I've observed scenarios where the previous_output field is not available for child rules, particularly when the child rule is constructed from composite rules or triggered based on the frequency of the parent rule. I propose an enhancement to include a trace of all the previous logs in the alert description, offering valuable insights into the triggers of the rule.
Consider the following rule as an example:
<rule id="100122" level="7" frequency="5" timeframe="120">
  <if_matched_sid>60122</if_matched_sid>
  <same_location />
  <description>Logon failure - Unknown user or bad password two times in a row</description>
  <mitre>
    <id>T1078</id>
    <id>T1531</id>
  </mitre>
  <group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
It would greatly enhance the system if the alert description included the five previous_output logs.
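As an added example (not code from the issue author or from the Wazuh project), the following Python replay reconstructs, from alerts.json-style records, the parent-rule logs that a frequency child rule like 100122 fires on (same location, frequency 5, timeframe 120 s), i.e. the trace the request above asks to see in the alert. The sample alerts are constructed; the field names assume Wazuh's alerts.json layout (timestamp, rule.id, location, full_log), and the window is cleared after each hit as a simplification of the engine's own bookkeeping.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts shaped like Wazuh's alerts.json records, trimmed to
# the fields used here. host-a produces five 60122 alerts inside 120 s; host-b
# only one; a rule 5710 alert and a late host-a alert must not count.
def _alert(ts, sid, host, text):
    return {"timestamp": ts, "rule": {"id": sid},
            "location": f"({host}) any->EventChannel", "full_log": text}

SAMPLE_ALERTS = [
    _alert("2024-01-10T10:00:00.000+0000", "60122", "host-a", "Logon failure alice #1"),
    _alert("2024-01-10T10:00:20.000+0000", "60122", "host-a", "Logon failure alice #2"),
    _alert("2024-01-10T10:00:30.000+0000", "60122", "host-b", "Logon failure bob #1"),
    _alert("2024-01-10T10:00:45.000+0000", "60122", "host-a", "Logon failure alice #3"),
    _alert("2024-01-10T10:01:00.000+0000", "5710",  "host-a", "sshd: invalid user"),
    _alert("2024-01-10T10:01:10.000+0000", "60122", "host-a", "Logon failure alice #4"),
    _alert("2024-01-10T10:01:50.000+0000", "60122", "host-a", "Logon failure alice #5"),
    _alert("2024-01-10T10:05:00.000+0000", "60122", "host-a", "Logon failure alice #6"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def collect_trigger_trace(alerts, parent_sid="60122", frequency=5, timeframe=120):
    """Replay parent-rule alerts; whenever `frequency` of them fall within
    `timeframe` seconds at one location, record the full_log lines that a
    frequency child rule (like 100122) would have fired on."""
    windows = defaultdict(deque)  # location -> deque of (timestamp, full_log)
    traces = []
    for alert in sorted(alerts, key=lambda a: parse_ts(a["timestamp"])):
        if alert["rule"]["id"] != parent_sid:
            continue  # if_matched_sid: only the parent rule counts
        loc, ts = alert["location"], parse_ts(alert["timestamp"])
        win = windows[loc]  # same_location: one window per location
        win.append((ts, alert["full_log"]))
        # Drop entries older than the timeframe relative to the newest alert.
        while ts - win[0][0] > timedelta(seconds=timeframe):
            win.popleft()
        if len(win) >= frequency:
            traces.append({"location": loc, "fired_at": alert["timestamp"],
                           "previous_output": [log for _, log in win]})
            win.clear()  # simplification: restart the count after a hit
    return traces

if __name__ == "__main__":
    for trace in collect_trigger_trace(SAMPLE_ALERTS):
        print(f'{trace["fired_at"]} {trace["location"]}')
        for line in trace["previous_output"]:
            print("   ", line)
```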