UTMStack
Correlation Rules to Meaningful Alert? #1011
Replies: 1 comment 2 replies
-
|
Hi @hackdefendr the rules are grouped and named by datasource type, the only thing you have to do is send logs to the platform according to the rules that you want to check, for example: windows agent integration (sends windows event logs) -> windows rules. So, first you have to check the rules folder and then, send logs that matches the rules (the matching rules will raise). Best regards |
Beta Was this translation helpful? Give feedback.
-
|
You can add custom rules following our guides -> https://docs.utmstack.com/Correlation%20Rules/README.html and https://docs.utmstack.com/Correlation%20Rules/CustomizableRules.html |
Beta Was this translation helpful? Give feedback.
-
|
Thank-you for replying! So something must be wrong with my setup then? I currently have nearly 2 million records ingested, spread across a few integrations, but nothing is showing up in any of the alert related visuals. I can look and query the logs all day long, and they seem to be indexed properly with daily rollover. I even have a very talkative Windows 11 laptop feeding event logs and none of the Windows based rules are firing even when simple tests like failed logins are done. |
Beta Was this translation helpful? Give feedback.
-
I see all of the SYSTEM Correlation rules, but I have no idea what to do with them. I'm an experienced cybersecurity professional and system administrator, but I am at a loss here. I would expect that I should be able to edit a SYSTEM rule, customize it, save it, and start it some how. I am probably missing something.
For example:
/data/alert/alert-rule-managementis empty. How do I put rules in there so they become meaningful alerts?Regards,
Jeff
Beta Was this translation helpful? Give feedback.
All reactions