SIGMA Correlation Rule - No generated events

[tamer-fpga]

Version

2.4.140

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

16

RAM

32

Storage for /

400

Storage for /nsm

600

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am trying to create a brute force attack sigma rule through correlation which is aligned with default sigma rule "Security Onion - SOC Login Failure". the issue is that brute force rule doesn't generate alerts. however, through testing, the default rule generates failed login alerts. Here is the correlation rule:

title: brute force - 3 login failed or more
id: 12345678-abcd-ef12-3456-789abcdef123
description: Detects when the same client IP fails to log in to the Security Onion Web UI three times within 24 hours.
author: Security Onion Solutions
date: 2025/05/01
license: Elastic-2.0

logsource:
product: kratos
service: audit
category: iam

detection:
correlation:
type: event_count
rules:
- bf86ef21-41e6-417b-9a05-b9ea6bf2xxxx # this is the ID of sigma rule "Security Onion - SOC Login Failure"
group_by:
- http_request.headers.x-real-ip
timespan: 24h
condition:
gte: 3
condition: correlation

falsepositives:

• brief bursts of mistyped passwords
  level: high

---

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[tamer-fpga]

I am looking forward to getting the first response of my question!

[InfosecGoon]

The "correlation" syntax that you're using in this rule is not supported in Security Onion.

[tamer-fpga]

Thanks a lot for the response. Is there any correlation syntax supported by SO? if not, how can I get a brute force sigma rule without correlation?

[tamer-fpga]

The way I see this! it is still not answered as There should be a way to fulfill such a task without getting back to manually configure elastalert rules. If there a document link that would guide me with the right correlation-based sigma rule please type it here. EQL-based sigma won't work however, if you have the right doc for this type it down as well. Thanks

[tamer-fpga]

The "correlation" syntax that you're using in this rule is not supported in Security Onion.

Thanks for the response! Can I know what can is supported at this level to be able to create a "stateful detection rule"?