Customizable Correlation Rule not generating Alerts

[Dunkaknee]

I am creating a Customizable Correlation rule to generate alerts whenever I receive logs from my Sentinel One integration for "Threat status changed" I can view the logs and when I filter by these fields the logs appear, but no alerts are generated

Here is my example Correlation Rule,

- name: "Sentinel One EDR Alert"
  severity: "High"
  description: "This alert is generated when an EDR Alert is sent"
  solution: "We recommend carefully reviewing the events in the Sentinel One portal"
  category: "SentinelOne EDR Alert"
  tactic: ""
  dataTypes: ["antivirus-sentinel-one"]
  reference: ""
  frequency: 60
  cache:
    - oneOf:
        - field: "logx.sentinel_one.act_msg"
          operator: "=="
          value: "Threat status changed"
        - field: "logx.sentinel_one.activityType"
          operator: "=="
          value: "4008"
      minCount: 1
      timeLapse: 60
      save:
        - field: "logx.sentinel_one.act_msg"
          alias: "Sentinel One Activity"
        - field: "logx.sentinel_one.activityID"
          alias: "Activity ID"
        - field: "logx.sentinel_one.activityType"
          alias: "Activity Type"
        - field: "logx.sentinel_one.severity"
          alias: "Severity"
        - field: "logx.sentinel_one.siteName"
          alias: "Site Name"

Below is an example Alert

@timestamp: "2024-12-17T16:21:17.286454752Z"
dataSource: "Hidden"
dataType: "antivirus-sentinel-one"
deviceTime: "2024-12-17T16:21:17.223610559Z"
host: "10.0.1.36"
id: "91935bed-208a-4e05-bea4-c24c25ce5a70"
logx:
sentinel_one:
accountId: "Hidden"
accountName: "Hidden"
act_msg: "Threat status changed"
activityID: "2107416621616565044"
activityType: "4008"
cat: "SystemEvent"
cef_version: "0"
deviceVersion: "S-24.2.6#171"
embDeviceProduct: "Mgmt"
embDeviceVendor: "SentinelOne"
fileHash: "ffffffffffffffffffffffffffffffffffffffff"
filePath: "/Volumes/test.pkg"
message: "<14>2024-12-17 16:21:17,212 sentinel - CEF:0|SentinelOne|Mgmt|S-24.2.6#171|4008|Threat status changed|1|osName=macOS fileHash=ffffffffffffffffffffffffffffffffffffffff filePath=/Volumes/test.pkg cat=SystemEvent rt=Tue, 17 Dec 2024, 16:20:38 UTC activityID=2107416621616565044 activityType=4008 siteId=Hidden siteName=Hidden accountId=Hidden accountName=Hidden notificationScope=SITE"
notificationScope: "SITE"
osName: "macOS"
rt: "Tue, 17 Dec 2024, 16:20:38 UTC"
severity: "1"
signatureID: "4008"
siteId: "Hidden"
siteName: "Hidden"

[c3s4rfred]

Hi, @Dunkaknee the alert has some issues, please read our documentation in -> https://docs.utmstack.com/Correlation%20Rules/README.html

• Go to the end of cache -> timeLapse section and see before 'search' examples, the alias that you can use in 'save' section of the rule. Check the way of use in the examples.

Best regards

[c3s4rfred]

Check in UTMStack's log explorer if the logs are actually entering in the platform and the corresponding index of sentinel one, and match the conditions. See the json view in log explorer, to see that the string doesn't have a space at the end or something like that.

[Dunkaknee]

SentinelOne_EDR_Alert.zip

[Dunkaknee]

Confirming that everything is indexing properly in the logs explorer and the strings don't end with a space in the json view
Also fixed the indentation for the alias at the bottom

[c3s4rfred]

Hi @Dunkaknee, please check the identation of the alias field, goes exactly above field word without tabulations
Original

Changed

Best regards

[Dunkaknee]

@c3s4rfred I fixed the indentation, but still do not receive alerts,

[c3s4rfred]

Hi, @Dunkaknee, restart the instance and send logs, if not fixed try this, remove the rule from utmstack web app, then got to settings from lateral menu, then index management section, once there, remove all alert indexes, after that, create de rule again using the app.

Let us know.
Best regards