Matching rules page

View your existing alerting rules on the Matching rules page. You can also add new alerting rules.

Rules list

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Click the plus icon to add a new alerting rule.

Customize which columns are displayed in the list by clicking the additional content icon.

Each row displays a summary of an alerting rule. The list contains the following columns:

Timestamp

Indicates when the rule was created. The time is shown in the currently selected timezone.

Click the delete icon to delete the rule.

Click the expand icon to view the rule matches.

The list is sorted by timestamp, by default in decreasing order (latest at the top). Click the angle up icon to sort the list in increasing order (oldest at the top). Click the angle down icon to toggle to the default.

Rule UUID

The UUID of the rule.

Click the sort icon to sort the list by UUID.

Rule

The definition of the rule. The rule may be truncated if it is too long. You can view the full rule on the Matching results page if it returns any results.

A rule definition cannot be edited, because modifying it would invalidate the matching history of the rule. Instead, disable or delete the rule and create a new one.

Click the sort icon to sort the list alphabetically by the rule.

Title

The name of the rule.

Click the sort icon to sort the list alphabetically by the title.

Status

The status of the rule, either Active or Inactive. Click the button to toggle the rule status.

Click the sort icon to sort the list by status.

Build a rule

On the Add Rule page, create a new rule by filling in the Rule field and then providing a Title.

Ensure you have the required permissions to access or manage the rules (see Alerting permissions).

Rule language

Matching rules are written in the query language described in Build a query. A rule consists of one or more expressions joined by operators.

Regular expressions

The rule language also supports regular expressions. To indicate that a value is a regular expression rather than a literal, replace the single quotes delimiting the value with slashes. For example, to be alerted on suspicious use of mail addresses within your company, the literal rule:

string: 'mypreciseaddress@mycompanyname.com'

becomes:

string: /.*@mycompanyname\.com/

When using regular expressions for your rules, be aware of the following:

  • Alerting performs case-insensitive matching. This makes rules more robust, in particular where character case is of little relevance, such as in threat names or file paths.

  • Alerting uses standard regular expression syntax, so all metacharacters must be properly escaped, including backslashes. An unescaped dot, for instance, matches any character, not only a literal dot.
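The following Python script is an added example, not the product's own matching engine: it models the two value forms shown above (single-quoted literal versus slash-delimited regular expression), applies the case-insensitive matching the page describes, and shows why the dot and the backslashes must be escaped. The expression grammar, the `compile_expression`, `matches` and `literal_to_regex` names, the anchoring of the pattern to the whole field value (the reason the page's example starts with `.*`) and the sample records are all assumptions made for this example.

```python
import re

# Grammar for one "field: value" expression (assumption based on the two forms
# shown on the page; operators joining several expressions are not modelled).
# A value is either single-quoted (matched literally) or slash-delimited (regex).
_EXPRESSION = re.compile(
    r"^(?P<field>[A-Za-z_]\w*):\s*"
    r"(?:'(?P<literal>[^']*)'|/(?P<regex>(?:\\.|[^/\\])*)/)$"
)


def compile_expression(expression):
    """Return (field, compiled pattern) for a single expression.

    A literal value is passed through re.escape, so every metacharacter in it
    (dots, backslashes, ...) matches itself. A slash-delimited value is
    compiled exactly as written, so escaping is the rule author's job.
    Both are compiled with re.IGNORECASE, mirroring the page's note that
    Alerting matches case-insensitively.
    """
    m = _EXPRESSION.fullmatch(expression.strip())
    if m is None:
        raise ValueError(f"unsupported expression: {expression!r}")
    pattern = re.escape(m["literal"]) if m["literal"] is not None else m["regex"]
    return m["field"], re.compile(pattern, re.IGNORECASE)


def matches(expression, record):
    """True if the record's field value satisfies the expression.

    The pattern is anchored to the whole value (assumption; it is why the
    page's example pattern begins with '.*').
    """
    field, pattern = compile_expression(expression)
    return pattern.fullmatch(record.get(field, "")) is not None


def literal_to_regex(field, literal):
    """Rewrite a literal value as the equivalent slash-delimited regex form,
    escaping every metacharacter so the two forms match the same values."""
    return f"{field}: /{re.escape(literal)}/"


# Constructed sample records standing in for matched events (not real data).
RECORDS = [
    {"string": "mypreciseaddress@mycompanyname.com"},
    {"string": "Someone.Else@MyCompanyName.COM"},  # same domain, different case
    {"string": "attacker@mycompanyname-com"},      # '-' where a '.' is expected
    {"string": r"C:\Users\bob\payload.exe"},        # path with backslashes
]

LITERAL = "string: 'mypreciseaddress@mycompanyname.com'"
ESCAPED = r"string: /.*@mycompanyname\.com/"   # the page's regex form
UNESCAPED = "string: /.*@mycompanyname.com/"   # dot left unescaped


if __name__ == "__main__":
    for rule in (LITERAL, ESCAPED, UNESCAPED):
        hits = [r["string"] for r in RECORDS if matches(rule, r)]
        print(f"{rule:45} -> {hits}")
    # Path literals need their backslashes doubled in regex form:
    print(literal_to_regex("string", r"C:\Users\bob\payload.exe"))
```

Running the script shows that the literal form matches only the exact address, the escaped regex additionally matches the differently cased address, and the unescaped regex also matches `attacker@mycompanyname-com`, because the bare dot accepts the hyphen. The last line prints `string: /C:\\Users\\bob\\payload\.exe/`, the correctly escaped regex equivalent of the path literal.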