diff --git a/cid-redirects.json b/cid-redirects.json index 141eab3f74..57e2eada7a 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -1667,6 +1667,7 @@ "/cid/10147": "/docs/cse/integrations", "/cid/10148": "/docs/cse/rules", "/cid/101481": "/docs/cse/rules/about-cse-rules", + "/cid/101482": "/docs/cse/rules/rules-status", "/cid/10149": "/docs/cse/rules/write-match-rule", "/cid/1015": "/docs/send-data/reference-information/use-wildcards-paths", "/cid/10150": "/docs/cse/rules/write-threshold-rule", diff --git a/docs/cse/rules/before-writing-custom-rule.md b/docs/cse/rules/before-writing-custom-rule.md index d637321c5e..4088edf479 100644 --- a/docs/cse/rules/before-writing-custom-rule.md +++ b/docs/cse/rules/before-writing-custom-rule.md @@ -104,13 +104,3 @@ Now we have a query we can use as the rule expression for our rule. Note that You can use an expression like this example in any rule type. Here is an example Match rule with the expression, shown in the rules editor. Example in editor - -## Degraded rules - -A degraded rule is one that has had a portion of the rule shut off to prevent it from exceeding a processing limit. If you write a custom rule that becomes degraded, you must tune the rule to correct the problem. - -For example, rules have a limit on the number of records per second they can evaluate. If there is a value used in the "group by" field that causes the rule to exceed that threshold, the particular value will be ignored, but the rest of the rule is still be used. In this case, Cloud SIEM might display a message like this: - -`The aggregation on the group key 'admin@company.com' has a record volume exceeding the supported limit, and has been disabled. Consider tuning the rule to exclude records producing this group key.` - -To resolve a degraded rule issue, create a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions/) to address the portion of the rule causing the rule degradation. 
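Review bot: the removed "Degraded rules" section leaves no pointer from this page to where the material now lives, so a reader of "Before you write a custom rule" (which the new file links back to) no longer learns what a degraded rule is. Suggest keeping a one-line cross-reference at the end of the page, e.g. `If a custom rule becomes degraded, see [Degraded rules](/docs/cse/rules/rules-status/#degraded-rules).` Also, the sentence dropped here ("the particular value will be ignored, but the rest of the rule is still be used", typo aside) was the only place that explained that only the offending group key is dropped rather than the whole rule; that detail does not reappear in the new file, so either move it across or confirm the behaviour has changed.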
diff --git a/docs/cse/rules/index.md b/docs/cse/rules/index.md index 8033c3f4da..c1722544bf 100644 --- a/docs/cse/rules/index.md +++ b/docs/cse/rules/index.md @@ -17,6 +17,12 @@ In this section, we'll introduce the following concepts:

Learn about Cloud SIEM rules, rules syntax, and how to write rules.

+
+
+ Flow diagram icon

Rules Status

+

Learn about Cloud SIEM rules statuses and how to address rules in a degraded or failed state.

+
+
Flow diagram icon

Before You Write a Custom Rule

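Review bot: style point on the new card text: "Cloud SIEM rules statuses" reads awkwardly; "rule statuses" matches the page title "Rules Status" better, and the same phrase is repeated in the new file's front-matter `description`, so change both together. The card's placement (between the rules overview and "Before You Write a Custom Rule") matches the order added to `sidebars.ts` and the `/cid/101482` redirect, which is good.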
diff --git a/docs/cse/rules/rules-status.md b/docs/cse/rules/rules-status.md new file mode 100644 index 0000000000..988c4337aa --- /dev/null +++ b/docs/cse/rules/rules-status.md @@ -0,0 +1,127 @@ +--- +id: rules-status +title: Rules Status +sidebar_label: Rules Status +description: Learn about Cloud SIEM rules statuses and how to address rules in a degraded or failed state. +keywords: + - cloud siem + - rules +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +This article describes the status of Cloud SIEM rules and how to address rules that are in a degraded or failed state. + +## View a rule's status + +You can see a rule's status while viewing the rule: +* On the rules list page:
Rule status on list page +* On the rule details page:
Rule status on details page + +## Search for rules by status + +1. [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the top menu select **Content > Rules**.
[**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Cloud SIEM > Rules**. You can also click the **Go To...** menu at the top of the screen and select **Rules**. +1. Click **Filters** at the top of the **Rules** screen. +1. Select the **Status** field.
Filter on rule status +1. For **Operator** select **is**. +1. Select a status.
Select status to filter on
+ +## Kinds of rule status + +Following are the different kinds of rule status. A rule's status can change depending on whether it exceeds [rule limits](#rule-limits). + +| Status | Description | Action required | +| :-- | :-- | :-- | +| **Active** | The rule is executing normally. | No action required. | +| **Degraded** | The rule is approaching a rule limit and it is removed from execution for one hour to allow processing to catch up. At the end of the hour, the rule is allowed to execute again and its status changes back to Active. | Click the information button Rule status information button on the **Degraded** label for details. Depending on the information provided, you may want to edit the rule to reduce the chance it will become degraded again later. See [Degraded rules](#degraded-rules) below for more information. | +| **Disabled** | The rule was manually disabled using the toggle in the UI, or was disabled with the API. | Enable the rule with the toggle in the UI, or enable the rule with the [API](https://api.sumologic.com/docs/sec/#operation/UpdateRuleEnabled). | +| **Failed** | The rule exceeded a rule limit and was automatically disabled. | Click the information button Rule status information button on the **Failed** label for details about the failure. Depending on the reasons provided in the details, you may need to edit the rule to prevent it from failing again in the future.

After addressing the reasons for the failure, enable the rule with the toggle in the UI, or enable the rule with the [API](https://api.sumologic.com/docs/sec/#operation/UpdateRuleEnabled). | + + + +### Degraded rules + +A degraded rule is one that has been temporarily shut off to prevent it from exceeding a processing limit. If you write a [custom rule](/docs/cse/rules/before-writing-custom-rule/) that becomes degraded, you must tune the rule to correct the problem. + +For example, rules have a limit on the number of records per second they can evaluate. If there is a value used in the "group by" field that causes the rule to exceed that threshold, Cloud SIEM might display a message like this: + +`The aggregation on the group key 'admin@company.com' has a record volume exceeding the supported limit, and has been disabled. Consider tuning the rule to exclude records producing this group key.` + +To resolve a degraded rule issue, create a [rule tuning expression](/docs/cse/rules/rule-tuning-expressions/) to address the portion of the rule causing the rule degradation. + +## Rule limits + +Limits are set on how often a rule fires so that the system is not overloaded. For example, if a rule fires too many signals in an hour, it can cause performance problems for all rule processes. If a rule exceeds a limit, its rule status changes from Active to Failed and the rule is disabled. + +| Type | Limit | +| :-- | :-- | +| Signals per hour | 100K | +| Signals per 24 hours | 1M | + + + +## Query for rule status changes + +You can query audit logs for rule status changes. For more information about querying audit logs, see [Cloud SIEM Audit Logging](/docs/cse/administration/cse-audit-logging/) and [Cloud SIEM audit log definitions](/docs/manage/security/audit-indexes/documentation-audit-log-definitions/#cloud-siem-audit-log-definitions). + +### Query for disabled rules + +Use the following query to find rules that are disabled. 
It finds rules that are manually disabled by users (in `_index=sumologic_audit_events`) or automatically disabled by the system (in `_index=sumologic_system_events`). + +```sql +(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=cseRule +| where (%"aggregationrule.enabled" = "false" +or %"chainrule.enabled" = "false" +or %"firstseenrule.enabled" = "false" +or %"matchrule.enabled" = "false" +or %"outlierrule.enabled" = "false" +or %"templatedMatchRule.enabled" = "false" +or %"thresholdrule.enabled" = "false") +``` + +### Query for updated rules + +Use the following query to find rules that have been updated. This query finds rules that are updated for any reason. The update may not result in a status change for the rule. + +```sql +(_index=sumologic_audit_events OR _index=sumologic_system_events) _sourceCategory=cseRule +| where (eventName = "AggregationRuleUpdated" +or eventName = "ChainRuleUpdated" +or eventName = "FirstSeenRuleUpdated" +or eventName = "MatchRuleUpdated" +or eventName = "OutlierRuleUpdated" +or eventName = "TemplatedMatchRuleUpdated" +or eventName = "ThresholdRuleUpdated" ) +| sort by eventName asc +``` + +## Create a monitor to alert on rule status changes + +You can [create a monitor](/docs/alerts/monitors/create-monitor/) to generate alerts when rules statuses change. This will alert you when you need to take action. + +For example, you could use the [query for disabled rules](#query-for-disabled-rules) above in your monitor. It will alert when rules are disabled. + +Example monitor for rule status change + + + diff --git a/sidebars.ts b/sidebars.ts index 5c2d4229dd..93b5e4fccf 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2855,6 +2855,7 @@ integrations: [ link: {type: 'doc', id: 'cse/rules/index'}, items: [ 'cse/rules/about-cse-rules', + 'cse/rules/rules-status', 'cse/rules/before-writing-custom-rule', 'cse/rules/cse-rules-syntax', 'cse/rules/write-match-rule', 
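Review bot: the three descriptions of a degraded rule in this file disagree with each other. The status table says the whole rule "is removed from execution for one hour", returns to Active automatically, and that you "may want to edit the rule"; the "Degraded rules" section says the rule is "temporarily shut off" and that "you must tune the rule"; and the quoted message says only the aggregation on one group key "has been disabled", which implies the rest of the rule keeps running. Decide which behaviour is correct, state it once (is the rule paused for an hour, or is one group key dropped?), and make the required action consistent. Related: the Degraded row links to `#rule-limits`, but that table lists only signal-count limits, while the section cites a records-per-second limit as the trigger for degradation; either add that limit to the table or say it is not published. In the disabled-rules query, `%"templatedMatchRule.enabled"` is cased differently from the other six field names (`aggregationrule.enabled`, `chainrule.enabled`, ...); confirm it matches the emitted field name, otherwise that clause silently matches nothing. The Failed row's "Action required" cell also spans three source lines; check that the breaks are joined with an HTML line break, or the Markdown table will not render. Finally, the monitor example built on the disabled-rules query will also fire on intentional manual disables (`_index=sumologic_audit_events`); if the intent is to alert on failures, suggest a variant restricted to `_index=sumologic_system_events`.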
diff --git a/static/img/cse/example-monitor-for-rule-status-change.png b/static/img/cse/example-monitor-for-rule-status-change.png new file mode 100644 index 0000000000..49a4bcb5af Binary files /dev/null and b/static/img/cse/example-monitor-for-rule-status-change.png differ diff --git a/static/img/cse/filter-on-rule-status-1.png b/static/img/cse/filter-on-rule-status-1.png new file mode 100644 index 0000000000..ebaeef0af0 Binary files /dev/null and b/static/img/cse/filter-on-rule-status-1.png differ diff --git a/static/img/cse/filter-on-rule-status-2.png b/static/img/cse/filter-on-rule-status-2.png new file mode 100644 index 0000000000..c7ae2e6968 Binary files /dev/null and b/static/img/cse/filter-on-rule-status-2.png differ diff --git a/static/img/cse/rule-degraded-info-button.png b/static/img/cse/rule-degraded-info-button.png new file mode 100644 index 0000000000..06af2decfc Binary files /dev/null and b/static/img/cse/rule-degraded-info-button.png differ diff --git a/static/img/cse/rule-failed-info-button.png b/static/img/cse/rule-failed-info-button.png new file mode 100644 index 0000000000..bcdb0e3970 Binary files /dev/null and b/static/img/cse/rule-failed-info-button.png differ diff --git a/static/img/cse/rule-status-information-button.png b/static/img/cse/rule-status-information-button.png new file mode 100644 index 0000000000..cd20597660 Binary files /dev/null and b/static/img/cse/rule-status-information-button.png differ diff --git a/static/img/cse/rule-status-on-detail-page.png b/static/img/cse/rule-status-on-detail-page.png new file mode 100644 index 0000000000..43eecbf7f4 Binary files /dev/null and b/static/img/cse/rule-status-on-detail-page.png differ diff --git a/static/img/cse/rule-status-on-list-page.png b/static/img/cse/rule-status-on-list-page.png new file mode 100644 index 0000000000..b061e7a551 Binary files /dev/null and b/static/img/cse/rule-status-on-list-page.png differ 
diff --git a/static/img/cse/rule-warning-info-button.png b/static/img/cse/rule-warning-info-button.png new file mode 100644 index 0000000000..8963322836 Binary files /dev/null and b/static/img/cse/rule-warning-info-button.png differ
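Review bot: `rule-warning-info-button.png` is added, but no "Warning" status appears in the "Kinds of rule status" table (Active, Degraded, Disabled, Failed), and the visible text of `rules-status.md` only references the generic "Rule status information button" image. Either document the state this icon belongs to or drop the unused asset; the same check applies to `rule-degraded-info-button.png` and `rule-failed-info-button.png`, which are not visibly referenced in the new page.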