Special considerations and limitations of Anomaly Detection using Sigma Rules
The Anomaly Detection using Sigma rules functionality has the following limitations:
For the "Windows Event Log modification or deletion on DeltaV host" Sigma rule to work, you must either restart the computer or stop and start the Windows Event Log service immediately after installing the "Anomaly Detection using Sigma rules" component. To restart the service:
Start the Windows Services application (services.msc).
In the list of services, find Windows Event Log.
In the context menu of the Windows Event Log service, select Stop to stop the service.
In the context menu of the Windows Event Log service, select Start to start the service.
The following value modifiers are not supported: base64offset, cidr, lt, windash.
Regular expressions are not supported.
Escaping of wildcard characters is not supported.
The application treats the ? wildcard as if it were *.
The "condition: not selection" construct is not supported; however, the "condition: selection and not filter" construct is supported.
Rules that do not specify at least one EventID value as a criterion for searching the Windows event logs for anomalies are not supported.
For Sigma rules that describe file operations, the report includes the first 50 detections. If a process performs operations on files that have similar paths, detections are counted separately for each process.
The application supports Sigma rules on Windows XP and Windows Server 2003 computers with some limitations. Opening alert details for detections on computers running these operating systems may fail with the error "Failed to open the alert details. Possible reasons: host is offline, problems with the network, alert storage time has expired". You can open alert details using Kaspersky Industrial CyberSecurity for Networks.
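An added check, not part of this document or the product, that tests a parsed Sigma rule (the dict that yaml.safe_load would return) against the rule-syntax limitations listed above: unsupported modifiers, regular expressions, escaped wildcards, the "condition: not selection" form, and a missing EventID. Both rules, their field names and the EventID value are constructed for illustration.

```python
import re
# Modifiers the page lists as unsupported, plus |re because regular expressions are unsupported.
UNSUPPORTED_MODIFIERS = {"base64offset", "cidr", "lt", "windash", "re"}

def lint_sigma_rule(rule: dict) -> list[str]:
    findings = []
    detection = rule.get("detection", {})
    condition = str(detection.get("condition", "")).strip()
    # "condition: not selection" is unsupported; "selection and not filter" is fine
    if re.fullmatch(r"not\s+\w+", condition):
        findings.append(f"unsupported condition form: '{condition}'")
    has_event_id = False
    for name, block in detection.items():
        if name == "condition":
            continue
        for entry in (block if isinstance(block, list) else [block]):
            if not isinstance(entry, dict):  # keyword lists carry no field names
                continue
            for field, value in entry.items():
                base, *mods = field.split("|")
                has_event_id |= base == "EventID"
                for mod in mods:
                    if mod in UNSUPPORTED_MODIFIERS:
                        findings.append(f"unsupported modifier '{mod}' on field '{field}'")
                for v in (value if isinstance(value, list) else [value]):
                    if isinstance(v, str) and ("\\*" in v or "\\?" in v):
                        findings.append(f"escaped wildcard in '{field}' is not supported: {v!r}")
                    elif isinstance(v, str) and "?" in v:
                        findings.append(f"'?' in '{field}' will be treated as '*': {v!r}")
    if not has_event_id:
        findings.append("no EventID value given; rule cannot be used to search event logs")
    return findings

# Constructed rule inside the supported subset: EventID present, "selection and not filter".
SUPPORTED_RULE = {
    "title": "Event Log service state change (constructed example)",
    "detection": {
        "selection": {"EventID": 7036, "param1|contains": "Windows Event Log"},
        "filter": {"param2|contains": "running"},
        "condition": "selection and not filter",
    },
}

# Constructed rule that trips several of the listed limitations at once.
UNSUPPORTED_RULE = {
    "detection": {
        "selection": {"Image|re": r".*\\example\.exe", "DestinationIp|cidr": "10.0.0.0/8"},
        "condition": "not selection",
    },
}
```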