There are two types of rules in Cloud SIEM:
-
A protected rule is a rule defined by Logz.io. These rules appear in the Rule definitions list with a Logz.io rule tag. You cannot edit the name or logic of a protected rule unless you duplicate the rule as described in this document. You can, however, define what accounts to apply the rule to, edit the trigger conditions, tags and recipient endpoints of a protected rule.
-
A regular rule is a rule defined by the user. These rules appear in the Rule definitions list without a tag. You can edit the name and logic of a regular rule, as well as define what accounts to apply the rule to, edit the trigger conditions, tags and recipient endpoints of the rule.
To edit a regular rule:
-
Sign in to Logz.io.
-
Go to SIEM > Rules.
-
Select the three dots menu on the right side of a rule that you need to edit.
-
Select Edit.
-
Edit the rule.
-
Select Save.
If you need to customize a protected rule, you can clone it, adjust the cloned rule to your needs and then disable the original protected rule. To do tis:
To edit a rule:
-
Sign in to Logz.io.
-
Go to SIEM > Rules.
-
Select the three dots menu on the right side of a rule that you need to clone.
-
Select Duplicate.
-
Edit the rule.
-
Select Save.
-
In the State column of the original protected rule, set the state selector to the disabled mode.