Describe the bug
I am using UTMStack 10.5.6. I got it set up in a VM and the install went smoothly. I was able to log in, and I don't see any errors. However, I noticed that there were no alerts being generated. I reviewed the rules and tried generating events, and nothing happened.
I then noticed that the key of the rules in the "Log Explorer" view and the "Manage Correlation rules" have a few differences. The rules below:
logx.wineventlog.event_data.ParentProcessName => logx.wineventlog.event_data.ParentImage
logx.wineventlog.event_data.ProcessName => logx.wineventlog.event_data.Image
are of interest. On the left is what is in the rules for Windows events, but on the right is what the Log Explorer is mapping the log key to. Once I updated all the Windows-based events, I started getting alerts. Namely, ParentProcessName and ProcessName are being logged as ParentImage and Image, respectively.
I also see that the logs are very similar to Sigma Rules. Can you all create a parser for Sigma rules to the UTMStack format or use the Sigma Rule format?
To Reproduce
Steps to reproduce the behavior:
- Go to Log Explorer and search for an event in logx.wineventlog.
- Click on Manage correlation rules.
- Scroll down to System => windows and open a rule. You'll notice the Log Explorer key is different than the rule key for ProcessName and ParentProcessName.
- See error
Possible solution
The rules need to be updated to reflect that change for logx.wineventlog.
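A quick way to catch this class of problem before rules silently stop firing is to check every field key a rule references against a document actually indexed for that log type. The script below is an added example, not UTMStack's own code: the rule representation (a plain list of dotted field keys) and the sample Windows event are constructed assumptions, and the only renames it knows are the two the report describes.

```python
"""Verify that correlation-rule field keys exist in indexed documents and
rewrite stale keys.  Added example; the rule format (a list of dotted keys)
and SAMPLE_EVENT are assumptions, not UTMStack's real schema."""
from typing import Any, Dict, List, Optional

# Stale rule key -> key the Log Explorer actually maps the event to (from the report).
KEY_RENAMES = {
    "logx.wineventlog.event_data.ParentProcessName": "logx.wineventlog.event_data.ParentImage",
    "logx.wineventlog.event_data.ProcessName": "logx.wineventlog.event_data.Image",
}

# Constructed sample of one indexed Windows event, nested the way the dotted keys imply.
SAMPLE_EVENT = {
    "logx": {
        "wineventlog": {
            "event_data": {
                "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "cmd.exe /c whoami",
            }
        }
    }
}


def has_key(doc: dict, dotted: str) -> bool:
    """Return True if the dotted path resolves to a value in the nested document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False
        cur = cur[part]
    return True


def check_rule_keys(rule_keys: List[str], doc: dict) -> Dict[str, Optional[str]]:
    """Map each referenced key that is absent from the document to the renamed key
    it should use (None when no rename is known).  An empty result means every key
    the rule depends on is present, so the rule can actually match and raise an alert."""
    return {k: KEY_RENAMES.get(k) for k in rule_keys if not has_key(doc, k)}


def fix_rule_keys(rule_keys: List[str]) -> List[str]:
    """Rewrite stale keys in a rule using the known renames; other keys are untouched."""
    return [KEY_RENAMES.get(k, k) for k in rule_keys]


if __name__ == "__main__":
    rule = ["logx.wineventlog.event_data.ProcessName", "logx.wineventlog.event_data.CommandLine"]
    print("missing before fix:", check_rule_keys(rule, SAMPLE_EVENT))
    print("missing after fix:", check_rule_keys(fix_rule_keys(rule), SAMPLE_EVENT))
```

Running it against a few recent documents per log source, rather than one constructed sample, turns a silent "no alerts" failure into an explicit list of rules whose keys no longer exist.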