ecan007
Level 9

"if matches DO NOT" statement not working

I have a test environment and I need to see if the Event Log service has been stopped (this part is working), but not when a reboot/shutdown has occurred.

I have selected the option:

This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level. (see picture)

The problem is that I don't get any alerts when the second rule has been added.

Is this the correct way of excluding certain events (reboot/shutdown)?

[image: siem1.png]

[image: siem 2.png]

7 Replies
xded
Level 12

Re: "if matches DO NOT" statement not working

I think this doesn't work because you have a Sequence in your correlation rule.

This will trigger if the first event comes and then the second event with the reboot. Go to your AND shortcut and modify it to only AND. And then test it.

ecan007
Level 9

Re: "if matches DO NOT" statement not working

I already tested without the sequence and that didn't work.

The problem is that the option:

This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level. (see picture)

is not working and looks like a bug, or I am not using it the correct way.

davidp64
Level 10

Re: "if matches DO NOT" statement not working

Hello,

Try this; if it does not work, split the second signature ID with an AND operator.

[image: Corr.PNG]

I think your scenario is to achieve a Windows Event Log service stop event and no events for shutdown.

David

rgarrett
Level 9

Re: "if matches DO NOT" statement not working

I take it the logic you want is: service stopped, but not a service related to a shutdown.

I see the command "stopped" in my test, but I don't see application "windows event log". You may have more data than I do. Then do as David suggested, but use command = stopped. Also use the group-by function, perhaps hosts or something similar.

acommons
Level 10

Re: "if matches DO NOT" statement not working

Did you get this to work?

If you did, can you post some details?

cheers,

Andrew

edimarco
Level 7

Re: "if matches DO NOT" statement not working

I have the same problem with the 9.6 release. I configured a similar correlation rule with an "AND Gate" and two "Match components", the last one with the advanced option "This component should only trigger if...." enabled. Is there anyone who has successfully done tests on this functionality?

yd9038
Level 9

Re: "if matches DO NOT" statement not working

There is probably more than one way of doing this, and this may not exactly be what you are looking for, but here's how I did it in our lab environment:

  1. Created a correlation rule to capture:
     1. 43-216070360 (EVENT_SERVICE_STATUS_SUCCESS) and Command "stopped"
     2. 43-295000130 (Operating system is shutting down)

     Grouped events by "Source IP" so that it only correlates these two events if they are from the same source within 1 minute, because these two events usually take place within seconds of each other.

  2. I then used the Sig ID of the correlation rule to create this alarm:

The alarm now alerts when the Event Service is stopped, but not due to a system shutdown event:

I hope this helps!