Working with a list of correlation rules
Note
This feature is in the Preview stage. To get access, contact tech support.
This section describes how to view a list of correlation rules, apply filters, and manage rule deployment.
Getting started
The Yandex SIEM section will appear in the Cloud Center interface as a Security Deck module after the access request is approved.
You need the ycem.editor role to use the service.
Viewing a list of rules
To view a list of correlation rules:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
You will see a list of all available rules and their statuses. Click a column header to sort the list by that column.
Rule filtering
To filter correlation rules based on specific criteria:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- Use the filters above the list:
  - Status: Healthy, Unhealthy, or Inactive.
  - Type: Preset or Custom.
  - Category: threat category.
  - Severity: trigger severity level.
The list will refresh to show only rules that match the selected criteria.
Staging a rule for deployment
To apply changes to a rule, stage it for deployment:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- In the rule's row, click the menu icon and select Mark for deployment.
The rule deployment status will switch to Will be deployed. Once deployment is complete, the status will change to Deployed.
Canceling rule deployment
To cancel a scheduled rule deployment:
- Go to Security Deck.
- In the left-hand panel, select Yandex SIEM.
- Navigate to Correlation rules.
- In the rule's row, click the menu icon and select Do not deploy.
The rule deployment status will switch back to Changed.