ecan007
Level 9
Message 1 of 8

"if matches DO NOT" statement not working

I have a test environment and I need to see if the event log service has been stopped (this part is working), but not when a reboot/shutdown has occurred.

I have selected the option:

This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level. (see picture)

The problem is that I don't get any alerts when the second rule has been added.

Is this the correct way of excluding certain events (reboot/shutdown)?

[Attachment: siem1.png]

[Attachment: siem 2.png]

7 Replies
xded
Level 12
Message 2 of 8

Re: "if matches DO NOT" statement not working

I think this doesn't work because you have a Sequence in your correlation rule.

This will trigger if the first event comes and then the second event with the reboot. Go to your AND shortcut and modify it to only AND, and then test it.

ecan007
Level 9
Message 3 of 8

Re: "if matches DO NOT" statement not working

I already tested without the sequence and that didn't work.

The problem is that the option:

This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level. (see picture)

is not working and looks like a bug, or I am not using it the correct way.

davidp64
Level 9
Message 4 of 8

Re: "if matches DO NOT" statement not working

Hello,

Try this; if it doesn't work, split the second signature ID off with an AND operator.

[Attachment: Corr.PNG]

I think your scenario is to catch the Windows event log service stop event with no shutdown events.

......David

rgarrett
Level 9
Message 5 of 8

Re: "if matches DO NOT" statement not working

I take it the logic you want is: service stopped, but not a service related to a shutdown.

I see the command "stopped" in my test, but I don't see the application "windows event log". You may have more data than I do. Then do as David suggested, but use command = stopped. Also use the group by function, perhaps on hosts or something similar.

acommons
Level 11
Message 6 of 8

Re: "if matches DO NOT" statement not working

Did you get this to work?

If you did can you post some details?

cheers,

Andrew

edimarco
Level 7
Message 7 of 8

Re: "if matches DO NOT" statement not working

I have the same problem with the 9.6 release. I configured a similar correlation rule with an "AND Gate" and two "Match components", the last one with the advanced option "This component should only trigger if...." enabled. Has anyone successfully tested this functionality?

yd9038
Level 9
Message 8 of 8

Re: "if matches DO NOT" statement not working

There is probably more than one way of doing this, and this may not exactly be what you are looking for, but here's how I did it in our lab environment:

  1. Created a correlation rule to capture:
    1. 43-216070360 (EVENT_SERVICE_STATUS_SUCCESS) and Command "stopped"
    2. 43-295000130 (Operating system is shutting down)

     Grouped events by "Source IP" so that it only correlates these two events if they are from the same source within 1 minute, because these two events usually take place within seconds of each other.

     [Attachment: correlation rule screenshot]

  2. I then used the Sig ID of the correlation rule to create this alarm:

     [Attachment: alarm screenshot]

  The alarm now alerts when Event Service is Stopped, but not due to a system shutdown event:

     [Attachment: alarm output screenshot]

I hope this helps!
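The logic the thread is after ("event log service stopped, but not when a shutdown from the same host happened within the window") can be checked outside ESM, which is useful for validating what the correlation rule should produce. The following is an added example, not part of any post above and not McAfee ESM code: it takes constructed pipe-delimited event lines, groups shutdown events by source IP as yd9038's rule does, and reports only the service-stop events that have no shutdown from the same source within the window. The two signature IDs are the ones quoted in yd9038's reply; the record layout, the `Event` field names and the choice to treat a shutdown on either side of the stop event as explaining it are this example's assumptions (the ESM option described in the thread waits out the timeout after the first match).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Signature IDs quoted in yd9038's reply above (McAfee ESM rule IDs).
SIG_SERVICE_STATUS = "43-216070360"  # EVENT_SERVICE_STATUS_SUCCESS
SIG_OS_SHUTDOWN = "43-295000130"     # Operating system is shutting down


# Hypothetical flat event record; the field names are this example's, not ESM's.
@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    sig_id: str
    application: str
    command: str


def parse_log(text: str) -> List[Event]:
    """Parse constructed pipe-delimited lines: ts|src_ip|sig_id|application|command."""
    events = []
    for line in text.strip().splitlines():
        ts, src_ip, sig_id, application, command = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            src_ip, sig_id, application, command))
    return events


def is_event_log_stop(ev: Event) -> bool:
    """First match component: service status event, command 'stopped', Windows Event Log."""
    return (ev.sig_id == SIG_SERVICE_STATUS
            and ev.command.lower() == "stopped"
            and ev.application.lower() == "windows event log")


def unexplained_stops(events: List[Event],
                      window: timedelta = timedelta(minutes=1)) -> List[Event]:
    """Return stop events with NO shutdown from the same source within +/- window.

    Grouping by source IP mirrors the thread's 'group by Source IP'. Counting a
    shutdown either before or after the stop as explaining it is an assumption
    of this example.
    """
    shutdowns: Dict[str, List[datetime]] = {}
    for ev in events:
        if ev.sig_id == SIG_OS_SHUTDOWN:
            shutdowns.setdefault(ev.src_ip, []).append(ev.ts)

    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_event_log_stop(ev):
            continue  # other services stopping are out of scope here
        explained = any(abs(ev.ts - t) <= window
                        for t in shutdowns.get(ev.src_ip, []))
        if not explained:
            alerts.append(ev)
    return alerts


# Constructed sample data (not real logs). Cases: stop then shutdown on the same
# host (suppressed); stop with a shutdown only on another host (alert); a
# different service stopping (ignored); shutdown before stop (suppressed);
# shutdown five minutes before stop, outside the window (alert).
SAMPLE_LOG = """
2024-01-15T08:00:05Z|10.0.0.5|43-216070360|Windows Event Log|stopped
2024-01-15T08:00:09Z|10.0.0.5|43-295000130||
2024-01-15T09:12:00Z|10.0.0.7|43-216070360|Windows Event Log|stopped
2024-01-15T09:12:30Z|10.0.0.5|43-295000130||
2024-01-15T10:00:00Z|10.0.0.9|43-216070360|Print Spooler|stopped
2024-01-15T11:00:00Z|10.0.0.11|43-295000130||
2024-01-15T11:00:20Z|10.0.0.11|43-216070360|Windows Event Log|stopped
2024-01-15T12:00:00Z|10.0.0.12|43-295000130||
2024-01-15T12:05:00Z|10.0.0.12|43-216070360|Windows Event Log|stopped
"""

if __name__ == "__main__":
    for ev in unexplained_stops(parse_log(SAMPLE_LOG)):
        print(f"ALERT {ev.ts:%Y-%m-%d %H:%M:%S} {ev.src_ip}: "
              "Windows Event Log stopped with no shutdown within 1 minute")
```

Run as-is it reports 10.0.0.7 and 10.0.0.12 only. The window is the knob that matches the "within 1 minute" grouping in yd9038's rule; widening it trades missed detections (a shutdown that trails the stop by more than the window) against false alerts, so it is worth testing against a real reboot on a lab host before settling on a value.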
