Getting to Know Chronicle SIEM: YARA-L Rule Options

In this post, we’re going to get to know Chronicle SIEM with a focus on the various options available in the rules engine, including retrohunts, versioning, and alerting.

For each rule, we have a number of options available to us. At a high level, these include turning the rule on or off, controlling when the rule runs, and choosing which saved version of the rule is in use.


Follow along in the video below to see in action how these options apply to a rule.

The options provided in the rules engine allow us to control whether a rule is applied against our live data and whether an alert is generated on a match. They also let us define how frequently a rule runs and whether it is run against historical data (a retrohunt); if so, we can choose the span of time it should consider.

These options also allow us to compare versions of the rule that have been saved over time, make copies of rules for other uses, as well as archive rules that are no longer needed.


If you have any questions, please feel free to leave a comment below. Also, check out these additional resources with more information and learning opportunities:

Last update: 11-02-2023 03:36 PM