How can I test the created Correlation rule? #949

@oguz6578

How can I test the created Correlation rule?

I am writing a sample correlation rule. First I open a new folder and create an xxxxxxxx.yml file in it.

Rule version v1.0.0

```yaml
- name: "Traefik: Multiple 404 Errors Detected"
  severity: "Medium"
  description: "This alarm triggers when multiple 404 (Not Found) errors are detected from the same client within a short time period."
  solution: "Investigate the source of the requests and the requested paths. This could indicate a misconfigured client, broken links, or potential scanning activity."
  category: "Web Application Security"
  tactic: "Discovery"
  dataTypes: ["traefik"]
  reference:
    - "https://doc.traefik.io/traefik/observability/access-logs/"
    - "https://attack.mitre.org/tactics/TA0007/"
  frequency: 300 # Rule evaluation frequency in seconds
  cache:
    - allOf:
        - field: "logx.traefik.message.DownstreamStatus"
          operator: "=="
          value: "404"
      # minCount, timeLapse and save apply to the whole cache entry: they sit beside allOf,
      # not inside the field condition
      minCount: 5 # Alert after 5 occurrences
      timeLapse: 300 # Time window of 5 minutes
      save:
        - field: "logx.traefik.message.ClientAddr"
          alias: "SourceIP"
        - field: "logx.traefik.message.RequestMethod"
          alias: "Method"
        - field: "logx.traefik.message.RequestPath"
          alias: "Path"
        - field: "logx.traefik.message.RequestHost"
          alias: "Host"
        - field: "logx.traefik.message.StartUTC"
          alias: "Timestamp"
        - field: "logx.traefik.message.DownstreamStatus"
          alias: "DownstreamStatus"
        - field: "logx.traefik.message.OriginStatus"
          alias: "OriginStatus"
```

However, it does not generate alarms. How can I check why it does not, or how can I create this rule correctly?

Example `logx.traefik.message` event:

```json
{"ClientAddr":"94.55.60.203:45707","ClientHost":"94.55.60.203","ClientPort":"45707","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":404,"Duration":1225165,"OriginContentSize":0,"OriginDuration":1063088,"OriginStatus":204,"Overhead":162077,"RequestAddr":"api.xxxx.com","RequestContentSize":0,"RequestCount":1388894,"RequestHost":"api.xxxx.com","RequestMethod":"OPTIONS","RequestPath":"/api/UserVallet/GetUserVallet","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"backend-app-https@swarm","ServiceAddr":"10.0.1.246:5005","ServiceName":"backend-app@swarm","ServiceURL":"http://10.0.1.246:5005","StartLocal":"2025-01-20T14:45:14.225476445Z","StartUTC":"2025-01-20T14:45:14.225476445Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2025-01-20T14:45:14Z"}
```
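One way to test the rule's logic offline before loading it into the platform, as an added example that is neither the correlation engine's code nor the issue author's: a small Python replay of the allOf / minCount / timeLapse / save semantics over constructed Traefik JSON access-log lines shaped like the event quoted above. It assumes the engine compares field values as strings (so the quoted `"404"` matches the numeric `404` in the log) and counts matches in a sliding window; field names are read straight from the JSON rather than through the `logx.traefik.message` prefix.

```python
import json
from collections import deque
from datetime import datetime, timedelta, timezone

RULE = {  # constructed stand-in for the posted rule: one allOf condition, a count and a window
    "allOf": [{"field": "DownstreamStatus", "operator": "==", "value": "404"}],
    "minCount": 5, "timeLapse": 300,  # alert after 5 matching events within 300 seconds
    "save": [("ClientAddr", "SourceIP"), ("RequestPath", "Path")],
}

def parse_ts(s):
    """Parse Traefik's StartUTC; it has nanoseconds, and strptime's %f takes at most six digits."""
    base, frac = s.rstrip("Z").split(".")
    t = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return t + timedelta(microseconds=int(frac[:6].ljust(6, "0")))

def matches(event, cond):
    """Compare as strings so the quoted "404" in the rule matches the numeric 404 in the log."""
    if cond["operator"] != "==":
        raise ValueError(f"unsupported operator {cond['operator']}")
    return cond["field"] in event and str(event[cond["field"]]) == str(cond["value"])

def evaluate(lines, rule):
    """Replay log lines through a sliding window; like the posted allOf, it counts matches regardless of client."""
    window, alerts = deque(), []  # window holds timestamps of matches inside the last timeLapse seconds
    for ev in map(json.loads, lines):
        if not all(matches(ev, c) for c in rule["allOf"]):
            continue
        ts = parse_ts(ev["StartUTC"])
        window.append(ts)
        while (ts - window[0]).total_seconds() > rule["timeLapse"]:
            window.popleft()
        if len(window) >= rule["minCount"]:
            alerts.append({alias: ev.get(field) for field, alias in rule["save"]})
            window.clear()  # one alert per burst
    return alerts

def log_line(ts, status, path):  # constructed minimal Traefik JSON access-log line
    return json.dumps({"ClientAddr": "94.55.60.203:45707", "DownstreamStatus": status,
                       "RequestMethod": "GET", "RequestPath": path, "StartUTC": ts})

SAMPLE = [  # constructed: five 404s inside five minutes, one 200 in between, then an isolated 404
    log_line("2025-01-20T14:45:14.225476445Z", 404, "/api/a"),
    log_line("2025-01-20T14:45:30.000000000Z", 200, "/api/ok"),
    log_line("2025-01-20T14:46:02.100000000Z", 404, "/api/b"),
    log_line("2025-01-20T14:47:10.000000000Z", 404, "/api/c"),
    log_line("2025-01-20T14:48:00.000000000Z", 404, "/api/d"),
    log_line("2025-01-20T14:49:59.000000000Z", 404, "/api/e"),
    log_line("2025-01-20T15:10:00.000000000Z", 404, "/api/f"),
]
```

Running `evaluate(SAMPLE, RULE)` yields one alert, raised on the fifth 404 with the saved `SourceIP` and `Path` aliases; the late 404 at 15:10 starts a fresh window and fires nothing, which is the behaviour to compare against what the platform produces for the same burst.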
