
Duplicate EventIDs

Open PhilOrdo opened this issue 1 year ago • 3 comments

Root cause presently unknown, but occasionally a few signatures will somehow be assigned the same EventID. This is not validated until attempting to push signatures on the deployment box.

The current solution is to change the signature category then change it back so the next available EventID for the category is assigned.

Example: [Screenshot 2025-01-10 at 1.08.19 PM.png]

Changing the newest of each rule to EC then back to MC assigns them EventIDs 5002064 and 5002065 respectively.

PhilOrdo, Jan 10 '25 19:01
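
The issue reports that duplicate EventIDs go unnoticed until signatures are pushed on the deployment box. The following pre-push check is an added example, not code from the issue or from ThreatKB. The `category` and `eventid` meta fields, the sample rules, and the "highest ID in the category plus one" reassignment are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input. The meta field names (category, eventid) and the
# rule layout are assumptions for this example, not ThreatKB's export format.
SAMPLE_RULES = """
rule MC_Loader_A  { meta: category = "MC" eventid = 9000002 condition: true }
rule MC_Dropper_A { meta: category = "MC" eventid = 9000003 condition: true }
rule MC_Loader_B  { meta: category = "MC" eventid = 9000002 condition: true }
rule EC_Beacon_A  { meta: category = "EC" eventid = 9100001 condition: true }
"""

RULE_RE = re.compile(r"\brule\s+(\w+)\s*\{(.*?)\bcondition\s*:", re.S)
FIELD_RE = re.compile(r'\b(category|eventid)\s*=\s*"?(\w+)"?')

def parse_rules(text):
    """Return [(rule_name, category, eventid)] in file order."""
    rules = []
    for name, body in RULE_RE.findall(text):
        meta = dict(FIELD_RE.findall(body))
        if "eventid" not in meta or "category" not in meta:
            raise ValueError(f"rule {name} lacks category or eventid")
        rules.append((name, meta["category"], int(meta["eventid"])))
    return rules

def find_duplicates(rules):
    """Map each EventID used by more than one rule to the rules using it."""
    by_id = defaultdict(list)
    for name, _category, event_id in rules:
        by_id[event_id].append(name)
    return {eid: names for eid, names in by_id.items() if len(names) > 1}

def plan_reassignments(rules):
    """Keep the first rule on a shared ID; later ones get max(category) + 1."""
    highest = defaultdict(int)
    for _name, category, event_id in rules:
        highest[category] = max(highest[category], event_id)
    seen, plan = set(), {}
    for name, category, event_id in rules:
        if event_id in seen:
            highest[category] += 1  # assumed "next available" policy
            plan[name] = highest[category]
        seen.add(event_id)
    return plan

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(find_duplicates(parsed), plan_reassignments(parsed))
```

Running a check like this before the push surfaces the collision at authoring time and shows which rule would need a new ID.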