Correlation Rules to Meaningful Alert?

[hackdefendr]

I see all of the SYSTEM Correlation rules, but I have no idea what to do with them. I'm an experienced cybersecurity professional and system administrator, but I am at a loss here. I would expect that I should be able to edit a SYSTEM rule, customize it, save it, and start it some how. I am probably missing something.

For example: /data/alert/alert-rule-management is empty. How do I put rules in there so they become meaningful alerts?

Regards,
Jeff

[c3s4rfred]

Hi @hackdefendr the rules are grouped and named by datasource type, the only thing you have to do is send logs to the platform according to the rules that you want to check, for example: windows agent integration (sends windows event logs) -> windows rules. So, first you have to check the rules folder and then, send logs that matches the rules (the matching rules will raise).

Best regards

[c3s4rfred]

You can add custom rules following our guides -> https://docs.utmstack.com/Correlation%20Rules/README.html and https://docs.utmstack.com/Correlation%20Rules/CustomizableRules.html

[hackdefendr]

Thank-you for replying! So something must be wrong with my setup then? I currently have nearly 2 million records ingested, spread across a few integrations, but nothing is showing up in any of the alert related visuals. I can look and query the logs all day long, and they seem to be indexed properly with daily rollover. I even have a very talkative Windows 11 laptop feeding event logs and none of the Windows based rules are firing even when simple tests like failed logins are done.

[c3s4rfred]

Hi @hackdefendr to make the windows rules work you have to follow the windows agent integration, the windows agent will collect the logs from the machine and then you can test windows alerts like failed logins -> rule "Windows: Probable Password guessing". Note: to test, perform 5 failing attempts within 60 seconds.

Best regards