I have created a UC which should look for the status of certain services.
This was quite easy, but now I want to look for those services' status and exclude server restart/reboot events.
For example, I want to look for certain services being restarted, but not when a system reboots.
When a system reboots, it will cause a restart of the services.
In my test environment I can find service restart events and also server reboots, but I cannot exclude the server reboot events.
In the Match Component under:
This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level.
When selecting this option, it should exclude the server reboot events, but what really happens is that I get zero results.
How does SIEM in general exclude certain events?
This question has been open a while, but I did find the answer.
The option "This component should only trigger if matches DO NOT ..." doesn't work, and thus you have to create a different correlation rule.
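The correlation the question is after, written out as plain detection logic over constructed sample events (an added example, not the SIEM product's rule syntax and not the poster's rule): a service restart only alerts when no reboot of the same host was seen within the timeout window before it. Host names, timestamps and event type labels are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original post).
# Each event carries the host it came from, its time, a type and the service name.
EVENTS = [
    {"host": "srv01", "time": "2024-01-10T08:00:00", "type": "system_reboot", "service": None},
    {"host": "srv01", "time": "2024-01-10T08:01:30", "type": "service_restart", "service": "sshd"},
    {"host": "srv01", "time": "2024-01-10T08:02:10", "type": "service_restart", "service": "httpd"},
    {"host": "srv01", "time": "2024-01-10T11:45:00", "type": "service_restart", "service": "httpd"},
    {"host": "srv02", "time": "2024-01-10T08:01:00", "type": "service_restart", "service": "sshd"},
    {"host": "srv02", "time": "2024-01-10T14:00:00", "type": "system_reboot", "service": None},
    {"host": "srv02", "time": "2024-01-10T14:20:00", "type": "service_restart", "service": "sshd"},
]


def parse_time(ts):
    """Parse the ISO 8601 timestamp used in the sample events."""
    return datetime.fromisoformat(ts)


def unexplained_restarts(events, window=timedelta(minutes=10)):
    """Return the service_restart events that are NOT preceded by a
    system_reboot on the same host within `window`.

    This is the "do not trigger if the other match occurred within the
    timeout" behaviour built by hand: the reboot acts as a suppressor for
    restarts that follow it on that host, and nothing else is suppressed.
    """
    last_reboot = {}  # host -> time of the most recent reboot seen so far
    alerts = []
    # Events are processed in time order so a reboot is known before the
    # restarts it causes, regardless of the order they were collected in.
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])
        if ev["type"] == "system_reboot":
            last_reboot[ev["host"]] = t
        elif ev["type"] == "service_restart":
            reboot_at = last_reboot.get(ev["host"])
            # Alert when this host has no reboot yet, or the reboot is too old
            # to explain the restart; a reboot on another host never suppresses.
            if reboot_at is None or t - reboot_at > window:
                alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in unexplained_restarts(EVENTS):
        print(ev["host"], ev["time"], ev["service"])
```

With the 10-minute window, the two srv01 restarts right after its reboot are suppressed, while the srv02 restart with no prior reboot and the restarts long after a reboot still alert.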