THREAT-354 Converting caching rules to correlation #1348

Merged
merged 4 commits into release from THREAT-354-Caching-rules-to-correlation
Sep 16, 2024

Conversation

akozlovets098 (Contributor)

Changes

Converted two caching rules to correlation:

  • Notion.AccountChangedAfterLogin
  • OneLogin.HighRiskLogin

@akozlovets098 akozlovets098 requested a review from a team as a code owner September 10, 2024 10:02

😱
looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml

@arielkr256 arielkr256 added the scheduled_rules Scheduled rules pair Queries with Rules for query based detections label Sep 11, 2024
- On: p_alert_context.actor_id
LookbackWindowMinutes: 1440
Schedule:
RateMinutes: 60
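Review bot: Schedule.RateMinutes is 60 while LookbackWindowMinutes is 1440 for this actor_id-keyed rule, so each hourly run re-scans the 23 hours that the previous run already evaluated and one matching event sequence is eligible to fire on every run in which it still falls inside the window. Set `RateMinutes: 1440` so the schedule and the lookback window line up.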
Contributor

RateMinutes should match LookbackWindowMinutes

- On: user_name
LookbackWindowMinutes: 1440
Schedule:
RateMinutes: 60
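Review bot: RateMinutes (60) and LookbackWindowMinutes (1440) disagree for this user_name-keyed rule as well; with a 60-minute rate each event sequence is evaluated inside many overlapping 24-hour windows rather than once. Change to `RateMinutes: 1440` so that each run covers exactly one lookback window.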
Contributor

RateMinutes should match LookbackWindowMinutes
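The two review comments above ask for RateMinutes to equal LookbackWindowMinutes. The following is an added illustration, not code from this PR or from Panther: it models a scheduled correlation rule abstractly as "every RateMinutes, re-evaluate the last LookbackWindowMinutes of events and alert on every matching sequence found", and counts how often one sequence fires under the two settings from the diff (60/1440 versus 1440/1440). The event shape, the constructed sample events and the login-then-account-change matching logic are assumptions chosen to mirror the rule names in the PR, not the rules' real implementation. It also shows the trade-off a practitioner should keep in mind: once the windows no longer overlap, a sequence that straddles a window boundary is never seen by a single run.

```python
"""Model of a scheduled correlation rule: why RateMinutes should match
LookbackWindowMinutes. Added example; not Panther's or this PR's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # minutes since an arbitrary epoch (constructed)
    actor_id: str
    kind: str        # "login" or "account_change" (assumed event kinds)


# Constructed sample log: u1 logs in and changes account settings 30 minutes
# later; u2 only logs in. Not real Notion/OneLogin data.
EVENTS = [
    Event(ts=100, actor_id="u1", kind="login"),
    Event(ts=130, actor_id="u1", kind="account_change"),
    Event(ts=200, actor_id="u2", kind="login"),
]

# Constructed edge case: the sequence crosses the 1440-minute boundary.
STRADDLE_EVENTS = [
    Event(ts=1430, actor_id="u3", kind="login"),
    Event(ts=1450, actor_id="u3", kind="account_change"),
]


def matched_sequences(events, start, end):
    """Return {(actor_id, login_ts, change_ts)} for every account_change that
    follows a login by the same actor, both inside the window [start, end).
    Assumed matching logic standing in for the real correlation rule."""
    in_window = sorted((e for e in events if start <= e.ts < end),
                       key=lambda e: e.ts)
    found = set()
    last_login = {}
    for e in in_window:
        if e.kind == "login":
            last_login[e.actor_id] = e.ts
        elif e.kind == "account_change" and e.actor_id in last_login:
            found.add((e.actor_id, last_login[e.actor_id], e.ts))
    return found


def count_alerts(events, rate_minutes, lookback_minutes, horizon_minutes):
    """Run the schedule from t=0 to horizon_minutes. Each run at time t
    evaluates [t - lookback, t) and raises one alert per sequence it finds.
    Returns (total alerts raised, distinct sequences that ever alerted)."""
    total = 0
    distinct = set()
    t = rate_minutes
    while t <= horizon_minutes:
        found = matched_sequences(events, t - lookback_minutes, t)
        total += len(found)
        distinct |= found
        t += rate_minutes
    return total, len(distinct)


def schedule_matches_window(rate_minutes, lookback_minutes):
    """The check the reviewer asked for: the two values should be equal."""
    return rate_minutes == lookback_minutes


if __name__ == "__main__":
    for rate in (60, 1440):
        total, distinct = count_alerts(EVENTS, rate, 1440, 2880)
        print(f"RateMinutes={rate:<5} Lookback=1440: "
              f"{total} alerts for {distinct} distinct sequence(s); "
              f"matches window: {schedule_matches_window(rate, 1440)}")
    total, distinct = count_alerts(STRADDLE_EVENTS, 1440, 1440, 2880)
    print(f"Boundary-straddling sequence with RateMinutes=1440: "
          f"{total} alerts ({distinct} distinct)")
```

With the PR's original 60/1440 setting the single u1 sequence is inside 23 consecutive hourly windows, so the model raises 23 alerts for one underlying event pair; with 1440/1440 it raises exactly one. The STRADDLE_EVENTS case is the caveat: once windows stop overlapping, a login at minute 1430 followed by a change at minute 1450 falls into two different windows and never alerts in this model, so the lookback has to be chosen with the expected gap between the correlated events in mind.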

@arielkr256 arielkr256 (Contributor) left a comment

LGTM!

@arielkr256 arielkr256 enabled auto-merge (squash) September 16, 2024 19:46
@arielkr256 arielkr256 merged commit 4ebb769 into release Sep 16, 2024
6 checks passed
@arielkr256 arielkr256 deleted the THREAT-354-Caching-rules-to-correlation branch September 16, 2024 19:47
@arielkr256 arielkr256 added correlation_rules Correlation rules establish correlations across logs, identify anomalies, and model complex attack b and removed scheduled_rules Scheduled rules pair Queries with Rules for query based detections labels Sep 26, 2024