Description
Describe the bug
I am using UTMStack 10.5.6. I got it setup in a VM and the install went smoothly. I was able to login, I don't see any errors. However, I noticed that there were no alerts being generated. I reviewed the rules and tried generating events and nothing happened.
I then noticed that the key of the rules in the "Log Explorer" view and the "Manage Correlation rules" have a few differences. The rules below:
logx.wineventlog.event_data.ParentProcessName => logx.wineventlog.event_data.ParentImage
logx.wineventlog.event_data.ProcessName => logx.wineventlog.event_data.Image
are of interest. On the left is what is in the rules for Windows events, but on the right is what the Log Explorer is mapping the log key to. Once I updated all the Windows-based events, I started getting alerts. Namely, ParentProcessName and ProcessName are being logged as ParentImage and Image, respectively.
I also see that the logs are very similar to Sigma Rules. Can you all create a parser for Sigma rules to the UTMStack format or use the Sigma Rule format?
To Reproduce
Steps to reproduce the behavior:
- Go to Log Explorer and search for an event in logx.wineventlog.
- Click on Manage correlation rules.
- Scroll down to System => windows and open a rule. You'll notice the Log Explorer key is different than the rule for ProcessName and ParentProcessName.
- See error
Possible solution
The rules need to be updated to reflect that change for logx.wineventlog.
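As an added check (example code, not UTMStack's own), the script below resolves the field paths a correlation rule references against a sample logx.wineventlog event and suggests the renamed key when the mismatch is one this report describes. The sample event and the RENAMED_KEYS mapping are assumptions constructed from the key names in the issue.

```python
from typing import Any, Dict, List, Optional

# Constructed sample: the shape the Log Explorer shows for a process-creation
# event, using the key names (Image / ParentImage) reported in the issue.
SAMPLE_EVENT = {
    "logx": {
        "wineventlog": {
            "event_data": {
                "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "cmd.exe /c whoami",
            }
        }
    }
}

# Rule key -> key the Log Explorer actually maps the field to (from the report).
RENAMED_KEYS = {
    "logx.wineventlog.event_data.ParentProcessName": "logx.wineventlog.event_data.ParentImage",
    "logx.wineventlog.event_data.ProcessName": "logx.wineventlog.event_data.Image",
}


def lookup(event: Dict[str, Any], path: str) -> Any:
    """Walk a dotted field path through nested dicts; None if any hop is missing."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_rule_fields(rule_fields: List[str], event: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Return one entry per rule field that does NOT resolve in the event.

    The value is the suggested replacement key from RENAMED_KEYS, or None when
    no known rename applies (the rule would silently never match).
    """
    report: Dict[str, Optional[str]] = {}
    for field in rule_fields:
        if lookup(event, field) is None:
            report[field] = RENAMED_KEYS.get(field)
    return report


if __name__ == "__main__":
    rule = ["logx.wineventlog.event_data.ProcessName",
            "logx.wineventlog.event_data.ParentProcessName",
            "logx.wineventlog.event_data.CommandLine"]
    for field, fix in check_rule_fields(rule, SAMPLE_EVENT).items():
        print(f"missing: {field} -> {'rename to ' + fix if fix else 'no known mapping'}")
```

Running it against the constructed event flags ProcessName and ParentProcessName (with their Image / ParentImage replacements) and leaves CommandLine alone, which is the same mismatch that kept the stock rules from firing.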