Running a rule against live data

When you create a rule, it does not initially search for detections based on events received in your Chronicle account in real time. However, you set the rule to search for detections in real time by setting the Live Rule toggle to enabled.

To set a rule to live, complete the following steps:

  1. Navigate to the Rules Dashboard.

  2. Click the Rules option icon for a rule and toggle the Live Rule to enabled.

    Live rule

    Live Rule

  3. You can view detections generated by a live rule by choosing View Rule Detections.

Rules Quota

Click the capacity button to display the limits to the number of rules that can be enabled as live. It is located in the upper right corner of the Rules Dashboard.

Chronicle imposes the following rule limits:

  • Multiple Events Rules Quota—Shows the current count of Multiple Event rules enabled as live and the maximum number of rules that can be enabled as live. More information about the difference between Single Event and Multiple Event Rules can be found here.
  • Total Rules Quota—Shows the current total count of rules enabled as live across all rule types and the maximum number of rules that can be enabled as live.

More information on the different types of rules can be found here.