Get started with unified rules

The unified rules interface provides deployment and management capabilities for custom and curated rules. This document explains how to get started with the unified rules interface and lists the permissions required to access it.

The interface consists of the following components:

  • Rules dashboard: A centralized management and monitoring console. It provides real-time visibility into rule status, execution metrics, and deployment history across all environments.

  • Rules editor: A unified interface for viewing and authoring rules.

  • Rules API: API endpoints for Create, Read, Update, and Delete (CRUD) operations on rules.

Required permissions

This section lists the permissions you need for accessing the unified rules dashboard and editor.

Rules dashboard

Action: View
Required IAM permissions:
  • chronicle.rules.list
  • chronicle.retrohunts.list
  • chronicle.ruleDeployments.list
  • chronicle.legacies.legacySearchCustomerStats
  • chronicle.legacies.legacyGetRuleCounts
  • chronicle.legacies.legacyGetRulesTrends
  • chronicle.legacies.legacyGetCuratedRulesTrends

Action: Edit
Required IAM permissions:
  • chronicle.retrohunts.create
  • chronicle.ruleDeployments.update
  • chronicle.ModifyRules

Rules editor

For each component of the Rules editor, the following list gives the IAM permission (if you use IAM) and the Analyst permission (if you use legacy RBAC).

  • Rules editor page
      IAM permission: chronicle.ruleDeployments.list, chronicle.rules.list
      Analyst permission: detectRulesView

  • Related reference list section
      IAM permission: chronicle.referenceLists.get, chronicle.referenceLists.list
      Analyst permission: referenceListView

  • Related data table section
      IAM permission: chronicle.dataTables.get, chronicle.dataTables.list
      Analyst permission: N/A

  • Create new rule button
      IAM permission: chronicle.rules.verifyRuleText, chronicle.rules.create
      Analyst permission: detectRulesCreate

  • Test rule button
      IAM permission: chronicle.legacies.legacyRunTestRule
      Analyst permission: detectRulesRun

  • Rule scope menu
      IAM permission: chronicle.rules.update
      Analyst permission: detectRulesEdit

  • Save rule button
      IAM permission: chronicle.rules.update
      Analyst permission: detectRulesEdit

  • Save as new rule button
      IAM permission: chronicle.rules.create
      Analyst permission: detectRulesCreate

  • Rule retro hunt button
      IAM permission: chronicle.retrohunts.create
      Analyst permission: detectRulesRun

  • Rule live toggle
      IAM permission: chronicle.ruleDeployments.update
      Analyst permission: detectRulesEdit

  • Rule alert toggle
      IAM permission: chronicle.ruleDeployments.update
      Analyst permission: detectRulesEdit

  • Rule run frequency toggle
      IAM permission: chronicle.ruleDeployments.update
      Analyst permission: detectRulesEdit

  • Rule archive and unarchive toggle
      IAM permission: chronicle.ruleDeployments.update
      Analyst permission: detectRulesEdit

  • View curated rule in editor
      IAM permission: chronicle.featuredContentRules.list
      Analyst permission: N/A
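The two permission tables above are what an administrator checks when deciding whether a custom IAM role is scoped correctly for a given analyst persona. The following script is an added example, not Google SecOps code: it transcribes the IAM permission sets from the dashboard and editor tables and, given the plain list of permission strings granted by a role, reports which dashboard actions and editor components that role unlocks, which permissions are still missing for a component, and whether a role intended to be read-only accidentally unlocks any state-changing controls. The two sample roles at the bottom are constructed for illustration, and the "mutating" classification (permissions ending in .create or .update, plus chronicle.ModifyRules) is this example's own heuristic rather than anything the page defines.

```python
"""Audit a role's permission list against the unified rules UI requirements.

The permission sets are transcribed from the two tables on this page.
The sample roles below are constructed for this example.
"""
from typing import Iterable, List

# Rules dashboard: IAM permissions required per action (from the page).
DASHBOARD_REQUIRED = {
    "View": {
        "chronicle.rules.list",
        "chronicle.retrohunts.list",
        "chronicle.ruleDeployments.list",
        "chronicle.legacies.legacySearchCustomerStats",
        "chronicle.legacies.legacyGetRuleCounts",
        "chronicle.legacies.legacyGetRulesTrends",
        "chronicle.legacies.legacyGetCuratedRulesTrends",
    },
    "Edit": {
        "chronicle.retrohunts.create",
        "chronicle.ruleDeployments.update",
        "chronicle.ModifyRules",
    },
}

# Rules editor: IAM permissions required per UI component (from the page).
EDITOR_REQUIRED = {
    "Rules editor page": {"chronicle.ruleDeployments.list", "chronicle.rules.list"},
    "Related reference list section": {"chronicle.referenceLists.get", "chronicle.referenceLists.list"},
    "Related data table section": {"chronicle.dataTables.get", "chronicle.dataTables.list"},
    "Create new rule button": {"chronicle.rules.verifyRuleText", "chronicle.rules.create"},
    "Test rule button": {"chronicle.legacies.legacyRunTestRule"},
    "Rule scope menu": {"chronicle.rules.update"},
    "Save rule button": {"chronicle.rules.update"},
    "Save as new rule button": {"chronicle.rules.create"},
    "Rule retro hunt button": {"chronicle.retrohunts.create"},
    "Rule live toggle": {"chronicle.ruleDeployments.update"},
    "Rule alert toggle": {"chronicle.ruleDeployments.update"},
    "Rule run frequency toggle": {"chronicle.ruleDeployments.update"},
    "Rule archive and unarchive toggle": {"chronicle.ruleDeployments.update"},
    "View curated rule in editor": {"chronicle.featuredContentRules.list"},
}


def is_mutating(permission: str) -> bool:
    """Heuristic (this example's own, not from the page): a permission that
    creates or updates something changes rule state."""
    return permission.endswith((".create", ".update")) or permission == "chronicle.ModifyRules"


def dashboard_actions(granted: Iterable[str]) -> List[str]:
    """Dashboard actions whose full permission set is covered by `granted`."""
    g = set(granted)
    return [action for action, req in DASHBOARD_REQUIRED.items() if req <= g]


def editor_components(granted: Iterable[str]) -> List[str]:
    """Editor components whose full permission set is covered by `granted`."""
    g = set(granted)
    return [comp for comp, req in EDITOR_REQUIRED.items() if req <= g]


def missing_for(granted: Iterable[str], component: str) -> List[str]:
    """Permissions still needed before `component` becomes usable."""
    return sorted(EDITOR_REQUIRED[component] - set(granted))


def audit_read_only(granted: Iterable[str]) -> List[str]:
    """For a role meant to be view-only, list the state-changing editor
    components it unlocks. An empty list means the role is least-privilege
    with respect to the editor controls on this page."""
    return [
        comp for comp in editor_components(granted)
        if any(is_mutating(p) for p in EDITOR_REQUIRED[comp])
    ]


# Constructed sample: a read-only analyst role (dashboard View + read-only editor sections).
VIEWER_ROLE = sorted(
    DASHBOARD_REQUIRED["View"]
    | EDITOR_REQUIRED["Rules editor page"]
    | EDITOR_REQUIRED["Related reference list section"]
    | EDITOR_REQUIRED["Related data table section"]
)

# Constructed sample: the same role with one deployment-update permission added by mistake.
OVERPERMISSIVE_ROLE = VIEWER_ROLE + ["chronicle.ruleDeployments.update"]

if __name__ == "__main__":
    for name, role in (("viewer", VIEWER_ROLE), ("overpermissive", OVERPERMISSIVE_ROLE)):
        print(f"{name}: dashboard={dashboard_actions(role)}")
        print(f"{name}: editor={editor_components(role)}")
        print(f"{name}: mutating controls unlocked={audit_read_only(role)}")
    print("viewer still needs for 'Create new rule button':",
          missing_for(VIEWER_ROLE, "Create new rule button"))
```

Feed the script the permission list of an actual custom role (for example, the includedPermissions of an exported role definition) to confirm that a viewer persona reaches the dashboard View action and the three read-only editor sections and nothing more; a single stray chronicle.ruleDeployments.update turns all four deployment toggles on, which is exactly what audit_read_only surfaces.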

Opt-in to the unified Rules dashboard

  1. Go to the Rules dashboard page.

  2. Click Try Our New Unified Rules Page.

After you opt in, your instance loads the unified Rules dashboard page by default.

Opt-out of the unified Rules dashboard

To return to the legacy Rules dashboard, do the following:

  1. Go to the Rules dashboard page.

  2. Click Go back to the Legacy Rules Dashboard.

After you opt out, your instance loads the legacy Rules dashboard page by default.

Opt-in to the unified Rules editor

  1. Go to the Rules editor page.

  2. Click New Rule Editor page.

After you opt in, your instance loads the unified Rules editor page by default.

Opt-out of the unified Rules editor

To return to the legacy Rules editor page, do the following:

  1. Go to the Rules editor page.

  2. Click Legacy Rules Editor page.

After you opt out, your instance loads the legacy Rules editor page by default.
