Hi, I'm trying to auto-tag a specific false positive that is raised as an alert when a Windows user starts a PowerShell session whose profile autoloads the posh-git PowerShell module. The alert is named "Windows: Suspicious .NET Reflection via PowerShell". Is there a way to set the auto-tagging rule to only apply to such alerts that contain the following, for example:

logx.wineventlog.event_data.Path -> C:\Program Files\WindowsPowerShell\Modules\posh-git\1.1.0\AnsiUtils.ps1

Thanks
Hello,

False positive rules are limited to the list of fields available in the alert itself. To achieve more advanced filtering, we recommend creating a custom rule instead.

You can do this by duplicating the system rule that is generating the alert and then adding additional expressions under the "allOf" section.

You can find more information about creating and managing custom rules here.
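As an added example, not code from this discussion or from the platform, the evaluator below implements "allOf" semantics over a constructed Windows event so the effect of the extra expression can be checked: a duplicate of the system rule with one negated Path expression stops firing for the posh-git module directory (broader than the single version-pinned AnsiUtils.ps1 from the question) while still firing for the same reflective load from any other path or from an in-memory script block with no Path at all. The rule schema (field/operator/value/negate), the operator names, and the event_id/ScriptBlockText conditions of the system rule are assumptions, not the platform's real format.

```python
# Added example with an assumed field/operator/value rule schema, not the platform's own format.
import copy
def wineventlog(**event_data: str) -> dict:
    """Constructed 4104 event, nested to match the field path from the question."""
    return {"logx": {"wineventlog": {"event_id": "4104", "event_data": event_data}}}

REFLECTION_BLOCK = "[System.Reflection.Assembly]::Load($bytes)"
POSH_GIT_PATH = r"C:\Program Files\WindowsPowerShell\Modules\posh-git\1.1.0\AnsiUtils.ps1"
POSH_GIT_EVENT = wineventlog(Path=POSH_GIT_PATH, ScriptBlockText=REFLECTION_BLOCK)
TEMP_EVENT = wineventlog(Path=r"C:\Users\alice\Temp\run.ps1", ScriptBlockText=REFLECTION_BLOCK)
NO_PATH_EVENT = wineventlog(ScriptBlockText=REFLECTION_BLOCK)  # in-memory block, no file
OPERATORS = {  # case-insensitive, as Windows paths are
    "equals": lambda actual, expected: actual.lower() == expected.lower(),
    "contains": lambda actual, expected: expected.lower() in actual.lower(),
    "starts_with": lambda actual, expected: actual.lower().startswith(expected.lower()),
}

def get_field(event: dict, dotted: str):
    """Resolve a dotted path such as logx.wineventlog.event_data.Path; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def expression_holds(expr: dict, event: dict) -> bool:
    actual = get_field(event, expr["field"])
    negate = expr.get("negate", False)
    if actual is None:
        # Missing field: a negated exclusion must not silence the alert (no Path = still report).
        return negate
    return OPERATORS[expr["operator"]](str(actual), expr["value"]) != negate

def matches(rule: dict, event: dict) -> bool:
    """'allOf' semantics: every expression must hold for the rule to fire."""
    return all(expression_holds(e, event) for e in rule["allOf"])

SYSTEM_RULE = {"name": "Windows: Suspicious .NET Reflection via PowerShell", "allOf": [
    {"field": "logx.wineventlog.event_id", "operator": "equals", "value": "4104"},
    {"field": "logx.wineventlog.event_data.ScriptBlockText", "operator": "contains",
     "value": "System.Reflection.Assembly"}]}

def with_module_exclusion(rule: dict, module_dir: str) -> dict:
    """Copy the system rule and append one negated Path prefix expression under allOf."""
    custom = copy.deepcopy(rule)
    custom["name"] += " (custom: excludes posh-git module)"
    custom["allOf"].append({"field": "logx.wineventlog.event_data.Path",
                            "operator": "starts_with", "value": module_dir, "negate": True})
    return custom
```

Give module_dir a trailing backslash so the prefix cannot also match a sibling directory such as posh-git-x. Because the exclusion is a path prefix, anything a user can write into that module directory would also be excluded, so keep it as narrow as the false positive requires.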