Working with rules

    When you open the Rules page, all rules are listed in the table. Use the search bar to search for specific rules by entering a full or partial name and pressing Return/Enter on your keyboard. The list is filtered and displays matching results.

    To see rule details, select the rule in the Rule name column of the list. The rule details pane opens.

    1. Either drag a YAML-formatted Sigma rule into the window or browse for the file by selecting the link and opening it. The Import a rule window opens and the rule definition fields are automatically populated.
    2. Verify or modify the information in the fields.
    3. After you confirm the information for the rule is accurate, select the Create button in the lower-right corner of the window. A new rule is created, and it appears in the list of rules on the main page of the Rules window.

    An alternative to importing a rule is duplicating a Sigma rule and then modifying it to create a custom rule. First search for or filter rules in the Rules list to locate the rule you want to duplicate.

    1. Select the Duplicate button in the upper-right corner of the pane. The Duplicate rule window opens and all of the fields are automatically populated with the rule’s details. Selecting the duplicate button
    2. Modify any of the fields to customize the rule.
    3. After performing any modifications to the rule, select the Create button in the lower-right corner of the window. A new and customized rule is created, and it appears in the list of rules on the main page of the Rules window.