[BUG] Rule Keys are are different in Log Explorer and rulesets causing no alerts

[thedunston]

Describe the bug

I am using UTMStack 10.5.6. I got it setup in a VM and the install went smoothly. I was able to login, I don't see any errors. However, I noticed that there were no alerts being generated. I reviewed the rules and tried generating events and nothing happened.

I then noticed that the key of the rules in the "Log Explorer" view and the "Manage Correlation rules" have a few differences. The rules below:

logx.wineventlog.event_data.ParentProcessName => logx.wineventlog.event_data.ParentImage
logx.wineventlog.event_data.ProcessName => logx.wineventlog.event_data.Image

are of interest. On the left, is what is in the rules for windows events, but on the right is what the Log Explorer is mapping the log key too. Once I updated all the windows based events, then I started getting alerts. Namely, the ParentProcessName and ProcessName are being logged as ParentImage and Image, respectively.

I also see that the logs are very similar to Sigma Rules. Can you all create a parser for Sigma rules to the UTMStack format or use the Sigma Rule format?

To Reproduce

Steps to reproduce the behavior:

1. Go to '...' Log Explorer and search for an event in logx.wineventlog.
2. Click on '....' Manage correlation rules
3. Scroll down to '....' => System => windows and open a rule. You'll notice the Log Explorer key is different than the rule for ProcessName and ParentProcessName.
4. See error

Possible solution

he rules need to be updated to reflect that change for logx.wineventlog.

[osmontero]

@c3s4rfred please check it.

[osmontero]

@thedunston please provide more information/evidence related to the issue (screenshots, sample logs, ...).

[thedunston]

Please see the attached screenshots and reposting steps:
To Reproduce

Steps to reproduce the behavior:

Go to '...' Log Explorer and search for an event in logx.wineventlog.
Click on '....' Manage correlation rules
Scroll down to '....' => System => windows and open a rule. You'll notice the Log Explorer key is different than the rule for ProcessName and ParentProcessName.

[thedunston]

Any updates on this issue? Alerting is critical.

[osmontero]

That rule was created based on example logs we got in our lab. And the field names in the example logs are the ones we included in the rule. If for some reason in your instance you are receiving data in different fields you can make a copy of the rule and add it in an additional folder outside of the system rules folder so that it is not removed during upgrades. I will move this to the discussions as we do not identify this as a bug.

[thedunston]

You all wrote code to pull the latest rules from the GitHub repo:

https://github.com/utmstack/UTMStack/blob/main/correlation/rules/update.go

which also contains the .ProcessName. Why have this in the production versions of UTMStack if it is a test you all do in the lab that does not work? This issue exists on the hosted Cloud Platform as well. My plan was to evaluate and then purchase a Cloud License. However, I don't understand why you all advertise having all these rules available and then I have to modify the rules to make it work.

[osmontero]

In our tests the event is received with the fields that were included in the rule and not in the fields you mention. Since UTMStack allows you to create custom rules, and in your case, your Windows installation seems to be reporting that information in an unexpected field for some reason, you can create your own rule evaluating that field instead of the one we normally receive in our tests.
https://github.com/utmstack/rules.git is the official UTMStack rules repository, so it's fine to download them from there.