Security Notification Rules play a key role in Cloud SIEM by keeping your team informed of issues without you having to manually edit notification preferences for individual security detection rules.
A single notification rule can cover many security detection rules and signals at once: its notification preferences are selected by parameters such as severity, rule type, rule tags, signal attributes, and signal tags rather than per detection rule.
View and search through all created Notification Rules on the Notification Rules page. Create, edit, clone, enable, disable, delete, or view Notification Rules created by users in your organization.
Create a notification rule
To create a new notification rule, follow the instructions below.
1. Click the + New Notification Rule button in the top right corner of the page.
2. Enter a name for the notification rule in the Name field.
3. Define the logic for when the notification rule is triggered, using conditions that match the security detection rule, the security signal, or both:
   - For security detection rules, conditions can be set on severity, rule type, or rule tags.
   - For security signals, conditions can be set on any signal attribute or signal tag.
   For example, a notification rule with severity set to Medium is triggered by any signal generated by a Medium-severity detection rule, provided that any security signal conditions set in this step are also met at least once. Conditions are only evaluated while the notification rule is enabled.
4. Select everyone you want to notify in the Recipients field: individuals, teams, lists, or handles.
5. Check the preview panel on the right, which lists the detection rules matching the notification rule. Use it to judge whether the notification rule is too specific (matches nothing) or too broad (matches almost everything).
6. Click Save and Activate. The notification rule is activated immediately and you are returned to the main Notification Rules page.
After saving, if the notification rule matches a Security Detection Rule, its trigger conditions are shown in that rule's "Set severity and notifications" section. When a signal matches the notification rule's conditions, the resulting notification lists the matched notification rule in its footer, so the recipient can tell which rule routed it.
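The following Python model illustrates how the two halves of a notification rule (detection-rule conditions and signal conditions) combine, how a preview of matched detection rules reveals a rule that is too broad or too specific, and how a signal is routed to recipients with the matched rule name carried along. It is an added example, not Datadog's code or API. The matching semantics (values within one field are OR-ed, fields are AND-ed, an empty field matches everything, tags compare as exact key:value strings), the rule types, tags, handles, and signals are all constructed assumptions for illustration.

```python
"""Illustrative model of notification-rule matching (added example, not Datadog's code).

Assumed semantics: values listed for one field are OR-ed, different fields
are AND-ed, an empty field matches everything, tags are exact key:value strings.
"""
from dataclasses import dataclass, field


@dataclass
class DetectionRule:
    name: str
    severity: str                   # info, low, medium, high, critical
    rule_type: str                  # constructed values such as log_detection
    tags: set = field(default_factory=set)


@dataclass
class Signal:
    rule: DetectionRule             # the detection rule that produced the signal
    attributes: dict = field(default_factory=dict)
    tags: set = field(default_factory=set)


@dataclass
class NotificationRule:
    name: str
    recipients: list
    severities: set = field(default_factory=set)        # detection-rule side
    rule_types: set = field(default_factory=set)
    rule_tags: set = field(default_factory=set)
    signal_attributes: dict = field(default_factory=dict)  # signal side
    signal_tags: set = field(default_factory=set)
    enabled: bool = True


def _any_of(wanted: set, actual: set) -> bool:
    """Empty condition matches everything; otherwise one wanted value must be present."""
    return not wanted or bool(wanted & actual)


def matches_detection_rule(nr: NotificationRule, dr: DetectionRule) -> bool:
    """Detection-rule conditions: severity, rule type and rule tags, AND-ed together."""
    return (_any_of({s.lower() for s in nr.severities}, {dr.severity.lower()})
            and _any_of(nr.rule_types, {dr.rule_type})
            and _any_of(nr.rule_tags, dr.tags))


def matches_signal(nr: NotificationRule, sig: Signal) -> bool:
    """Signal conditions: every listed attribute must equal and any listed tag must be
    present. A disabled notification rule never fires, whatever its conditions."""
    if not nr.enabled or not matches_detection_rule(nr, sig.rule):
        return False
    attrs_ok = all(sig.attributes.get(k) == v for k, v in nr.signal_attributes.items())
    return attrs_ok and _any_of(nr.signal_tags, sig.tags)


def preview(nr: NotificationRule, rules: list) -> tuple:
    """Mimic the preview panel: names of the detection rules covered, plus a warning
    when the notification rule matches nothing or everything."""
    matched = [r.name for r in rules if matches_detection_rule(nr, r)]
    warning = None
    if not matched:
        warning = "too specific: matches no detection rule"
    elif len(matched) == len(rules):
        warning = "too broad: matches every detection rule"
    return matched, warning


def route(notification_rules: list, sig: Signal) -> dict:
    """Recipient -> names of the notification rules that fired for this signal
    (the detail a notification footer would carry)."""
    out: dict = {}
    for nr in notification_rules:
        if matches_signal(nr, sig):
            for rcpt in nr.recipients:
                out.setdefault(rcpt, []).append(nr.name)
    return out


# Constructed sample data: hypothetical detection rules, handles and signals.
BRUTE_FORCE = DetectionRule("okta-brute-force", "medium", "log_detection", {"team:security", "source:okta"})
ROOT_LOGIN = DetectionRule("aws-root-login", "high", "log_detection", {"team:infra", "source:cloudtrail"})
CRYPTO_MINER = DetectionRule("crypto-miner-process", "critical", "workload_security", {"team:infra"})
RULES = [BRUTE_FORCE, ROOT_LOGIN, CRYPTO_MINER]

MEDIUM_PROD = NotificationRule("medium-in-prod", ["@slack-secops"],
                               severities={"Medium"}, signal_attributes={"env": "prod"})
INFRA_TEAM = NotificationRule("infra-team", ["@infra-oncall"], rule_tags={"team:infra"})
CATCH_ALL = NotificationRule("catch-all", ["@ciso"])            # no conditions at all
PAUSED = NotificationRule("paused", ["@nobody"], severities={"critical"}, enabled=False)
NOTIFICATION_RULES = [MEDIUM_PROD, INFRA_TEAM, CATCH_ALL, PAUSED]

PROD_BRUTE = Signal(BRUTE_FORCE, {"env": "prod", "usr.name": "alice"}, {"env:prod"})
STAGING_BRUTE = Signal(BRUTE_FORCE, {"env": "staging"}, {"env:staging"})
PROD_MINER = Signal(CRYPTO_MINER, {"env": "prod", "host": "web-1"}, {"env:prod"})

if __name__ == "__main__":
    for nr in NOTIFICATION_RULES:
        print(nr.name, preview(nr, RULES))
    for sig in (PROD_BRUTE, STAGING_BRUTE, PROD_MINER):
        print(sig.rule.name, sig.attributes.get("env"), route(NOTIFICATION_RULES, sig))
```

Running the module prints each notification rule's preview and then the routing for each sample signal. The `catch-all` rule is flagged as too broad because it has no conditions, `paused` never appears in any routing result even though the critical-severity miner signal would match it, and the Medium-severity brute-force signal only reaches `@slack-secops` when its `env` attribute is `prod`.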
Manage a notification rule
The free text search on the Notification Rules page filters notification rules by the text they contain. Selecting a rule type, rule tag, signal attribute, or signal tag value within a rule card adds that value to the search, which then shows only the notification rules matching it.
Results update as you edit the search query; there is no Search button.
Enable or disable
Use the toggle switch in the top right corner of the notification rule card to enable or disable a notification rule.
Edit
To edit a notification rule, hover over the notification rule card and click on it.
Clone
To clone a notification rule, click the kebab menu in the top right corner of the notification rule card and select Clone Notification Rule from the menu.
Delete
To delete a notification rule, click the kebab menu in the top right corner of the notification rule card and select Delete Notification Rule from the menu.