
Alert on rulesets that don't match source logs or have 0 hits after X time. #117

Open
Brian-Echeverry opened this issue Jun 6, 2018 · 0 comments


Is your feature request related to a problem? Please describe.
In dynamic environments, we may initially load more rulesets than are required so as not to accidentally miss any source applications you may not be aware of at the time of deployment.

Describe the solution you'd like
In the same manner as "dynamic.rules" which can enable/alert on rulesets that are currently disabled but should be enabled based on "PROGRAM" fields from source messages, could you create a process that would alert/disable a ruleset that has not seen a matching "PROGRAM" field in source logs for a specified amount of time. This would aid in ruleset tuning.

Describe alternatives you've considered
An alternative could be to alert/disable a ruleset if it has not triggered any events in a ruleset for a specified amount of time. This alternative would likely catch more events but would likely produce some false positives in smaller rulesets that don't trigger often.
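A prototype of both checks described in this issue (the requested PROGRAM-based one and the hit-count alternative), added here as an example; it is not code from the project or from the issue author. It assumes syslog lines of the form `<ISO 8601 timestamp> <host> <PROGRAM>[pid]: <message>`, rulesets that declare the PROGRAM values they are written for, and plain substring patterns standing in for real rule matching. The sample log lines are constructed for the demo. Running it shows the false-positive case the issue mentions: a ruleset whose PROGRAM is present but which has fired nothing is flagged by the hit-based check and not by the PROGRAM-based one.

```python
"""Prototype of the ruleset-staleness check requested in the issue.

Added example, not the project's code. Assumed log format:
"<ISO-8601 timestamp> <host> <PROGRAM>[pid]: <message>" (pid optional).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class Ruleset:
    name: str
    programs: frozenset   # PROGRAM values this ruleset is written for
    patterns: tuple       # message substrings counted as a hit (stand-in for real rules)
    enabled: bool = True


@dataclass
class Stats:
    last_program_seen: Optional[datetime] = None  # newest line whose PROGRAM matched
    last_hit: Optional[datetime] = None           # newest line that fired a rule
    hits: int = 0


def parse_line(line: str):
    """Return (timestamp, program, message), or None for a non-syslog line."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return ts, m["program"], m["msg"]


class RulesetTuner:
    def __init__(self, rulesets, started_at: datetime):
        self.rulesets = list(rulesets)
        self.started_at = started_at  # when observation began
        self.stats = {r.name: Stats() for r in self.rulesets}

    def observe(self, line: str) -> None:
        parsed = parse_line(line)
        if parsed is None:
            return
        ts, program, msg = parsed
        for r in self.rulesets:
            if not r.enabled or program not in r.programs:
                continue
            st = self.stats[r.name]
            st.last_program_seen = max(filter(None, (st.last_program_seen, ts)))
            if any(p in msg for p in r.patterns):
                st.hits += 1
                st.last_hit = max(filter(None, (st.last_hit, ts)))

    def _stale(self, now: datetime, window: timedelta, key: str):
        # Nothing can be judged until a full window of logs has been observed.
        if now - self.started_at < window:
            return []
        cutoff = now - window
        stale = []
        for r in self.rulesets:
            seen = getattr(self.stats[r.name], key)
            if r.enabled and (seen is None or seen < cutoff):
                stale.append(r.name)
        return stale

    def stale_by_program(self, now, window):
        """Requested behaviour: rulesets whose PROGRAM was not seen within `window`."""
        return self._stale(now, window, "last_program_seen")

    def stale_by_hits(self, now, window):
        """Alternative from the issue: rulesets that fired nothing within `window`."""
        return self._stale(now, window, "last_hit")

    def disable(self, names):
        """The 'disable' half of alert/disable; returns the names actually disabled."""
        disabled = []
        for r in self.rulesets:
            if r.name in names and r.enabled:
                r.enabled = False
                disabled.append(r.name)
        return disabled


def build_rulesets():
    # Hypothetical rulesets; names and patterns are illustrative only.
    return [
        Ruleset("sshd-bruteforce", frozenset({"sshd"}), ("Failed password",)),
        Ruleset("nginx-5xx", frozenset({"nginx"}), ('HTTP/1.1" 5',)),
        Ruleset("cisco-asa-deny", frozenset({"asa"}), ("Deny",)),
    ]


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOGS = [
    "2018-06-06T09:02:10+00:00 web01 sshd[1207]: Accepted publickey for deploy from 198.51.100.7 port 50112 ssh2",
    "2018-06-06T11:00:05+00:00 web01 sshd[1301]: Failed password for invalid user admin from 203.0.113.5 port 4122 ssh2",
    "2018-06-06T11:30:00+00:00 web01 sshd[1350]: Accepted publickey for deploy from 198.51.100.7 port 50113 ssh2",
    '2018-06-06T11:45:00+00:00 web01 nginx: 203.0.113.5 - - "GET /index.html HTTP/1.1" 200',
    "this line is not syslog and is skipped",
]


def run_demo(window: timedelta = timedelta(hours=2)):
    start = datetime.fromisoformat("2018-06-06T09:00:00+00:00")
    now = datetime.fromisoformat("2018-06-06T12:00:00+00:00")
    tuner = RulesetTuner(build_rulesets(), start)
    too_early = tuner.stale_by_program(start + timedelta(hours=1), window)
    for line in SAMPLE_LOGS:
        tuner.observe(line)
    by_program = tuner.stale_by_program(now, window)
    by_hits = tuner.stale_by_hits(now, window)
    return {
        "too_early": too_early,
        "by_program": by_program,
        "by_hits": by_hits,
        "hits": {n: s.hits for n, s in tuner.stats.items()},
        "disabled": tuner.disable(by_program),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The PROGRAM-based check only flags `cisco-asa-deny`, whose program never appears; the hit-based check additionally flags `nginx-5xx`, which has seen its program but no 5xx responses, which is exactly the kind of small, rarely firing ruleset the issue expects to produce false positives. Neither check reports anything until a full window has elapsed since observation started.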
