Add dataTypes field in fields reference and examples
Alayn Sanchez Nuñez committed Feb 2, 2024
1 parent f431f25 commit 9fb6731
Showing 2 changed files with 6 additions and 1 deletion.
5 changes: 5 additions & 0 deletions Correlation Rules/README.md
Expand Up @@ -34,6 +34,10 @@ If there is any category in which the alert can be grouped.

If there is an incident detected by this rule fits into any of the attack tactics.

**dataTypes**

Group of datatypes applied to a rule, means that only the logs with dataType field matching with at least one of these values will be processed by this rule. This field is an array of string values, so, you can place more than one value separated by comma.

**Reference**

A list of URLs where you can get more information about the attack.
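Review bot: the new **dataTypes** paragraph does not say what happens when the field is omitted from a rule (does the rule then run against logs of every dataType, or against none?), and since this field now gates whether a rule processes a log at all, that default matters for anyone tuning detections; please state it explicitly, and while there also say whether the match is exact and case-sensitive. The sentence itself would read more clearly split in two, e.g. "Group of dataTypes the rule applies to: only logs whose dataType field matches at least one of these values are processed by this rule." followed by "This field is an array of strings, so several values can be listed separated by commas." Note also the spelling: the heading uses `dataTypes` while the body says "datatypes"; keep the field name spelled as it appears in the YAML.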
Expand Down Expand Up @@ -289,6 +293,7 @@ We recommend using search when the analysis period exceeds 1h or the rule's comp
solution: Refer to NIST guidelines when creating password policies and set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.
category: User Account Authentication
tactic: "Brute Force: Password Guessing"
dataTypes: ["wineventlog"]
reference:
- "https://attack.mitre.org/techniques/T1110/001/"
frequency: 10
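Review bot: the example writes the array in YAML flow style, `dataTypes: ["wineventlog"]`, while the `reference` field immediately below it uses a block sequence (`- "https://attack.mitre.org/techniques/T1110/001/"`); since both are documented as lists of strings, either use one style for both or add a sentence to the field reference saying both forms are accepted, so readers copying this example do not assume flow style is required. It would also help to show a multi-value case here, since the reference text advertises "more than one value separated by comma" but the only example has a single entry.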
