
Support for new fields in correlation rule form context

Open mjabascal10 opened this issue 8 months ago • 0 comments

Describe the feature

The correlation rule form allows users to define conditions to detect complex patterns of events. To enhance rule precision and event management, two new fields will be added to the rule schema and UI.

New Fields

  • AfterEvents ([]SearchRequest): A list of additional conditions that must occur after the main event. Each condition can have its own index pattern, expression list, optional OR blocks, time window (within), and occurrence count. This enables modeling of sequences or follow-up actions.
  • DeduplicatedBy ([]string): A list of fields used to deduplicate correlated events, such as "source_ip" or "hostname". This helps avoid generating multiple incidents for the same root pattern.

Use Case

Adding support for afterEvents and deduplicatedBy enables more accurate and flexible correlation rules by:

  • Allowing the definition of multi-step attack sequences through post-event conditions.
  • Reducing alert noise by deduplicating events based on custom criteria, improving detection quality and operational efficiency.
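An added sketch (not UTMStack's code) of how the two proposed fields could drive a correlation pass: each AfterEvents entry is evaluated as a count of matching events inside its time window after the main event, and DeduplicatedBy builds the key that collapses repeated sequences into one incident. Type and function names are assumptions, and the SearchRequest index pattern, expression list and OR blocks are reduced to a field/value match.

```go
package main

import "time"

// Event is a constructed, flattened log record with its timestamp.
type Event struct{ Time time.Time; Fields map[string]string }
func matches(e Event, m map[string]string) bool {
	for k, v := range m {
		if e.Fields[k] != v {
			return false
		}
	}
	return true
}
// AfterCondition stands in for one AfterEvents entry (illustrative names, not
// UTMStack's SearchRequest): field values that must match Count times within Within.
type AfterCondition struct{ Match map[string]string; Within time.Duration; Count int }
// SequenceFires: each after-condition needs at least Count matching events in
// (first.Time, first.Time+Within]; events at or before the main event never count.
func SequenceFires(conds []AfterCondition, first Event, later []Event) bool {
	for _, c := range conds {
		n := 0
		for _, e := range later {
			if d := e.Time.Sub(first.Time); d > 0 && d <= c.Within && matches(e, c.Match) {
				n++
			}
		}
		if n < c.Count {
			return false
		}
	}
	return true
}
// Correlate emits one incident per deduplicated matching sequence, keyed by the main event's DeduplicatedBy values in rule order.
func Correlate(mainMatch map[string]string, after []AfterCondition, dedupBy []string, events []Event) []string {
	seen, out := map[string]bool{}, []string{}
	for i, e := range events {
		if !matches(e, mainMatch) || !SequenceFires(after, e, events[i+1:]) {
			continue
		}
		key := ""
		for _, k := range dedupBy {
			key += k + "=" + e.Fields[k] + ";"
		}
		if !seen[key] {
			seen[key], out = true, append(out, key)
		}
	}
	return out
}
```

Conditions in this sketch are not joined on a shared field, so an after-event from another host can satisfy the window; a per-field join is one of the details the proposal leaves to the SearchRequest expression list.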

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

mjabascal10, Apr 23 '25 12:04