How can I test the created Correlation rule?

[oguz6578]

How can I test the created Correlation rule?

I am writing a sample correlation rule
First I open a new folder and create xxxxxxxx.yml file in it.

Rule version v1.0.0

• name: "Traefik: Multiple 404 Errors Detected"
  severity: "Medium"
  description: "This alarm triggers when multiple 404 (Not Found) errors are detected from the same client within a short time period."
  solution: "Investigate the source of the requests and the requested paths. This could indicate a misconfigured client, broken links, or potential scanning activity."
  category: "Web Application Security"
  tactic: "Discovery"
  dataTypes: ["traefik"]
  reference:
  • "https://doc.traefik.io/traefik/observability/access-logs/"
  • "https://attack.mitre.org/tactics/TA0007/"
    frequency: 300 # Rule evaluation frequency in seconds
    cache:
  • allOf:
    • field: "logx.traefik.message.DownstreamStatus"
      operator: "=="
      value: "404"
      minCount: 5 # Alert after 5 occurrences
      timeLapse: 300 # Time window of 5 minutes
      save:
    • field: "logx.traefik.message.ClientAddr"
      alias: "SourceIP"
    • field: "logx.traefik.message.RequestMethod"
      alias: "Method"
    • field: "logx.traefik.message.RequestPath"
      alias: "Path"
    • field: "logx.traefik.message.RequestHost"
      alias: "Host"
    • field: "logx.traefik.message.StartUTC"
      alias: "Timestamp"
    • field: "logx.traefik.message.DownstreamStatus"
      alias: "DownstreamStatus"
    • field: "logx.traefik.message.OriginStatus"
      alias: "OriginStatus"

However, it cannot generate alarms, how can I check why it does not generate, or how can I create this rule correctly.

logx.traefik.message

{"ClientAddr":"94.55.60.203:45707","ClientHost":"94.55.60.203","ClientPort":"45707","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":404,"Duration":1225165,"OriginContentSize":0,"OriginDuration":1063088,"OriginStatus":204,"Overhead":162077,"RequestAddr":"api.xxxx.com","RequestContentSize":0,"RequestCount":1388894,"RequestHost":"api.xxxx.com","RequestMethod":"OPTIONS","RequestPath":"/api/UserVallet/GetUserVallet","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"backend-app-https@swarm","ServiceAddr":"10.0.1.246:5005","ServiceName":"backend-app@swarm","ServiceURL":"http://10.0.1.246:5005","StartLocal":"2025-01-20T14:45:14.225476445Z","StartUTC":"2025-01-20T14:45:14.225476445Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2025-01-20T14:45:14Z"}

[c3s4rfred]

Hi @oguz6578 your rule code is wrong, the 'save' part has not allowed aliases, please check our documentation.

Best regards

[c3s4rfred]

After the rule is ok, you must generate logs according to the conditions (5 occurrences of status 404 within 5 minutes).