rules Editor enables you to edit existing rules and create new rules.

Figure: Chronicle Rules Editor

  1. Use the Search rules field to search for an existing rule. You can also scroll through the rules using the scroll bar. Click any of the rules in the left panel to view the rule in the rule display panel.

  2. Select the rule you are interested in from the Rules List. The rule is displayed in the rule editing window. Selecting a rule also opens the rule pop-up menu, which offers the following options:

    • Live Rule—Enable or disable the rule.
    • Duplicate Rule—Make a copy of the rule, helpful if you want to make a similar rule.
    • View Rule Detections—Open the Rule Detections window to display the detections captured by this rule.
  3. Use the Rule Editing window to edit existing rules and to create new rules. The Rule Editing window includes an automatic completion feature that shows the correct YARA-L syntax available for each section of the rule. Whenever composing or editing a rule, Chronicle recommends walking through the automatic recommendations to ensure your completed rule uses the correct syntax. More details about YARA-L syntax and best practices are available in the YARA-L documentation.

  4. Click New in the Rules Editor to open the Rules Editor window, which is prepopulated with the default rule template shown in the following figure. Chronicle generates a unique name for the rule. Write your new rule in YARA-L and, when you have finished, click SAVE NEW RULE. Chronicle checks the syntax of the rule: if the rule is valid, it is saved and enabled immediately; if the syntax is invalid, an error is returned. Because a valid rule goes live as soon as it is saved, run it with RUN TEST (step 7) and review the results before saving. To discard the unsaved rule, click DISCARD.

    Figure: New Rule Template
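    The following is an added example of a complete rule of the kind you would compose in the Rule Editing window; it is not the default template and not code from the Chronicle documentation. It assumes YARA-L 2.0 syntax and the UDM field names it references (metadata.event_type, security_result.action, target.user.userid, principal.ip, metadata.id); the rule name, the threshold of five and the ten-minute window are illustrative choices.

```yara-l
// Added example, not from the Chronicle docs: flags a source IP that produces
// more than five blocked login attempts against one user within ten minutes.
// Assumes YARA-L 2.0 syntax and the UDM field names used below.
rule example_repeated_blocked_logins {

  meta:
    author = "added example"
    description = "More than five blocked logins for one user from one IP in 10 minutes"
    severity = "Low"

  events:
    // $fail binds each login event whose security result was a block
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    // Placeholders group the events by targeted user and source IP
    $fail.target.user.userid = $user
    $fail.principal.ip = $ip

  match:
    // One detection per (user, ip) pair per 10-minute window
    $user, $ip over 10m

  outcome:
    // Number of blocked attempts, surfaced on the detection
    $failure_count = count($fail.metadata.id)

  condition:
    // #fail is the count of events matched by $fail in the window
    #fail > 5
}
```

    Paste the rule into the Rule Editing window, step through the completion prompts for each section to confirm the syntax, and click RUN TEST to see which detections it produces before you click SAVE NEW RULE, since a valid rule is enabled as soon as it is saved.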

  5. To view information on the current detections associated with a rule, click the rule in the rules list and click View Rule Detections to open Rule Detections view.

    The Rule Detections view displays the metadata attached to the rule and a graph showing the number of detections found by the rule over recent days.

  6. Click Edit Rule to return to the Rules Editor.

    Figure: Rule Detections

    Multicolumn view

    The Timeline tab is also available and lists the events detected by the rule. As with the Timeline tab in other Chronicle views, you can select an event and open the associated raw log or UDM event.

    You can also manipulate what information is displayed on the Timeline tab by clicking the Columns icon to open the multicolumn view options. Multicolumn view enables you to select a variety of categories of log information to display, including common types such as hostname and user and many more specific categories provided by UDM.


    Figure: Multicolumn view

  7. Click RUN TEST to run the rule displayed in the rule editing window. Chronicle begins to collect detections. This gives you a quick way to check if the rule is working as expected. The detection information is displayed in the TEST RULE RESULTS window. At any time you can click CANCEL TEST to stop this process.

    Figure: Test Rule Results