-
Hello,
Replies: 10 comments 1 reply
-
Giulio, can you post details of your log and the rule that should be triggered? I wonder if this is similar to the issue I'm having in Issue #808. Add a screenshot of your log from the "Log Explorer" search and then a screenshot of the rule that it should match. Check to see if the key/value pair in the "Log Explorer" view matches the key in the respective "Correlation Rule."
-
Hello, this is the log in question for Trend Micro (field names as shown in Log Explorer):

@timestamp, dataSource, dataType, deviceTime, id, logx.json_input.Canale di infezione, logx.json_input.Dominio, logx.json_input.Etichetta, logx.json_input.Event Name, logx.json_input.Generata, logx.json_input.IPv4 Address, logx.json_input.Indirizzo IPv6, logx.json_input.Nome del gruppo, logx.json_input.Nome dispositivo, logx.json_input.Nome file, logx.json_input.Nome virus/minaccia, logx.json_input.Operazione eseguita, logx.json_input.Percorso, logx.json_input.Product Name, logx.json_input.Ricevuto, logx.json_input.Tipo di scansione

And this is the correlation rule: Rule version v1.0.0

It worked just once, and now that I'm trying to generate new alerts of the same type with the same fields and the same information it won't work; no new alerts have been generated. What could be the problem?
-
I see. I've had the same problem too. The rule alert worked once and it wouldn't alert again.
-
Ok, I have modified the correlation rule like this and a new alert has been generated, but the problem is that all the new logs that I'm generating and sending to the console are not being treated as new alerts but included in the one already created: # Rule version v1.0.1

It is including every related log instead of creating a new alert for every one of them.
-
Sorry, can I have feedback about this?
-
The UTMStack correlation engine will group all similar events under the same alert, taking into account the source, destination, rule name, and other alert information. Unless new events are generated that are sufficiently different from the original alert, you will not see any new alerts and instead the events will be related under the same alert for the next 24 hours. Since this is the expected behavior I will move this to the discussions and close the issue.
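To illustrate the grouping behaviour described in the comment above, here is an added Python model of fingerprint-based alert grouping with a 24-hour window. It is not UTMStack's code: the grouping fields (rule name, source, destination) and the 24-hour window come from the comment; the event layout, the `correlate` function and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    fingerprint: tuple
    opened_at: datetime
    related_events: list = field(default_factory=list)


def fingerprint(event: dict) -> tuple:
    """Fields that make two events 'the same' for grouping.
    Rule name, source and destination are named in the comment above;
    treating them as the only key fields is an assumption of this model."""
    return (event["rule"], event["src"], event["dst"])


def correlate(events, window=timedelta(hours=24)):
    """Return the alerts produced for an event stream (sorted by time here).
    An event joins the most recent alert with the same fingerprint while that
    alert is younger than `window`; otherwise it opens a new alert. This is
    why repeating the same activity from the same host shows up as related
    events under one alert rather than as fresh alerts."""
    open_alerts = {}  # fingerprint -> most recently opened Alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = fingerprint(ev)
        current = open_alerts.get(key)
        if current is not None and ev["ts"] - current.opened_at < window:
            current.related_events.append(ev)
            continue
        current = Alert(key, ev["ts"], [ev])
        open_alerts[key] = current
        alerts.append(current)
    return alerts


# Constructed sample events modelled on the certutil scenario in this thread;
# hostnames and times are made up, "xx.x.xx" is the placeholder used above.
T0 = datetime(2023, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "rule": "certutil download", "src": "host-a", "dst": "xx.x.xx"},
    {"ts": T0 + timedelta(minutes=5), "rule": "certutil download", "src": "host-a", "dst": "xx.x.xx"},
    {"ts": T0 + timedelta(hours=1), "rule": "certutil download", "src": "host-a", "dst": "xx.x.xx"},
    {"ts": T0 + timedelta(hours=2), "rule": "certutil download", "src": "host-b", "dst": "xx.x.xx"},
    {"ts": T0 + timedelta(hours=25), "rule": "certutil download", "src": "host-a", "dst": "xx.x.xx"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a.fingerprint, a.opened_at, len(a.related_events))
```

With the sample stream, the three host-a events within the first hour collapse into one alert with three related events, the host-b event opens a second alert because its source differs, and the host-a event 25 hours later opens a third because the window has expired.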
-
Can we change that? If someone closes that case and the alert appears on another system, we won't get an alert to know other events have been triggered.
-
I ran the certutil.exe -urlcache -split http:/xx.x.xx a few times. The related logs only show one, which was the alert, and not the others. In the video, you can see the alert from today, just one. Then the log showing the one alert from View related logs. Then I show how in "Log Explorer" I can search for

RelatedAlertsNotShowing.webm
-
The problem is not on the related logs because all the logs related to the same events are correctly put under the same alert with the correct rule.
-
May I have feedback about this?
Hi @yallagr, please contact our sales team, they can help you with your questions about partnership and UTMStack capabilities. There are ways to achieve what you need, but it isn't recommended because a lot of alerts can be generated if you alter the correct behavior of the rules. Get in touch with our sales team to schedule a "Proof of concept".
Best regards