Use an existing rule to create a new Custom Detection Rule - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Navigate to Posture Management → Rules & Policies → Rules → Cloud Workload.

In the Cloud Workload Rules page, click the policy you want to enable or disable.

In the Details page, click the More Options icon (⋮) and then select Save as new.

Modify the fields as required.

Click Create to create the new custom detection rule.