[BUG] Correlation rule not working - Asking for support

[yallagr]

Hello,
I'm Giulio Ranieri, a Security Analyst from Yalla Security, an Italian start up that is trying to create an opensource siem using UTMSTACK as a base,
I opened a ticket to the support an issue for a correlation rule and I would love to share the integration that I'm building for Trend Micro if you can help understand how to let the correlation rule work because it looks fine but still no alert have been generated by the console with the json ingestion that i created.
I'm on Discord so if it is possible to address the issue together it would be nice.

[thedunston]

Giulio,

Can you post details of your log and the rule that should be triggered. I wonder if this is similar to the issue I'm having in Issue: #808?

Add a screenshot of your log from the "Log Explorer" search and then a screenshot of the rule that it should match. Check to see if the key/value pair in the "Log Explorer" view matches the Key in the respective "Correlation Rule."

[yallagr]

Hello, this is the log in question for Trend Micro:

@timestamp
Sep 6, 2024, 2:33:59 PM

dataSource
TrendMicro

dataType
json-input

deviceTime
Sep 6, 2024, 2:33:58 PM

id
9ad88673-3387-4d75-9b11-ca8ffe5c286a

logx.json_input.Canale di infezione
Web

logx.json_input.Dominio

logx.json_input.Etichetta

logx.json_input.Event Name
LogVirus

logx.json_input.Generata
2024-09-06T14:25:20+02:00

logx.json_input.IPv4 Address
10.10.1.10

logx.json_input.Indirizzo IPv6

logx.json_input.Nome del gruppo
Windows Client

logx.json_input.Nome dispositivo
LAPRANIERI

logx.json_input.Nome file
Non confermato 672050.crdownload

logx.json_input.Nome virus/minaccia
Eicar_test_file

logx.json_input.Operazione eseguita
Il tentativo di disinfettare il file infetto non è riuscito. File messo in quarantena

logx.json_input.Percorso
C:\Users\GiulioRanieri\Downloads\

logx.json_input.Product Name
WFBS-SVC-AC

logx.json_input.Ricevuto
2024-09-06T14:25:35+02:00

logx.json_input.Tipo di scansione
Scansione in tempo reale

And this is the correlation rule:

Rule version v1.0.0

• name: "File quarantined by TrendMicro"
  severity: "High"
  description: "This rule detects when a file infected with malware has been quarantined. Quarantine actions indicate that the antivirus software was unable to disinfect the file and has instead isolated it to prevent further damage."
  solution: "Regularly review quarantine logs and investigate the nature of quarantined files. Ensure that your antivirus software is up-to-date and configured to handle malware effectively. Perform additional scans to confirm that no other infections are present."
  category: "Malware"
  tactic: "Data Exfiltration"
  dataTypes: ["json-input"]
  reference:
  • "https://www.trendmicro.com/en_us/security-intelligence.html"
    frequency: 60
    cache:
  • allOf:
    • field: "logx.json_input.Event Name"
      operator: "=="
      value: "LogVirus"
    • field: "logx.json_input.Operazione eseguita"
      operator: "=="
      value: "Il tentativo di disinfettare il file infetto non è riuscito. File messo in quarantena"
      minCount: 1
      timeLapse: 60
      save:
    • field: "logx.json_input.IPv4 Address"
      alias: "SourceIP"
    • field: "logx.json_input.Nome dispositivo"
      alias: "SourceHost"
    • field: "logx.json_input.Nome file"
      alias: "InfectedFile"
    • field: "logx.json_input.Nome virus/minaccia"
      alias: "MalwareName"
    • field: "logx.json_input.Percorso"
      alias: "FilePath"

It worked just once and now that im trying to generate new alerts of the same type with the same fields and the same information wont work, no new alerts have been generated. What could be the problem?

[thedunston]

I see. I've had the same problem too. The rule alert worked once and it wouldn't alert again.

[yallagr]

Ok I have modified the correlation rule like this and a new alert has been generated but the problem is that all the new logs that Im generating and sending to the console are not been threated like new alerts but included in the one already created: # Rule version v1.0.1

• name: "File quarantined by TrendMicro"
  severity: "High"
  description: "This rule detects when a file infected with malware has been quarantined. Quarantine actions indicate that the antivirus software was unable to disinfect the file and has instead isolated it to prevent further damage."
  solution: "Regularly review quarantine logs and investigate the nature of quarantined files. Ensure that your antivirus software is up-to-date and configured to handle malware effectively. Perform additional scans to confirm that no other infections are present."
  category: "Malware"
  tactic: "Data Exfiltration"
  dataTypes: ["json-input"]
  reference:
  • "https://www.trendmicro.com/en_us/security-intelligence.html"
    frequency: 30 # Controllo ogni 30 secondi
    cache: # Rimuovere il caching per prevenire raggruppamenti
  • allOf:
    • field: "logx.json_input.Event Name"
      operator: "=="
      value: "LogVirus"
    • field: "logx.json_input.Operazione eseguita"
      operator: "=="
      value: "Il tentativo di disinfettare il file infetto non è riuscito. File messo in quarantena"
    • field: "id" # Aggiunta dell'ID per creare univocità
      operator: "!=" # Impostazione per evitare di raggruppare log simili
      value: ""
      minCount: 1
      timeLapse: 60 # Puoi ridurlo se necessario
      save:
    • field: "logx.json_input.IPv4 Address"
      alias: "SourceIP"
    • field: "logx.json_input.Nome dispositivo"
      alias: "SourceHost"
    • field: "logx.json_input.Nome file"
      alias: "InfectedFile"
    • field: "logx.json_input.Nome virus/minaccia"
      alias: "MalwareName"
    • field: "logx.json_input.Percorso"
      alias: "FilePath"
    • field: "id" # Salva anche l'ID univoco del log
      alias: "LogID"
      As you can see, this is the new alert:
      

and is including every log related instead creating a new alert for every one of them.
Now I know it would be better to give the rule a minimum count before generate the alert but at the moment we need it to create an alert for every log received for testing purposes.
What can I do to adjust the rule?

[yallagr]

Sorry can I have a feedback about this?

[osmontero]

The UTMStack correlation engine will group all similar events under the same alert, taking into account the source, destination, rule name, and other alert information. Unless new events are generated that are sufficiently different from the original alert, you will not see any new alerts and instead the events will be related under the same alert for the next 24 hours. Since this is the expected behavior I will move this to the discussions and close the issue.