Alert Rules
#879
Replies: 1 comment
-
Hi @V1dal9, that is the correct behavior. Please check @osmontero's answer in this discussion -> https://github.com/orgs/utmstack/discussions/817, where he gives some explanation of the correlation rules. If your rule's saved fields don't change their value, the rule won't be triggered again within 24 h; the logs will be grouped in the same rule. Best regards
0 replies
-
Hello!
I'm facing a problem when configuring rules in UTMStack. According to the documentation, I created a rule, and it was triggered correctly the first time I inserted it. However, when I try to repeat the process, i.e. trigger that same rule again, it is not working: it does not issue an alert.
Details of the problem:
Additional information:
I would like to know if there is any additional procedure to ensure that the rules are triggered correctly in subsequent executions or if there is some kind of limitation or bug that is preventing this.
Rule

```yaml
severity: "Medium"
description: "An instance of explorer.exe has been created."
solution: "Review the process creation and ensure it is legitimate."
category: "Process Creation"
tactic: "Execution"
dataTypes: ["wineventlog"]
reference:
frequency: 1
cache:
  - operator: "=="
    value: 4688 # Event ID for process creation
  - operator: "contains"
    value: "explorer.exe"
timeLapse: 3600
minCount: 1
save:
  - alias: "SourceUser"
  - alias: "SourceHost"
  - alias: "ProcessID"
  - alias: "ParentProcessName"
```
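The following is an added toy model, not UTMStack's engine or any code from this discussion, that illustrates the behavior described in the reply above against the rule posted in the question: an event that matches the rule's conditions (event code 4688, process name containing "explorer.exe") raises an alert the first time, and later matches whose saved fields (SourceUser, SourceHost, ProcessID, ParentProcessName) carry the same values are grouped into that alert for 24 h instead of raising a new one. The event keys, the choice to measure the 24 h window from the alert's first occurrence, and the `Correlator` class are assumptions made for the illustration.

```python
"""Toy model of alert grouping by saved fields (constructed example).

Not UTMStack's correlation engine: event keys, the window semantics and the
class below are assumptions chosen to illustrate the behavior described in
the discussion reply.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Conditions mirroring the posted rule. Event keys are assumed, not UTMStack's.
def matches_rule(event: dict) -> bool:
    return (
        event.get("eventCode") == 4688
        and "explorer.exe" in event.get("processName", "")
    )

# The rule's `save` aliases: their values form the grouping key.
SAVED_FIELDS = ("SourceUser", "SourceHost", "ProcessID", "ParentProcessName")
# The 24 h grouping window mentioned in the reply (assumed to start at first_seen).
GROUP_WINDOW = timedelta(hours=24)


@dataclass
class Alert:
    key: tuple
    first_seen: datetime
    last_seen: datetime
    count: int = 1


class Correlator:
    def __init__(self) -> None:
        self.alerts: dict[tuple, Alert] = {}

    def ingest(self, event: dict, now: datetime) -> str:
        """Return 'ignored', 'new' or 'grouped' for one event."""
        if not matches_rule(event):
            return "ignored"
        key = tuple(event.get(f) for f in SAVED_FIELDS)
        existing = self.alerts.get(key)
        if existing is not None and now - existing.first_seen < GROUP_WINDOW:
            # Same saved values inside the window: fold the log into the alert.
            existing.count += 1
            existing.last_seen = now
            return "grouped"
        # No open alert for these saved values (or the window elapsed): fire.
        self.alerts[key] = Alert(key=key, first_seen=now, last_seen=now)
        return "new"


def demo() -> list[str]:
    """Replay constructed events and report what happens to each."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    base = {  # constructed sample event
        "eventCode": 4688,
        "processName": r"C:\Windows\explorer.exe",
        "SourceUser": "alice",
        "SourceHost": "WS01",
        "ProcessID": 1234,
        "ParentProcessName": "userinit.exe",
    }
    c = Correlator()
    return [
        c.ingest(base, t0),                                               # new
        c.ingest(base, t0 + timedelta(hours=1)),                          # grouped
        c.ingest({**base, "ProcessID": 5678}, t0 + timedelta(hours=2)),   # new: saved field changed
        c.ingest({**base, "eventCode": 4689}, t0 + timedelta(hours=3)),   # ignored: not 4688
        c.ingest(base, t0 + timedelta(hours=25)),                         # new: window elapsed
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second event is the situation from the question: identical saved values shortly after the first alert, so it is grouped rather than raising a fresh alert. Changing any saved field (third event) yields a new grouping key and therefore a new alert, which is why the choice of `save` fields decides how often the rule fires.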