Manage observable rules

Manage observable rules from the List of observable rules.

To get to the list of observable rules:

  • From the left navigation, select Data configuration > Rules > Observables.


Enable or disable a rule

A rule must be enabled for it to take effect.

While a rule is enabled, it is only run against new objects on EclecticIQ Intelligence Center that:

  • match the rule’s criteria, and

  • are ingested or created on EclecticIQ Intelligence Center while the rule is enabled.

A rule is not run on existing objects on EclecticIQ Intelligence Center unless it is manually run.

Enable

To enable a rule, do one of the following:

From the list of rules

  1. Locate the rule you want to enable.

  2. Select More on the right of that rule.

  3. Select Enable.


From an open rule

Select a rule to open it, then select Enable.


Enable when creating a rule

Select Enabled when creating a rule. See Create observable rules.

Disable

To disable a rule, do one of the following:

From the list of rules

  1. Locate the rule you want to disable.

  2. Select More on the right of that rule.

  3. Select Disable.

From an open rule

Select a rule to open it, then select Disable.

Manually run rules

Enabling a rule does not automatically run it on existing objects.

To manually run rules:

Enable and run

When you enable a rule, a dialog box pops up asking if you want to run the rule now. Select Run now to run the rule now.

  1. Select a rule to open it.

  2. Select Enable.

  3. In the dialog box that opens, select Run now.


Run now

You can run a rule using the Run now option.

  1. Select a rule to open it.

  2. Select Run now.

Alternatively:

  1. Select a rule to open it.

  2. Select More > Run now.

Edit rules

To edit a rule, do one of the following:

From the list of rules

  1. Locate the rule you want to edit.

  2. Select More on the right of that rule.

  3. Select Edit.

From an open rule

Do one of the following:

  • Select Edit from the top right.

  • Select More > Edit from the top right.

Delete rules

Caution

Deleting a rule is irreversible. You may want to disable a rule instead.

To delete a rule, do one of the following:

From the list of rules

  1. Locate the rule you want to delete.

  2. Select More on the right of that rule.

  3. Select Delete.

From an open rule

Select a rule to open it, then select Delete.

Filter rules

Filter by rule name

To filter by Rule name, enter an exact term (case-insensitive) in the Filter … field.


Filter menu

Select Filter to display the filter menu.


Here, you can filter rules by:

  • Status: Filter rules by whether they are Enabled or Disabled.

  • Source: Filter rules by their Source criteria. See Create observable rules.

  • Classification: Filter rules by their Classification action. See Create observable rules.

View matching observables

Observables that match a rule’s criteria are displayed as observable relationships.

If an observable rule returns matches, they are displayed in the Matches tab of the observable rule detail pane.

To view matches for a rule:

  1. Open the rule by selecting it.

  2. Select the Matches tab.


    Note

    If the Action for an observable rule is Ignore, the Matches tab may still display observables. That’s because the Ignore action only prevents ingestion of observables after the rule is enabled.

    For more information on the Ignore action, see Create observable rules.