Example of an affected rule:
- Rule tests:
  - when the event category for the event is one of the following: Exploit.Misc Exploit
  - when at least 3 events are seen with the same Source IP and different Event Name in 30 minutes
- Rule Action: Do not check "Ensure the detected event is part of an offense"
- Rule Response: Check "Dispatch New Event" and "Ensure the dispatched event is part of an offense"
Resolving The Problem
Users can use offense chaining to fix this issue. To set up offense chaining, remove the offense generation from the first rule, then create a second rule that tests for the first rule and generates the wanted offense.
- Edit the first rule's response so that it does not generate an offense. Take note of the Event Name.
- Create a second rule that tests for the event generated by the first rule by monitoring the event property Event Name and matching it against the name of the event dispatched by the first rule.
- Set this second rule to generate the wanted offense.
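The chained setup described in the three steps above, as an added example that is not part of this technote and is not QRadar code: a small Python simulation of the two rules. The first rule keeps a 30-minute sliding window per Source IP, counts distinct Event Names, and only dispatches a new event (the name "Exploit chain detected" is a hypothetical choice); the second rule matches that Event Name and is the only place an offense is generated. The sample events are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)         # "in 30 minutes" from the affected rule
THRESHOLD = 3                          # "at least 3 events"
CATEGORY = "Exploit.Misc Exploit"      # event category tested by the first rule
CHAIN_EVENT_NAME = "Exploit chain detected"  # hypothetical name of the dispatched event


class FirstRule:
    """Step 1: same tests as the affected rule, but the response only dispatches
    a new event; it no longer generates an offense."""

    def __init__(self):
        # Source IP -> deque of (timestamp, event name), oldest first
        self.seen = defaultdict(deque)

    def process(self, event):
        if event["category"] != CATEGORY:
            return None
        window = self.seen[event["src_ip"]]
        window.append((event["time"], event["name"]))
        # Drop entries that fell out of the 30-minute window
        while window and event["time"] - window[0][0] > WINDOW:
            window.popleft()
        distinct_names = {name for _, name in window}
        if len(distinct_names) >= THRESHOLD:
            window.clear()  # one burst dispatches once
            return {"time": event["time"], "src_ip": event["src_ip"],
                    "category": "Custom Rule Event", "name": CHAIN_EVENT_NAME}
        return None


class SecondRule:
    """Steps 2 and 3: match the Event Name dispatched by the first rule and
    generate the offense there."""

    def __init__(self, trigger_name):
        self.trigger_name = trigger_name

    def process(self, event):
        if event["name"] == self.trigger_name:
            return {"offense": True, "src_ip": event["src_ip"], "time": event["time"]}
        return None


def run_pipeline(events):
    """Feed events through both rules; dispatched events re-enter the pipeline
    so the second rule can see them. Returns the list of generated offenses."""
    rules = [FirstRule(), SecondRule(CHAIN_EVENT_NAME)]
    queue = deque(sorted(events, key=lambda e: e["time"]))
    offenses = []
    while queue:
        event = queue.popleft()
        for rule in rules:
            result = rule.process(event)
            if result is None:
                continue
            if result.get("offense"):
                offenses.append(result)
            else:
                queue.append(result)  # dispatched event goes back into the pipeline
    return offenses


def _t(minute):
    return datetime(2022, 4, 25, 12, 0) + timedelta(minutes=minute)


def _ev(minute, src_ip, name, category=CATEGORY):
    return {"time": _t(minute), "src_ip": src_ip, "category": category, "name": name}


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    # 10.0.0.5: three different Event Names within 12 minutes -> chained offense
    _ev(0, "10.0.0.5", "Exploit A"), _ev(5, "10.0.0.5", "Exploit B"), _ev(12, "10.0.0.5", "Exploit C"),
    # 10.0.0.9: three events but the same Event Name -> no dispatch
    _ev(1, "10.0.0.9", "Exploit A"), _ev(2, "10.0.0.9", "Exploit A"), _ev(3, "10.0.0.9", "Exploit A"),
    # 10.0.0.7: three different names but spread over 45 minutes -> outside the window
    _ev(0, "10.0.0.7", "Exploit A"), _ev(20, "10.0.0.7", "Exploit B"), _ev(45, "10.0.0.7", "Exploit C"),
]

if __name__ == "__main__":
    for offense in run_pipeline(SAMPLE_EVENTS):
        print(f"offense for {offense['src_ip']} at {offense['time']:%H:%M}")
```

Only 10.0.0.5 produces an offense, and it is produced by the second rule; the first rule's response never touches offense generation, which is the point of the chaining.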
25 April 2022