I have several custom correlation rules that have worked for months and they broke - presumably after the last ESU I did in February.
Old logic is shown here. Notice that I use a Device Group, not a Device Class. The view containing this rule will no longer start.
If I edit this rule, when I get to the Filter section I am no longer able to choose individual variables. I can only choose [CONTENT]. This is a clear change, since the current (unmodified) rule shows I was previously able to select individual variables (like username and saddr).
There have been no changes to the rule. The Device Group contains multiple device types, but this rule clearly says to only look at UNIX Solaris.
I tested this rule using a current ESU on our test instance that mimics this rule's design (incl. device group and some specific device type for eventIDs), and it doesn't work anymore.
Any ideas why this would stop working? It's as if RSA made a change that broke this. That isn't very acceptable. It's ruined the ability to use rules against only the devices we care about. The only fix seems to be using a Device Type, which will have lots of other devices we don't want to trigger this alert for.
Rule display (from the screenshot): Consider every event in the Event Selection