From 1b8a4bc7f58b9f235aa8984be1923df8b4b709fa Mon Sep 17 00:00:00 2001
From: Janine Chan <64388808+janine-c@users.noreply.github.com>
Date: Fri, 6 Mar 2026 15:52:17 -0700
Subject: [PATCH 1/5] Rename target file

---
 .../create_rule/{_index.md => _index.mdoc.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/{_index.md => _index.mdoc.md} (100%)

diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
similarity index 100%
rename from content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.md
rename to content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md

From 63e6caf3a9667d08e20a7d58b8b4682a77f47be7 Mon Sep 17 00:00:00 2001
From: Janine Chan <64388808+janine-c@users.noreply.github.com>
Date: Fri, 13 Mar 2026 11:26:32 -0600
Subject: [PATCH 2/5] First work chunk: create rules and set conditions

---
 config/_default/menus/main.en.yaml | 4 +-
 content/.gitignore | 1 +
 .../create_rule/_index.mdoc.md | 843 +++++++++++++++++-
 .../cloud_siem_custom_detection_rules.yaml | 96 ++
 customization_config/en/options/general.yaml | 38 +-
 customization_config/en/traits/general.yaml | 17 +-
 .../cloud_siem/add_calculated_fields.mdoc.md | 7 +
 .../cloud_siem/add_reference_tables.mdoc.md | 5 +
 .../mdoc/en/cloud_siem/anomaly_query.mdoc.md | 6 +
 .../content_anomaly_options.mdoc.md | 9 +
 .../cloud_siem/content_anomaly_query.mdoc.md | 9 +
 .../en/cloud_siem/create_suppression.en.md | 16 +
 .../enable_decrease_severity.mdoc.md | 3 +
 .../en/cloud_siem/enable_group_by.mdoc.md | 1 +
 .../enable_instantaneous_baseline.mdoc.md | 1 +
 .../mdoc/en/cloud_siem/forget_value.mdoc.md | 1 +
 .../impossible_travel_query.mdoc.md | 10 +
 .../cloud_siem/job_multi_triggering.mdoc.md | 7 +
 .../en/cloud_siem/new_value_query.mdoc.md | 16 +
 .../cloud_siem/rule_multi_triggering.mdoc.md | 7 +
 ...e_multi_triggering_content_anomaly.mdoc.md | 6 +
 .../cloud_siem/set_conditions_anomaly.mdoc.md | 8 +
 .../set_conditions_content_anomaly.mdoc.md | 17 +
 ...et_conditions_severity_notify_only.mdoc.md | 7 +
 .../set_conditions_then_operator.mdoc.md | 17 +
 .../set_conditions_third_party.mdoc.md | 11 +
 .../set_conditions_threshold.mdoc.md | 21 +
 .../en/cloud_siem/threshold_query.mdoc.md | 5 +
 .../mdoc/en/cloud_siem/unit_testing.mdoc.md | 10 +
 .../detection_rules/anomaly_notification.png | Bin 0 -> 70914 bytes
 30 files changed, 1194 insertions(+), 5 deletions(-)
 create mode 100644 customization_config/en/option_groups/cloud_siem_custom_detection_rules.yaml
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/add_calculated_fields.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/add_reference_tables.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/anomaly_query.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_options.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_query.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/create_suppression.en.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/enable_decrease_severity.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/enable_group_by.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/enable_instantaneous_baseline.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/forget_value.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/impossible_travel_query.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/job_multi_triggering.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/new_value_query.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_anomaly.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_content_anomaly.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_severity_notify_only.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_then_operator.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_third_party.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_threshold.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/threshold_query.mdoc.md
 create mode 100644 layouts/shortcodes/mdoc/en/cloud_siem/unit_testing.mdoc.md
 create mode 100644 static/images/security/security_monitoring/detection_rules/anomaly_notification.png

diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index eb083825f63..00f01b6389d 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -7060,9 +7060,9 @@ menu:
 identifier: cloud_siem_custom_detection_rules
 weight: 202
 - name: Create Rule
- url: security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule
+ url: security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule
 parent: cloud_siem_custom_detection_rules
- identifier: cloud_siem_real_time_rule
+ identifier: cloud_siem_create_custom_detection_rule
 weight: 2021
 - name: Anomaly
 url: security/cloud_siem/detect_and_monitor/custom_detection_rules/anomaly
diff --git a/content/.gitignore b/content/.gitignore
index b5bf2e9ed95..89b0c0c57d7 100644
--- a/content/.gitignore
+++ b/content/.gitignore
@@ -31,3 +31,4 @@
 /en/synthetics/notifications/template_variables/mobile.md
 /en/synthetics/notifications/template_variables/multistep.md
 /en/synthetics/notifications/template_variables/api.md
+/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.md
diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
index 139ec6d3919..17ceaa7e2f7 100644
--- a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
+++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
@@ -1,5 +1,846 @@ --- title: Create a Custom Rule -type: multi-code-lang +content_filters: + - trait_id: cloud_siem_detection_rule_type + option_group_id: cloud_siem_detection_rule_type_options + - trait_id: cloud_siem_detection_rule_search_query + option_group_id: cloud_siem_detection__search_query_options --- + + +## Overview + +Real-time detection rules continuously monitors and analyzes incoming logs for security threats. These rules trigger immediate alerts when specific patterns or anomalies are detected, enabling quicker response to potential incidents. + +## Create a rule + +1. To create a detection rule, navigate to the [Create a New Detection][2] page. +1. {% if equals($cloud_siem_detection_rule_type, "real_time_rule") %}Select **Real-Time Rule**.{% /if %} +{% if equals($cloud_siem_detection_rule_type, "scheduled_rule") %}Select **Scheduled Rule**.{% /if %} +{% if equals($cloud_siem_detection_rule_type, "historical_job") %}Select **Historical job**, then select the **Logs Index** and **Timerange** for the job.{% /if %} +1. Select the detection method you want to use for creating signals. + +## Define your search query + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} + +{% img src="security/security_monitoring/detection_rules/threshold_20250310.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/threshold_query.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. 
+{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} +{% img src="security/security_monitoring/detection_rules/new_value_20250310.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/new_value_query.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} +{% img src="security/security_monitoring/detection_rules/anomaly_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. +1. (Optional) In the **Count** dropdown menu, select attributes whose unique values you want to count during the specified time frame. + {% partial file="cloud_siem/anomaly_query.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. 
+{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} +{% img src="security/security_monitoring/detection_rules/content_anomaly_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/content_anomaly_query.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} +{% img src="security/security_monitoring/detection_rules/impossible_travel_query.png" alt="Define the search query" style="width:100%;" /%} +{% alert level="info" %} +All logs and events matching this query are analyzed for potential impossible travel. +{% /alert %} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/impossible_travel_query.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. 
+{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} +{% img src="security/security_monitoring/detection_rules/third_party_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a root query for your logs or events using the [Log Explorer search syntax][1]. +1. In the **Trigger for each new** dropdown menu, select the attributes where each attribute generates a signal for each new attribute value over a 24-hour roll-up period. +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Add Root Query** and repeat steps 2-4 to add and test additional queries. +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "sequence")) %} +{% img src="security/security_monitoring/detection_rules/sequence/sequence_queries.png" alt="Sequence editor page showing the sequence with two steps" style="width:100%;" /%} + +### Add step + +1. To search a different data type, click the down arrow next to **Logs** and select **Signals** or **Rules**. +1. Define the condition for the step. + - **Logs**: Construct a search query using the [Log Explorer search syntax][1]. + - **Signals**: Reference an existing rule or query on signal fields. + - **Rules**: Select a rule. +1. Set **group by** fields (for example, `@usr.email` or `@ip.address`) to link entities across steps. +1. Enter a threshold condition, such as `>10`. +1. If you want to use another query, connect this query with the next query using `AND` or `OR` and repeat steps 1-4. +1. 
In the **roll-up over** dropdown menu, select the time frame all queries in that step must occur to transition to the next step. + +### Define step transitions + +For the current step and the next step: + +1. In the **within** dropdown menu, select an evaluation window for the transition. + - **Note**: The total evaluation time across the sequence can be up to 24 hours. +1. Follow the instructions in [Add step](#add-step) to complete the step. + - **Note**: You can select different `group by` fields between steps. For example, link `@usr.email`from an earlier step to `@ip.address` in a later step. +1. Click **Add Step** if you want to add more steps. + +### Severity and notification + +1. In the **Trigger** dropdown menu, select the severity status. +1. (Optional) In the **Add notify** section, click **Add Recipient** to configure [notification targets][3]. + - You can create [notification rules][4] to manage notifications automatically, avoiding manual edits for each detection rule. + +### Review the sequence preview + +1. In the **Preview detection** section, check the steps, transitions, and time window in the visualization of the steps. Reorder the steps and adjust time windows as needed. +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "signal_correlation")) %} +{% img src="security/security_monitoring/detection_rules/signal_correlation_query.png" alt="Define the search query" style="width:100%;" /%} + +1. Select a rule for **Rule a**. +1. Click the pencil icon to rename the rule. +1. Use the **correlated by** dropdown to define the correlating attribute. + - You can select multiple attributes (maximum of 3) to correlate the selected rules. +1. Select a rule for **Rule b** in the second Rule editor's dropdown. + - The attributes and sliding window time frame is automatically set to what was selected for **Rule a**. +1. 
Click the pencil icon to rename the rule. +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} +Choose the query language you want to use. + +{% collapse-content title="Event Query" level="h4" expanded=false id="threshold-event-query" %} +{% img src="security/security_monitoring/detection_rules/threshold_20250310.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/threshold_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /collapse-content %} +{% collapse-content title="SQL" level="h4" expanded=false id="threshold-sql" %} +You can use SQL syntax to write detection rules for additional flexibility, consistency, and portability. For information on the available syntax, see [DDSQL Reference][5]. + +In Datadog, SQL queries are compatible with data stored in [datasets][6]. 
You can create datasets to format data already stored in tables for the following data types: +- Logs +- Audit Trail logs +- Events +- Security signals +- Spans +- RUM events +- Product Analytics events +- Cloud Network data +- NetFlow data +- Reference tables +- Infrastructure tables + +{% img src="security/security_monitoring/detection_rules/sql-query-example.png" alt="Example of a SQL dataset and query" style="width:100%;" /%} + +1. Under **Define Datasets**, choose one or more datasets to use in your query. In the dropdown, you can select an existing published dataset to either use or clone, or click the **New** icon to create a database from scratch. + - If you chose an existing dataset and made changes, click **Update** to apply those changes to that dataset, or **Clone With Changes** to create a dataset with your changes applied. + - If you created a dataset, click **Create** so you can use it in your rule. +2. Under **Write Queries**, enter one or more SQL queries. For more information, see [DDSQL Reference][5]. Click **Preview** to see a list of matching results. + +{% /collapse-content %} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} +{% img src="security/security_monitoring/detection_rules/new_value_20250310.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/new_value_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. 
(Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} +{% img src="security/security_monitoring/detection_rules/anomaly_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/anomaly_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} +{% img src="security/security_monitoring/detection_rules/content_anomaly_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. 
Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/content_anomaly_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} +{% img src="security/security_monitoring/detection_rules/impossible_travel_query.png" alt="Define the search query" style="width:100%;" /%} +{% alert level="info" %} +All logs and events matching this query are analyzed for potential impossible travel. +{% /alert %} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/impossible_travel_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. 
+{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} +{% img src="security/security_monitoring/detection_rules/third_party_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. If you are using an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. Construct a root query for your logs or events using the [Log Explorer search syntax][1]. +1. In the **Trigger for each new** dropdown menu, select the attributes where each attribute generates a signal for each new attribute value over a 24-hour roll-up period. +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Add Root Query** and repeat steps 3-7 to add and test additional queries. +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "signal_correlation")) %} +{% img src="security/security_monitoring/detection_rules/signal_correlation_query.png" alt="Define the search query" style="width:100%;" /%} + +1. Select a rule for **Rule a**. +1. Click the pencil icon to rename the rule. +1. Use the **correlated by** dropdown to define the correlating attribute. + - You can select multiple attributes (maximum of 3) to correlate the selected rules. +1. Select a rule for **Rule b** in the second Rule editor's dropdown. 
+ - The attributes and sliding window time frame is automatically set to what was selected for **Rule a**. +1. Click the pencil icon to rename the rule. +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} +{% img src="security/security_monitoring/detection_rules/threshold_20250310.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/threshold_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} +{% img src="security/security_monitoring/detection_rules/new_value_20250310.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/new_value_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. 
(Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} +{% img src="security/security_monitoring/detection_rules/anomaly_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/anomaly_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} +{% img src="security/security_monitoring/detection_rules/content_anomaly_query.png" alt="Define the search query" style="width:100%;" /%} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/content_anomaly_query.mdoc.md" /%} +1. 
(Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} +{% img src="security/security_monitoring/detection_rules/impossible_travel_query.png" alt="Define the search query" style="width:100%;" /%} +{% alert level="info" %} +All logs and events matching this query are analyzed for potential impossible travel. +{% /alert %} + +1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. + {% partial file="cloud_siem/impossible_travel_query.mdoc.md" /%} +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Save Rule**. +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} +{% img src="security/security_monitoring/detection_rules/third_party_query.png" alt="Define the search query" style="width:100%;" /%} + +1. 
To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. +1. Construct a root query for your logs or events using the [Log Explorer search syntax][1]. +1. In the **Trigger for each new** dropdown menu, select the attributes where each attribute generates a signal for each new attribute value over a 24-hour roll-up period. +1. (Optional) To create calculated fields that transform your logs during query time: + {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} +1. (Optional) Filter logs using reference tables: + {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} +1. (Optional) To test your rules against sample logs, click **Unit Test**. + {% partial file="cloud_siem/unit_testing.mdoc.md" /%} +1. Click **Add Root Query** and repeat steps 2-6 to add and test additional queries. +1. Click **Save Rule**. +{% /if %} + +## Set conditions + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} +{% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_threshold.mdoc.md" /%} + +### Other parameters + +#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-threshold %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-threshold %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 3. 
Enable optional group by {% #enable-group-by-rt-threshold %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} +{% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} + +### Other parameters + +#### 1. Forget value {% #forget-value-rt-new-value%} + +{% partial file="cloud_siem/forget_value.mdoc.md" /%} + +#### 2. Rule multi-triggering behavior {% #rule-multi-triggering-rt-new-value%} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 3. Decrease severity for non-production environments {% #decrease-severity-new-value%} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 4. Enable optional group by {% #enable-group-by-rt-new-value%} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} +{% img src="security/security_monitoring/detection_rules/anomaly_notification.png" alt="Set your severity, anomaly percentile, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_anomaly.mdoc.md" /%} + +### Other parameters + +#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-anomaly %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-anomaly %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 3. 
Enable optional group by {% #enable-group-by-rt-anomaly %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} +{% img src="security/security_monitoring/detection_rules/condition_content_anomaly.png" alt="Set your condition, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_content_anomaly.mdoc.md" /%} + +### Other parameters + +#### 1. Content anomaly detection {% #content-anomaly-rt-content-anomaly %} + +{% partial file="cloud_siem/content_anomaly_options.mdoc.md" /%} + +#### 2. Rule multi-triggering behavior {% #rule-multi-triggering-rt-content-anomaly %} + +{% partial file="cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} + +#### 3. Decrease severity for non-production environments {% #decrease-severity-rt-content-anomaly %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 4. Enable optional group by {% #enable-group-by-rt-content-anomaly %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} +{% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} + +### Other parameters + +#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-impossible-travel %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-impossible-travel %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 3. 
Enable optional group by {% #enable-group-by-rt-impossible-travel %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} +{% img src="security/security_monitoring/detection_rules/condition_else.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_third_party.mdoc.md" /%} + +### Other parameters + +#### 1. Decrease severity for non-production environments {% #decrease-severity-rt-third-party %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 2. Enable optional group by {% #enable-group-by-rt-third-party %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "sequence")) %} +#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-sequence %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-sequence %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 3. Enable optional group by {% #enable-group-by-rt-sequence %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "signal_correlation")) %} +{% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_then_operator.mdoc.md" /%} + +### Other parameters + +#### 1. 
Rule multi-triggering {% #rule-multi-triggering-rt-signal-correlation %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-signal-correlation %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} +{% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_threshold.mdoc.md" /%} + +### Other parameters + +#### 1. Rule multi-triggering {% #rule-multi-triggering-schedule-threshold %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-schedule-threshold %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 3. Enable optional group by {% #enable-group-by-schedule-threshold %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} +{% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} + +### Other parameters + +#### 1. Forget value {% #forget-value-scheduled-new-value %} + +{% partial file="cloud_siem/forget_value.mdoc.md" /%} + +#### 2. Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-new-value %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 3. 
Decrease severity for non-production environments {% #decrease-severity-scheduled-new-value %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 4. Enable optional group by {% #enable-group-by-scheduled-new-value %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} + +#### 5. Enable instantaneous baseline {% #enable-instantaneous-baseline-new-value %} + +{% partial file="cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} +{% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} + +### Other parameters + +#### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-anomaly %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-anomaly %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 3. Enable optional group by {% #enable-group-by-scheduled-anomaly %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} +{% img src="security/security_monitoring/detection_rules/condition_content_anomaly.png" alt="Set your condition, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_content_anomaly.mdoc.md" /%} + +### Other parameters + +#### 1. Content anomaly detection {% #content-anomaly-scheduled-content-anomaly %} + +{% partial file="cloud_siem/content_anomaly_options.mdoc.md" /%} + +#### 2. 
Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-content-anomaly %} + +{% partial file="cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} + +#### 3. Decrease severity for non-production environments {% #decrease-severity-scheduled-content-anomaly %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 4. Enable optional group by {% #enable-group-by-scheduled-content-anomaly %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} +{% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} + +### Other parameters + +#### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-impossible-travel %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-impossible-travel %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 3. Enable optional group by {% #enable-group-by-scheduled-impossible-travel %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} +{% img src="security/security_monitoring/detection_rules/condition_else.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_third_party.mdoc.md" /%} + +### Other parameters + +#### 1. 
Decrease severity for non-production environments {% #decrease-severity-scheduled-third-party %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### 2. Enable optional group by {% #enable-group-by-scheduled-third-party %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "signal_correlation")) %} +{% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_then_operator.mdoc.md" /%} + +### Other parameters + +#### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-signal-correlation %} + +{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} + +#### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-signal-correlation %} + +{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} +{% img src="security/security_monitoring/detection_rules/threshold_historical_condition.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +{% partial file="cloud_siem/set_conditions_threshold.mdoc.md" /%} + +### Other parameters + +#### 1. Job multi-triggering {% #job-multi-triggering-threshold %} + +{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} + +#### 2. Enable optional group by {% #enable-group-by-historical-threshold %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} + +### Other parameters + +#### 1. 
Forget value {% #forget-value-historical-new-value %} + +{% partial file="cloud_siem/forget_value.mdoc.md" /%} + +#### 2. Job multi-triggering behavior {% #job-multi-triggering-historical-new-value %} + +{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} + +#### 3. Enable optional group by {% #enable-group-by-historical-new-value %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} + +#### 4. Enable instantaneous baseline {% #enable-instantaneous-baseline-new-value %} + +{% partial file="cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} +### Other parameters + +#### 1. Job multi-triggering {% #job-multi-triggering-historical-anomaly %} + +{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} + +#### 2. Enable optional group by {% #enable-group-by-historical-anomaly %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} +{% img src="security/security_monitoring/detection_rules/content_anomaly_historical_condition.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +1. (Optional) Click the pencil icon next to **Condition 1** if you want to rename the condition. This name is appended to the rule name when a signal is generated. +1. In the **Anomaly count** field, enter the condition for how many anomalous logs within the specified window are required to trigger a signal. + - For example, if the condition is `a >= 3` where `a` is the query, a signal is triggered if there are at least three anomalous logs within the evaluation window. + - All rule conditions are evaluated as condition statements. 
Thus, the order of the conditions affects which notifications are sent because the first condition to match generates the signal. Click and drag your rule conditions to change their ordering. + - A rule condition contains logical operations (`>`, `>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries. + - The ASCII lowercase query labels are referenced in this section. An example rule condition for query `a` is `a > 3`. + {% alert level="info" %} + The query label must precede the operator. For example, `a > 3` is allowed; `3 < a` is not allowed. + {% /alert %} +1. In the **within a window of** dropdown menu, select the time period during which a signal is triggered if the condition is met. + - An `evaluation window` is specified to match when at least one of the cases matches true. This is a sliding window and evaluates cases in real time. + +### Other parameters + +#### 1. Content anomaly detection {% #content-anomaly-historical-content-anomaly %} + +{% partial file="cloud_siem/content_anomaly_options.mdoc.md" /%} + +#### 2. Job multi-triggering behavior {% #job-multi-triggering-historical-content-anomaly %} + +{% partial file="cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} + +#### 3. Enable optional group by {% #enable-group-by-historical-content-anomaly %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} +### Other parameters + +#### 1. Job multi-triggering {% #job-multi-triggering-historical-anomaly %} + +{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} + +#### 2. 
Enable optional group by {% #enable-group-by-historical-anomaly %} + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} +{% img src="security/security_monitoring/detection_rules/set_condition_root_query.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} + +1. (Optional) Click the pencil icon next to **Condition 1** if you want to rename the condition. This name is appended to the rule name when a signal is generated. +1. In the **Query** field, enter the tags of a log that you want to trigger a signal. + - For example, if you want logs with the tag `dev:demo` to trigger signals with a severity of `INFO`, enter `dev:demo` in the query field. Similarly, if you want logs with the tag `dev:prod` to trigger signals with a severity of `MEDIUM`, enter `dev:prod` in the query field. + +### Other parameters + +{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + +[1]: /logs/search_syntax/ +[2]: https://app.datadoghq.com/security/siem/rules/new +[3]: /security_platform/notifications/#notification-channels +[4]: /security/notifications/rules/ +[5]: /ddsql_reference/ +[6]: https://app.datadoghq.com/security/configuration/datasets \ No newline at end of file diff --git a/customization_config/en/option_groups/cloud_siem_custom_detection_rules.yaml b/customization_config/en/option_groups/cloud_siem_custom_detection_rules.yaml new file mode 100644 index 00000000000..05f0b8f1f62 --- /dev/null +++ b/customization_config/en/option_groups/cloud_siem_custom_detection_rules.yaml 
@@ -0,0 +1,96 @@ +cloud_siem_detection_rule_type_options: + - id: real_time_rule + default: true + - id: scheduled_rule + - id: historical_job + +# cloud_siem_detection_threshold_rule_type_options: +# - id: real_time_rule +# default: true +# - id: scheduled_rule +# - id: historical_job + +# cloud_siem_detection_new_value_rule_type_options: +# - id: real_time_rule +# default: true +# - id: scheduled_rule +# - id: historical_job + +# cloud_siem_detection_anomaly_rule_type_options: +# - id: real_time_rule +# default: true +# - id: scheduled_rule +# - id: historical_job + +# cloud_siem_detection_content_anomaly_rule_type_options: +# - id: real_time_rule +# default: true +# - id: scheduled_rule +# - id: historical_job + +# cloud_siem_detection_impossible_travel_rule_type_options: +# - id: real_time_rule +# default: true +# - id: scheduled_rule +# - id: historical_job + +# cloud_siem_detection_third_party_rule_type_options: +# - id: real_time_rule +# default: true +# - id: scheduled_rule +# - id: historical_job + +# cloud_siem_detection_sequence_rule_type_options: +# - id: real_time_rule +# default: true + +# cloud_siem_detection_signal_correlation_rule_type_options: +# - id: real_time_rule +# default: true +# - id: scheduled_rule + +cloud_siem_detection_real_time_rule_search_query_options: + - id: threshold + default: true + - id: new_value + - id: anomaly + - id: content_anomaly + - id: impossible_travel + - id: third_party + - id: sequence + - id: signal_correlation + +cloud_siem_detection_scheduled_rule_search_query_options: + - id: threshold + default: true + - id: new_value + - id: anomaly + - id: content_anomaly + - id: impossible_travel + - id: third_party + - id: signal_correlation + +cloud_siem_detection_historical_job_search_query_options: + - id: threshold + default: true + - id: new_value + - id: anomaly + - id: content_anomaly + - id: impossible_travel + - id: third_party + +cloud_siem_detection_rule_query_language_options: + - id: event_query + default: 
true + - id: sql + +# cloud_siem_detection_rule_search_query_options: +# - id: threshold +# default: true +# - id: new_value +# - id: anomaly +# - id: content_anomaly +# - id: impossible_travel +# - id: third_party +# - id: signal_correlation +# - id: sequence \ No newline at end of file diff --git a/customization_config/en/options/general.yaml b/customization_config/en/options/general.yaml index c3685c0c95d..b1e1995972f 100644 --- a/customization_config/en/options/general.yaml +++ b/customization_config/en/options/general.yaml @@ -506,4 +506,40 @@ options: id: cpp - label: Elixir - id: elixir \ No newline at end of file + id: elixir + +- id: real_time_rule + label: Real-time rule + +- id: scheduled_rule + label: Scheduled rule + +- id: historical_job + label: Historical job + +- id: new_value + label: New value + +- id: anomaly + label: Anomaly + +- id: content_anomaly + label: Content anomaly + +- id: impossible_travel + label: Impossible travel + +- id: third_party + label: Third party + +- id: signal_correlation + label: Signal correlation + +- id: sequence + label: Sequence + +- id: event_query + label: Event Query + +- id: sql + label: SQL \ No newline at end of file diff --git a/customization_config/en/traits/general.yaml b/customization_config/en/traits/general.yaml index 6408fd9e077..93d788c9de7 100644 --- a/customization_config/en/traits/general.yaml +++ b/customization_config/en/traits/general.yaml 
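Review bot: The new option-groups file ships a large amount of dead configuration: the six commented-out `cloud_siem_detection_*_rule_type_options` blocks and the trailing commented `cloud_siem_detection_rule_search_query_options` group duplicate the ids of the live `cloud_siem_detection_rule_type_options` and per-rule-type `*_search_query_options` groups, so they will silently drift the next time an id or default changes. If they are superseded, delete them; if they are placeholders for the later work chunks the PR title implies, one comment such as `# TODO: remove once per-rule-type search query groups are wired into the traits` above them would make that explicit. Note also that the `cloud_siem_detection_rule_search_query` trait added in the traits file carries no option group of exactly that name (only the three per-rule-type variants), which I presume the customization loader resolves by rule type — worth confirming. The file also lacks a trailing newline.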
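Review bot: No `threshold` entry is added alongside the other new option ids, yet every `*_search_query_options` group in the new option-groups file lists `- id: threshold` with `default: true`; unless `threshold` is already defined earlier in this file outside the hunk, the default selection of every search-query picker will have no label. Add `- id: threshold` / `label: Threshold` next to the other new entries. Separately, `label: Event Query` breaks the sentence case used by every other new label (`Real-time rule`, `Content anomaly`, `Signal correlation`); `label: Event query` matches the rest.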
@@ -51,4 +51,19 @@ traits: - id: protocol label: Protocol type: text - internal_notes: For example, HTTP, gRPC, or SOCKS. \ No newline at end of file + internal_notes: For example, HTTP, gRPC, or SOCKS. + +- id: cloud_siem_detection_rule_type + label: "Rule type" + type: text + internal_notes: The rule type a user wants to use when creating a custom detection rule for Cloud SIEM. + +- id: cloud_siem_detection_rule_search_query + label: "Search query" + type: text + internal_notes: The search query a user wants to use when creating a custom detection rule for Cloud SIEM. + +- id: cloud_siem_detection_rule_query_language + label: "Query language" + type: text + internal_notes: The search query language a user wants to use when creating a custom detection rule for Cloud SIEM. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/add_calculated_fields.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/add_calculated_fields.mdoc.md new file mode 100644 index 00000000000..64a26868371 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/add_calculated_fields.mdoc.md @@ -0,0 +1,7 @@ +1. Click **Add** and select **Calculated fields**. +1. In **Name your field**, enter a descriptive name that indicates the purpose of the calculated field. + - For example, if you want to combine users' first and last name into one field, you might name the calculated field `fullName`. +1. In the **Define your formula** field, enter a formula or expression, which determines the result to be computed and stored as the value of the calculated field for each log event. + - See [Calculated Fields Expressions Language][701] for information on syntax and language constructs. + +[701]: /logs/explorer/calculated_fields/expression_language/ \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/add_reference_tables.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/add_reference_tables.mdoc.md new file mode 100644 index 00000000000..456af4831c6 
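Review bot: The three new trait labels are quoted (`label: "Rule type"`, `label: "Search query"`, `label: "Query language"`) while the neighbouring existing entry uses a bare scalar (`label: Protocol`); none of these values needs quoting, so dropping the quotes keeps the file uniform. The `type: text` on traits whose values are fixed ids from an option group mirrors the existing `protocol` trait, so I assume that is what the loader expects, but it is worth confirming that a text-typed trait is still constrained to the option group's ids when rendered as a picker.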
--- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/add_reference_tables.mdoc.md @@ -0,0 +1,5 @@ +1. Click the **Add** button next to the query editor and select **Join with Reference Table**. +1. In the **Inner join with reference table** dropdown menu, select your reference table. +1. In the **where field** dropdown menu, select the log field to join on. +1. Select the **IN** or **NOT IN** operator to filter in or filter out matching logs. +1. In the **column** dropdown menu, select the column of the reference table to join on. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/anomaly_query.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/anomaly_query.mdoc.md new file mode 100644 index 00000000000..3bcfe369467 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/anomaly_query.mdoc.md @@ -0,0 +1,6 @@ +1. (Optional) In the **Count** dropdown menu, select attributes whose unique values you want to count during the specified time frame. +1. (Optional) In the **group by** dropdown menu, select attributes you want to group by. + - The defined `group by` generates a signal for each `group by` value. + - Typically, the `group by` is an entity (like user or IP). The `group by` can also join the queries together. + - Joining logs that span a time frame can increase the confidence or severity of the security signal. For example, if you want to detect a successful brute force attack, both successful and unsuccessful authentication logs must be correlated for a user. + - Anomaly detection inspects how the `group by` attribute has behaved in the past. If a `group by` attribute is seen for the first time (for example, the first time an IP is communicating with your system) and is anomalous, it does not generate a security signal because the anomaly detection algorithm has no historical data to compare with. \ No newline at end of file 
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_options.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_options.mdoc.md new file mode 100644 index 00000000000..e4f05ebc426 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_options.mdoc.md @@ -0,0 +1,9 @@ +In the **Content anomaly detection options** section, specify the parameters to assess whether a log is anomalous or not. +- Content anomaly detection balances precision and sensitivity using several rule parameters that you can set: + 1. Similarity threshold: Defines how dissimilar a field value must be to be considered anomalous (default: `70%`). + 1. Minimum similar items: Sets how many similar historical logs must exist for a value to be considered normal (default: `1`). + 1. Evaluation window: The time frame during which anomalies are counted toward a signal (for example, a 10-minute time frame). +- These parameters help to identify field content that is both unusual and rare, filtering out minor or common variations. +- See [Anomaly detection parameters][601] for more information. + +[601]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/content_anomaly/#anomaly-detection-parameters \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_query.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_query.mdoc.md new file mode 100644 index 00000000000..85b70cc1558 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_query.mdoc.md 
@@ -0,0 +1,9 @@ +1. In the **Detect anomaly** field, specify the fields whose values you want to analyze. +1. In the **group by** field, specify the fields you want to group by. + - The defined `group by` generates a signal for each `group by` value. + - Typically, the `group by` is an entity (like user or IP). The `group by` can also join the queries together. + - Joining logs that span a time frame can increase the confidence or severity of the security signal. For example, to detect a successful brute force attack, both successful and unsuccessful authentication logs must be correlated for a user. +1. In the **Learn for** dropdown menu, select the number of days for the learning period. During the learning period, the rule sets a baseline of normal field values and does not generate any signals. + {% alert level="info" %} + If the detection rule is modified, the learning period restarts at day `0`. + {% /alert %} \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/create_suppression.en.md b/layouts/shortcodes/mdoc/en/cloud_siem/create_suppression.en.md new file mode 100644 index 00000000000..601b631d974 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/create_suppression.en.md 
@@ -0,0 +1,16 @@ +(Optional) Create a suppression or add the rule to an existing suppression to prevent a signal from getting generated in specific cases. For example, if a user `john.doe` is triggering a signal, but their actions are benign and you do not want signals triggered from this user, add the following query into the **Add a suppression query** field: `@user.username:john.doe`. + +#### Create new suppression + +1. Enter a name for the suppression rule. +1. (Optional) Enter a description. +1. Enter a suppression query. +1. (Optional) Add a log exclusion query to exclude logs from being analyzed. These queries are based on **log attributes**. + - **Note**: The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule's **Add a suppression query** step. + +#### Add to existing suppression + +1. Click **Add to Existing Suppression**. +1. Select an existing suppression in the dropdown menu. + + diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/enable_decrease_severity.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/enable_decrease_severity.mdoc.md new file mode 100644 index 00000000000..b1a74c12216 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/enable_decrease_severity.mdoc.md @@ -0,0 +1,3 @@ +Toggle **Decrease severity for non-production environments** if you want to prioritize production environment signals over non-production signals. +- The severity of signals in non-production environments are decreased by one level from what is defined by the rule case. +- The severity decrement is applied to signals with an environment tag starting with `staging`, `test`, or `dev`. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/enable_group_by.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/enable_group_by.mdoc.md new file mode 100644 index 00000000000..de2dc425349 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/enable_group_by.mdoc.md 
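Review bot: The new partial is named `create_suppression.en.md`, whereas every other partial added in this commit uses the `.mdoc.md` suffix (`set_conditions_threshold.mdoc.md`, `enable_group_by.mdoc.md`, and so on); a reference written in the established pattern, `{% partial file="cloud_siem/create_suppression.mdoc.md" /%}`, would not resolve, so rename the file unless the `.en.md` suffix is intentional. The file also ends with two trailing blank lines, unlike its siblings, which the `\ No newline at end of file` markers elsewhere show were trimmed.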
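Review bot: The second bullet has a subject–verb mismatch ("The severity ... are decreased"); `- The severity of signals in non-production environments is decreased by one level from what is defined by the rule case.` Since the third bullet describes a prefix match ("starting with"), it may help readers tuning this toggle to state explicitly that any environment tag value beginning with those prefixes qualifies, not only the exact values `staging`, `test`, or `dev`.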
@@ -0,0 +1 @@ +Toggle the **Enable Optional Group By** section if you want to group events even when values are missing. If there is a missing value, a sample value is generated so that the log does not get excluded. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/enable_instantaneous_baseline.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/enable_instantaneous_baseline.mdoc.md new file mode 100644 index 00000000000..56053329805 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/enable_instantaneous_baseline.mdoc.md @@ -0,0 +1 @@ +Toggle **Enable instantaneous baseline** if you want to build the baseline based on past events for the first event received. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/forget_value.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/forget_value.mdoc.md new file mode 100644 index 00000000000..dce4300332b --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/forget_value.mdoc.md @@ -0,0 +1 @@ +In the **Forget Value** dropdown, select the number of days (**1**-**30 days**) after which the value is forgotten. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/impossible_travel_query.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/impossible_travel_query.mdoc.md new file mode 100644 index 00000000000..f0050f64696 --- /dev/null +++ b/layouts/shortcodes/mdoc/en/cloud_siem/impossible_travel_query.mdoc.md 
@@ -0,0 +1,10 @@
+1. In the **User attribute** dropdown menu, select the log attribute that contains the user ID. This can be an identifier like an email address, user name, or account identifier.
+1. The **Location attribute** value is automatically set to `@network.client.geoip`.
+ - The `location attribute` specifies which field holds the geographic information for a log.
+ - The only supported value is `@network.client.geoip`, which is enriched by the [GeoIP parser][801] to give a log location information based on the client's IP address.
+1. Click the **Baseline user locations** checkbox if you want Datadog to learn regular access locations before triggering a signal.
+ - When selected, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
+ - See [How the impossible detection method works][802] for more information.
+
+[801]: /logs/log_configuration/processors/?tab=ui#geoip-parser
+[802]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/impossible_travel/#how-the-impossible-travel-method-works
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/job_multi_triggering.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/job_multi_triggering.mdoc.md
new file mode 100644
index 00000000000..d2e3674dab9
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/job_multi_triggering.mdoc.md
@@ -0,0 +1,7 @@
+In the **Job multi-triggering behavior** section, configure how often to keep updating the same signal when new values are detected within a specified time frame. For example, the same signal updates when any new value is detected within 1 hour, for a maximum duration of 24 hours.
+- An `evaluation window` defines a sliding period in which at least one case evaluates as true and assesses cases in real time.
+- After a signal is generated, the signal remains "open" if a case is matched at least once within the `keep alive` window. Each time a new event matches any of the cases, the *last updated* timestamp is updated for the signal.
+- A signal closes after the time exceeds the `maximum signal duration`, regardless of the query being matched. This time is calculated from the first seen timestamp.
+{% alert level="info" %}
+The `evaluation window` must be less than or equal to the `keep alive` and `maximum signal duration`.
+{% /alert %}
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/new_value_query.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/new_value_query.mdoc.md
new file mode 100644
index 00000000000..8769860afb4
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/new_value_query.mdoc.md
@@ -0,0 +1,16 @@
+1. In the **Detect new value** dropdown menu, select the attributes you want to detect.
+ - For example, if you create a query for successful user authentication with the following settings:
+ - **Detect new value** is `country`
+ - **group by** is `user`
+ - Learning duration is `after 7 days`
+ {% br /%}Then, logs coming in over the next 7 days are evaluated with those configured values. If a log comes in with a new value after the learning duration (`7 days`), a signal is generated, and the new value is learned to prevent future signals with this value.
+ - You can also identify users and entities using multiple **Detect new value** attributes in a single query.
+ - For example, if you want to detect when a user signs in from a new device and from a country that they've never signed in from before, add `device_id` and `country_name` to the **Detect new value** field.
+1. (Optional) Define a signal grouping in the **group by** dropdown menu.
+ - The defined `group by` generates a signal for each `group by` value.
+ - Typically, the `group by` is an entity (like user or IP address).
+1. In the dropdown menu to the right of **group by**, select the learning duration.
+1. (Optional) Define a signal grouping in the **group by** dropdown menu.
+ - The defined `group by` generates a signal for each `group by` value.
+ - Typically, the `group by` is an entity (like user or IP address).
+1. In the dropdown menu to the right of **group by**, select the learning duration.
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering.mdoc.md
new file mode 100644
index 00000000000..02c4657162f
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering.mdoc.md
@@ -0,0 +1,7 @@
+Configure how often you want to keep updating the same signal if new values are detected within a specified time frame. For example, the same signal updates if any new value is detected within 1 hour, for a maximum duration of 24 hours.
+- An `evaluation window` is specified to match when at least one of the cases matches true. This is a sliding window and evaluates cases in real time.
+- After a signal is generated, the signal remains "open" if a case is matched at least once within the `keep alive` window. Each time a new event matches any of the cases, the *last updated* timestamp is updated for the signal.
+- A signal closes after the time exceeds the `maximum signal duration`, regardless of the query being matched. This time is calculated from the first seen timestamp.
+{% alert level="info" %}
+The `evaluation window` must be less than or equal to the `keep alive` and `maximum signal duration`.
+{% /alert %}
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md
new file mode 100644
index 00000000000..a21207effea
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md
@@ -0,0 +1,6 @@
+Configure how often you want to keep updating the same signal if new values are detected within a specified time frame. For example, the same signal updates if any new value is detected within 1 hour, for a maximum duration of 24 hours.
+- After a signal is generated, the signal remains "open" if a case is matched at least once within the `keep alive` window. Each time a new event matches any of the cases, the *last updated* timestamp is updated for the signal.
+- A signal closes after the time exceeds the `maximum signal duration`, regardless of the query being matched. This time is calculated from the first seen timestamp.
+{% alert level="info" %}
+The `evaluation window` must be less than or equal to the `keep alive` and `maximum signal duration`.
+{% /alert %}
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_anomaly.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_anomaly.mdoc.md
new file mode 100644
index 00000000000..e47b7519758
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_anomaly.mdoc.md
@@ -0,0 +1,8 @@
+1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`).
+1. In the **Anomaly Percentile** dropdown menu, select a minimum percentage required for Cloud SIEM to generate a signal.{% br /%}The anomaly percentile refers to the log volume over the selected time period to your historical log volumes. If you select 99.5%, then Cloud SIEM only generates a signal if the number of logs is greater than 99.5% of all prior periods.
+1. (Optional) In the **And notify** section, click **Add Recipient** to configure [notification targets][101].
+ - You can create [notification rules][102] to manage notifications automatically, avoiding manual edits for each detection rule.
+
+
+[101]: /security_platform/notifications/#notification-channels
+[102]: /security/notifications/rules/
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_content_anomaly.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_content_anomaly.mdoc.md
new file mode 100644
index 00000000000..e1d39dab285
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_content_anomaly.mdoc.md
@@ -0,0 +1,17 @@
+1. (Optional) Click the pencil icon next to **Condition 1** if you want to rename the condition. This name is appended to the rule name when a signal is generated.
+1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`).
+1. In the **Anomaly count** field, enter the condition for how many anomalous logs within the specified window are required to trigger a signal.
+ - For example, if the condition is `a >= 3` where `a` is the query, a signal is triggered if there are at least three anomalous logs within the evaluation window.
+ - All rule conditions are evaluated as condition statements. Thus, the order of the conditions affects which notifications are sent because the first condition to match generates the signal. Click and drag your rule conditions to change their ordering.
+ - A rule condition contains logical operations (`>`, `>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.
+ - The ASCII lowercase query labels are referenced in this section. An example rule condition for query `a` is `a > 3`.
+ {% alert level="info" %}
+ The query label must precede the operator. For example, `a > 3` is allowed; `3 < a` is not allowed.
+ {% /alert %}
+1. In the **within a window of** dropdown menu, select the time period during which a signal is triggered if the condition is met.
+ - An `evaluation window` is specified to match when at least one of the cases matches true. This is a sliding window and evaluates cases in real time.
+1. In the **Add notify** section, click **Add Recipient** to optionally configure [notification targets][101].
+ - You can also create [notification rules][102] to avoid manual edits to notification preferences for individual detection rules.
+
+[101]: /security_platform/notifications/#notification-channels
+[102]: /security/notifications/rules/
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_severity_notify_only.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_severity_notify_only.mdoc.md
new file mode 100644
index 00000000000..6aa498b0b70
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_severity_notify_only.mdoc.md
@@ -0,0 +1,7 @@
+1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`).
+1. (Optional) In the **And notify** section, click **Add Recipient** to configure [notification targets][101].
+ - You can create [notification rules][102] to manage notifications automatically, avoiding manual edits for each detection rule.
+
+
+[101]: /security_platform/notifications/#notification-channels
+[102]: /security/notifications/rules/
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_then_operator.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_then_operator.mdoc.md
new file mode 100644
index 00000000000..a80688ef932
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_then_operator.mdoc.md
@@ -0,0 +1,17 @@
+1. If you want to create a simple condition, leave the selection as is. If you want to create a `then` condition, click **THEN condition**.
+ - Use the **Then condition** when you want to trigger a signal if query A occurs and then query B occurs.
+ - **Note**: The `then` operator can only be used on a single rule condition.
+1. (Optional) Click the pencil icon next to **Condition 1** if you want to rename the condition. This name is appended to the rule name when a signal is generated.
+1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`).
+1. If you are creating a **Simple condition**, enter the condition when a signal should be created. If you are creating a **Then condition**, enter the conditions required for a signal to be generated.
+ - All rule conditions are evaluated as conditional statements. Thus, the order of the conditions affects which notifications are sent because the first condition to match generates the signal. Click and drag your rule conditions to change their order.
+ - A rule condition contains logical operations (`>`, `>=`, `<`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.
+ - The ASCII lowercase query labels are referenced in this section. An example rule condition for query `a` is `a > 3`.
+ {% alert level="info" %}
+ The query label must precede the operator. For example, `a > 3` is allowed; `3 < a` is not allowed.
+ {% /alert %}
+1. In the **Add notify** section, click **Add Recipient** to optionally configure [notification targets][101].
+ - You can create [notification rules][102] to manage notifications automatically, avoiding manual edits for each detection rule.
+
+[101]: /security_platform/notifications/#notification-channels
+[102]: /security/notifications/rules/
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_third_party.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_third_party.mdoc.md
new file mode 100644
index 00000000000..d6feb7f0f8c
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_third_party.mdoc.md
@@ -0,0 +1,11 @@
+1. (Optional) Click the pencil icon next to **Condition 1** if you want to rename the condition. This name is appended to the rule name when a signal is generated.
+1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`).
+1. In the **Query** field, enter the tags of a log that you want to trigger a signal.
+ - For example, if you want logs with the tag `dev:demo` to trigger signals with a severity of `INFO`, enter `dev:demo` in the query field. Similarly, if you want logs with the tag `dev:prod` to trigger signals with a severity of `MEDIUM`, enter `dev:prod` in the query field.
+1. (Optional) In the **Add notify** section, click **Add Recipient** to configure [notification targets][101].
+ - You can also create [notification rules][102] to avoid manual edits to notification preferences for individual detection rules.
+1. For the `else` condition, follow steps 3 and 4.
+ - The `else` condition is the default condition. If you don't add any other conditions, then all logs trigger a signal with the severity set in the default condition.
+
+[101]: /security_platform/notifications/#notification-channels
+[102]: /security/notifications/rules/
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_threshold.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_threshold.mdoc.md
new file mode 100644
index 00000000000..02a5ca95a4b
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_threshold.mdoc.md
@@ -0,0 +1,21 @@
+1. If you have a single query, skip to step 2. If you have multiple queries, you can create a **Simple condition** or **Then condition**.
+ - If you want to create a simple condition, leave the selection as is.
+ - If you want to create a `then` condition, click **THEN condition**.
+ - Use the **Then condition** when you want to trigger a signal if query A occurs and then query B occurs.
+ {% alert level="info" %}
+ The `then` operator can only be used on a single rule condition.
+ {% /alert %}
+1. (Optional) Click the pencil icon next to **Condition 1** if you want to rename the condition. This name is appended to the rule name when a signal is generated.
+1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`).
+1. If you are creating a **Simple condition**, enter the condition when a signal should be created. If you are creating a **Then condition**, enter the conditions required for a signal to be generated.
+ - All rule conditions are evaluated as condition statements. Thus, the order of the conditions affects which notifications are sent because the first condition to match generates the signal. Click and drag your rule conditions to change their order.
+ - A rule condition contains logical operations (`>`, `>=`, `<`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.
+ - The ASCII lowercase query labels are referenced in this section. An example rule condition for query `a` is `a > 3`.
+ {% alert level="info" %}
+ The query label must precede the operator. For example, `a > 3` is allowed; `3 < a` is not allowed.
+ {% /alert %}
+1. (Optional) In the **Add notify** section, click **Add Recipient** to configure [notification targets][101].
+ - You can also create [notification rules][102] to avoid manual edits to notification preferences for individual detection rules.
+
+[101]: /security_platform/notifications/#notification-channels
+[102]: /security/notifications/rules/
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/threshold_query.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/threshold_query.mdoc.md
new file mode 100644
index 00000000000..443d9fddb6b
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/threshold_query.mdoc.md
@@ -0,0 +1,5 @@
+1. (Optional) In the **Count** dropdown menu, select attributes whose unique values are counted over the specified time frame.
+1. (Optional) In the **group by** dropdown menu, select attributes you want to group by.
+ - The defined `group by` generates a signal for each `group by` value.
+ - Typically, the `group by` is an entity (like user, or IP). The `group by` is also used to join the queries together.
+ - Joining logs that span a time frame can increase the confidence or severity of the security signal. For example, to detect a successful brute force attack, both successful and unsuccessful authentication logs must be correlated for a user.
\ No newline at end of file
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/unit_testing.mdoc.md b/layouts/shortcodes/mdoc/en/cloud_siem/unit_testing.mdoc.md
new file mode 100644
index 00000000000..6697e013363
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/cloud_siem/unit_testing.mdoc.md
@@ -0,0 +1,10 @@
+1. To construct a sample log, you can:
+ 1. Navigate to [Log Explorer][601] in a new window.
+ 1. In the search bar, enter the query you are using for the detection rule.
+ 1. Select one of the logs.
+ 1. Click the export button at the top right side of the log side panel, and then select **Copy**.
+1. Navigate back to the **Unit Test** modal, and then paste the log into the text box. Edit the sample as needed for your use case.
+1. Toggle the switch for **Query is expected to match based on the example event** to fit your use case.
+1. Click **Run Query Test**.
+
+[601]: https://app.datadoghq.com/logs
\ No newline at end of file
diff --git a/static/images/security/security_monitoring/detection_rules/anomaly_notification.png b/static/images/security/security_monitoring/detection_rules/anomaly_notification.png new file mode 100644 index 0000000000000000000000000000000000000000..63380a6cd81173a049e30334c4dfeef69c98eadf GIT binary patch literal 70914 zcmeFZcQ~72-#?5}T9j6`MU4)$6h&2Ss;x~+?OL^GTAPU3Qd*<-9<}$XEm1}7O@bh` zM@Y;V5q_8ZeeUPE?~eQT&-=%FyvO4>B3F`Yoac9)-|_jL!OvCYsLwN=Cn6%ER*-+9 zPDDh8BO)SRq&N$F!#|J82HuFB)a4!%mGoU-0Y12!>nK>Ls1R`h#}q`Q#Ee8_r>6if zNn)n|K7K}ghv>{dz9%6f3bH05{jYOWf%ntD2;g;k&HwX$CY|`d&IZ0qC;8{uWVrM* z|2!sMJiW|Vdl$GL(YZJBx=utySJ+Qq#0u)SH;9O&i4>m5ymTjCn<96={FLe2rnV=R zjd?{g#5eCw-sR6X{n=Dru7$joEAzd%f0v6(>*Zycm!ua-WiDIaO!p-j0%M_WFc0Ci zX+tI6x_L*1<8AR73pYzkOCRv~Mx&V6t;dgvh)HRs|M<`E@~t<)Af^6f5%A2$V3gzG zj;;sGeDlz7%As0e*T|uY%Tn|7|n+?>Aqy$+iE3is^X~5wQ;xo@10SW$rA$R57bB;EvsTH&AOJ0I0OFj z{L_Ic+pDpqBiIr(HFksEHwsQ!cD0QrIm_NnkntP|S_BVznbxQ`>?j zTe9n~bYb(AzI5J-+^c~OhMPuY>Z_C(dL1J15>zSOs~7&e#sc zd)E)=a5v@jSSUj-{h9v%7{HS>>1w-#;%C;%Qd29H7RD@5jtgBDkS&`3bWNP};f_V* ztEdM#X}lav2Gm(Xf9EpW&x>X46Nq@pw~%m3k-u~Ei=po~?-8S$j355WE?+s{Z?Ja% z>wh2G3qEOMsa3v<)KC5>sHb%Mc1zkAWh!&w?=;N2%2vj@8~5St-`V{0B3l`@oGs|D zLzNz(q#X-CRC;pe;-7T}c>D$h?bx19gzR63%C<^Iu_i}g|Kj&|^172!tby-!-1xgh z?vjw=GLJ6}O8=eq;=m~qSLXks-oQ{lcoLJ~U-$%DvHhL)EWjx&l#YKN>JuoDA0e;l z$phNI(w;b+$PW@u_P=8CFRb|gl9(`v>z*>$x9J;v9S_yI!k5@@n?Uww!TL}Hu)D+4 z>A|0WmL~FZKfgBBWTaK1dv(Y#rYkOn$?6QiGWiLt^>Py78$66x!O`lnUy##{|jJ(3t4wf&u;{$F~Opxvh zji-_BWuh4e8GmDeJd%VPQ4|%y*-jnB<#X)iXb<%=fk!qrgqS}wT&7Mrk5YFe+z|P`0j|4`) z+^FprCjEn5U}HZI7}B4b$a+YSI5M}XM}J@KTP9}8M|x+e^y$a>ZtSyBT(OOBU~?x;%o29fR(y|MY(EX#Nzu74;{Hja2&v>cI=~+YhG0P}Tbn z1j|>0`}uD@fB2LP$4NMBcskT*oq0P$q2RD8*E^{JLo>G6wa}%o5VBCTxvO2Q%l9#k z&#h}}G~XbRA!O-=;JY3n?a`Rfq?(Qx?U6`z_7IT^t`n_Uhs2Lvg+&tu7 zFG|;G$zybQ_6O7aI>IovCqdAo z81epJ`88i4#wFTy6p4bdv%ni zoVJ^LRAcwvZlXekw^UDe6<%Uu5m&ddW5FJ#I$GspuXIt+d@6lhQ2Ua za&3Qqd!_=??_k+ukw{a#xbyr6DzBw82aD}#Me_9dc*L zVcNSNI?;ueB~5A7Nh#DWvVt01 
zw7N7$&#moIm09UQu@zf>jek+DR8-h*!cHYoe5eRy>W>HEzzRFX{?DT%X|GvK6zp1g zZuE)GkF(Hp&Or|Y^_~{+EisKCSPpr5b&+TnWr)~7={3d?ON!K&CsjX5fA?ekUfzx1 z%}$QN^&xy4#H{;0se3pdkWsF3!jp({)zUsIH1%)T7$RKlv#dxsTP3{qKRjq!5A&6Q zlm^7VAEe_{Xa_fR=WFCbggtm{(+^_BFq@RC4V2cjgy3nu?#(&Q$-?5JbQ-B$%2oW8 zdTg*IMEiZC_(|GRZy7>_TUh4LTWV6Q_w%p~NwAA=o$z8kNfi1J;R7DjP=1opb5zYh zcvQ}Z`gYERz61?Pux0vuN36>9iILRGu9+LU*;g`|&BK4sCPQL(ss&@UF`arH!Qvg1 zE{XbmwFG>X=z9@2J=c)mT)$1RgvcR~9^fQ{hb8@47go`mH4Z4u)o2HJD}Lt5t954( ztGHPn;?0Bl;>RmPIh+ucLIh#*;N$}?x+Y4sRcyIMEo)ChVolRK4X}zDp*jr%BVoS)?356=C=(nz{MZl9Xf@@E#_LrfI)Rw^~qp6!y3)$;1+FKXKD(k*`df zbGcH6P`L2PBhz^IFw{_%k)B6KJ`pdzTvzlYI3k?id_wuaW$|9=*6F%^RvSS_{e_QT zcKP0``jPRHD-&YgJ=(HGGoWN@Nd~0RnGNdF0?xJ&`dIdEZC&W@)Kfg{xZ0VY#$$Ha z)+lI8_W@eF6w;R}fi8KdvbfH2;JF2pfiOL3ALPsf*=_{?!C{LSB2#~9Y*fBZ1Y;gR zxVTPF=b&FJeWn0tHYMZKAkp^t8fcmqef-M&hd1kC@0~ra6?i$caieEWHC-D;yS&>) zG{`dJdg$C*v-QouP5$`kU`>-)$_R51Jvo{Wtz0iB$9#@u#_os)X`zl)KER+)EcdDVyI?)6*HnnTq)BQna9X*PSzlUVV%u zZM?Z@QINnhj-cU2T$vmBuFF(58D)orfv62!0WIv{x|Nu~j|8j#g!ejZonN(05EUv^ z+5=-o>_)Nx)*eC+Hat;FQ2)b;F)^{PQD=8cc5L?c6`DMG$n};%iw~bmxz(Rw#3ny# zd2hqlz0o=s>xpCt1I2g#$l`iZbu(ilKAFe<_|H_UwoGTJqar0uzZ*vCG+9S!tz`Ap zOs(#WxM?LS!;5qY{%Fc$gIV6$xTdN$6>qfj`wK?1s$krj6JJ+Il`S+DS>-TOWykkU z@F>DS?zQ(}Sd0;{+z*;KkYwX(R(A?h9}EjMms%Ec=F+^fK@`mBzU9x2x~9#m-DgW^ zmJMo*)uk}-P4`~bivCjuKpsMJ_hDIS+)c@5f;_O`Lp-+T;WVXReVTmuyh}-Bt^i9o zhR3M>WhWc^Q^mL~7F%ybs)S7UYM=l+v>W-}X$c2vf~s(C?W&mbQcmW~KK;0VMFqZ~ zVzK7q#${Cf6+FmoRPf|&sX4Rl39!Z+q9-XAdhUy_43QmIab0VFBaiXyAiv6%$2u9v z^QS=BT9)k%sQ_6D_)arno??~T5j~~c$9V66Wp5y( zr8z_oy?xfovPdjGRBR8k%dO64^z-eJpjpRHVetr5-^EwuF31a|nF}4Cr)_gha#oF|9BrPaDy6STfsRP z%2SGT_VNa^8mJb$%!}}ea2p(2aP%1M+LSaaSrcjGNSAPW=w7;MnxkDOw$Syt1-cy9 zpDOebRbQ($PqASv!Sl=jA9iG zF8fm$7~x8${uB_oH0C^-E0Z;RZ?pUlJ;j+pP|voI3bRoz{Ki)2z|2sc!OzXjl*hyZ zPd{G4C2qLvIh?R;;~W}X!AzRLcAtMQ zm42svd22>_7_X5ShmOSf#**2oFufmmw>sS)G4XeWH?)Ye>olRKd68DIJzZ8RyT zTzpeQd6l=L6_w**&%G|F+KBi;%A2K@W*Bni-h9k z^aJ)4QBz+sdr&wFbuIF1LM0R)$L*AW5TI1xyT2KSGTWWlh5P9V+1}$x6515Yi%r<* 
zerXFK6I|II4wqck4y6B+B;GZW4%o+}!ywO^;Yg$g(z4+E8oKS=l}WWQz*H?&>+3BC zX?s?Kd=6f>)_jrKH@03s40T-oVCg?$q4GMAsiOO&%Ib4ZO4ER$vm~cl3J23ed)HVY zCyy#F!|vd!=XI|=N(&@ekBj%imVDql>L)vepvEqCvl~iRus0kQdyLrR!kCrhHHS9p zZI5tF4;`aX^(y++U1cv!8{voo!(Q8j_gPnUT=?@!iNQcx6x)08_W;OmJL#4x6uEpKi>hHHsL+Ww+ zzyaMRkB`b}2f0FPePRTBS20hbF5bXk@BCeZf-LO;*!G$5E+w_y2tA>~ZVx)?H2fZk z2R>5`8aDjZRXL5W zmb0nSlp?{)LgyB0Q7JoE_rRh2oK7CGt|2d$&u8BzB_^X_>zTuRzM1XJe`HKt10} zgbu$QPV>WMEyflu`jljM%k5##H{}AVHMC1v03LQQU;AutdQjoYaYHLNMajBOt#ke^ zonn&na#C|C^k#9r^EOur4aI9EKJnpO)x9S6g+`?%Bl#~3uG}-69mxbyitjk{S&Ebk zXmV-Nrj+gF*}ndXGO& zhWdBzhx5F-uFX`anSa}e%3H~EXLXML=Y_9nVLnpJK72}@vuz~ys$X3|jYo}>dr#C# zh0l3$HMjn{eiItW4fUBhWZ!9sKFq`< z4<(Xao_u2fN!TG!9BiSnW;<$9c(Q$=bX4O?=vHgXo)T_t+^g_HZSq|WAo3MVn(>>w z>tu1_XwJ*cJ_lprDs4QjJ`#n*YJ&^3i|*7^+i^@`mha5S;)ib(c(xnbOl#dX3(R9JbSlw*wy+Rj~5V&%YW zFP%nSz%saD$~6VHlttrpNzD8{s&XWG%@_s=^YcH%-L7{{sFl?Jq3OH+Cj-=ZGo9Fj zFy7$f;~$1w7)BZGR ziYymmF|9b>V%ayxfBgL)In1ovK&t)jip`+bA0GLSHOcS6X(6Q7hYY9-{=P{4<2!i; zAnC6$H2S6ZuMe_5Ey*OFoG1D<1NPspenccte#p%#e5(H^ui+mCd8ko3@BtqYa7ioI z^F}L}PEF;-KM(09w{-Y_Oc)cBe!m2iX0EV`{lTpL*DPpt0or`tU9|e^tSH{G1GKp( z>H6$%q>*N;0BCay-8=aElJd`?Qz!wn(eYaQ^xw4jl}OTNr_~#HQs!S%(`>Y{K#II< ze~jUucm0i9ejTUj&mv*D|4=2m2h7-Hvt00ZJNeHceWnMafEl;Unp*x% zqKHWW_83c5Okbz|`(VoeX$Wd-@B2ILpJ)MOGlPmS{(Z0}=V-@hK8C0KRibGBua$-W z6_h`THrxLS%I{?Pf61amG*5%kID%`e+TRt3_JcZ5Ig(p>pP~DA1tGok#&hi|Un1Xt zEBx<(EfT`4Z-m@ydS&jeJP_~zVZOBl3@gJ()cW43IKz7xS<8S3L3O3pT zz)U^QzVjc--Isw{cDVmXX}bSlF*O0z&r^^750>maU_a!VpQfMtJAK}90aobc-LAjW zhL#L4Wtl&34v_wx6^~C1V!`EwzmN6<2|&3QZ!TK>A$jvpvzh_eW*W_q|5Wn!11NW= zmf`{Nf3xIQ5%hZwEE7RoPybWRTN0F zB0d0otvkZ7!lEy^r+8-LSB1O%ifuKMVM&F^0y_u=$Hat_?^!7CxVr7DhgBs@N`zwcbnWQ6 zH&Vy%7j8%^Ui#3*f)BdD92?$r?Z(I0dofK{cpSx@%(^+~yQ4pIgfc2tK0_$wUusLS zH;dFx-|H^z9Fek6^7HaApDv}l4LRKDM6!j2NpoFZ9$Pojt@f;%?~l^ zlFbH2@gbi9yf>MnMJE@K7>%{ji(sMfEG2M`#1;VnBsRnTt@L_y7fRF`*{TsUjod!;x%DIiB3 zDQxK7T&nz7`%~J3r;bZq>lGio%RY&WXgt<}xcY%Gu8(Yl$$(KNu8&fQ`y zP}-T|6Z1)>wk+)A?M*)j-{)l`_jFs%yP6g6k|n@euGndAAp09@l+$0vSVB__-obFA 
zs0km0`DbgR`}cfWJavY44$nrOW-*7>LH6uO*R`)K%kV;jZjc!Fuj`yVHOUM5v6FTx zs44kwgIj|}>dIzW+Gfk%6c5r3Q{i9b%|uuG7z~U2PM2pe=Qx-qeOJWG#UU`*;*Ao9f~KK#y-pfB&(iQEb(5*!NPqv7ni#sykF3`PX5VB~jO1qFyX0_s&i@BE| zppbojA$eg;;IO*+d)rB;s|L#3=_onps!0Y3SrMVC-MuU;>WDz-Z>lgyx^^auRE`vB zX?DHRQU@Tgmn`GxI8{3eT$qX$BHKPH!o)q2?O_S0DM(^LIlmm67%urhs_8hLpj=&; zW7V3Jv%F$bYNk-3c2x3sC0@&vM<1jRzdg8)yVh3UBgGyc%C{4OWYE&E?f9H zb1Sm*dTEGANy_XNPrOu`9e?}4OQ0&%X+!1DZog+eJUqI04YshWcXZz*a(PdB*i$eA z1oJvbejP{8X8|RfExOMDp-m^Qu0jiU{7})qE!TJb%R)(>Zpw6}!=0_poA+IQu=dIJ zBMxz~4XltMn;_LA&+rv8mU}z~F!jDftZQ3Eb}!ae%l6XNs4b#XaocIJhvBq{|FZZM zKO7ulP%}*fk5{lnl%T9IYBxPuVOt@3-k{~Ng9J)XYz5b<+lWq1)}DRWo*P+$q^<(Yz1C!)SLS%&xCpZ4uuOX{xLJOoO7%DQG9sR2 z`UR@BNQBtMyeqP8+;#~gp&=WU2d#I(zoXc7Kb_#Zbs8n;?ncVguJ}`EY+&oPKD2sO(|#O*;QYcE~3tk(XZfE&`@vWhXfDv_zII zjp7WN#S_WS0*=clu&7%^-0@zHruRT0BugcNT=X#Z*+*43-35o*MVo`!78y*As0T!P zXxESB3t~tWfX#gC(@SHezRo5rTsNqjOCy`=v7$LRT>(=7%QX#RpVr|D>S0Mb&)8m* zpuz~9qFVW1+OkXth4YE^E@pj4WLvv5b6G%U9Lhpk&osJnjDZstD&5W|N;`lii`K**50ukuXFP6e z!7Y=}HHFB|Jgp$Z18VUs;2(@Oy)^@-iz>yOEHD(valF^Uy;`kzf2VmOXK%yp><&G? 
z*&hVOEYwW1-jq@c_2{RIf)h88Fxt*-r$FV`F7;|lFh@m~l`sg_?p_MbAy+MuWYdYKpC(d?L zipP6f+a*FbGmfd9u+an9`5md_Xcp+9I{~_O_=d)9bPEBZDF^d#t@tDK`ntWJWYyKWvr227-a_dmeoN=GmBiYr+M%H5 zCs>~=owp>6-uPc;6i2YCObj=kAOjZgA7w#S&lS(SO#Bg_x(q-(%C}%AIv}c7$z z^BIe+%-17OL(|-Or3e|or!v&0X5kS4-Ho6HpqY@3EEz8qX5^2?8^f5`MR>(DVrNgX zv68E6py_*MR#eR0aoIZndtJVbELJ9W0mX7q@IlT~%GHD99-!~W4zEtLsF z(C1FQzaU%+RNH(iIafzLp6fZ+4g=Fe(d@ZpS%liCG6~V8HJKQS8NT{}byGh{jlQEd zQmAq$QGs3eM8Rv+zbgcrF!ybaU;QP_^xFrP&~V6lZ~?I$^$#nyLIVVTAs<5{KZh=L z@*indb?Cwh&hPF?etlTO-yEx*hFzh$n9+iE7LtK5H=UGV)Z$sZq;#5%8kQQ)R#^ft zD0;T|2cA#LWJzD0Omn8PoJc_k?_U{KRcNS!k9(5^wa?cF`VEFM<~8h<#~bc3M(?{1 zpjENYnG0rN?O;9Pk|jfrUdGgCXYd9SQ#NGy-RsBk__%~DxR1ctISV@rvAQ4u#tk@l z3%@2+timTbC0n0hxV19WCO*utJ>0)#hdQqCY&q+3*yg=8{xg1h+g0K)zgeOI(SR!e z__da?n&8h z2HY^(S7ABEw5N&C@HBk2=i%G&8e-s83M%oO?=(EETd&}Mu-QIJi!C8{!SU~Cgrk10 z7Mg7^5t4(F56gO3ye&F5N{eTwM62Tr7pZ-f69n|SMM(zw(nH&7Qrjd0gr+vUnuWy11JbeIL72MT z(uU76coyVdj?E4&DaP)_Mj7zJ(wt7hJlSI-Tl=AO`t!ly24t_(X}!s(GQ7{z2=$T>CwE7R~KR z;Kw)#@Iz~dANNc28)A7yt)m%+zNg-H-(V^gm4Wc2)0yDh%aSx)`zD);y|}f%^-P(L z@aD~3KXKVKdYyRMII(%FkQT%zifY{@V2*&n;UJ-q;6z+i+ko zkVVsWfmOn0!4$tVg)rO%KtAIa>>bLd?++b)&z=TlFY6p)O!s{9;}F=?Flwoz%Dt2t z{bS+fGqxq?i@Bd4F830vJ~ygCAF02L2K)_`*V9dD;GG*DYZ>^WbQnvwE4+N(vNy$&+3>{GYX@fwj6i$w;WouGihobv z^4tNF1@pJ1w0&<*h^yL2TkBWVk-!%W|CXx(@?SEfU%1Lj?MFIoa*sAbogWf&idjcw z_oG3bF`@ch5uJ9O`n7iDZ&Y?E-Tv^q@!CDrVlZbIG{>V_j6s@FA z?)8y6NKXqjc>K6=1|_EJzgzLKaaU1xQ~y*OMsNzoIZzQng3> za$%LfiSr1#+BTwc|SIpk(bAathSjzf-3S$P*h*TmQ&(SM7_HS+mcqDZS z6O38T+6;MuJ}va#KoQm!_!p^zn=K5lt}`6BIzi@tXw~S;LdN$n+C8!%0wp(AE}@T$ zX&PDUg)PD^HSpk;cE+97ip1U35Wa|Sci-?w0qPEOxjiqoqA&NFmowJob#-w4ufgXB z6}E!F*>a{tJ~bAGf!vy%`%&y+N5|v`TS?gB^s2K`)5psig3|{A9w)`bs@TCQCgF*O zt{$nyuEk#c6mv1B*;WNHZl&0E((V*`6Elapy8O{XO%&<1hc=&fok|&2bDZ!G4T%}? 
zv=g#UofQl4*&H5Z7LXSiPa^T2FttTLqh2G3I>la#2R)#xNzHXhh|1yp*s ztqQ4nk9A%EuVx10)$H*7qte($~HpUrJ!h!KA@;r7#48w5ATm$CS@ z((WI($KS~N%1iB!9jij-YXubz{mh%b+Qck4y$ZqF?R35@etu*5jfIB+iZE;`L8DR= zA8fsTc{$Y>RQRG-@F-q&Y&Dev&a06VZFzhdoZ`LMw~+9>@yXy#jEbru_!F{oFQWu% z7~bGD$~bNkNIrDKALyy%;Ox;?cKtTVdliuj;~%Y1Ftxq;26AR~VJX!$&~q?#{bOAF zWCJouIAsz<(W+SrHDJAPRw=CspM#>c4R$#xG3pmQio|ZZt&J@dZ9&jI<3GFJZ438k zhMsbLTB>|I*gR!y{fp$U$#?&APt1)`4r>7BES?|78ZD=+)^biGN3qEdtK-MWJh$(Y z({9>y)l=`OcD!#`igU6nA()3*-2G8?@8(1fl)F9rXz2U^`Vk>9&|9$U(AsONYKY+H z0Dms+nyp{G{>EP=sTvfeGAGe2*zgHI%p7lH^`pAxjE5EVGSAD2LRjYTT5I#gsg{m4Y}`2dQ4DpmiZj+03qjc1kEVd!QLac^YO}c71>iC zO_n|;rjKivdYOv!))1#Co$$0?A+Psg z!IR^p36jj4#XuiV_^6;}dtK@go+>x&VGd`$Sc>SviXZ-HZi+qN+?}@ARU^7#jp-WY zSmgvSZT8iQ3o98dd=S&Xf@>$;mp!r(8d^j>5;w}gseVr++^@&fH5oAo{=i(7)3kfW zX6BdXjca^Q*QIL8d2|n&wtBJ53P^99DG9eXucu1=JkggT!p$H+4kNDx4_ekfS}6uW z69S6d;u_v`vSZpFZ6DIkq+--WqVR_1f%k1+bI|j>#yAS!0UH- z-PS|XBq4|C<}R|2d|D>yIsb2pla+TTJ4_A*G)eRg2shx?=+{S$?)!Kz9hKy3Yda_z zgA{WkNi7QE4c9?CV1-nHsE0PbCvzr7`a%*1v)qm?RR|rw)yE~NrS#o~rwE^GrI}UM znrFSR?sJ}gYwUr&a{%HA)HT8Cz|IZugVqn) z#A~gQTNZTlC%rbQeSGQ7^{vY0iqU0(V}mB*uaz(vTst!7&-rCt8IayWpxTua3uP8- zjL=Lw5&gJzkO~Q*mu9Y)NtK4(>O;JAjFAn7({-qZT=6ou4WB0j<4jHSvcjFe)Lx-( z;H1|rCH)wGg62Gghl{a0OH!r0ItoJ~JAB=w$^xecZ@4?(5vJa;9WsI6jJf&tgjZ+4 z$!N5WVz$2hJzn^py6dKd>g}RABuCe;P!ZZB-&`dNyX-Gk`k3TY6ART;aqFt09&`4T zE64nt7LTr5J{1?>G=Q$ml_wd!fQ$_c?}YhG_0SpT`otbtn!8*JBstj9I~d=-(s5Vt zg0okoDzBZ|qNvFhsKRNF#d7%u^&{)&T`65LJahN@1Wgf~mLc6W@CD7MK?MU3`gXKZ zYksm?j(x$^crMa?z=|x-cloJTaq)v(m$T9^!E{sRRl*f8mkfn7MQ@>-Kd0lwNzT#7 zg96hl&UB_spt!1RU$N{gg&`fPE@Za2swB~G8>lS5ox*DtJcsKZkzHe*`R85$rWhmD zY2j^rk5r20XR0+dVY)!uArS$ufWvxkG>-Z3bNYPh6Sqi)Fv}2+0ju0A!a~)R3dan= zcsB(>?SK@E{*QR9Wvx%knkoB_T)ch38}!F_F17Y%KEGP_Ngy?5yccWMk@o2AO?W0o z%KiBdgXG&wJM$SGTus^yaqC+!bLusjfwiLLcGUoO^f7{HFez5!e(O>gN8#e z>ovgf=08S$wOedRFeixM9X~soAcPOWAlvezJ)vVdmr7&gN1}+p)fR={7<6)2Y++!?NxJ zy7(?+KS}5AC3x_t)~d`erDAC^!1YC~z~r($@FiQp=Q@;6=G1gyo}tTc#3qtFclLva zs=Fb51C&#uC|5`+NhrS|@6|3v8FRQ?f33|Or(HZd@3McL 
zIahZW$qM0;F!I!l;d?)9M&;;)i9QHATf9U3Imfo7=#~MpjjAxC-E%S9`-@*! zrDeaKq--FB2YT4#5Hnhj5k`c*lUAo(CUmCe%5wgM3;VuS5`CiikqJ~5(vv9Gf0z;lA0K1vM#La={N8JEjEm+@>eHNs}ey9k9LD9K({fdL*GUy z!>me_;Zn5$wh|Ku?ky8PtkEbv&<~Kh0u7(IJK1F7Dsk?hu~CuTvc}|AQ_W)aApOL& zG>v=m_qS#@O_=5A#(qVdNjH)Tv=%yFx(YKUDdmQj#L%-Ah3?8TuB~qVgc_RL#D6>Z z5RQs^=+;J>coue2zO0shTH@?v7fDgswLv&;iFy^M1}jnW5T&m0`U1F+gWNkUrgl4PM(%#4uMW47m$P7 z-Wg&vWOIc@y~?r87a3`@KyY(=8`ycc(LM7;3X=t*T_&xsJPrZ7GwgZ08e;VUkZQdu z_6&7NFe*vb)nLZ!+3Yc4)=90aKnPtVBDVvI#Cu!U5Q53YeVkedOcscQi2iQH*s?&Q zA>p;13?(3iE;4#_w66VHYU8cek6U!-(C!a{zWiEZY~`ZWl)yE(I`9E4UN@}*Y_$tH zPT|Uu5Rmb=@;=+d)V))rUAXsbI7{2%L~d1GsnfxI&!XzqW8+z3 z>s7lS!j47vESkI!7ix5&p!FLcy(q0{*JRRIRxq3MQy{s0OksC|K%4ljuGBWvJs50V z5A2^XVVI)Lb|XK0MaB!Xbiup9qBFWvH?FxyVZ-%Aa)^-HkSr{@7P>l7KdvG$mpiD1 z^#)6%QQXe{7EUK2`+Ow}nURGqfem@cE(C2xB^y+jb=ob=9THqzDI)4BWyL(UW3Cn( z7ho4Xg>1W8L4lo6H|MRX+dyBh8{E8ycAudF&k{Ahdp5Q*Q|*U=A?NuM=K&_IjVS|V zY_TWy`erA1X#Pha5DZOEJw$mZtUa!uCKy+t*X_?7PnCC* zUw|6f=J|r>z^~_!WBziiLm=jH-3paZj0G*@n+892s-B+eMjr1fF+L9&lIT* z^ujOkmQSArdU~kRUJQsj*x|>JJ6>*U6FlS>u16Hg^=rj3(F7fTL zDQo>5NtdSGW6rIatNfIc7O@=>yETIwcU?Tx=QbSA;rrJM!Gg3EvK4MP~#yr8tbQ_84W&{6wYmQI}-|0_-b$S4JK z8I$8OZSJH#k&xw5`b;8d(eL7aD4P824oEkvgD!gz0Kkos1oS>x73D9@0b@5?KIg1sIT`~f5PoeqGkrLuy9?%p4zsvCwbee|ws z970>y6`7rD+ATW807gFk8R{k#ZIbz8Uz5|EYuhg>Q!Y<9A-qzEM8pLgD`wF*qYSk$DbJ6@H)nKhKIZ0FZeVMkI{?0hzaaip;C|a{J#!`Cmud z$qOL!#`%b;{{xWI`4q^h|Kidw1)l%;=x27dBVvt*V#pVOz;xpbf&hpCo#WO#g9vNZ z^}>tNY!1W_|2TG~XPr^pg_ofZ;>@~Z?_yH!T%;$Nq|BTZ7@#1%bo(1rSjKMcm!>;f z|8ML-hNU5WA>?ZB)yJD1m&eOIn(W5k-WMRByF-yB<9F%lmi$WO;I>%WSw0#0+#cxt z+Z^X_M7$=g-OGtrdMf*GP;S3G`cowyt`QoU79ZHWdImM8p!V3YR(@3W+j*Cr{4 zCu@A^RH;cO!5S@^^Vk1PJN=gFPKyby*b%R~3i*Ze@7W=q)YhK?Dds2ZOA+Ja*1|>; zg4E7K<>)jXZm!N6#=FOkyp#S)@dg_j%Pk}J?>CF)G2R;sPwc3}Sq;y)6;0=xQ(hcV z8%Oc!v9^&Mep6;mUcn|F_pMyRWG!DDKsQ70dzO&%$gq_IZGJ=@C*K z0yJT1@Og-RODRYBh45oq)D=?o7~iw;&UxG_q6$KHJxSNl8HgaT$hH5vi_fd)NvB>O#mPT-nD4!Ja}YP;PE{gj(^!y9M{-PZRDw?`JNrNK zetN{_d^+Kv>G=UA)ue;cBM~2uWwGZ1n&+3#FcWlZ-9tx8^`AP}>2PbNa&o@^SC#u8 
z!vM700-b>hb{Ji!SlSUayOEdA(;tB~aLmZc@~URd(~Gx>l!`<4Qmb{Soa{o@_}A)y~$ z`%%4^e3%IIpWK!H`TafR)|ygj*XPXkA~@`Dwi4hwacS&nzttg?`>^g_pDmwKwVf{D zcG)4zH4dShVO5wR|ATB4rNqMiCf(NjHlIG)aj}CJw2L)efSercHJP8b{K8iYS4Scp z+?<_5J|#WU(u z-85Hzq>OQpMchAn@0s=K-ug)S~Nvj8q!sl@3F?F~m!tX})f$FKnn$Av0Zt+7e|P zqnhwgWBS_Bi?ZInLz=U=I4=4wvF^n2MwcXU!fPqrGWXyr7yww@(nC$FSL)H1I^w>+ z>ul;0lMPhtyQgcu){(L49dCkY;rxB>v?`~F`xTofZ}lIzCkeY<=#1lwOMdiL5r>hu zliT+M#3mSWSHpamOZ(2!`87}k5VFs?q;_kS;Pea~Vj*Yng$VmMT`wQ(vOne0ZOn_l zF9pkgnSTjZ*cjVH@Gjc%z})SOxUn!LP!$JhI)Sp^`f;@EqFP_}W<_0hZ2RfTkSnZl z>!{LO2KxrLD;96t246>-x8(Ge2>Dg!s(MIeiFj;fO}ZioeF5jDY}+QPPSIGW5sCU~ zuYL&7^L>Lb?TO$znard)NJ-N+x$-yRML#!L49OoLE)nop?SX1icFz%?bby%q$F~@w{^v4+A z-Y2QJ4pyfVC+)kM+%b`XyM;=}jdiC?1zHy8n--YNyLR5^ENzK2try9Qkt}q_zEy<_ ze<($TK2?epK?+rxjXSOk!9pul&vbBW7r%|2+7;oZyP>fck~p;UBXG0C8j%Xw!uO0j zYGk74pdd%=M$QTY2mq%99h=fj*#^#ZvQu8+jl{OAM4txp9p!Vq(9Gz`;i@QYrYbTxQB-v-RVpa%yq6`x~SXeRp%vU z(YWJT(V%@`a!XEk0SGd<-P~4wR)zjyZ#Xt~%2t*Yl}^i8l8F-N&pE{vUWFyi+chgf zMy0Ck2e!?MrMvY%S$M?)K(tZ@6zz&jkRo_*>E~5VMLcu6;b)+^H{YPL@ny;L$C6Bv zxQZdd`aIA%I|X?D_=u-uP*f}@2mqfa+IQMo2&QZWJmR~xG$g+-Dsmzvs!?}Z0J?AJ8_ zSlxlcvYcw^E~93lJYHYFvv(a6u?}|aE(|!UgpL(X3Uc=-+L~Eo(!ND={nNQM?Ry%} z>QO#!ui8@9hb{Zdx7I<{GyjLZ|BQ#LUE6?hQ4L2KqlM+$S}=&sn!`m$s@3AL>k1-5NE?M+m#55RET7{+k?N7^bN zmGkX&Y$V(RwMOOLI&w$F0xnWe=pp53E$O7I%B??AKPA<=JMlLC@{6PrC8b|zrD>Bg zV#A|K_lUv}SZ7j3Xo7-4O)rantF%^Mkr#73Lj9LK**oRnNIHOe3#S37g$jBgM^RRZ zW{_S#;Qld&=dV|7KZ!lq{}mEe(O z?B4dStyMSmCml6OH5xuZ1+BI%iOKv%G6PF@9;_#wHhbr0GKe|U;3d$O9q9o3Ded4r z1xTn^w3*f`F5=GP2CR`*AT}woqszet;8FHm%HbR4(>g5LN?!)s2W+X_Cv1ZpU&oWp z*JH8BF^efsll@R@{I>?}AL)R4j&NpooEp_MyQ|yam6v2GT$5rHm+}sLym5bKgQfRL zzIQmN{N^|2ai_&>h&l(Lykl^SG_gfPnyT?Y!irU!-q%n)Pa=Sjw!qE`IQsX&I#Z=y z8)(g37P8L?f^5#6r-Hy-3<_`!uu-do`Pyr=kQ z+V+~P?|$Ap-8qU2K7Vk=c|<^b#q!Sfn{354AUX%YEpkJMgm+YJ+Zys?kQ`8nTg%Qq zY(1BDLxu|>e^0uCTeP^LL{u2{eY5pQS_C?CfpE6id4YbBls*y?pczT*w{CFFfBM6c zKhH0=%X&cC3W=}lkqlq*92~_d^x(U7kV2~{grtql;hR*RdO%Fad(IElUaj)vRX9-9 
zong4T1!U1zXFYm$qNvDr8z0nuTjExI^;Dr?^}dZ&>T7z+IJr{n&MLa$z@@e?t}#o3>}Ok{AB*0 zpywY!HILh=8y9rx>!-Vn-Oe-IoG1oiFj&`*U}Guf#R+x(b`X3}N-L^ynrvC=8j+b~ zSy!nkK%l*)koQX~`tGt*wqZgy-~8YOAw5;!GojiF0c-Do{MbyX5Lf@nP{hMtynL0- z+3}#YXY|>={9;pq=IO`p{GF^36BrM-_uc;fWm?HNecc6`<0@V%AYoogTOD2MKh z-w0gTs#yT4rPE%sl9~LWU-uInsP!isWqT}d>0J2hUNvimagnSp4>aZ|rSog0^1E4B zxkwwnM%EEmoh5_ae=SyJ|1!~^ZLBhR95kNtk}?sYTp1V zIZ<`EK9Fl{by#fP!n_$^TrbJpc#!7OkpQaQQDKwcx9E%Fshf0n64Ul@y=3RIKC)M! zmf~NNR%3YI>?NQDrCkOE8AzthbUf9u*R)=|>9JFjo8RZ7E7z4)cceME-Qj43!M^-+ zcQ*sSYE`)Mhvonsh!v<6#~9b~yzPWojU|7#sgiul)IrIu*zt|+eaJ#@46f9Tuqa-w z>?ab+X^T8e$D4J5x|>MdRAIeLimOI#ZQt&K%i1kgK zzsch^>+;m+>VtcLA9`$MA>md=f`&I7PDZ~nu@(dLltlS;vl!V54@w#KJDtPI z4<`Yl4b4p8QVJR@hX%J~DP?6<)hp{}Wl$5*s$TQV>^4!YIZav4EgK6N&E)%1)O~3% z3EQQmjs(r>2gm|I*3qnSMmLqBoLHc|Lch66{+z$LGDJ6Z*)_EJ>nY1X`%H65pI$|m zOIJ#NBDh<-7Q7Vyc=+SPdAFJgnDeb~*pOZH(~{}Q$*CvPWgUWDCS}RL62M83NNvBE zlu2o;&|4&V7TR_@Nv1pXK zJ@Yo5S82_|ZNU$Xb9k6Fn+uk0^e8oYe3+|7)?>bde<8%uU>QQCH2@q!sbQbbLjWs~ z@e5mGQu?GE-s+2NaK2}@-gjR3A$V=d%+aDwGDU9pY1eW<| zIsGL?<#~Jh``xIaTeme74vykom1x_beCJ8cBmt3>BoWu=ZzSfz+x(Ot#AL>ygPDR3 zT&Gu4?Ffl3mk%$?Rem=Ig;NGLz`5-%af!$3v0^CSD?0_l9?8d)!8^ID!wo5`Cra zpbP~#2|w;-rpvhUgl2&)Up0_ku~|UM{pe{3O9c5OAT{_T@SP^~eLqk~u~EC?=26H} zVmt}xFsWuwZ$zaw)c*2AX;4Y6{4!vg7M=lpxbu8Abnl

eb2g_59t8T)LIZWwE6UzB~dZqxgNiH7u`oZCThbC%dpeu zRX#c}6k8~KbyMmKaX)>qc|V(R$M%c085!>0qqyWVX_!yXGT*6o;A0{BGzG&m<*#Qg zEVoNa)d9g2(lhkcHWm%bmL#R&2F}iFbFV`@E3-pGuRgXxDjSc^&%gPl_VufzJ9uIt zsr>yTc;i%7pG(I@0Y=nxd?@vJ@Lx_`&is)g#;k1<;5Nr$3e)2e^emlnLo}(T@FxkE zRkFtW$jwcSd5@ldUcz zx-0#?ZcY9P@w`c5N%qM#Y!gwFI$3kdiC$(7lhVrw1|2HWX0Wzg;i@}RF zQ;YHJ@y13AhF;~|-0m#IUB=W=d{ds60YvuT5z|=+EsKHv(0uGm;e`w<&QhVLo<3vJ ztes!Jsh{VDv{yHk37nHINu@A%=$Dd^Fk2KgU(if4Yoj~Cz!$pH8m$av3n?)yHE&t1 zQL0H}kch}xwboI$aChNeugljdtnTw~3{SDTy0_#a-!k<_yIcBRAmZ?lyyWsut!{cY z?|L2S1AnHNOWEZ(!e>wPDeDdQ*lEG&l+w60kPb6vdb1AcC)2~8)u4m+2EnJ|L#R8i z8M`>}kk#(hsm~EoIJci$+miJ^R?t$!>-RkcB$j6FmjatJ);`cf)W${tBpI&8g^?Obp$ zD{ci>tItf9yHu>p=40lR1)!xUs1WC*JzS#<=-OD$c9i$Ne((O9tOdFBZGh;arfdUB zIeI1o-WR%Gy_fAe=338b?naw;fGruQe2g(Jc~vv*nR({c_{+C0NrZG0ilbuI)$`Lm?WcwYhjmuOhKP!xnFpBj!W7m`Ar2;rWxG&6m`i2?gI#PY zc{fyj$bl@F4*&i>nUo3TK{{qtSNocM4l3y;yG1^whyxgqFZ>li**@E|Ini-rY?%f5 z+V-^a6lP<8@oh|`U*}NsUXT=pJDpTfWoGpV*&;jU>;TerFrU?mr)I|2Rz|bM`Q_mT z2N3m@bB@hSoqg+VVbbPTyE0K?_q}Frp#Z_1=%CHsW$Y7iXGq%N%?o<5gB^tZJi~9m zHA(hW>}yFXay9;` z`7(YyKsAO-yGx9N0B}F;G`-8CMz0vzctXV$Rr;iRL_ILcqIWG?T=bC1E0}3NoB3$* zTPWvDmB)KbquzaQ16KOg)(()fgI(2&eS!yjZIou8!Huv^P=P(NX0yVn1u3qqR?w4% zqu!!Rb<{pX~ztv$l*^=&dZ@gf(RP_wGbYK9` zI%h66mvaetvMZA8dUD>Pc_y0>V)Ek6f1=|6k#~i^LP}=(lawg&&RYMY$AB$v4mc4y zaUT%Y<7^&9P0@5%pwGkw_ogaUp%arqx%d4r;*&}H)vBZw{BTodwnpxyzu50T$-BMnmt4Q0Ye!i`2c9fqdT1GDr#RViaRy$(;C86YXO;mPDH8fY5v_<7K9> zJX&v()w3W9je>{NQLj}$hr06LWzx+ldwHc(4R%fdPH7n&jr(BV_80RLe*4_Xv_li) zqO%UTbwIG1-o9=8BqcAXnG7AzZj4_$CqnYzW+LrSYc>|qQJ&m+&`frn%=SA>)DZli zUHd1i!mG{ml#(R<$*3AT#~iOYAz=eKCvg4*smcLDjLJLjdNVpKR1rIuU{B)!;A0O@ zk7c`&s<;Lf?kxPp8=Rny(mGn`onMLBNsP=|ylorhfS~R>wyMX}&vjH)Z1>ED>>$MF zW%0b#w~4=gn48|#rSM0Xo_^{QTGrUIcecvsFBhiz;S{yD4N^bfd$0)1P?CKB<2bp- zI>FZbN+TnTc56$jpr&tAsxVtgfBmGV=$R~AHSM$Og<)2~C}`~51V-1e^RHv0G%8e! 
zm){>47ZMq+eT#Vh7}tuflvP&WjJcDZymh_d{yjlZy`kRlTMeGGos<*$hKR8K(U0uI z<(yV#6L2U;C&Cbl>4jC8a$EVAQJ-3d$WL{>CH!$3kZ*fC`2as`(FpZ*z_=hVn?5Pp>jD`mbB|pF2YVuxxY` zNx)P5pAw9}Z_od2%5Qe&|2F0SHU&7}s{fxmKH-%o1gh>{2%LXd2@uY=J5$8@?Yok- zS`!m5M5199LPnpi!>)bJ2b!gMe~wip9Ao2DAJHdv|545Ty{`#NKh6qKEo<1<58O&^ zJJ5ULdBJP*>8I{p+pJ;eqdP(Vn4d8HE@NoCqgALya=F}L4E&I@We#0<-*)wa^%<-n~v{sUpX=0PA#7q&U|CFx-DRKh}?>t*o;ZJUPnqc0O}=+N_VQ5}Dcyr#`A z?U^j`cOj~O+2pgA!gD-6t2pf2)hMA<4;f4t{L|YwW@xyAXN|^zDNUBXIv&NwrOwH3 z?$BEDNq8ahjGt+*OfOW6bRB}=U(-+kauB$@rjW7V=RD$Fkb1l&&rsE)Bc_y^U*mwg z!-&e2{+y9$#Dkmtx;82h{_k+k0b@Ot!l^CHXor7y*yg4$=F(HL!34as_)_xk<6z(( zs2}naQIVJndn)`98u=OlOY4%det*&KG)DSc(A&`c<=@*wqJ{cx2YD?|C zo`E@*L#+^2PyBK5o>Bs?Re=6e=;Wvs0nw}IecepPbwb2N#x*gDMd)E6BQCGF!=m1o z9CTyD5j{9Kc$aF6qsBF<79E_YbN5BH>wx7%b(A-n#!+5y<&O|KXD9*OlIEx1a%sHy zPP(x^Q1|i~Q$(1Azlq;i=o&9+2c*O@oJ4g!8phNcnRxls^ zBPFS8!R!t-LO`DP8zXo0Zw)7@-E6EQR&DuoK7R@coQYnTlIrvPq~f&t#+8ax1tEdB zAit!YI9Pa@kz}nk@Vwxz{d5R_xzYzvN5jUZ?KtuDA;AOE9;&P8vW4?l8Zg0qTqM+3 zCwww0>1^7eDvS2cB$}WX#rGbph3-3*PvVEmGDG%TqxF$sr9x$7j|EQv8y#m!vkq#; zKSjx@(OG48A~Oc`Aaj?r&7AM`jaD*%d^>RMZNQW{38G+Mznq;ZCWp7&{e_x=*7y|a zc7NFls3Qy%Lbtf2K)X{<_Ez|heZV_nama$Drj%^FG$bS8-1SjP+D*(g7GdK=VR7WJ zkVoRF9e#fPB~#*rcDmjA+i#gU;1Y+PJX=h+@m_TDzVNmR@y+FJ$v?0)1^ctxN?7Wz z((h+r1`h`K>2AJPS#PzNdOjs*{Jrbz^I=?cdD|bf3%GQ8b6JMPNvGX3X~|7EB6C4r zMR_*oX4IQ%ca1Sj@$2dRewCi`rg2`*yEV5>6|38gW;AdaSSMYeV`Gy07G5Qgz*4u< zP*u9kuaglc!CcUuAdXxU>BHXzuflB|-!$y#+(+NcIqa|~mzP;tq;08T=Ia_NZ*W5U z)~*nP?Wat*El8m+CHj%N_d`U>!RwJm3#YEBY{@?>t2wB1wt)<&z*c-mUycfG&nR1x z@yUm`N-#v6*V$IxG_jg=dwZpNkwJGbp!RRGAa~eprC+Y&#;?MBtchznMQtB_z)&!= z)6!*P8tl21)0JmftUv0D>MbMmv+EnTW|w;5mJxgM1`*5h zMHRGD(xs+ID+hA??r?;(RM_D%@ij={`^0lb?|qbtW~FNnOxa`;pKdQF_4iQpUysk5 z^<-x=c^K~~FCBm@yBE=B!r0JlPDEAOA1RMHDtR!YK+^4#u1+)ZKAxz|0+t3B^QNFo z0x^nwkl}HyQcLK39y3$m1YmLugd+V_%m4E46YUMr0pVZapp zWN`D%+$RuwCJGo4AalI82t0eTz8UQ7oc3nVy%Ki1C+%kPAm4lLn&4OhYN1-EcTHQF zO~Bvbnbu8@iSM>Ltw49wS15U73uJCyKPf*T@p&{D4fhY26TK%LfOnaml&|aQazXoQ 
zoj_P0^cFh!YR|iIoRfC>V-z&B$f?j!dcGnM=6tUm0LW~TRO}aB<$RYbsze)4<)XQr z*q^w+PZYQAHEX3lE|UqvQ>vlb$R314-}QgTZj`5%+R7-JFU9 z#*YefOV-dH@(!WgdxV9p4gWfO@s<&r-5%+9D>JXlvuuuyRgrsICXUDr-GU6| zxPd=$=qmM|hD9i`&*^hjH)<>63>R}?Y5J0CHCIbrqf%PNlSc8UoM`&3U)p`{pu2R6 zqc{CGd@)9JoLM(Tb2+k%d(zZj`@2DR_y4;R=%42zE+D+&K@*{gA=~GBs__c)pswHC z8sW<(v#C)Y$i%IacsP|RL9uqr=h~0`sslh+ap?YAsF=r-CqEn9EgTC93l-2m?GW+V zti$w70UB?jCvjTA=@kfO=aG*uYg$fZ7J~Re0Sl^uzcQJiWdYTvv+R6w9|ya(n$n^e zJ1$f4fc{@5Q4+Znfjvn}aJraW>h<8JjC#efLQ zlF)9@Ozq=55v!)J^mj3DU+ryS>;)ZxPCBzinxOkIXCvN!IQ+JWrKQ2a>mni|T@JuJ zvnQpwr$44SY{Ihbd8MvNOOH&tBD;swe5EVOoeEZB+WagI#G0DLCv(moca3@U)Y>MB zD{Zk|HOvL3ZEAE7oUaDya%=}MeLg*P03$*j>6cBtILJ@MPd81f9G~(7t=O))GAM()gXv z;m*)z-C>C|dTGk1k~3~Bd$LgExGTGL8bDhh12dW#$%}XBnBw&FH5Qh^0MM8Zges%* zKwDeV++u5(%3w1%G(-8P%7H_5!@+>#N6~GdgO+bHH=whsyg|^GPnXbEuwmKSBWo#~ zIRUHMP}-R4+SqL$sFafFU1fhdw%(6+?`HsKhE&q|~=TNFKk7eJ& z(JlR9IlXk%Q66y$_iFJ~Nm<23mqXm42q+8vDKO0%2z3I_eW2I7D*MpfUqMrhU2*u-stY}qqNLXgL=@jV%Kr_wXQvy)Pcq>r(TBhq7OX2ZYt+KP>Z@Q zeyp82cQUFO?Co8tm7X*(IJH`qZ~Q`+&avM|{{}rkXIh3{BL+`FR zX!o(kQ58;^|IwD1-JcJjYE_`(>*5c!wG-SF0yK6jyaxedFy~|cn$MG;{+d7EU3VHS zdbdo0Xe#)ou3p(wJ%~!@-ol`gR*gdYFc_KXXNSzY>s{rgBaXV4u9bdFBc&y69qZQ= zsr_49Eqs6p)XnRoDwIJ(A0~GXy0u?l8?B`rsF2zfTiw8ELTZk1f+k`ULL}_)J&3n& z>%F9|tDDl^9(3L+_x@U{Db;ZyU$f(h;C0LTpTAPyu=t!WGA#aB?ZlEaBqZ`1lI0)w zwjMzN`n7Z7-PNNX&!AuX{*M;G@9#(8Xdu8#-X8yd@66x716B+VRpHS;_T8hPd1pDv3RnAZl1HzWQVC;}IGy>` zez}Dq&wfthCBh5-+p!s{66XY1II9j{tZ4$gR?c|7?0vU){DruaX?uF-fZ^`QWdJLLnyAXCq`|7~cTRytSoRXP8$&t|2Ni;rhG$*ME|2j_k+)1Sq z4C|OB%LMS+7U9^xq&}ims1}?D*8-M<+G--&%ul|k3!|1dI7(EBk47d z$P0)_-}0t4X&8vUR6EXAsNji9NIR@_@bAVChN*rz`Y@!YNhOTGdQ^Pu1g|XRhwFf9 zFs=_GFp^pSTR>XR@W?}n3sJ!T7pPg_2-42ay$3oruhwV)Ubpj*|7AYTSq3)@(*ohv|q>`dvNYuQ8iJ#_n}wj z*xfkWUPvKIB%Cs_tTYk{a#VX8%^c4Rf!oP)WaY$+ji?(MD=ml>DlZWlZpaye?z|UL=DBaVgVZ2~zNmnB2BXsL6Y&HN5!)F81N>3A?vKk0m{agOG0E zVGt+pN9XsJ)463@$bfLH3`yshqeSg}UcmIaY+=0FVn8^Zn9FM7c#%KNfGVV@fIaEk zb*NUc2xOr%Ia#Q{D5Q%vX};d)n*ETA(n9Z$Gs}wmsPeecJL9X89~-PO`pVEmBP&6| 
zVE=n+%~k!zh7gD?N8M8O#20(_-{Y5Qc4;>AU~w-0o9^x%uM2&+h4is$^&z;^9b?{k;fM-uhcWPfcDLN?A){8;Go1tTGXJ3PxPEwq{K=#%{kc<-bNQ zk4Vb*v&(m_f=hlmwCMXJE_zM4>(LPRp>Dy}p$UfZVf{+^Op31`VRf*^$1U=VxcKK^ z5A1t-@9zH0MpxoZ@00xtqBFV_>=Z?RZ4qd(r7`!aJiL^es@nq%^@07-|n_o;6LkKwi{i<#plxP z#o-vUtJ2zTQHd!Tsp)&0b&h3zBL+5q!Dl}qwjf! z+M_YaqO00J+lwSPSnB6j(;^ER?x%hh+c9J-Ti3H4V$i>zwXm>o@J#C2+8+sQUrPe< z5OPU)&%!GLM=gs&k%`jo7&Q!H%_6=8sh@C5J>cuyoKyJ~!#Mbbx*i4z?%Tw|9_jC{ z(Tw(lPxGxGe%&gC8dY~?$l1!um&|y1*{+~q@Vr!kz2ua`BtfPup`@-9ujK6&ea*F| zhT?t1ZrtXfP5x611hqNXpR8Zw5I7KgcAAnjfjWqd&2V6-a9KjMzmfCQJuHZ~i6u zPXJfGc^Ap2^T>9wwIk}gVF_}()nR?gVM|z}O=tlc*sCGNES$CCKof&AD_&_^sErgg z5il_qN~73x`DQ*D-OzOLCK7c!G-G^(ItiC|&>vi|6fEm`dbKc*tID`ouj~yA6jc_* zXN}UJeLMXl8CDiJIGeqslj58tNwr@8Rf0JK6R*hm8(1DU@dPm{L_Vy@d5euLN)<2_B# zwENIiOI>EK3t7I2F~un2z6$nCnfA|>sdv=|*cj~kff~BsbUgdW1J!aWS@W;atyla)WD^A39n)+EbhT8FnaPL){uT1}^uBp(}ue4Hce zsjnZ~1yQ!-opI}3zFnxDe?r%B6$&g0*vX8B24@=(Dbw2h`G_ODZy9Cf@wDNP zpi}dNt5$>{_zKZvx7UK`G++m6+xD-HPVpXW+Dgeu(wMbe#k_qzFk7gh8AymKe{uK9|s8WR+e3= z`Xc9luHYWhUo;WKZbwNt!gb98u4~gaHhwj0d|dj50x1=7>h}@YNoODjQVV@{*Bw99 zUObB^h~`#UX)f~@CJONtl|+;T6|fsgK5v}(c(D5tp~z|>dkSpr$I}%O48$gr3-iRi z9V5~CF*-*xh>JEiUf!mR7+S8LeY3Vh(P^DzwJm1Dj_NoW#4V||+Sf=ui@X^+J1O`H zY#*#oo~(-*DkKLQV!!Grq2c=Tz!uhAWoJ zr;^8O$YBYxYFK+BW{v8By}#w64U!mw>s3c=4H&{IgH!Gj<&QJup7c8x?a%bqvy#l6 zgk2SyOF^x9>Bw+xNy_PZ0tBka1Ja41TZcI8hn;iz$(i6T4OAE_5c6&gWie~Ya>k$5 z?KyLGvg>r(j94L0xx5}`0S~P(e~(Dc1+|PF%$bN;8^e`HM*O^zSIotz@bEX?wO4Y4 zMP;Za_M}Q9b-LlTnI!$|tMhO_)hQrsa6puaEsqNMWW2WM>B)S|MMaH~_j9(3QR^=O zX$RVNaAo3>Klb=nX+F@8(PSB7HW2j4rE^S)+&#uB%v16TRUn@k+~=OFD|SSsG?nlA z2+yDvn5;9#&8Mr?oh4lVOa8fQ$Z;gbD6=?LlQLitUygvGGbbu0?K$5>+;D$O6pRRTfk^C zwkdhetx;62nvAkN%gZLqA}{+X-o*y#_D!gl&k}>}-h5wVCTAN4iXA`CkxgKr?%N7H zruOHHxZV>=Qm*XvKghfB>W5MxLIIK+FC$} zx}Z~ALz!{^zSZd-heZ$Jp9?_v)H{glDN(<}`~zjYo7>%7hI-S7&9yT5q_13sxr9T3 zXX`UO#xDEU$>|B%V$EDE9^3CvG8<`2DXaPyM+H_k>-e+YA_jYu14O#FL!ULL`1oZ$ z$IMd@2Y;pc?wiaL49v%{R8c9a4%MHZ;Y`}`JwNzHzOT($k<<@;jjK_ipUil*))eL9 zus^J}fSw~@!ok-PW9 
zl|X~BG@rmLz2{>Mfln-He`nKFkS@gpYeE!sb;^UJt|AQk&b)Fdq!DXt&05+`i+eA& zrK=2DPh~s#>G+ z{!mZX8RlD735gC2iY4em*)jvQYU{oEIkBD*U5B-)k7=MclP+om1WR(8>Y$*A_i9p0|&X@%ulzim@C>YypG-4^1Gw;vDz(BVi|9wgt=&DgS0d|R37f*Fg3G<>1Jc@ccx)b9g_y zwKpXABiPhQuH0ZW+y}Qn)8mnnkd2zXhU$>0!l(K6kH4-T@rzQIeRMFwPqk^^!w_BW z;e-+Ca{Jl1K+5pmDrn}+bY4hqSz6%KX1y(cqs)G>;y|` z*g+!3qAMKL8&@ONeffoH7m18l^8dV%RVR3ZoR;jZZRjWb4BY1gTPU2x*{@KIGZ|v- zi0}LPPcEuV8fD$Iz2^JLSmzb2Sdg%`{9`I_V1%2i@yoT8?HVLrJDJ;ZRgUyaOw!?D zqNNipoqW-5Kg;h?am7jlT;W7$2v#8}L`vHW2P6e6jI2n)7e^(w*(C5nLxONT28D}xd z{|7Be8Z?Ax+FCO2osKBhM+C{C%zAy*2nsX{K0mpJN_$`h=~r;A1-I)4H}X#nZ8CR=RnE?J6^AO zTcS`-ob5HwPk~jWs`C}+>iQcFj}p%Y(JEmc@siq}RS$Qo?wcfkuO)Ni=);npzz>it z_3YL4fWZ@Q%N1k?g^X*;A!$TTjfCP@(aHj#W%swPJnDYfMbf>wES#}|u^|6DemZls z2kom&mh?niec5ScUnex!sJ#1!NBOo%C!G{r0o^wic=J+&-H_VK`tXdg>O>ZP*Ze3~ z8OO&KaMtkqgfv3tgB%01#b8tQ^{JczcWIm8B5iAK@HL&}Y~!_n&I$u52n=qNR*DeFZUPm~gnIZjs-|>Vh@vEkQ5zc!|$(FKdJ% zErsX6u~KaURg5|gQXgb_z?KatzvLZr>l!UC5BH2}GrsOv!h7LfgY#w=ZyW;?(`)}( zT`#OZenYaMUuMD*C4&-gv&d6WLD*BpGCuam@OvmP z`<-2U?wUJQb_O#axpX1#(#CJIQ#~xr5&b}VXrkCc)^l9@@$rSBS@m$EU%=wvR3Uwu z%C_h{gaMZT8EU0|_cl=cPTP%3FtX~jRM5P@!p45IvePVP=pt8(9m&79?Ak}j%T!+; zw8XBjXm?Ph=x<*!jrcH4fy(PR8Pc)bR~S(9-v4B#%PV*$9~mSboqCMy5O9oD-vJ2Y z_HC7k&FEu+BS7Qm63ucH|D{-ZKYI0W=C(VP6NblB(%;qs4!{-v<|22`Qz4rM)%$f~ zYBAgjSLWcC&y;mO;`r??ofSw1%xv_+WBWpSO&ep^_+{>6y!%;zE&yzdh!gx+W;!g4 z8-Vdi|0E!e`Mm#sNC(w^YGUwc$y1z8YBe)>OcY=a!u9?E1*=?G)#Cgu2r1wko^uMj zy>`LfEK%c1h4nB$&Ex}sSitrn4tB+%xJu67UeRr{BhdMdxVw#9vX1-}f8lApSNUrv zdE%=6g;+0TMCAY8?&cf;$sXgi@rsZ@TTD@+CQohON~EgS#eQJeP_OjLl9kHgG3^KI zf0q24qXCLQtY!-er~{-nlgV@X#C0!oJjwsE+3E1Ov;ARBTXizo9tRniC6LPYaZ7=6 zp!kxDy=flk8J(*SjN$+uqJ6pG4q{O-L%WIv@TGT8xE1T_A4t?-XW`G5QHfBW#C$K?N&_aR4w`p6;Ppg$_&28w3q$3EM7 z@9#v~K(G4IKMEhr*HllHv*O`M`;`(sDhbE-L)05wqYR=O0>9UeoPn>pEOX%|0@6i%y&<;X_GaO=v- z#ti0L*4+?p&dwHc3^-bOe>h3;&y~$+YONfl9|PR>1&w>{5*E=dcJ-_fMQHxhXOc#L=1rmEy5b(N}>xfUG(tXI>|vc7P6(>@bR9nyj6k{?g%3;ENv9-iFs z7A4wq9uB|KKjJoy%h#el+g=r>OsjD_M}Q_ojxN-U9}&9F 
zTP}{VGg1CW4fFoBA6>Aq6u*4~4vnLF07~&@Y0>po*CR2;lP`drUA0IbAUEgDe(e03 zLa254e6UmHVWMoxh-iW)p!q`oe_WHN_UQ%*izEL-c?IwqXFnzWmRbJu5U7SxchVMF zM*Y*RgrC0}=Y3NfQ7oP6D}(uxtdcKP#VCuN+V0Z*=*CM| zJ2y}Jdm)_Hqi#mRSqQ) zyT}K>;?vR=W3LKQgRzR2<14K+m?0cHW^#Q} zyz}k-HqQ22uX`MKgME|}&bCK4CvqS9m4zz=@Xqs=z}){NZNa^Ii8CtT>7*P{_W`8E zLR($QZYFE>gFm9K{NN6+w&l0$D!W!08c-QoC&8EvF^nio9NwJsz9k1bZ?L0+K*rDm zT(aOUP?Om?`~A9HZm>z+ue2+>A}?L1skuT{?+yF_mvey@UX^^_a+t?7z&K>p^#{+% z!R{yw1xaJtl&;L?yvg2c+()?PTf9rLd{%a58P(=ybpxrcqn^Mk9MIkXk?9=GB-!hR ze7r0n8o)7HECzHtcC!VT(8rjH^o{=R6780d zHd4lS(5H0I9Z^;@Tx2ZB&HLIRdFRD-vmN|JjJW@{+IZDr1?<|}Ra7GFmUFwDlDTGI zZx1wiD}3yZn-|*|br0i<_8O}O=9d&_BkjsDM=faMS>6HUmbid2gIzJEo!ZVf+S=y2%ws~toR31NWu9xln)9XS`?a<_ zW7rMC;nq*|8gbjG;L7Z*?-8Yz$kbI|4$#8$vyV9JumutBI=b7R#F-eK`BX%vg&ACo z;!1(pS`=POO2IeR7Q-_MvG17{ph#o z?cQ$EjB|17XvDW=2akL*TGHXP8-tn98ZitFMjt}Fqv@wM3si-|nu*Jq8@;cyEqE;h zMp(R!`-adOLv8sp&kk+J5r<)uA)y8}Iye!+bH7%P)3WVUh0ZO==lpq8Ds)Ib7HwbBcf*0 zoZAhy^<7~mSczz{%@rSjwBX5YI(z`$!O8$dbIB;ls4guWt>gCqNT)$|FR@-Tx&~Xh z2)W_(fu$m3tqeTaNB#EU7x6gX`JxaN$9!LBl->lqh;^TZ@fSOnj@Dzxw}UspY*n@rXqft4cWHBy>5W4z*SUc2tqSny`9Wni!1#wI#6Vlh}w^JQwd>XlR1 zc{%;y)xjS3b7>r3r3!S;e7;xbW7SC^?s(T5;+*z{;4XlMI;-OmlMK1`DP4Dxa){VAt#P%yFc zmA1wFa11WrJP8^;mYCSh-Au<+KeIK;c}T#w=;$F6oCap_KM8;=@X7JdQpRaFozHH{ zyiU-cw;w{crbwlj`i+bxp{z%>&C{Dx;GQL>pBpaU2v0TQn6t|`g~dRUt=Xha7RgoW z$`G%j;h1*ki<=6Z&Ga#8`zawe?ccqTE~V+ijSGcYY?Ll5kr=zyS@|EL7PlH`iAOWoQRiX998hc6a#k6xpq&pCYk#M2Mt<_rIGOD8Nw8G>V8LQ3w!}5LrCn55ZA6G zn)r=iqm&EHF8Vo}Bn=kyZ8wsb7s~T37BKijxciH#&8YxMEWT&sXT(8tX|#u<`FgqZ zjAhkYpikOV@Rk`h@${^x(#`$b#Y$f9G9dR|p6|W<0g9LTAXj7w*qI^Z_&2kHMV^<}S%rujCDSWP8l~|2i=6T@r=v_ryq3$s znpv_(Y>fZn!O~ty{*&D|?#|{luCv`tqo;6GyMwdb(eO@2*$BfXcdm}c+8Te^L>Mo) zPpoGlxg@xwZDwDr54;;aa(nGCi;F*Zn#?4+t;=P@dBbbMLpWm9^YC%KQK#St)XMCB z!wo}aHU-_R`l|Bkr}4Xq9fEG`?foav^P_D@SpD#hi!IbOHZo=LZM1dC0kX&7;sKuR z@gtarspj-EI~(|yY@cq1bObp#Yig_e*)Dh>h)vEVa`=;(8CUJr*Nh@FPak;$!lBy5fC67N2o(%)`jK&=(nQmJ{zsrzWBx#KBO>)tSc1Z(4nC)Z=5dqw#t{ z@v|`=GN!UVd;TS&vqoPlGjx-8On%Xe;hqnD3P 
z>RFHG=xF-x>-4zZZDp$AXM8QnLaA|GZH64?VLIWGw9&Lp!#Y{FS8lfZP#)(5fg)N?Lj(v zDw9bOu3s?O&+7AU5acjX|wfvj*1+7s^7Vy(lq>shehXg|k{0U;?7aOhp zQ^|h9Ny09p<$T)guMjk!l!OC^H+>HJHgM;eS;ZH+UaPmk8Q!YBNR$+eAZuyRIe$O?q>D!W93=C>$VDGddg4BoS^>Lm#_Ef z$+$DSwU8O_-6EIX^?AnAXU|WN@gLl5Rrg3rs`f@e9y~y?pk(f6NJ^I=bB!(cbo71=1uBItLAmGoae6jJf}7P z>J4#bK=K3TGh4;_9*;7gm)uf8uSbD6j|%$zlb_#<`kl4he2;84gMp`;-wb*U>0qv{ zzI^AZu`l1d`dctP{g~9LT|L_|A+!bgE^`j(c0JEC`})wr99R78?QCr&vC|4&+l5{RjhHu^myt`4?Fq#8`@sKFkXANsv&pvZ(10e3i@q4 zd3BV8nSS)I?HwsC8)W`}ODo>X1o>~dsG&4{Hsk+5Q%#URR08{(Vvpqdghp7IQu5r; zmf0So&3iMtLhMq#yc5)SUAcL^O7g`W?OkUT$+R!~s@(*A^uKmRQa?6YG6iz}wkl$i zKmY#6szG_vl6c5~%jENsW2`{`wjI&Zv~eS^wL5$`(fnuWfC=DLka~48T5ujP-H=2_ z$Cw|N2~wp>W%J{{mNagd^)8`jfjWR|Ox$kS85?T`_b4Y#nl!TV<|lZjWqa05zu5Qg z-!FOtL%U7UIyH=}FJWPsheaRTjoZD)bdM4v+9!IgTHz*$)=(-{a{tetXWb7aCd%Hu z`>pbi9!<5@Z`2^tF|pU*y?37+Ig)JsAjru?x4knq<3A9UD_1oC0raiqtJYt;jM*0- zF9(dj+SRL5M;e)~UhEd)c3pgZJ(7|lTeogEKQ<4VA9*QKt!h>CADU|BoM>o*oY@B! z)jw|cZp%}ol+>(QU0Swip09d%9!srze$O*K58}-^8)NFW#~hD}6->avbcxfVSyK~G z$^4;a`>5%{f0kH-H|sn-KdQKN#iMyESFR+fX5hP+xQu?aYe$4z=e}Kr)?bf@o%9^E zlb&08PH57ge^^-7{|MUa>UpU@YV`+YPUnxkzCT_Uuh?O=G}f{{fALx;sINbA*KCTD ze@qMJKh5BwhfEMif6Uj@|J0kncb~J{nbvVVtsldWef*<*^4)y7b?8}Heza?sCC|S< z(+YZetM7mNc9EAJ8sIFNH1l8iYT`n%`!IJFoSe98NH2Nhwu`bHOZ^Y`1Fv}RV^_0k z>+824zrqUIyOufo_tkQ*$!B*#V=vRLi0&MEwzZG;yxd-6%#Da^?;9!W%?$!OJ@N4@ zd(wLS`q``H;Nc&?{)yXdx0opse^&gi?H_r6Yqiu~gX^8AhByIk?H7ER z31a@ee5))p-S32zDI>K^K%|N3rs#~$Eu`D2P2}w-2V0-rNhWCgmFaii^9G6Maq!%4 z`*?ZI_x4_IdVOl1toXu=ci=7QF@5KW!A`)_bDe2FEtmJcnQL{Y<+)7XFZlYd9B+i# zc@{3&A_MRL%6hA26W+hsUgXp3K@;qK?6qm4W}eCJPQ!D){a%A`BgXwHBd0EMZlc-C z^i`icdimb|a`{D_oY_O~`AX)PE;#J;?Jvtk|LmmQPd#;aKkIFN%D2nW*E#do$(^R_ zD{t485ibpu8m3jTw{cADGBjZI(94spo2K?W`&9?Be(RAdvYcb~a{Uhc^xOIJ%;%<4 zagTJ-X)WaaXRnld&5bDSkNn*SE;n5;boE#(=eIx4TPsh!H^aIa>}}0+J2sV1U%J+5 zIsNvCIWpcn!KByJB~u^Ck|jUaK)vB>U&mHYd00Lg^}BpHc~O?K_50$nJNj6`(3?!_ zZf||C>sT>&{pUQNZ@9Q_M1MbgJbIoyZ=PQBOlP%gBv0RSspsr0@ALB=bmiS6taIzz 
z7q1gNS8sm)yDa7E_s7ULZnU1Hd-BccPB(k5D_(I{d#n2}Z$WJR4KQZv-}0b2*51-} z7oBG1E${Lh+uM49n5Q=rpL{o?UOMQfYj<}VNc?;GHZ$P)R@q^0V$?L}op#Hk!B73& z(zRn_nf1|d>2v#M*5^xupc=^2o7Mg9{KBg4^TRKeTdqCRt?K%@y56+**C!h_jd<$H zEaR%^4VDZ4_ldP!ecpI%kTtFU-xTI+w(VcevXNLP9J-1s`b6(x_x_E>-zki{p56U$xcxn&?DpGhL#pTd(^LrJ3umO4@$I^muc+arMnup zm0jMbLG-?4sb(6@*f$K~OpEblrW>0b`%KGmV-{t)wdvHt{U*9g5zb_4`f=GDmn>^{ zCQ7U+qi&6I(zc;#h}G14H@1h(7y%#rn0c*VzU8n~tCaZ^eW#{X&9$aC`V0~ zM|EqKmo^P5XWJdl*4;j6D&E6AE09u=yz3H^CV2A3T3PYg=?adWX+C5(PP)d zJkij}_~3_SJ)-BpDdsrjmN%zzgMFF%)hdW; zt3mZY7W`$^sC(B_O{=^%PVE-_wK&_r{?e7JWXyL{tbpW0ci%1}zWG*`uU_ZmwI^Cd zHIo~!9%2IJ5%w&%*X1i$%ZSnAo&Nppg;mXsf!l8$CY8*MgTskQ_H3VCUF&xL|NT!s z`1~u`Yy#AtY50GxlP;Z3u>$^YfAo2lI%x3vhHC~(*Hb%sW|fVbx5!U(=E{mS-XGm> z-?o+f=h~}GYqg9E^VA<^$-m1oy5M;6iHEZF(7KQKW~{ZnEBg19i_SYc%eGx-q^73I zPrv>ybLTJg>ZJQHbnpP_-mSB1wp^!Y%=%frpOy7Lq;|&My?V&dAp`BV)@zCh{!f_p zgUny}x7&RC&0sTb!-eO1{~>Cxv^D0soZD=i*DB{^Un7E z{qgelN1r);<7>SpO`qvjy<3M3mCoke(3>f*y#0Z-?7u^=vaI)-{3FMVmrYx?IeB)* z?sC@CnP;8RUFQ9n@!7NUIV-zN#3v-ki*LMV&C&Dfu3K+%SsIv0Z4vaC>1$fkGq+r1 zT7K2FruE18Gw;lh&!&4n#=6q_?;o>Ti47fiy1Zcm%o@O&yKuc*&{|s*U2^k>ZUHO} z?r5@uTAkaw-&CAEf2|YL*LB-8tt;!c?RM6GZ^8m|GcH`NHGyk89ZF1=n;sqQ{KrLq zly__2SPq(-5gW{azgjmP6F^%exhB1-aii%*$WA>>D@#op{L%X9(+Jv1R)5_4lJq|d zRn4|F$Y}@nH3%0`wUU#)PDE8_T5sZLfA!jpiza)2cbZmJnqU6|f5ZJFWrAr@=-Tph z?DT)cHK^awwAyQET4`=JEo1HNR;g6MDpOmBX&>>fH%j!qo!UgzwP zTYH^Qdevb0b0dDXs;oDF>{jcE=1GX5_k1bZ{gAiR)ts+0zP!V_8F!oc54Z-Yr~kQ5 zUNGmr-EuiE$III`Jm)2t7Nf2~eLbE!AgLYj(Q|$Hli$iO-`wr?2lX^9+KD0H1e&%m|X`-|;PovlajeRZCz@pk~aPm|W zJoZc)#I*-F*JWy>tt2%VrG1R|zx7i$chCGez1Nnc*PC<8PI~N5ZQVekO-pz?*mcC% zd+QFx&g1%;-)o?288@21k$rvBYoR8)F8Y0;H_Cr9pHn@rG<7#EtrJZh?e{uXOv`3< zO^~*OwLCBX-241Qx8RU&zoN0$>xGUn|@Wyd2e6O^m=vd?+f^HkTLX}ao5G7SvIzIT&bfLNCmHfa_@PI6a{`%h4F;FxmOA)GPx*CuybK)W9@FUE zKHLfHA3BmIPmI|lA1=@MzVxi;I~O;WJ1=YEIoky2Gqm< z{_B&SW!U?xWXkr#Syt7X2A|yARL!zv{_%*0L{IfOk>+Xyov6ivq;8Ev1 z(D!ry*Fm&9p7HbIt|LgTK*5#&v=C{-EQ^MurTie@jWz?^+ z^8TEi*7ls4E)#nEU%I}PbB)Z)zS_q_i`(>M7ing0s<Yb;RL`%l|& 
z`EYn!)3`WmBhPc+U151oAJ)eD&D8I!tT({5jQ1{SVxIVDtdl+^*W;7h=kLv_Tjh0g z&S^UO-kDO?OJqMjF-=Z?JLB{G+WC#-{(()c^?m*4*|D4Cxdm}qR&Q51Og^~2rJUU% z>;M0z|FuW%{%(`iomG~MX2yASE6T+CPPJ|nd0QUJ^MW?8|L=-bj_c`NJDV@Ca&kuZ zuJWe|>i@A|kqj}xSe=($(qQFl?|x)jneVbzsaLPIlq(x%4GgL?Hf-7|BSwvthwix} z%Z2!lKNndy2kf#nm|v%MEvqaI=D+&RhxVd;y=t9aeeXl3o1vzS8%V;T!&X;ATHt42 zjh2Cz_K_(wW?AKH5WGRXIwqJKZw1NqriVVg(DbQB<}p0?A3NL4lL>ZEU-M~;>qOIf zf46D9uW9w#4f5@zsdDSE>#X-0#I*zai9={#O^MnO=8;KL*Yz7SS|92@d}#vAk>&}7Mh$!m)ctObyK7Kik7;;~8s^D_eNLde zLIw9bc>3hRi*LN^*j5?LP5=Nv07*naRBC{v$M0a-_F*F@2G17tAL4; zqJ;|>iv7(yb~!b^=u|+ZN)%I@hv^hb8l?bfR=bF?ukYxiSt<45NnD9OfYYZq6h=*|6%><~?3N*|x;J`%qBT(pe0T7rR=JL<1v zlQJR)eK0kwSxAc>0PVvi!<+8MdE4w1`-@i{GCm$g_o^-V;8i3LKB)H|z96Z2RG2aL z1rM~={btDB;v;$Dm(68zR21N2p~I(hrGljUH;bjgL(x6R4V?VJFajm-{-YN~%^p)^ zt>Jy@+IbV|n~s>c%21qq-Myx0-7v^_*;%;ifap$<1UNsRkmv4CuwSLL_O_jfS|47> z5Gef$TN5gR9;4f5ze*(-6h2*OY?dpLjg;lF$YXx1fMP2_eA~-7ygrqZ{1kbA0wZtF zmnZn-BSoquxp78OrA#g(N(P>OxOSoRhw=f2wpx|)8BHFbaj6VKIG(Ws8j8xL=_QsF zpDIEJR2%M;bf7P2K?WxX+F3xJ`i>Mfa;1yExr=uj*DSoqas4Uksp~X`JCmVKDId+6 ziA|JQpORPY3-Us(S2aK7MzI(SK`pRk?ID>Q7u)^1WRDoyr?zZj$&{}0IMY`8TrRh% zTSD~fQccb~{`t~A+5p|s5G_h)*02_$YT4Yfd5i@ZdHRf5>bN^&8OGNBqyI3L;f>sg zD6pbMv$*a+$<}7TOsPo1IaoTmi(PaD?&(UY52gE@Z`&DETQE|6F>bjWx5f^)*fcV9=A{-ZA*QWkxidtmN<)h-VO< z54a!C8r7COa8t-V;2H3K-DCV^S33`HW|G?+#V$o+B$Z z95tRzP=Lt4{0RnPj(yG|QQ{aPh* zh&omB6D3kQaXaL(VJOon>grZ0AQk&Z{UMRKdl>-Fg5m}KTzt!t9wG0I- z#!9EpEblrn1R){39&P6D{U|KPk-yI$U)~on=J8I5=PI6g$Va4b0?p0P@0ZKx?u^y@ zMJ}QMYuBhGAeR!T=dNnco2hbEXi_1c=+Ly3r0Al@5M49QTk-Tgwq<>CTB7?bWc8Ng zqTxG*LN&TAq3j*K>krlNF-w9Cr9O_WaMIZFx&uDAJ}ONyt2Dg0dt6qhB77ZEMUGh7(~ z?%#hPCjLBK1Yf)&&Jq2{iN8;aJh^fh&4A`*!IBlma@Y4;iGukpUQzhSh0=fS@3xOv zqoS8H$Q@9lYDH0}hK-_Q!li9dogK}ruthw^Ip~#1~HI(AHvSk%2f58?~;?}H+@NWB?FKAno zu^@k*oTQL&t~gdOfW8IBiGTn5SCpXhlpvl(i2-_;on$1KGk=k+x_SE!^0059Hgh@! 
z_H%z|YEoK^o4-ve1pgsAE2W?TO^}kB74zEd2OsMt3T0NSjp^^p_8H!9;|4b|l=`TU zJZS>at4&3*bHFTFf9u|}PH9by2ECkt*VuTXY=IzTAGAig;3Mgm`P&WU%n#P%efE## zSI&iHw;%FcdTM~^Pi_&6S~a#)AGDW z*-t}T2=GlSf#Mj333r0)x*-{@pk#uAW8wIYh5^pqwrV{-$j8juAQ#cbUCI&DeOLXHB?>t?l!irI^I$!q5{Q78B+zO?_Fc3&CVxw@g$M<1Yo z#I+fG`Hp}mxtT1Y{2a=w7W5iTDB-6rxHr!Dy0xg?%i_H|<=1WE>;CnODwF4IG3KX! z*}_ojqY#FZQ3L9W!=%Vm23@1FhckDqT*>hK)|L9$98n`?_jG4X`+5&FYww34P3>|j zz$3di8REteMH~di+s}H|w0kyGDxFin;0&*IS4JeW{h@69EX#8e^PpGK^Toj6J)&P- zarD#`!^0i*bP3cm==*_945dEW$1|W0De7B%I@{RY4_`Eq&oxzmzV@bMvmcLJDvOYp zKt+YY82&jaDj~Q&LFa>Ws|42=#@tnkEW`Z~P5>R6m9~3^s=8q@MVZXF zh7eE?!4R$tl&OiQT#3$!pFT}uS$vMDdz6$dp3N}U9652-?p%2ny@p5^>%uQm-*A_=3yNa}c zKI!)gtVbV*5dBznD?J~08LPhgtf5niAaB~z>sBk9M_z+?7no1aJx9epj6$=Q?U9?{d4b$j zffQfQ$wP8pP*Rh=LG*7Klq2Vq$~&d%MU|;i>VH{2ooG@fjmVlNj-*vl9?W0 z8vz1mnxEHP7G0JFOQmWZQtq!CSVXqnqI??ZdH?O=V9|G-rSIzp7B)?uD;sn8E0{Tf z*!`8|{kY_y-SV6vs$k7$_V1Gpn}u5JLSFw$q1`x3LNTsgE`v(vE=53WAmdEs{I=so z1HH(bJ`RK`@I|rj?)p>v z3X3Vc?p0()+gwS+*!H;$S}jmCRsP|KH1gG?YxLxZ5+Z(Vi%NU=BAX#_PwxVvutqxt z%A>z1Id#g!w)exZ==-Z|(_Vx7Dtn^s`|9-@1~o}(QpPIpmTXxvOC>a_D#gFHS*Tff zA-5$e6Q$Hgg+z%Gie?RMAC*ve>#~(7NZ`#4X;8a{q14AR`cb}gNm02%87%rGP^Q+a z^^Tnqy<*u?cAnE!DwZ{r`q&wig>}gg07WVUeC&<_1$vw2jY(N+9}3C_Bo&Lr09Fl2#*wQQ%?*$5W+zSwpFhst6q{M^OUGL;UJB%fr$| zGjbI;{*@FWLyKdM0i0Kyn`B8W4M zK_#{>S-h|vuBuL0Ou;h>DN0InC5MTI27-^~9_=csVmW>M)N(Cjoi0hO$zktWlgeQo zy!(}OAp?QB@2E0graDE)y?alLCW_{>d5-k_V!rgoH&!~CL5MP>deLll9+@#F zL)jPnVT>Tc00IS%W2B5+;o=Y1?+x-+Y(yN?_>hOp{kE+^bK_#uP^-Y}tJ-K)yO^C) zUsXmJJe01!3KU+DtJLSP5NGY{bX5)CDQLQDSDuUek66YWHf&O>u<7>2=-!0L5(wxY z^y~kxU4P4RtS@AZJdp*~Kb*%7O-kuSUd@-bCfA1XVJLb3BSOJf@%0|)xIY+1b;Yw< z56@X8&1jsNJ%jY5lgRntjqEraEUV*sGNVMo{;*$X5{PFIA_a;NXS|~*T0NBGI)bs< zQF0RfkdhnZxvd0>a}{aVwq6NSY*DwJHjY3`6JB!eg5_O3h@OMWxQ~Reit^*Lo;3`m zKKk^Oau6tqtG&A$o3ZmWNRu6;BiUdec7MZCbu-xxXRW14b8J z5Rt2%^DXN*zYpr$cr)+oImwsH^6bRE2LG^J?4*81Mmc%yi2&EOvmcbHW&-+-0gbar zr9RdxrTX8*M?U_b<(sf3ai@RZF}I=AM?LV=uj)^Zg{1U^d_oF8I0-tFIlXL3ebgyN 
z9OwOu+nzb_9v?-DVzqzNsZ}(EfC3q!yy4}7hksYdGdy3vo$~i)k1Zngz+Hw?zkbF9 z;s`0W!Q=0XpuazM&0{F_(FPR9<67D7^=Igu=rWWHB}x`_u_^UY24|X%@1z%BSG0U{ z;CTNaSG^qV!bKPU3JPU0KqsvM^P5e(#8-Sn34I~Z|%6=&CSO-TqlCr7z zrhJ)_+LCP+No19P-bR-T7i}M@C5igSOb{usZsS(7RUVfGkw?9mWTXVJiXtVbXy`i8 zqemAR)2EeGLP|Mr){a@3o=*VOKT2>sil=?Y?!6*cj%;d`obK4YM^0f-$d}iqxU;L| zt8BOLz55RuyF_$Ic*zN(Fo2{YuPr49txD_yq!>~k&1&7P zJC=uh3aj!`mEXSiSk5MhXM16~Lf(8z@=`dwHv(_`!^f_Oi&sNLFnv(pfAEwHgfGS4 zL_45Ff1fP$c6#|yg^vp)$1L&Q7}2QQ+cGS@c)?6+6Jv@O-n}O+_om=0cVrSRW2MQ= zCgR&wa*B9t?^?Z9RT-uUiH<;VdF$oQ=1-il8R4cc+$nxvu|HH*{ln!1eOQ767}A~; zDmYdMXn96YTPM0SD@$C%g^b7xxiSEMpcQKL$#mHglo><&)CoYV5vvJ&d@F@a3Q{O5 z*+br#ko+3mh+22!wnbs==&^t6uH{(}Kd#OA6;|g9N|@tku9N5NeM%O7Pk=-I8Bu_! zk7?CcOz#o(l@cg6%#@sJz1j2yVbqB@x0MoX$(Z*|m6`a^!$Ag zU$xFmA*$BphQf)wsa*+<>+lKOD=1+);qmavGfF1*QtY-~AFj6bWSzI|U$831;Gw8E zdL8$Z)k>M-SdQhh7cKWVY_I5r%<2^(rM()ncgV;IiZf8*sB@3?&Lk^&YnurSH^G#r z!%;9+)O{36trJi{px(zU>CKNP5hW;A;w&ks@=`}V zc$h*w8N;A8Qdk!+kV$T5_Ln2GL1f{C)1K_I#bTNSL0CcUd{ad0dyNs0K((`B6&fBrlU}ngrT|sE^}RR zs4C<~qS)P*Z=d#M)6jiWt+7oDW=J4@KWBNr22D#+O48}6ynOjTgL21lo3!Lr9P;QT z87Lgrc(&Z7f=$<@Z;?-IRmObVD(OW34HoCIMT8AJ*dv0h z*776tt(DRATzT71Q1B?ZP05m7C9_raJegjm{0=Izpl7jErehE7d_abj)xVsSO|IN` zi@5SLhH4&$fvSbg-zkH#BofQ4iKy>T0&2&E)1ex3C~$TCIaCekB8(`?P}ZST8q=i1 zRSG6IB5C%YeJBkv=tN~Q$ZVo$9Z>c3A?yY>$rj3(6VT2^u*M>sV*lmKm!wGCDPc;L zBAHYs-n(a0{$|aR$$)StDWU7VTf*{=Arg*4urngD`vrf79SBu*Img+!|!(Ai35%SieoWo2I1<#(XJ1xc@DE~8Q_yx2BCXJo3Qt{{t`H(x7kKn`!Y)TQe=}zKbg&={RF3QU* z9VKv8qI(OcNMgGV)q1ljuC*WMZWZ6p-e@RI%<4Iofd_ZSw{65Xlh;T^6V@--d{qA6 zP1&_&c{~2(%bLe9y!@1>pJTgfSt)R^-1YN$233Yyk14{PorS>b_0+unQKER7)jG53 zJ&kUtTDd%8>9`J}|END?U!Y_gGIfow_PoQnEM*JVWP=ZExgA zFzaJvExV;DeiY9;j^*+#%d=9yK2Q#&+*)hG<9OCw6DWtMYbvEi{}AZ&1>@4_seeg+ zXv<#R|0^XHYNpcq=6*{{4Lw;eN_2&V-o|aZf7Bwcelr=-t%mgSy?WF34w8}-($2)y zeFHf&p?U(0=M9|>+D>0Dr}E7BbMckI07qc>$z=eS^-G+O(h`ha3zr$S4a z-1+ry=Dm$Jf1JC;xPM|j%})FHpg;*ouC`5<#P*(e&&y~BeShB0U$*v7H{67fx4aUa7awJNkJ#Ri<5_ars`wr&;2Nn<0z2NA8+3mfy2%t!I(&yM#*B`iK6@Q_qpqC 
zKkn9-$d}1o6~ESJC&MKo6<}1FMY(-?wyh|mWng4h5rTLwsN7nf+*>{Ekgw+i?GNbo zj>woUsrYj8YWb~!gyTEE`dy@(5KnY&T1K>@`~f;`m#2M-==CaRH&-sB-{-E|l+uN= zI5!3rCGTEgrP8@T$yv=5`#I9so((!CiQ?J59Wzn{fSDxG6!}opdn4(R#S*_Y&n}+R zb`MAqd4s5URvo`1m6}KfjNdQyvj})!dn?(9SKUkyaR6m7auxieMNdC@_OGFAE@@)? zP;I416jORbLvi}IAD-Z_2Rnr?(OKQ8Q zIQ33T8x9B@J$}-l!a>50$E zpDfV+bi;sF?A2^SO33R@9O-7<)yMh+M~;alsuyx~h= zR_r@)NKWzRjc4|wCr`u@$_JpRaEwO$m?=yYJRkS$EN0DHAZcu%a7Ls7eih1=6g4VW zv^#G%h#OvsGb0Vw>&a#xQ*v2v#g}n*<+??glEBRvO`?s%r%#`St75-6CDB!R4YpGh zjmkxVXc=G+QRBp0%zUk%1fl4p*j697Xa`AhA!i*tH(`KK%FL(a6|Ce5g}MK>`hZ+4 zn%`#q);)s%B}J%{+lp#NPG>IMCBB%lM$W^73}L=G>B9kv$OQ3YiRF}tOL+&`ZAc6F zSOf2Pm-os^dYT`J!x{>CgwMAh`kUxRANK=$SVHulQz9rO;H|A|5?Za+W9n$g(AW7o z|BUiuC>cha_0gk8Q;Vk4vP2oA3+Oo3&ip_iVc?YCw#i5ZtcMrv5=#CzYg8Md(@f~w zdNPj$b&Y%dEHT8n_-*X_@(L|3vK{@#Nm9a*CSjF>*j`k1 z>K2DeE*F(oCn~iWJWuSJ)7z&pp^x?d{m<4f$DO~ayk_HtD|OPCTvWtQ~#aDVha4TwQ#0#H8f*{z&SS z3B?TJT}Ki^+_OOk1VN%!{C*tRNYt%b!0j&ly$7ltz)<2&^yiVgx}L1J!`g-JL7f}N zHUsqxib-7l?!?S1($zNlM=h=eXQF@D#v})y@REeqNQ_HbWWighYziwR5!aRA+xDI_ zy7rIu>|aC)>LFzdXED}erVM%8tM`n9$1jWA*;0uOhl6FE8e~+5lqi%*PVu*C*D0yk zUuUJ|fg%$*7L){PoWHO}l&E&~sU9H}!^!m>(}U|oZ_}H3)BBO890|lY3e@ul$K}oY zBI-Y-M9L8K;gj}N-wjU_Z-AQbs%L!|FkMhPqv5$A9ZTrrN za+IfH!;VwNZkv!-e^`j`=fu(*=MG z;<@a|`#+c(-A(-N)hKByl<(jUdrF?vG$GY~y8#wc0+cr^scX#FZDlKCYdO-M5l> zH!jqEJ(;??{yf><*E&Zo+8mMBlQ9lIS8|)iq7ozu-tlP>(QWE+vEqtFSM}}Qn*u-3 zTMek6S%AtXs*3GRE`l84W=i1dslem@*onVI{-CwO*|U;|LK1N+ zL*B%x_C$5zJ zgTlL9@$8~P$sD8rwHX3)WlCk2=*(HWs(ks+-RN3YOSWk=EAOPO#Pys`e^k9(Zl4kl zg0~RIgCCS^KTO{slltM~WWYCnh$U0Hy6%LNwI|Qs2$di;n*+UplT9OKvChwZ@k)r1 zIITp1Oj4l(B@dK6Wr}4JFX`R~oRw^%WQm|Y0F?#2=pk+2DPsCT7>M&VeEcdyssHom zO(+s2pX!R7I#V9#p2OFzkqCAhx>>;WJ@>nI6diU;v>G&5*6u#&SFvDHC#fV+o8#I# zzv^?fXg5_!>e8jODd7~QkzGaW!YwkgmfWkTlU%b>MX5Ua^yVFNT>Fz3<0qY~ z=~Z3M!*GaXoP9b}CI$aaBM(RCuNH_3lxP|W(p^a)?t!k__jR2oV>p!-5pnajEds@H zpSMD6A5{7}f1W{lJ7F=eM|50wF^=?Ob4K?Q7X4GvD2hrD`^ZT=^Gb$KTrK)`swxx1 z?mc`_M((L~oA;a+jcODYYqy*bORZ5?jU2e^i)cA}_K`!teJytop0$v;6se_>=pxB_ 
zT}ryHjJg>6x&&&R-_|0_^!71-LmPvEh}Ki>`*S}EyOCY!VpqcyB<8bw|d%N zU(bo&KE7?5)h;UY*=*i*Mhqtpeti4DQ1R2RTSZ?lo`-t7;W3|(Xmz~hi;rzhglpD6 z{Tt>vQ7JmB`%L3T*ZJ}FHg&_dUarsEzp?3S0zZ$0wPR{$79IYu7Y9F(``H6R?wXh-f-b81TKChG2b+IriBk^=Fk9|tU{o~av`}W@wF~6f-N0TSR5wq{Rt~C$t1*BzxcvKv3TrZF`MXlnwN_h z6jFM>12JztN&?Zc4{e0py+?|Ai`5*|FnxP z{%d$F2Xf#3wDp4eG-;YesSlc=F9v)hI<#soDwHWH4IkjAcSiq%{lYt}93`KHfO-cM zJeRIqm5P3pl`mykhk18`90^LPU%pI`81`8|@ox1h0$lzuAb`3hc5Isk-CcW*>(STz zd2)-7dUO#3KmI@zuo`yYMGk|4l7y5{SIL71wlE!4rlxl^s;3lWdI;uqa1P3nd2+9~Bs9d-hwRIDk87oWfJo$M`7kK!PIivbEuru}`%vH$_D`kUPHk&GLf2`|H z)H%AcRn=DsWYw~(DL%aM!oGBJ7o*zl!@+VMyvm@Kfo$4$TKuC$Ajm=&fAI9e$AII{ znb+tGCvE4@6y-bi+dK+g?AqljDA^`{*<2uzBm~Mqvt*EZw1ruNpm}M~<0okh!AIGm z@twTN9bndGWGGX~NY7XkGosIJ8<#W^(KaD3`C<)5$}tb6^7}Q5h$a>CNh+kQHHL{? zbw)^P5{#>!?JBxGWKYkRV?!!ADtMqBmHMcQgoS33IAI*)Sk{q;scz&ntM6D=oxD&% z!-9|a9>hfpK{U+p39Ia?;(6kDZK!2sOohj{l3iMYN>!$&Cul61$?gNeMsbfe6+$WX zvGU;GSByH&W}a(NGkP6=+J~_d0wv!yE7gbIHs^^Pm zT2E|m6o%1^%9j8K1NH1i^3u=RRhD}M1xWrz--ztUV~MQzGug+bq`u%Jp|+PwuUb$K-6^zMd1u_OT2{ zH5ly{lcNIOtsvX>o|RL_KX>oYj`btUGC1g!+_-D=)>dU|dW{m)D#@HG?7W-RJ_0q( zm(ixI)Tvtn)xKjpx_9`+J5L=~+by5DXTdvv@;G+ouW}((;+V$nZ%|@icY@^0AFR9} zt0AYrrLTj;*KKl&R+Z9<$_0{%qLe&2jW)*Iwdc+Hlv=x&@7TttV;k4BN(}52rJ2) zF@tz3t>tF8Ywvz>n$E3?Xekv`EUb3xwB2f?q=T$Ea8?|kgqKRDjA$v^R4*(SK{t_?q6(aN z@ao&Ro5yjb(73suJ+nP%(^FDF2$Uh<;5Cyo!8b*{?lz_Vl8K!S?{%~KQK{{HWmH_t z)-CSAorK2SA;G=T1a}V(AxIOfp&LnX*O1`u0h$mT8g~z_!2-b>g4-kaocqRmV|?S> z`{(_8{ijBc+PiAa+H=iX)q7R-D`syRY40RU!k`+5t*OIAdGfxmwDdK z6LHC(j~8^czZ!bMeuUw>1{4YprSgEBY@N4~{lu9tfG>$R%9dr@xG%r0e0qsPrQ z#P^fJ*pY3Y1KfaA?Bp?&nxes&eAl#5!pz zcb}vBh#FLE4oQWu< z6Z>*L_x-fWlhWy%jh6`VEY;(wGVS(ki*RUqiavPHep)9+j%g!mq@8YgjnKIO04zZS zc>O^>bILvIC~4G_Y3C zRY`}Lw!1cXOWf?bltn)Vq74JutR=y zW0}zRySvDCpvtptnuYC@xO>12PDm!!WXE~%a{fd*V}>;^1Fy%mUc8mI1>#PzS^Lq7 z&YarLKmM9-7{eHlEnVrx=Vt-D^X6=GetS+f(IOfZEy!VH4*?%`_UA;0?){>5u?x0P z5d};Mwu7>RjL$bE^$*JVMa9^tUN*WWPnEkoK(x0Gi?a3?XWy;AS&EgDY zwaDk2+oV8%<+(P?YlP2f-Zb3?I-B(-SLUC{Ip5;o@;GH6z=Cthx0cg|-H7}sJbkf( 
zLQ?ubHY`C=ueF3%z-Uj=@7?_63`6n4bP@_09?fgV&+3~WCBIFpSeiX%B#{*We?wdP z=B+~};@t4mu3BW*@-zkWaU-KWSCzN}O|y}Xc;CVtU55R7ccjZcf`xhec@nDq2z+&9 zx2)!=qw{5jq*a&9mkY177mi%~zgzbOEJ7B%X4x073~aS5-`p%fdX!KJV$~M8d0UR{ zMl<+ZhiFq^?(O-L>e?b0s_yYhjfqc8hEwcm>fRdYF$@c(DT=>KXY+oFp5;^!dqEE!*G6g4ijmD4s+CmOTOF-?Oafdu>4 zW&y+|7a4^mkzwmB;NR`>$IGOuNU9#9@fB1$l<68q)oOHTv;YlF^U5WkSGBi3O|TV^ z9S-}?X8a6JLgIkCpQtBUwJkCsOHd}lk5xbesajWk)y;aA5gLI5-U-)kD^PM`kK9#U zch2$0OgJRlVcD-~zy3{E61$Ycbl5z~$?HzghG7m~qm$YRW+9>>Zg22sjzh`9IVM#b zUOqPaEGEW>T);Gs3LAn+p;@_*N0?+r+&#hjRHTSdr>73xX=7~1y$sBSr zmxU}nJV)1B=9bCEI2gj|4a}^RruKMwu!l*Mdi!LaHCQkGE;$!?z$l>MWRmhigktr< zs=1!=WV0UejHz`vcU77w-T#2Q>nrG40VDcZL6vbh{NX9x=of0HqL??&R7*GZuG~Xy zr34BdkF!$w`eMKddmF*PoP3+SlUmfQyg%C{8$a>3YT{+MwnM&5Fb0G8s1}1W+m7Fp z&#p_D(S!JcKjQB1qly$A!z@p?&J}~wseC?N>}gJyOqcYLf?K5-Q5h0v7+leM^8^RV z6q+F#waR?TvTn-^$ZxmTa5J1ahF((Cw50xM6WWejPE^GnB=Mn^yLE)qvJzaRV-_;w6%+c<2FP77KLuQeIg$NF67eQnvR)A8aUyhtxl7%`oLF7;M|lb&zEGY=5}*`fpa z$XbBM?!h*kpI6cLOlEj_>LzZ6WsU1U9BwHK9KBMV@GL3&5WPoS3CHLt$v!AmwK7G?lIXHjZAmV}R?1CB%M^&-ic%Y2go7kp?#QZ| zv9cgQEg8G47S6h7@I6l&JDP&2Jh9K!>ju}AvT zjKe}k#EWVV#|U^2t*Y=4VxCwIFwAIv-T3+O4=#y& zmYnVCrPSUm#`s^AearLDG-lvVk@UX>zNOzS=o!+VpT4j`hK$R%(Q-FlpC)xmp=+`9 zwYacTgTf>Q}=)jBN66lkO>-kz?9h(OO< zK1tcP!Tj9%n`yiiZKdsHRCFsn2$?BXR60&sdK2|1gVY5xR ze~aAOKmR1;NUSDP7YDbRD- zC!oX~F&SLcl|jYqR|e(L>~d@LV74hL+ObQA&M=QJSvoOdZ+`ws$S!I82rC`rgUaE& z3%)Nqwn#1wM;Vq+OJuE3H%nyFl0fXudF5S&!Ta0jsoRZ!NGEtcoSqyl+$;(9Jfzjv zpt$QFW)o$y*z=~}y`vI452XY>y|E4SNp~ivN_E&xe{ag8ufn_&!1Hce9r&q}@cGUihZQ9i zn1yRWWkV{$VYxb3_Ay3jXf^GCv#Mb$ zDF)+7Xphf}=9P54LEfKV>M8GkpU3a}-tMcNq#1+6@G`vK2{2hJv-BW?sz`=ekHw{JN<7R>^RaeK~I%j%S zQBM9SYk;v`vyz#Px!;}_X?YL9WHne3UC#=+sIFuH>rqPu%0!x4qFv<9vAG*#uM3&n z>j^9lgANz)s?Kt>}0w7?E z;O)D9|FZ&j=%Gc}rfAiyeHwf4azDEqg+*2~z_Y??GXZq&Vl2*PUt*u#wkk91cS2i! 
z{(-59V?byyZ5DCgYV<9nv>AHitDbdts_mb&e?4PG*Vp!RHPLF277$e=dMZ&0M0pZndoa2xDW)jsij zk-n@rg4H-#l^ci9tly-7Fis=mu$~Qhf9;f@yPA2s$A$CBOJ?mXmKXq|>Gk4QFAUi2 zjx+3ZR9e9CXjzFDxSUwpZL*1gTrcSGr(HkKB>fT}`k5pW=W0J?B&3E#==w^Mz3^Q@ z6st^_duE9raS#12FbQp-7sG!v(4ZBS9iAKA=ffuMk$qWb^dcdZLHyY4-PO4c%zf24 zA^mbLJz0(0-JxZF)wxA(N*w!Fs-gczNDKFl&f!>Gno`wBoXU9gj)`;`j3b>O)}u8A4q?uR)ya8Pw$0nOPJd| zW|o-U!iLum#65eLG@CJ3??xptUrEmD*}g7G+{wf1O?uqDQ!-7f_92qAXeaQA_Afj} z)W?SC%}UxA3#L{IDVj6FPyoM`Um8@VNbBl{K7)3}I-95*%Ibx}&^~mwguL9mdhfpa zih9;>R=LTkPHNm%#A0M1{&*8%O~sEC(x{!bchkvV=lWfaw%k1Ssxvvv>ibOQ38V}W zc~bObH(YgVzm-Aju)JMHyT}G4{(&6tb(Lx)#V`{_(#3v!sZ$|}BRactXn>)K_TCPp zW(UxszBV1pq(dn`+Br83V+yA*8O|Qpdc`XC-g)yI{vg2Y_#|U>cRqsP@Cf5MvExA0 z>O?-7Ip|JIpX_lf3%Rrov8fqy%=w^pO=VYi=@aH$Vm(aWeM#eFiZ5RVJ-*R?w^3P- zYP4R6JYw_kNsA~JtaH{Z4D=CKGKLDq{gmD_(%}dRFnkS2ApK4cp7uM7OrmFw{oNgc z+^v;U;%u59uZ5?9h)Yi;fmbfs2V0d}D==#kctEQlY#Qtktg7ruwb}=dx&#Q>87MlQ zvZ*%)&b+L> z5%(o4KINlUr$S_1f>*rw!T0*sT-KR2n7tzLGZ@F~@faSH(XSTO$ZkaZO$}Bx zgLN?|HOLREn^)I-p<#H0sMz*P@L{w@`W#If375~AeIn-sI5l=QC0q;pCSTQ-KR#!) 
zeIh|K5=|T)xT|PB?paP&?W7cwc?lYBy=iI1%mbxVA)k&CpOr45mgL7da-~P8W7^lP zR8*LhyZ?qLGh)P;*?Dt!_~_KT`%mPnfkBOnlHyxcE3s8$be?9tQXI!`>8+-23#%fJGrCW@EkW%%CJ@T>{-~{-nPp}yn&uwmCRpM z^$f{Gz zq$;E@A&X+g*06rXDG9K0qu(t87Zy_zj1wc}Fg34qKt4s<(Hn_03XzA3-Jbb7l8T-j zH$Efyohj>UrvgQSY-_~4|0%~}HX3D++c>Y=;Ty~i~#HY(4Ab-}u9J{yxM zgg6z2@BO@xkVsBdfU>$o-TBV0p15NlP(4-0+CFUZ$lgqz-ObP*++%>21Ee}nV3 z8r{Qt3ql9l)1l+&;E!5Gy{!E+Le*p9VfMC+P-%C|{*PY?|gt zdT-#ZoDJzeFweNIxOk7|jE_BdxlGiWJ0nLj2_mz=b(ngu)fV^l>)$TOBp0%gM6Y#p zDGhmso4QG?^0_~r8We;lJg-p2^K5^?%~XT}q80sAT$bG4hm)I``*6#!=g5}wbqmq> zGDOHdVHualeDdA65@XBD4+G`;51)d)B}Ujt&p=y zx?-fDR5uN2W!SP_UbzoYwe?d0rJ6z(_&73nqCN9gUW*IM8>1CXL_LWmma~3Z8nX1w zvX0iWtpn?#&{{)f5X(L*c#iz0jp{@>a2NMZJ&nnnEza~Cf#I?13K)pdggN=+{WW_M z^Krj5wTE)fS>W0h_lX?P!Ou{o#itT*z7ng`=a10@jn*1}3YB!qU#`p{9Z88`D0GO< zWMHnlr^hn4*OX}>4j4^+d>`LRQ-2s$%TDsWb@jH*uI`IDhQFVWWnVGu$FIwYdV(p5 zokqFvT~xqW!@UIA_)!TA@6cbP(sTL+Ukl`pN5NAvcaOXBaZ$2!aOViP>40ucrZl5q zNNTjs={@lE_;f>mk!wj66rJuz)Wg~&OPWR}?pXC|f_qyrlO=2y@94@q+L7-;uILSP zaOC8d*z0{oh*TLm`U?2^h~)Sx6y5hGEG~Nh_DR4IQmjZ}aD!KFA72jjZNjhRHE?_? 
zC!kY+vf~CxkXfzL$Y|y9#k(IF4Gi&@ozG0msyEoV4~LL6(a9a?MZq_oUL5SzAH8H2 zOuP$Cz4VjDnG(V2MqHn^g&(0`?H72LI&2yyN3Yl?F-16~vd!oLTEU0wwEhY1qcX=* z`w_XL(``_r?Eyb7hko}NTAp;J;QfYB7~GN6?-iLK`8;UClD>lJ4P3X2Nl)*U_cJ-{X#*hm^hgr9TD;HJ5PcKFf4 z7LMLFvDSCI&jI?k?wwictWUP0cBzw%A(MQ9{KlWeRhQ{2&pt{&CE_#Paj&(oM7FIH zU*dc+&-r56mm}pc;JjWmqO^{M3ofJL$~)L2&iFDhwc+mK$JgzLNbDhY*;|Bo?sfbJ zJPPYHTZ$u66_@#}>+2p@`|e=*^RXqmNX^SK(2K$4Bp}n3TY5K#j~jnb36j~;vvSsL zYfJ?hJaaeoie{H8)Sw_6x6D`SeGewB_1Ky$XKbJ3qW1`|pXO!j7+4TzreX~7SUl4= z-BEG0%^k>YKHX>-_#SXiX8q7YC$;F&<3iRuc%z^bDNFi%;zv5FRZmLawB z3fw3}#Nyiri)-VtVDU9k4%Xbi@g-b?JtM6Wb`4Wj&DtDD3hCpyTj_%*dyp-iD>I~v z+2Z7hR>O%J7drq2GGP-aCt&yr>FC~l?rwz|TZfD#DJ#BILDFXqg-mBBeSD1~KLXlt zOafZft=G4gpaDM-B6j+vM=jy5YxaAPI%CB@V=etHB($jEle(6%-0Yow=>nJ-@?y|l zU^;2QRj%<%O1`8lk04_yWE{PHS`XkwQ)- zwOOtP1QfF)TDc5WtmWkgvZ%hGUPfhQ&kr)-I}J`A_hw&5!dbTmzDpBv!Ap>^#EXkY zU7IjtbI#oiQ1;OLtkd&+M_pq6;sYyhH&xzIgi3ZZx!|sMzJuL|yF#6uZtV(ObRP*&tvA|t~)(rbf z$+UQn7kVPHSwd)tD#h34wcXe*1Zw%@Qbl5_lX@gU!uOjg=LY%2iB8r-mrQ?OXwlz7BGOh}uOWGmv6Hl|vJ$QZ6xb>P$cGY*#Mq7%`~*c62Jlp)u>4?>?CSYz_ZtTDt1XG zW$u*sD(=PeoOS}VZ|`p;K~EIv))|oAP#nJ&-w=#zklfB{jm27OIMbZk719za)mPSK zPk%Wn#7tkvB2lcK4X0OpW$es$wy4WHta>*KiU+P)D<;0vG{2JbBMY%yleb1gi9~uz zdk?-(bWa76EM8<&kl48h?O@;3mUpY(1?G*!@c(6U3l5qg?14iwPUa>!Oe#@g`EeiW zzNnjWg;BlAIX<>W6!|b9$al~Tn-@*y7wVD9rmP6$ckm{{;HFZ)v?Xne{So%R(Ekud zQQj2^B_`h3eibj6=bBnJs{c;(-?gtJ+npoB2Ud5|HTTkV`&oB&w_KMs+ue}=xD!t_wGnhk~YlA8Xp7ua0~E13f86l~RXn-qL3QsCvl<=b7qC<&@4uHm+LM4q_tD?0T^{t-dT(seAPRI^ogyd$83a#T*f~$ZF*5t%j}@f9d60lYiGJLi?fD&E_2)~WKvy|=o9Z~mbTjdb7m{wWx>#EJ{{r`z zQt`USA58?Cs1&zUrQx6mzg4G>K_OfNRB#TX}!tK-f`iSrS**g4r{w+6Mo}mWa(ByGy2yAt z*z+&)@u5@^1_|?+VJGm^xDxd-4(){@?dZFNED=52-&8552}LLq@~-S*q5xpeP$+RJ zNyf4yNw7&+2vvxgaVX-***vo(z;9+L%wMB*k_0t?mRXI@?K65KNEV%$lBEyASoK?Y z6$6Q0qvZ*pSl&s556&TAk0g@W1hyw#O!b3pmYn{oWGUr;TwsGe5 zxGq;fTA?o0DZ;uyg>1wK1BXBHqn$`q^P#N8AobGr=7=LaGxDIDm2RwUbw`zE=3{@e zit0~a#}yQ&QI9=S1|7>IiC##6HJ-p}5m}VT|LRaep}qBE$M=s7wErTLKLa77A|6hh zZ783#<>p8$5XltEny$SPR@I^MQ{D!Rfd*xe@wz99Lg1k* 
z;9)?QF5!T$0Zv33-icBMdXtmC@{@s@@ck6?lR zXj4!EBGp%LlB+RRz+cW(F}KbC$0v!1k#T1mF0!VGPF^?YXpsk1(>^xkpDf7_dHt7K z38FyY`1b8!@4xx;ck#Z|$A|E5Mf>L>0Soz2)bo;h%xwR_|3i*{Dhy#`*8l06f88Gr z#HzNECeGwK|BfAb&| z>4@ncy;0etrlI^l+VBSo=Q$YfpCSF-%>SqG-<Ms3WakvBO|{0@N;cWjmipeOy*O9IeSmi3ff@oW?s*Ey>b b-q!(7GO7?5F8J|Cj~^8Ubzr63>-YZ)k)dE- literal 0 HcmV?d00001 From e39b30888375e2aa6abe22d26c26fa16f54f6fe1 Mon Sep 17 00:00:00 2001 
From: Janine Chan <64388808+janine-c@users.noreply.github.com> Date: Fri, 13 Mar 2026 12:16:45 -0600 Subject: [PATCH 3/5] Add more content; move shortcode folder --- .../create_rule/_index.mdoc.md | 346 +++++++++++------- .../cloud_siem/add_calculated_fields.mdoc.md | 0 .../cloud_siem/add_reference_tables.mdoc.md | 0 .../cloud_siem/anomaly_query.mdoc.md | 0 .../content_anomaly_options.mdoc.md | 0 .../cloud_siem/content_anomaly_query.mdoc.md | 0 .../cloud_siem/create_suppression.mdoc.md} | 8 +- .../enable_decrease_severity.mdoc.md | 0 .../cloud_siem/enable_group_by.mdoc.md | 0 .../enable_instantaneous_baseline.mdoc.md | 0 .../cloud_siem/forget_value.mdoc.md | 0 .../impossible_travel_query.mdoc.md | 0 .../cloud_siem/job_multi_triggering.mdoc.md | 0 .../cloud_siem/new_value_query.mdoc.md | 0 .../cloud_siem/rule_multi_triggering.mdoc.md | 0 ...e_multi_triggering_content_anomaly.mdoc.md | 0 .../cloud_siem/set_conditions_anomaly.mdoc.md | 0 .../set_conditions_content_anomaly.mdoc.md | 0 ...et_conditions_severity_notify_only.mdoc.md | 0 .../set_conditions_then_operator.mdoc.md | 0 .../set_conditions_third_party.mdoc.md | 0 .../set_conditions_threshold.mdoc.md | 0 .../cloud_siem/threshold_query.mdoc.md | 0 .../cloud_siem/unit_testing.mdoc.md | 0 .../security-rule-say-whats-happening.mdoc.md | 11 + 25 files changed, 222 insertions(+), 143 deletions(-) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/add_calculated_fields.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/add_reference_tables.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/anomaly_query.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/content_anomaly_options.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/content_anomaly_query.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{cloud_siem/create_suppression.en.md => security/cloud_siem/create_suppression.mdoc.md} (87%) rename 
layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/enable_decrease_severity.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/enable_group_by.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/enable_instantaneous_baseline.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/forget_value.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/impossible_travel_query.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/job_multi_triggering.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/new_value_query.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/rule_multi_triggering.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/set_conditions_anomaly.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/set_conditions_content_anomaly.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/set_conditions_severity_notify_only.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/set_conditions_then_operator.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/set_conditions_third_party.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/set_conditions_threshold.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/threshold_query.mdoc.md (100%) rename layouts/shortcodes/mdoc/en/{ => security}/cloud_siem/unit_testing.mdoc.md (100%) create mode 100644 layouts/shortcodes/mdoc/en/security/security-rule-say-whats-happening.mdoc.md 
diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md index 17ceaa7e2f7..1679c5db39c 100644 --- a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md +++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md @@ -14,7 +14,17 @@ content_filters: ## Overview +{% if equals($cloud_siem_detection_rule_type, "real_time_rule") %} Real-time detection rules continuously monitors and analyzes incoming logs for security threats. These rules trigger immediate alerts when specific patterns or anomalies are detected, enabling quicker response to potential incidents. +{% /if %} +{% if equals($cloud_siem_detection_rule_type, "scheduled_rule") %} +Scheduled detection rules run at predefined intervals to analyze indexed log data and detect security threats. These rules can identify patterns, anomalies, or specific conditions within a defined time frame, and trigger alerts or reports if the criteria are met. + +Scheduled rules complement real-time monitoring by ensuring periodic, in-depth analysis of logs using [calculated fields][7]. +{% /if %} +{% if equals($cloud_siem_detection_rule_type, "historical_job") %} +Historical jobs are one-time executable queries on historical logs used to backtest detection rules and assess their effectiveness on past data. The generated job results are lightweight versions of signals providing information on potential threats and anomalies on historical logs. After reviewing the results, you can convert results needing immediate action into signals. +{% /if %} ## Create a rule 
@@ -33,11 +43,11 @@ Real-time detection rules continuously monitors and analyzes incoming logs for s 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/threshold_query.mdoc.md" /%} + {% partial file="security/cloud_siem/threshold_query.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} @@ -47,11 +57,11 @@ Real-time detection rules continuously monitors and analyzes incoming logs for s 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/new_value_query.mdoc.md" /%} + {% partial file="security/cloud_siem/new_value_query.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -62,11 +72,11 @@ Real-time detection rules continuously monitors and analyzes incoming logs for s 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. 1. (Optional) In the **Count** dropdown menu, select attributes whose unique values you want to count during the specified time frame. - {% partial file="cloud_siem/anomaly_query.mdoc.md" /%} + {% partial file="security/cloud_siem/anomaly_query.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} @@ -76,11 +86,11 @@ Real-time detection rules continuously monitors and analyzes incoming logs for s 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/content_anomaly_query.mdoc.md" /%} + {% partial file="security/cloud_siem/content_anomaly_query.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -93,11 +103,11 @@ All logs and events matching this query are analyzed for potential impossible tr 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/impossible_travel_query.mdoc.md" /%} + {% partial file="security/cloud_siem/impossible_travel_query.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} @@ -109,7 +119,7 @@ All logs and events matching this query are analyzed for potential impossible tr 1. Construct a root query for your logs or events using the [Log Explorer search syntax][1]. 1. In the **Trigger for each new** dropdown menu, select the attributes where each attribute generates a signal for each new attribute value over a 24-hour roll-up period. 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Add Root Query** and repeat steps 2-4 to add and test additional queries. 1. Click **Save Rule**. {% /if %} 
@@ -176,13 +186,13 @@ Choose the query language you want to use. 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/threshold_query.mdoc.md" /%} + {% partial file="security/cloud_siem/threshold_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /collapse-content %} {% collapse-content title="SQL" level="h4" expanded=false id="threshold-sql" %} 
@@ -218,13 +228,13 @@ In Datadog, SQL queries are compatible with data stored in [datasets][6]. You ca 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/new_value_query.mdoc.md" /%} + {% partial file="security/cloud_siem/new_value_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -235,13 +245,13 @@ In Datadog, SQL queries are compatible with data stored in [datasets][6]. You ca 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/anomaly_query.mdoc.md" /%} + {% partial file="security/cloud_siem/anomaly_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -252,13 +262,13 @@ In Datadog, SQL queries are compatible with data stored in [datasets][6]. You ca 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/content_anomaly_query.mdoc.md" /%} + {% partial file="security/cloud_siem/content_anomaly_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -272,13 +282,13 @@ All logs and events matching this query are analyzed for potential impossible tr 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/impossible_travel_query.mdoc.md" /%} + {% partial file="security/cloud_siem/impossible_travel_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -291,11 +301,11 @@ All logs and events matching this query are analyzed for potential impossible tr 1. Construct a root query for your logs or events using the [Log Explorer search syntax][1]. 1. In the **Trigger for each new** dropdown menu, select the attributes where each attribute generates a signal for each new attribute value over a 24-hour roll-up period. 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Add Root Query** and repeat steps 3-7 to add and test additional queries. 1. Click **Save Rule**. {% /if %} 
@@ -320,13 +330,13 @@ All logs and events matching this query are analyzed for potential impossible tr 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/threshold_query.mdoc.md" /%} + {% partial file="security/cloud_siem/threshold_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -336,13 +346,13 @@ All logs and events matching this query are analyzed for potential impossible tr 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/new_value_query.mdoc.md" /%} + {% partial file="security/cloud_siem/new_value_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -352,13 +362,13 @@ All logs and events matching this query are analyzed for potential impossible tr 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/anomaly_query.mdoc.md" /%} + {% partial file="security/cloud_siem/anomaly_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -368,13 +378,13 @@ All logs and events matching this query are analyzed for potential impossible tr 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/content_anomaly_query.mdoc.md" /%} + {% partial file="security/cloud_siem/content_anomaly_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -387,13 +397,13 @@ All logs and events matching this query are analyzed for potential impossible tr 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. - {% partial file="cloud_siem/impossible_travel_query.mdoc.md" /%} + {% partial file="security/cloud_siem/impossible_travel_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Save Rule**. {% /if %} 
@@ -405,11 +415,11 @@ All logs and events matching this query are analyzed for potential impossible tr 1. Construct a root query for your logs or events using the [Log Explorer search syntax][1]. 1. In the **Trigger for each new** dropdown menu, select the attributes where each attribute generates a signal for each new attribute value over a 24-hour roll-up period. 1. (Optional) To create calculated fields that transform your logs during query time: - {% partial file="cloud_siem/add_calculated_fields.mdoc.md" /%} + {% partial file="security/cloud_siem/add_calculated_fields.mdoc.md" /%} 1. (Optional) Filter logs using reference tables: - {% partial file="cloud_siem/add_reference_tables.mdoc.md" /%} + {% partial file="security/cloud_siem/add_reference_tables.mdoc.md" /%} 1. (Optional) To test your rules against sample logs, click **Unit Test**. - {% partial file="cloud_siem/unit_testing.mdoc.md" /%} + {% partial file="security/cloud_siem/unit_testing.mdoc.md" /%} 1. Click **Add Root Query** and repeat steps 2-6 to add and test additional queries. 1. Click **Save Rule**. {% /if %} 
@@ -420,330 +430,330 @@ All logs and events matching this query are analyzed for potential impossible tr {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} {% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_threshold.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_threshold.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-rt-threshold %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. Decrease severity for non-production environments {% #decrease-severity-rt-threshold %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-rt-threshold %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} {% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} ### Other parameters #### 1. Forget value {% #forget-value-rt-new-value%} -{% partial file="cloud_siem/forget_value.mdoc.md" /%} +{% partial file="security/cloud_siem/forget_value.mdoc.md" /%} #### 2. 
Rule multi-triggering behavior {% #rule-multi-triggering-rt-new-value%} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 3. Decrease severity for non-production environments {% #decrease-severity-new-value%} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 4. Enable optional group by {% #enable-group-by-rt-new-value%} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} {% img src="security/security_monitoring/detection_rules/anomaly_notification.png" alt="Set your severity, anomaly percentile, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_anomaly.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_anomaly.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-rt-anomaly %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. Decrease severity for non-production environments {% #decrease-severity-rt-anomaly %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 3. 
Enable optional group by {% #enable-group-by-rt-anomaly %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} {% img src="security/security_monitoring/detection_rules/condition_content_anomaly.png" alt="Set your condition, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_content_anomaly.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_content_anomaly.mdoc.md" /%} ### Other parameters #### 1. Content anomaly detection {% #content-anomaly-rt-content-anomaly %} -{% partial file="cloud_siem/content_anomaly_options.mdoc.md" /%} +{% partial file="security/cloud_siem/content_anomaly_options.mdoc.md" /%} #### 2. Rule multi-triggering behavior {% #rule-multi-triggering-rt-content-anomaly %} -{% partial file="cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} #### 3. Decrease severity for non-production environments {% #decrease-severity-rt-content-anomaly %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 4. 
Enable optional group by {% #enable-group-by-rt-content-anomaly %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} {% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-rt-impossible-travel %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. Decrease severity for non-production environments {% #decrease-severity-rt-impossible-travel %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-rt-impossible-travel %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} {% img src="security/security_monitoring/detection_rules/condition_else.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_third_party.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_third_party.mdoc.md" /%} ### Other parameters #### 1. 
Decrease severity for non-production environments {% #decrease-severity-rt-third-party %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 2. Enable optional group by {% #enable-group-by-rt-third-party %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "sequence")) %} #### 1. Rule multi-triggering {% #rule-multi-triggering-rt-sequence %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. Decrease severity for non-production environments {% #decrease-severity-rt-sequence %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-rt-sequence %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "signal_correlation")) %} {% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_then_operator.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_then_operator.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-rt-signal-correlation %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. 
Decrease severity for non-production environments {% #decrease-severity-rt-signal-correlation %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} {% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_threshold.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_threshold.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-schedule-threshold %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. Decrease severity for non-production environments {% #decrease-severity-schedule-threshold %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-schedule-threshold %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} {% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} ### Other parameters #### 1. 
Forget value {% #forget-value-scheduled-new-value %} -{% partial file="cloud_siem/forget_value.mdoc.md" /%} +{% partial file="security/cloud_siem/forget_value.mdoc.md" /%} #### 2. Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-new-value %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 3. Decrease severity for non-production environments {% #decrease-severity-scheduled-new-value %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 4. Enable optional group by {% #enable-group-by-scheduled-new-value %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} #### 5. Enable instantaneous baseline {% #enable-instantaneous-baseline-new-value %} -{% partial file="cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} {% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-anomaly %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. 
Decrease severity for non-production environments {% #decrease-severity-scheduled-anomaly %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-scheduled-anomaly %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "content_anomaly")) %} {% img src="security/security_monitoring/detection_rules/condition_content_anomaly.png" alt="Set your condition, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_content_anomaly.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_content_anomaly.mdoc.md" /%} ### Other parameters #### 1. Content anomaly detection {% #content-anomaly-scheduled-content-anomaly %} -{% partial file="cloud_siem/content_anomaly_options.mdoc.md" /%} +{% partial file="security/cloud_siem/content_anomaly_options.mdoc.md" /%} #### 2. Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-content-anomaly %} -{% partial file="cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} #### 3. Decrease severity for non-production environments {% #decrease-severity-scheduled-content-anomaly %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 4. 
Enable optional group by {% #enable-group-by-scheduled-content-anomaly %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} {% img src="security/security_monitoring/detection_rules/severity_notification.png" alt="Set your severity and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_severity_notify_only.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-impossible-travel %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-impossible-travel %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-scheduled-impossible-travel %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "third_party")) %} {% img src="security/security_monitoring/detection_rules/condition_else.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_third_party.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_third_party.mdoc.md" /%} ### Other parameters #### 1. 
Decrease severity for non-production environments {% #decrease-severity-scheduled-third-party %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} #### 2. Enable optional group by {% #enable-group-by-scheduled-third-party %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "scheduled_rule"),equals($cloud_siem_detection_rule_search_query, "signal_correlation")) %} {% img src="security/security_monitoring/detection_rules/condition_simple_then.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_then_operator.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_then_operator.mdoc.md" /%} ### Other parameters #### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-signal-correlation %} -{% partial file="cloud_siem/rule_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} #### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-signal-correlation %} -{% partial file="cloud_siem/enable_decrease_severity.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "threshold")) %} {% img src="security/security_monitoring/detection_rules/threshold_historical_condition.png" alt="Set your conditions, severity, and notification recipients" style="width:100%;" /%} -{% partial file="cloud_siem/set_conditions_threshold.mdoc.md" /%} +{% partial file="security/cloud_siem/set_conditions_threshold.mdoc.md" /%} ### Other parameters #### 1. 
Job multi-triggering {% #job-multi-triggering-threshold %} -{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} #### 2. Enable optional group by {% #enable-group-by-historical-threshold %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} @@ -753,19 +763,19 @@ All logs and events matching this query are analyzed for potential impossible tr #### 1. Forget value {% #forget-value-historical-new-value %} -{% partial file="cloud_siem/forget_value.mdoc.md" /%} +{% partial file="security/cloud_siem/forget_value.mdoc.md" /%} #### 2. Job multi-triggering behavior {% #job-multi-triggering-historical-new-value %} -{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-historical-new-value %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} #### 4. Enable instantaneous baseline {% #enable-instantaneous-baseline-new-value %} -{% partial file="cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} {% /if %} @@ -774,11 +784,11 @@ All logs and events matching this query are analyzed for potential impossible tr #### 1. Job multi-triggering {% #job-multi-triggering-historical-anomaly %} -{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} #### 2. Enable optional group by {% #enable-group-by-historical-anomaly %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} 
@@ -801,15 +811,15 @@ All logs and events matching this query are analyzed for potential impossible tr #### 1. Content anomaly detection {% #content-anomaly-historical-content-anomaly %} -{% partial file="cloud_siem/content_anomaly_options.mdoc.md" /%} +{% partial file="security/cloud_siem/content_anomaly_options.mdoc.md" /%} #### 2. Job multi-triggering behavior {% #job-multi-triggering-historical-content-anomaly %} -{% partial file="cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} +{% partial file="security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} #### 3. Enable optional group by {% #enable-group-by-historical-content-anomaly %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} @@ -818,11 +828,11 @@ All logs and events matching this query are analyzed for potential impossible tr #### 1. Job multi-triggering {% #job-multi-triggering-historical-anomaly %} -{% partial file="cloud_siem/job_multi_triggering.mdoc.md" /%} +{% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} #### 2. Enable optional group by {% #enable-group-by-historical-anomaly %} -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} {% /if %} 
@@ -835,7 +845,64 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -{% partial file="cloud_siem/enable_group_by.mdoc.md" /%} +{% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} +{% /if %} + + +{% if equals($cloud_siem_detection_rule_type, "scheduled_rule") %} +## Add custom schedule + +You can set specific evaluation time and how often it runs by creating a [custom schedule](#create-custom-schedule) or using a [recurrence rule (RRULE)](#use-rrule). + +### Create custom schedule + +{% img src="security/security_monitoring/detection_rules/custom_schedule.png" alt="The Use custom schedule section with an example" style="width:100%;" /%} + +1. Select **Create Custom Schedules**. +1. Set how often and at what time you want the rule to run. + +### Use RRULE + +{% img src="security/security_monitoring/detection_rules/rrule_example.png" alt="The Use RRULE section with an example" style="width:100%;" /%} + +Recurrence rule (RRULE) is a property name from the [iCalendar RFC][8], which is the standard for defining recurring events. Use the [official RRULE generator][9] to generate recurring rules. Leverage RRULEs to cover more advanced scheduling use cases. + +For example, if the RRULE is: + +```text +FREQ=DAILY;INTERVAL=1;BYHOUR=6;BYMINUTE=0 +``` + +The example RRULE runs the scheduled rule once a day at 6:00 AM. + +{% alert level="info" %} +- Attributes specifying the duration in RRULE are not supported (for example, `DTSTART`, `DTEND`, `DURATION`). +- Evaluation frequencies must be a day or longer. For shorter evaluation frequencies, use the default monitor schedules. +{% /alert %} + +To write a custom RRULE for your detection rule: + +1. Select ** Use RRULE**. +1. Set the date and time for when you want the rule to start. +1. Input a [RRULE string][9] to set how often you want the rule to run. 
+{% /if %} + + +{% if equals($cloud_siem_detection_rule_type, "historical_job") %} +## Notify when job is complete + +(Optional) Click **Add Recipient** to send notifications upon the completion of job analysis. See [Notification channels][3] for more information. +{% /if %} + +## Describe your playbook + +{% partial file="security/security-rule-say-whats-happening.mdoc.md" /%} + + +{% if or(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_type, "scheduled_rule")) %} +## Create a suppression + +{% partial file="security/cloud_siem/create_suppression.mdoc.md" /%} {% /if %} [1]: /logs/search_syntax/ @@ -843,4 +910,7 @@ All logs and events matching this query are analyzed for potential impossible tr [3]: /security_platform/notifications/#notification-channels [4]: /security/notifications/rules/ [5]: /ddsql_reference/ -[6]: https://app.datadoghq.com/security/configuration/datasets \ No newline at end of file +[6]: https://app.datadoghq.com/security/configuration/datasets +[7]: /logs/explorer/calculated_fields/ +[8]: https://icalendar.org/rrule-tool.html +[9]: https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/add_calculated_fields.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/add_calculated_fields.mdoc.md similarity index 100% rename from layouts/shortcodes/mdoc/en/cloud_siem/add_calculated_fields.mdoc.md rename to layouts/shortcodes/mdoc/en/security/cloud_siem/add_calculated_fields.mdoc.md diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/add_reference_tables.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/add_reference_tables.mdoc.md similarity index 100% rename from layouts/shortcodes/mdoc/en/cloud_siem/add_reference_tables.mdoc.md rename to layouts/shortcodes/mdoc/en/security/cloud_siem/add_reference_tables.mdoc.md 
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/anomaly_query.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/anomaly_query.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/anomaly_query.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/anomaly_query.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_options.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/content_anomaly_options.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_options.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/content_anomaly_options.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_query.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/content_anomaly_query.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/content_anomaly_query.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/content_anomaly_query.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/create_suppression.en.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/create_suppression.mdoc.md
similarity index 87%
rename from layouts/shortcodes/mdoc/en/cloud_siem/create_suppression.en.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/create_suppression.mdoc.md
index 601b631d974..06a6dc82e3e 100644
--- a/layouts/shortcodes/mdoc/en/cloud_siem/create_suppression.en.md
+++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/create_suppression.mdoc.md
@@ -1,6 +1,6 @@ (Optional) Create a suppression or add the rule to an existing suppression to prevent a signal from getting generated in specific cases. For example, if a user `john.doe` is triggering a signal, but their actions are benign and you do not want signals triggered from this user, add the following query into the **Add a suppression query** field: `@user.username:john.doe`. -#### Create new suppression +### Create new suppression 1. Enter a name for the suppression rule. 1. (Optional) Enter a description. @@ -8,9 +8,7 @@ 1. (Optional) Add a log exclusion query to exclude logs from being analyzed. These queries are based on **log attributes**. - **Note**: The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule's **Add a suppression query** step. -#### Add to existing suppression +### Add to existing suppression 1. Click **Add to Existing Suppression**. -1. Select an existing suppression in the dropdown menu. - - +1. Select an existing suppression in the dropdown menu. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/enable_decrease_severity.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/enable_decrease_severity.mdoc.md similarity index 100% rename from layouts/shortcodes/mdoc/en/cloud_siem/enable_decrease_severity.mdoc.md rename to layouts/shortcodes/mdoc/en/security/cloud_siem/enable_decrease_severity.mdoc.md diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/enable_group_by.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/enable_group_by.mdoc.md similarity index 100% rename from layouts/shortcodes/mdoc/en/cloud_siem/enable_group_by.mdoc.md rename to layouts/shortcodes/mdoc/en/security/cloud_siem/enable_group_by.mdoc.md 
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/enable_instantaneous_baseline.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/enable_instantaneous_baseline.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/enable_instantaneous_baseline.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/enable_instantaneous_baseline.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/forget_value.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/forget_value.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/forget_value.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/forget_value.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/impossible_travel_query.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/impossible_travel_query.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/impossible_travel_query.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/impossible_travel_query.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/job_multi_triggering.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/job_multi_triggering.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/job_multi_triggering.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/job_multi_triggering.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/new_value_query.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/new_value_query.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/new_value_query.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/new_value_query.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/rule_multi_triggering.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/rule_multi_triggering.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_anomaly.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_anomaly.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_anomaly.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_anomaly.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_content_anomaly.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_content_anomaly.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_content_anomaly.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_content_anomaly.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_severity_notify_only.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_severity_notify_only.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_severity_notify_only.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_severity_notify_only.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_then_operator.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_then_operator.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_third_party.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_third_party.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_third_party.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_third_party.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_threshold.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_threshold.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/set_conditions_threshold.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_threshold.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/threshold_query.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/threshold_query.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/threshold_query.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/threshold_query.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/cloud_siem/unit_testing.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/unit_testing.mdoc.md
similarity index 100%
rename from layouts/shortcodes/mdoc/en/cloud_siem/unit_testing.mdoc.md
rename to layouts/shortcodes/mdoc/en/security/cloud_siem/unit_testing.mdoc.md
diff --git a/layouts/shortcodes/mdoc/en/security/security-rule-say-whats-happening.mdoc.md b/layouts/shortcodes/mdoc/en/security/security-rule-say-whats-happening.mdoc.md
new file mode 100644
index 00000000000..55204b52872
--- /dev/null
+++ b/layouts/shortcodes/mdoc/en/security/security-rule-say-whats-happening.mdoc.md
@@ -0,0 +1,11 @@
+1. Enter a **Rule name**. The name appears in the detection rules list view and the title of the security signal.
+1. In the **Rule message** section, use [notification variables][201] and Markdown to customize the notifications sent when a signal is generated.
+ - You can use [template variables][202] in the notification to inject dynamic context from triggered logs directly into a security signal and its associated notifications.
+ - See the [Notification Variables documentation][201] for more information and examples.
+1. Use the **Tag resulting signals** dropdown menu to add tags to your signals. For example, `security:attack` or `technique:T1110-brute-force`.
+ {% alert level="info" %}
+ The tag `security` is special. This tag is used to classify the security signal. The recommended options are `attack`, `threat-intel`, `compliance`, `anomaly`, and `data-leak`.
+ {% /alert %}
+
+[201]: /security_platform/notifications/variables/
+[202]: /security_platform/notifications/variables/#template-variables
\ No newline at end of file
From 76906992f559967a19ab40bfcbdd701cd6aba6c4 Mon Sep 17 00:00:00 2001
From: Janine Chan <64388808+janine-c@users.noreply.github.com>
Date: Fri, 13 Mar 2026 12:31:09 -0600
Subject: [PATCH 4/5] Replace inline notes with note tags
---
 .../custom_detection_rules/create_rule/_index.mdoc.md | 8 ++++++--
 .../en/security/cloud_siem/create_suppression.mdoc.md | 4 +++-
 .../cloud_siem/set_conditions_then_operator.mdoc.md | 4 +++-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
index 1679c5db39c..06256ace695 100644
--- a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
+++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md @@ -145,9 +145,13 @@ All logs and events matching this query are analyzed for potential impossible tr For the current step and the next step: 1. In the **within** dropdown menu, select an evaluation window for the transition. - - **Note**: The total evaluation time across the sequence can be up to 24 hours. + {% alert level="info" %} + The total evaluation time across the sequence can be up to 24 hours. + {% /alert %} 1. Follow the instructions in [Add step](#add-step) to complete the step. - - **Note**: You can select different `group by` fields between steps. For example, link `@usr.email`from an earlier step to `@ip.address` in a later step. + {% alert level="info" %} + You can select different `group by` fields between steps. For example, link `@usr.email`from an earlier step to `@ip.address` in a later step. + {% /alert %} 1. Click **Add Step** if you want to add more steps. ### Severity and notification diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/create_suppression.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/create_suppression.mdoc.md index 06a6dc82e3e..6730344c98b 100644 --- a/layouts/shortcodes/mdoc/en/security/cloud_siem/create_suppression.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/create_suppression.mdoc.md @@ -6,7 +6,9 @@ 1. (Optional) Enter a description. 1. Enter a suppression query. 1. (Optional) Add a log exclusion query to exclude logs from being analyzed. These queries are based on **log attributes**. - - **Note**: The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule's **Add a suppression query** step. + {% alert level="info" %} + The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule's **Add a suppression query** step. + {% /alert %} ### Add to existing suppression 
diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md index a80688ef932..6ca8f4498a1 100644 --- a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md @@ -1,6 +1,8 @@ 1. If you want to create a simple condition, leave the selection as is. If you want to create a `then` condition, click **THEN condition**. - Use the **Then condition** when you want to trigger a signal if query A occurs and then query B occurs. - - **Note**: The `then` operator can only be used on a single rule condition. + {% alert level="info" %} + The `then` operator can only be used on a single rule condition. + {% /alert %} 1. (Optional) Click the pencil icon next to **Condition 1** if you want to rename the condition. This name is appended to the rule name when a signal is generated. 1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`). 1. If you are creating a **Simple condition**, enter the condition when a signal should be created. If you are creating a **Then condition**, enter the conditions required for a signal to be generated. From 43de641f0ec5c49eace7ff7c76fda73fa15a7f6c Mon Sep 17 00:00:00 2001 
From: Janine Chan <64388808+janine-c@users.noreply.github.com>
Date: Fri, 13 Mar 2026 17:21:31 -0600
Subject: [PATCH 5/5] Some content refreshing
---
 .../create_rule/_index.mdoc.md | 235 +++++++++++++-----
 .../security/cloud_siem/group_signals.mdoc.md | 1 +
 .../impossible_travel_query.mdoc.md | 2 +-
 .../cloud_siem/new_value_query.mdoc.md | 4 +-
 .../set_conditions_content_anomaly.mdoc.md | 2 +-
 .../set_conditions_then_operator.mdoc.md | 2 +-
 .../set_conditions_third_party.mdoc.md | 2 +-
 .../set_conditions_threshold.mdoc.md | 6 +-
 8 files changed, 176 insertions(+), 78 deletions(-)
 create mode 100644 layouts/shortcodes/mdoc/en/security/cloud_siem/group_signals.mdoc.md
diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
index 06256ace695..9bc6abdca95 100644
--- a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
+++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/_index.mdoc.md
@@ -32,7 +32,14 @@ Historical jobs are one-time executable queries on historical logs used to backt 1. {% if equals($cloud_siem_detection_rule_type, "real_time_rule") %}Select **Real-Time Rule**.{% /if %} {% if equals($cloud_siem_detection_rule_type, "scheduled_rule") %}Select **Scheduled Rule**.{% /if %} {% if equals($cloud_siem_detection_rule_type, "historical_job") %}Select **Historical job**, then select the **Logs Index** and **Timerange** for the job.{% /if %} -1. Select the detection method you want to use for creating signals. +1. {% if equals($cloud_siem_detection_rule_search_query, "threshold") %}Select the **Threshold** detection method.{% /if %} +{% if equals($cloud_siem_detection_rule_search_query, "new_value") %}Select the **New value** detection method.{% /if %} +{% if equals($cloud_siem_detection_rule_search_query, "anomaly") %}Select the **Anomaly** detection method.{% /if %} +{% if equals($cloud_siem_detection_rule_search_query, "content_anomaly") %}Select the **Content Anomaly** detection method.{% /if %} +{% if equals($cloud_siem_detection_rule_search_query, "impossible_travel") %}Select the **Impossible travel** detection method.{% /if %} +{% if equals($cloud_siem_detection_rule_search_query, "third_party") %}Select the **Third party** detection method.{% /if %} +{% if equals($cloud_siem_detection_rule_search_query, "sequence") %}Select the **Sequence** detection method.{% /if %} +{% if equals($cloud_siem_detection_rule_search_query, "signal_correlation") %}Select the **Signal correlation** detection method.{% /if %} ## Define your search query 
@@ -157,7 +164,7 @@ For the current step and the next step: ### Severity and notification 1. In the **Trigger** dropdown menu, select the severity status. -1. (Optional) In the **Add notify** section, click **Add Recipient** to configure [notification targets][3]. +1. (Optional) In the **And notify** section, click **Add Recipient** to configure [notification targets][3]. - You can create [notification rules][4] to manage notifications automatically, avoiding manual edits for each detection rule. ### Review the sequence preview @@ -188,7 +195,7 @@ Choose the query language you want to use. {% img src="security/security_monitoring/detection_rules/threshold_20250310.png" alt="Define the search query" style="width:100%;" /%} 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. -1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. If you are using an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. {% partial file="security/cloud_siem/threshold_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: 
@@ -230,7 +237,7 @@ In Datadog, SQL queries are compatible with data stored in [datasets][6]. You ca {% img src="security/security_monitoring/detection_rules/new_value_20250310.png" alt="Define the search query" style="width:100%;" /%} 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. -1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. If you are using an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. {% partial file="security/cloud_siem/new_value_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: @@ -247,7 +254,7 @@ In Datadog, SQL queries are compatible with data stored in [datasets][6]. You ca {% img src="security/security_monitoring/detection_rules/anomaly_query.png" alt="Define the search query" style="width:100%;" /%} 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. -1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. If you are using an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. {% partial file="security/cloud_siem/anomaly_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: 
@@ -264,7 +271,7 @@ In Datadog, SQL queries are compatible with data stored in [datasets][6]. You ca {% img src="security/security_monitoring/detection_rules/content_anomaly_query.png" alt="Define the search query" style="width:100%;" /%} 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. -1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. If you are using an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. {% partial file="security/cloud_siem/content_anomaly_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: @@ -284,7 +291,7 @@ All logs and events matching this query are analyzed for potential impossible tr {% /alert %} 1. To search Audit Trail events or events from Events Management, click the down arrow next to **Logs** and select **Audit Trail** or **Events**. -1. If you are an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. +1. If you are using an add-on and see the **Index** dropdown menu, select the index of logs you want to analyze. 1. Construct a search query for your logs or events using the [Log Explorer search syntax][1]. {% partial file="security/cloud_siem/impossible_travel_query.mdoc.md" /%} 1. (Optional) To create calculated fields that transform your logs during query time: 
@@ -438,17 +445,22 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-threshold %} +#### Rule multi-triggering {% #rule-multi-triggering-rt-threshold %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-threshold %} +#### Decrease severity for non-production environments {% #decrease-severity-rt-threshold %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-rt-threshold %} +#### Enable optional group by {% #enable-group-by-rt-threshold %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-rt-threshold %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} + {% /if %} 
@@ -459,21 +471,29 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Forget value {% #forget-value-rt-new-value%} +#### Forget value {% #forget-value-rt-new-value%} {% partial file="security/cloud_siem/forget_value.mdoc.md" /%} -#### 2. Rule multi-triggering behavior {% #rule-multi-triggering-rt-new-value%} +#### Rule multi-triggering behavior {% #rule-multi-triggering-rt-new-value%} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 3. Decrease severity for non-production environments {% #decrease-severity-new-value%} +#### Decrease severity for non-production environments {% #decrease-severity-new-value%} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 4. Enable optional group by {% #enable-group-by-rt-new-value%} +#### Enable optional group by {% #enable-group-by-rt-new-value%} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-rt-new-value %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} + +#### Enable instantaneous baseline {% #enable-instantaneous-baseline-new-value %} + +{% partial file="security/cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} {% /if %} 
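Review bot: The renumbered heading lines keep the anchor form without a space before the closing delimiter (`{% #forget-value-rt-new-value%}`, and the same for the multi-triggering, decrease-severity and group-by ids in this section), while every other section on the page writes `{% #id %}`; since the commit rewrites these lines anyway, normalise them, e.g. `#### Forget value {% #forget-value-rt-new-value %}`. The new `{% #enable-instantaneous-baseline-new-value %}` id also lacks the `-rt-` infix its neighbour `group-signals-rt-new-value` carries, and the historical hunk at `@@ -751` has the same naming gap with `#job-multi-triggering-threshold` next to `enable-group-by-historical-threshold`. Together with `@@ -621` and `@@ -751`, this hunk moves the instantaneous-baseline parameter from the scheduled and historical new-value sections to the real-time one only; if the option is still offered for scheduled rules or historical jobs, those removals drop it from the docs, so it is worth confirming against the rule editor. The enclosing `{% if ... %}` block for this section opens outside the hunk.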
@@ -484,17 +504,21 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-anomaly %} +#### Rule multi-triggering {% #rule-multi-triggering-rt-anomaly %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-anomaly %} +#### Decrease severity for non-production environments {% #decrease-severity-rt-anomaly %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-rt-anomaly %} +#### Enable optional group by {% #enable-group-by-rt-anomaly %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-rt-anomaly %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -505,21 +529,25 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Content anomaly detection {% #content-anomaly-rt-content-anomaly %} +#### Content anomaly detection {% #content-anomaly-rt-content-anomaly %} {% partial file="security/cloud_siem/content_anomaly_options.mdoc.md" /%} -#### 2. Rule multi-triggering behavior {% #rule-multi-triggering-rt-content-anomaly %} +#### Rule multi-triggering behavior {% #rule-multi-triggering-rt-content-anomaly %} {% partial file="security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} -#### 3. Decrease severity for non-production environments {% #decrease-severity-rt-content-anomaly %} +#### Decrease severity for non-production environments {% #decrease-severity-rt-content-anomaly %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 4. Enable optional group by {% #enable-group-by-rt-content-anomaly %} +#### Enable optional group by {% #enable-group-by-rt-content-anomaly %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-rt-content-anomaly %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -530,17 +558,21 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-impossible-travel %} +#### Rule multi-triggering {% #rule-multi-triggering-rt-impossible-travel %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-impossible-travel %} +#### Decrease severity for non-production environments {% #decrease-severity-rt-impossible-travel %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-rt-impossible-travel %} +#### Enable optional group by {% #enable-group-by-rt-impossible-travel %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-rt-impossible-travel %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -551,28 +583,36 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Decrease severity for non-production environments {% #decrease-severity-rt-third-party %} +#### Decrease severity for non-production environments {% #decrease-severity-rt-third-party %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 2. Enable optional group by {% #enable-group-by-rt-third-party %} +#### Enable optional group by {% #enable-group-by-rt-third-party %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-rt-third-party %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "real_time_rule"),equals($cloud_siem_detection_rule_search_query, "sequence")) %} -#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-sequence %} +#### Rule multi-triggering {% #rule-multi-triggering-rt-sequence %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-sequence %} +#### Decrease severity for non-production environments {% #decrease-severity-rt-sequence %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-rt-sequence %} +#### Enable optional group by {% #enable-group-by-rt-sequence %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-rt-sequence %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -583,11 +623,11 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-rt-signal-correlation %} +#### Rule multi-triggering {% #rule-multi-triggering-rt-signal-correlation %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-rt-signal-correlation %} +#### Decrease severity for non-production environments {% #decrease-severity-rt-signal-correlation %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} {% /if %} @@ -600,17 +640,21 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-schedule-threshold %} +#### Rule multi-triggering {% #rule-multi-triggering-scheduled-threshold %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-schedule-threshold %} +#### Decrease severity for non-production environments {% #decrease-severity-scheduled-threshold %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-schedule-threshold %} +#### Enable optional group by {% #enable-group-by-scheduled-threshold %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-scheduled-threshold %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
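Review bot: The second hunk renames the fragment ids from `-schedule-threshold` to `-scheduled-threshold` (`#rule-multi-triggering-scheduled-threshold`, `#decrease-severity-scheduled-threshold`, `#enable-group-by-scheduled-threshold`), which silently breaks any inbound link that targets the old fragments. Search the docs and any redirect or alias configuration for `schedule-threshold` before merging, or keep the old ids if they are linked from elsewhere. The enclosing `{% if ... %}` blocks for both hunks open outside the shown lines.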
@@ -621,25 +665,25 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Forget value {% #forget-value-scheduled-new-value %} +#### Forget value {% #forget-value-scheduled-new-value %} {% partial file="security/cloud_siem/forget_value.mdoc.md" /%} -#### 2. Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-new-value %} +#### Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-new-value %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 3. Decrease severity for non-production environments {% #decrease-severity-scheduled-new-value %} +#### Decrease severity for non-production environments {% #decrease-severity-scheduled-new-value %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 4. Enable optional group by {% #enable-group-by-scheduled-new-value %} +#### Enable optional group by {% #enable-group-by-scheduled-new-value %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} -#### 5. Enable instantaneous baseline {% #enable-instantaneous-baseline-new-value %} +#### Group signals {% #group-signals-scheduled-new-value %} -{% partial file="security/cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -650,17 +694,21 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-anomaly %} +#### Rule multi-triggering {% #rule-multi-triggering-scheduled-anomaly %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-anomaly %} +#### Decrease severity for non-production environments {% #decrease-severity-scheduled-anomaly %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-scheduled-anomaly %} +#### Enable optional group by {% #enable-group-by-scheduled-anomaly %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-scheduled-anomaly %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -671,21 +719,25 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Content anomaly detection {% #content-anomaly-scheduled-content-anomaly %} +#### Content anomaly detection {% #content-anomaly-scheduled-content-anomaly %} {% partial file="security/cloud_siem/content_anomaly_options.mdoc.md" /%} -#### 2. Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-content-anomaly %} +#### Rule multi-triggering behavior {% #rule-multi-triggering-scheduled-content-anomaly %} {% partial file="security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} -#### 3. Decrease severity for non-production environments {% #decrease-severity-scheduled-content-anomaly %} +#### Decrease severity for non-production environments {% #decrease-severity-scheduled-content-anomaly %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 4. Enable optional group by {% #enable-group-by-scheduled-content-anomaly %} +#### Enable optional group by {% #enable-group-by-scheduled-content-anomaly %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-scheduled-content-anomaly %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -696,17 +748,21 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-impossible-travel %} +#### Rule multi-triggering {% #rule-multi-triggering-scheduled-impossible-travel %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-impossible-travel %} +#### Decrease severity for non-production environments {% #decrease-severity-scheduled-impossible-travel %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-scheduled-impossible-travel %} +#### Enable optional group by {% #enable-group-by-scheduled-impossible-travel %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-scheduled-impossible-travel %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} @@ -717,13 +773,17 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Decrease severity for non-production environments {% #decrease-severity-scheduled-third-party %} +#### Decrease severity for non-production environments {% #decrease-severity-scheduled-third-party %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} -#### 2. Enable optional group by {% #enable-group-by-scheduled-third-party %} +#### Enable optional group by {% #enable-group-by-scheduled-third-party %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-scheduled-third-party %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
@@ -734,13 +794,17 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Rule multi-triggering {% #rule-multi-triggering-scheduled-signal-correlation %} +#### Rule multi-triggering {% #rule-multi-triggering-scheduled-signal-correlation %} {% partial file="security/cloud_siem/rule_multi_triggering.mdoc.md" /%} -#### 2. Decrease severity for non-production environments {% #decrease-severity-scheduled-signal-correlation %} +#### Decrease severity for non-production environments {% #decrease-severity-scheduled-signal-correlation %} {% partial file="security/cloud_siem/enable_decrease_severity.mdoc.md" /%} + +#### Group signals {% #group-signals-scheduled-signal-correlation %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
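Review bot: The real-time signal-correlation section at `@@ -583` is not given the **Group signals** heading that this hunk adds for scheduled signal correlation, so the two rule types now document different parameter sets for the same detection method. If the toggle is available for real-time signal-correlation rules as well, the same three lines (`#### Group signals {% #group-signals-rt-signal-correlation %}` plus the `group_signals.mdoc.md` partial) belong there too; if it is a genuine product difference, a one-line sentence saying so in the real-time section would stop readers from hunting for the toggle. The enclosing `{% if ... %}` block opens outside the hunk.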
@@ -751,48 +815,67 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Job multi-triggering {% #job-multi-triggering-threshold %} +#### Job multi-triggering {% #job-multi-triggering-threshold %} {% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} -#### 2. Enable optional group by {% #enable-group-by-historical-threshold %} +#### Enable optional group by {% #enable-group-by-historical-threshold %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-historical-threshold %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "new_value")) %} - ### Other parameters -#### 1. Forget value {% #forget-value-historical-new-value %} +#### Forget value {% #forget-value-historical-new-value %} {% partial file="security/cloud_siem/forget_value.mdoc.md" /%} -#### 2. Job multi-triggering behavior {% #job-multi-triggering-historical-new-value %} +#### Job multi-triggering behavior {% #job-multi-triggering-historical-new-value %} {% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-historical-new-value %} +#### Enable optional group by {% #enable-group-by-historical-new-value %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} -#### 4. Enable instantaneous baseline {% #enable-instantaneous-baseline-new-value %} +#### Group signals {% #group-signals-historical-new-value %} -{% partial file="security/cloud_siem/enable_instantaneous_baseline.mdoc.md" /%} +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "anomaly")) %} ### Other parameters -#### 1. 
Job multi-triggering {% #job-multi-triggering-historical-anomaly %} +#### Job multi-triggering {% #job-multi-triggering-historical-anomaly %} {% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} -#### 2. Enable optional group by {% #enable-group-by-historical-anomaly %} +#### Enable optional group by {% #enable-group-by-historical-anomaly %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-historical-anomaly %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} + +#### Bucket duration + +In the **Bucket Duration** dropdown, select a duration over which to measure percentiles. + +#### Learning duration + +In the **Learning Duration** dropdown, select an amount of time for the rule to learn new values. + +#### Learning period alerts + +In the **Learning Period Alerts** dropdown, choose whether you want Cloud SIEM to send alerts during the learning period. {% /if %} 
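Review bot: The three headings added at the end of the hunk (`#### Bucket duration`, `#### Learning duration`, `#### Learning period alerts`) are the only `####` parameter headings in these sections without a Markdoc id annotation, so they cannot be deep-linked the way their siblings can; add ids in the existing pattern, e.g. `#### Bucket duration {% #bucket-duration-historical-anomaly %}`. The Learning duration sentence says the rule learns "new values", wording that belongs to the new-value method; if the anomaly method learns a baseline over the bucketed measurements, say so to avoid conflating the two. These three parameters appear only under the historical anomaly section and not under the real-time (`@@ -484`) or scheduled (`@@ -650`) anomaly sections, which is worth confirming unless `anomaly_query.mdoc.md` already covers them for those rule types.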
@@ -813,30 +896,38 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters -#### 1. Content anomaly detection {% #content-anomaly-historical-content-anomaly %} +#### Content anomaly detection {% #content-anomaly-historical-content-anomaly %} {% partial file="security/cloud_siem/content_anomaly_options.mdoc.md" /%} -#### 2. Job multi-triggering behavior {% #job-multi-triggering-historical-content-anomaly %} +#### Job multi-triggering behavior {% #job-multi-triggering-historical-content-anomaly %} {% partial file="security/cloud_siem/rule_multi_triggering_content_anomaly.mdoc.md" /%} -#### 3. Enable optional group by {% #enable-group-by-historical-content-anomaly %} +#### Enable optional group by {% #enable-group-by-historical-content-anomaly %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-historical-content-anomaly %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} {% if and(equals($cloud_siem_detection_rule_type, "historical_job"),equals($cloud_siem_detection_rule_search_query, "impossible_travel")) %} ### Other parameters -#### 1. Job multi-triggering {% #job-multi-triggering-historical-anomaly %} +#### Job multi-triggering {% #job-multi-triggering-historical-anomaly %} {% partial file="security/cloud_siem/job_multi_triggering.mdoc.md" /%} -#### 2. Enable optional group by {% #enable-group-by-historical-anomaly %} +#### Enable optional group by {% #enable-group-by-historical-anomaly %} {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-historical-anomaly %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} 
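Review bot: The historical impossible-travel section in the second hunk reuses the historical-anomaly ids on its rewritten heading lines (`#job-multi-triggering-historical-anomaly`, `#enable-group-by-historical-anomaly`) and on the new `#### Group signals {% #group-signals-historical-anomaly %}`, so the page now carries each of those ids twice and deep links resolve to the anomaly section. Change them to `{% #job-multi-triggering-historical-impossible-travel %}`, `{% #enable-group-by-historical-impossible-travel %}` and `{% #group-signals-historical-impossible-travel %}`, matching the `-rt-impossible-travel` and `-scheduled-impossible-travel` ids used earlier in the file. In the first hunk the renamed `#### Job multi-triggering behavior` heading still pulls in `rule_multi_triggering_content_anomaly.mdoc.md`; if that partial describes rule rather than job semantics, the historical content-anomaly section should reference `job_multi_triggering.mdoc.md` like the other historical sections.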
@@ -849,7 +940,13 @@ All logs and events matching this query are analyzed for potential impossible tr ### Other parameters +#### Enable optional group by {% #enable-group-by-historical-third-party %} + {% partial file="security/cloud_siem/enable_group_by.mdoc.md" /%} + +#### Group signals {% #group-signals-historical-third-party %} + +{% partial file="security/cloud_siem/group_signals.mdoc.md" /%} {% /if %} diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/group_signals.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/group_signals.mdoc.md new file mode 100644 index 00000000000..63a64d73adb --- /dev/null +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/group_signals.mdoc.md @@ -0,0 +1 @@ +Toggle **Group signals** if you want to reduce the number of signals generated. Then, select one or more groups for which you want to generate one security signal each. \ No newline at end of file diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/impossible_travel_query.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/impossible_travel_query.mdoc.md index f0050f64696..9164a42e2a9 100644 --- a/layouts/shortcodes/mdoc/en/security/cloud_siem/impossible_travel_query.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/impossible_travel_query.mdoc.md 
@@ -2,7 +2,7 @@ 1. The **Location attribute** value is automatically set to `@network.client.geoip`. - The `location attribute` specifies which field holds the geographic information for a log. - The only supported value is `@network.client.geoip`, which is enriched by the [GeoIP parser][801] to give a log location information based on the client's IP address. -1. Click the **Baseline user locations** checkbox if you want Datadog to learn regular access locations before triggering a signal. +1. Select the **Baseline user locations** checkbox if you want Datadog to learn regular access locations before triggering a signal. - When selected, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. - See [How the impossible detection method works][802] for more information. diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/new_value_query.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/new_value_query.mdoc.md index 8769860afb4..81e39bc0142 100644 --- a/layouts/shortcodes/mdoc/en/security/cloud_siem/new_value_query.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/new_value_query.mdoc.md 
@@ -1,9 +1,9 @@ 1. In the **Detect new value** dropdown menu, select the attributes you want to detect. - - For example, if you create a query for successful user authentication with the following settings: + - For example, you can create a query for successful user authentication with the following settings: - **Detect new value** is `country` - **group by** is `user` - Learning duration is `after 7 days` - {% br /%}Then, logs coming in over the next 7 days are evaluated with those configured values. If a log comes in with a new value after the learning duration (`7 days`), a signal is generated, and the new value is learned to prevent future signals with this value. + {% br /%}Then, logs coming in over the next 7 days are evaluated with those configured values. If a log comes in with a new value after the learning duration (`7 days`), a signal is generated, and the new value is learned to prevent future signals with this value. - You can also identify users and entities using multiple **Detect new value** attributes in a single query. - For example, if you want to detect when a user signs in from a new device and from a country that they've never signed in from before, add `device_id` and `country_name` to the **Detect new value** field. 1. (Optional) Define a signal grouping in the **group by** dropdown menu. diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_content_anomaly.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_content_anomaly.mdoc.md index e1d39dab285..dcbca156ae4 100644 --- a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_content_anomaly.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_content_anomaly.mdoc.md 
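Review bot: The rewritten lead-in `For example, you can create a query for successful user authentication with the following settings:` is no longer a conditional, so the follow-up `{% br /%}Then, logs coming in over the next 7 days ...` has lost the "if" it answered; either keep `For example, if you create a query ... with the following settings:` or rephrase the follow-up as `{% br /%}With those settings, logs coming in over the next 7 days are evaluated ...`. The same paragraph states that a learned value prevents future signals for that value, which means the first signal a new value raises is the only one until the value is unlearned; a cross-reference to the **Forget value** parameter documented later on the page would help readers find how that baseline is reset, assuming that is what the partial describes.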
@@ -10,7 +10,7 @@ {% /alert %} 1. In the **within a window of** dropdown menu, select the time period during which a signal is triggered if the condition is met. - An `evaluation window` is specified to match when at least one of the cases matches true. This is a sliding window and evaluates cases in real time. -1. In the **Add notify** section, click **Add Recipient** to optionally configure [notification targets][101]. +1. In the **And notify** section, click **Add Recipient** to optionally configure [notification targets][101]. - You can also create [notification rules][102] to avoid manual edits to notification preferences for individual detection rules. [101]: /security_platform/notifications/#notification-channels diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md index 6ca8f4498a1..f0532d5b422 100644 --- a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_then_operator.mdoc.md @@ -12,7 +12,7 @@ {% alert level="info" %} The query label must precede the operator. For example, `a > 3` is allowed; `3 < a` is not allowed. {% /alert %} -1. In the **Add notify** section, click **Add Recipient** to optionally configure [notification targets][101]. +1. In the **And notify** section, click **Add Recipient** to optionally configure [notification targets][101]. - You can create [notification rules][102] to manage notifications automatically, avoiding manual edits for each detection rule. [101]: /security_platform/notifications/#notification-channels diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_third_party.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_third_party.mdoc.md index d6feb7f0f8c..0d1f0cd0f49 100644 
--- a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_third_party.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_third_party.mdoc.md @@ -2,7 +2,7 @@ 1. In the **Set severity to** dropdown menu, select the appropriate severity level (`INFO`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`). 1. In the **Query** field, enter the tags of a log that you want to trigger a signal. - For example, if you want logs with the tag `dev:demo` to trigger signals with a severity of `INFO`, enter `dev:demo` in the query field. Similarly, if you want logs with the tag `dev:prod` to trigger signals with a severity of `MEDIUM`, enter `dev:prod` in the query field. -1. (Optional) In the **Add notify** section, click **Add Recipient** to configure [notification targets][101]. +1. (Optional) In the **And notify** section, click **Add Recipient** to configure [notification targets][101]. - You can also create [notification rules][102] to avoid manual edits to notification preferences for individual detection rules. 1. For the `else` condition, follow steps 3 and 4. - The `else` condition is the default condition. If you don't add any other conditions, then all logs trigger a signal with the severity set in the default condition. diff --git a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_threshold.mdoc.md b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_threshold.mdoc.md index 02a5ca95a4b..e9d7bb392b4 100644 --- a/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_threshold.mdoc.md +++ b/layouts/shortcodes/mdoc/en/security/cloud_siem/set_conditions_threshold.mdoc.md 
@@ -1,6 +1,6 @@ 1. If you have a single query, skip to step 2. If you have multiple queries, you can create a **Simple condition** or **Then condition**. - - If you want to create a simple condition, leave the selection as is. - - If you want to create a `then` condition, click **THEN condition**. + - If you want to create a **simple** condition, leave the selection as is. + - If you want to create a **then** condition, click **THEN condition**. - Use the **Then condition** when you want to trigger a signal if query A occurs and then query B occurs. {% alert level="info" %} The `then` operator can only be used on a single rule condition. @@ -14,7 +14,7 @@ {% alert level="info" %} The query label must precede the operator. For example, `a > 3` is allowed; `3 < a` is not allowed. {% /alert %} -1. (Optional) In the **Add notify** section, click **Add Recipient** to configure [notification targets][101]. +1. (Optional) In the **And notify** section, click **Add Recipient** to configure [notification targets][101]. - You can also create [notification rules][102] to avoid manual edits to notification preferences for individual detection rules. [101]: /security_platform/notifications/#notification-channels