Event Correlation explanation: Not occur, and followed by another Event

Hi all,

I’m trying to understand how the correlation rule “Not occur, and it is followed by another Event” works.

Let’s consider these 3 events:
Event A: Integrity scanner: Users file modification (+)
Event B: Syslog: User deletion
Event C: Integrity scanner: Users file modification (-)

I was expecting that the “Not occur, and it is followed by another Event” could help me trigger the event:
1 - I detect a user add in the users file (from an integrity scanner)
2 - I don’t detect any command line for user deletion (from syslog)
3 - I detect a user deletion in the users file (from an integrity scanner)

I configured my correlation rule like this:

  • Event A should Occur at least 1 time
  • Event B should Not occur, and it is followed by another Event
  • Event C should Occur at least 1 time

But when I configured this rule, I tested it and got these events:
… (other events)
Event A
… (other events)
Event B
… (other events)
Event C

In my understanding, it shouldn’t have triggered any alert, but unfortunately it has.

Am I missing something?


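To make the expected semantics concrete, here is an added example (not code from the original post or from any correlation engine) that evaluates the three-step rule the way the poster reads it: A occurs, B must not occur between A and the next positive step, then C occurs. The `Event` type, the single-letter kinds, the `stream()` helper and the "restart the search after a forbidden event" behaviour are all assumptions made for this illustration, not a product's documented behaviour.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass
class Event:
    kind: str   # constructed labels: "A", "B", "C", or "x" for an unrelated event
    msg: str

# Ordered rule steps. negated=True stands for "Not occur, and it is followed by
# another Event": that kind must not appear between the previously matched step
# and the next positive step.
RULE = [("A", False), ("B", True), ("C", False)]

def rule_fires(events: Iterable[Event], rule=RULE) -> bool:
    """Return True if the ordered rule matches the event stream under the
    poster's intended semantics; a forbidden event restarts the search."""
    steps = list(rule)
    i = 0                # index of the next rule step to satisfy
    forbidden = set()    # negated kinds that must not occur before the next positive step
    for ev in events:
        # Fold any negated steps in front of the current position into `forbidden`.
        while i < len(steps) and steps[i][1]:
            forbidden.add(steps[i][0])
            i += 1
        if i >= len(steps):
            break
        if ev.kind in forbidden:
            # B showed up between A and C: this candidate match is void, start over.
            i, forbidden = 0, set()
            continue
        if ev.kind == steps[i][0]:
            forbidden.clear()
            i += 1
    return i >= len(steps)

def stream(kinds: str) -> List[Event]:
    """Build a constructed event stream from a string such as 'xAxBxC'."""
    labels = {"A": "users file modification (+)", "B": "syslog: user deletion",
              "C": "users file modification (-)", "x": "unrelated event"}
    return [Event(k, labels[k]) for k in kinds]

# The sequence the poster observed (other events interleaved around A, B, C).
OBSERVED = "xAxBxC"
```

Under these semantics `rule_fires(stream(OBSERVED))` is False, while `rule_fires(stream("xAxC"))` is True, which is the distinction the poster expected the rule to make.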