Getting to Know Chronicle SIEM: Building a Single Event Rule - String Match

In this post, we’re going to build a single event rule in Chronicle SIEM using string matching, which will serve as a foundation for future rule building concepts.

In previous videos, we have touched on the structure of the rule, operators, and variables, so this is an opportunity to put these pieces all together.

For a single event rule, we need a minimum of three sections: meta, events, and condition. We need to identify the relevant UDM fields to use in our rule logic and then add values, in the form of strings, against those fields. Because these values are strings, they are enclosed in double quotes.
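The following YARA-L rule is an added example of the three-section structure described above; it is not the rule built in the post's video, and the event type, file path and hostname values are constructed for illustration.

```yaral
rule single_event_string_match_example {
  meta:
    // Every rule carries a meta section describing the rule itself.
    author = "example author (constructed)"
    description = "Single event rule matching UDM string fields on a process launch"
    severity = "LOW"

  events:
    // One event variable, $e: every predicate below must hold for the same event.
    // The UDM field names are real; the values are constructed examples.
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // String values are always enclosed in double quotes; backslashes are escaped.
    $e.principal.process.file.full_path = "C:\\Windows\\System32\\cmd.exe"

    // nocase makes the comparison case-insensitive, so "workstation-01" also matches.
    $e.principal.hostname = "WORKSTATION-01" nocase

  condition:
    // A single event rule fires once for each event that satisfies every predicate.
    $e
}
```

Use UDM search with the same field paths first (for example, `metadata.event_type = "PROCESS_LAUNCH"`) to confirm which values appear in your data before committing them to the rule.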


Follow along in the video below to see in action how to build a single event rule.


Remember, when you start building rules, that the meta, events, and condition sections are always included. UDM search is often a good place to view events and their fields and values as you explore your data, and when building your criteria, use double quotes for string values.


Check out these additional resources with more information and learning opportunities:

Last update: 11-06-2023 02:07 PM