Today, we are going to build a multi event rule in Chronicle SIEM, but this time we will use a sliding window versus the default hop window that we have used in previous examples. 

In previous multi-event rule videos, we used a hop window which gathered all relevant events without regard for time. That doesn't mean we don't care about ordering events. In fact we demonstrated how we can order events within a hop window! A sliding window provides another option that can be used to identify additional events before or after a defined event with a very slight syntax change. While sliding windows can provide additional flexibilty, there are performance costs that we need to be mindful of.

Follow along in the video below to see in action how to use a sliding window within a multi event rule.

Remember that sliding windows can look for events before or after that initial defined event that opens the window for a defined period of time. Also keep in mind that this event that opens the window should be an event that is not seen frequently, otherwise we risk maintaining too many open windows. Finally, hop windows with event ordering  and sliding windows can be used in rules and the best option depends on the use case.

Check out these additional resources with more information and learning opportunities:

• New to Chronicle blog series
• Chronicle Learning Path on Google Cloud Skills Boost
• Chronicle documentation
• Google Cloud Security Community Events