Viewing rules in Rules Dashboard

To open the Rules Dashboard in Chronicle, select Rules from the menu icon. The Rules Dashboard lists all of the rules currently stored in your Chronicle account and includes the following features:

  • Trend chart displays the rule with the greatest number of detections over the past 3 weeks.
  • A bar chart shows the detection activity associated with each rule. Hovering over a bar displays the date and the number of detections on that date.
  • Run frequency indicates approximately how often the rule executes.
  • Live Status shows whether the rule is Enabled or Disabled.
  • Rule severity, as declared in the rule's metadata.

If you hover over a rule and click the menu icon to its right, the Rule Settings menu opens. From it you can change the Live Rule, Run Frequency, and Notifications options and access the following:

  • Live Rule monitors your incoming logs for threats until the rule is deleted or disabled.
  • Alerting flags the rule's detections as alerts. An alert indicates an anomaly in the normal flow of traffic within the enterprise and should be investigated as a possible security breach.
  • Run Frequency indicates approximately how often the rule executes. It determines how quickly new detections surface for that rule: a rule that runs less often finds matching events later.
  • YARA-L Retrohunt runs the selected rule against data already stored in Chronicle, so you can find historical matches rather than only new ones.
  • Edit Rule enables you to edit existing rules and create new rules.
  • View Rule Detections shows the detections generated by a live rule.
  • Archive hides the rule, all of its versions, and the security data related to it without actually deleting the rule.
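The severity shown on the dashboard, and the rule text that both a Live Rule and a Retrohunt evaluate, live in the YARA-L rule itself. The following YARA-L 2.0 rule is an added example written for this page, not a rule from the original documentation or from the Chronicle product; the rule name, author, threshold, time window and UDM field values are illustrative assumptions. Live Rule status, Run Frequency and Notifications are dashboard settings applied to the rule and do not appear in the rule text.

```yaral
// Added example: a YARA-L 2.0 rule whose meta section carries the
// severity the Rules Dashboard displays. Detects five or more blocked
// login attempts for one user followed by a successful login within
// ten minutes (threshold and window are illustrative assumptions).
rule repeated_failed_logins_then_success {

  meta:
    // Placeholder author; replace with your team or name.
    author = "example author (placeholder)"
    description = "Five or more blocked logins for a user followed by an allowed login within 10 minutes"
    // This value is what the Rules Dashboard shows as the rule's severity.
    severity = "High"

  events:
    // Blocked login attempts, keyed on the user ID.
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.user.userid = $user

    // A successful login for the same user ID.
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.user.userid = $user

  match:
    // Group matching events per user within a 10 minute window.
    $user over 10m

  condition:
    // Fire when at least five blocked attempts and one allowed login occur.
    #fail >= 5 and $success
}
```

Enabling this rule as a Live Rule evaluates it against incoming logs at the configured Run Frequency; running it as a YARA-L Retrohunt evaluates the same rule text against data already ingested. Changing the `severity` value in the meta section and saving a new rule version is what changes the severity shown on the dashboard.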

Clicking a rule name opens the Rule Detections view.

Figure: the Chronicle Rules Dashboard, used to view the status of rules.