utmstack / UTMStack

Customizable SIEM and XDR powered by Real-Time correlation and Threat Intelligence
https://utmstack.com
GNU Affero General Public License v3.0

Understanding the UTMStack Correlation Engine #753

Closed jayapradhainfysec closed 2 months ago

jayapradhainfysec commented 2 months ago

Initial Alert Triggering: When a rule is first triggered, the UTMStack correlation engine performs as expected, creating alerts in the threat management system. This is crucial for identifying new or ongoing security threats.

However, in my experience, I've noticed that the alerting behavior changes after the initial trigger. Specifically, the engine only creates alerts the first one or two times a rule is triggered for the same use case. Subsequent triggers do not generate new alerts in the threat management system. So, how does it actually work?

osmontero commented 2 months ago

This is not an issue. Please use the GitHub Discussions for Q&A.