7 Replies Latest reply on Oct 7, 2016 1:08 PM by yd9038

    "if matches DO NOT" statement not working

    ecan007

      I have a test environment and I need to see if the event log service has been stopped (this part is working), but not when a reboot/shutdown has occurred.

      I have selected the option:

       

      This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level. (see picture)

       

      The problem is that I don't get any alerts when the second rule has been added.

      Is this the correct way of excluding certain events (reboot/shutdown)?

       

      siem1.png

      siem 2.png

        • 1. Re: "if matches DO NOT" statement not working
          xded

          I think this doesn't work because you have a Sequence in your correlation rule.

          This will trigger if the first event comes and then the second event with the reboot. Go to your AND shortcut and modify it to only AND, and then test it.

          • 2. Re: "if matches DO NOT" statement not working
            ecan007

            I already tested without the sequence and that didn't work.

            The problem is that the option:

            This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level. (see picture)


            is not working; it looks like a bug, or I am not using it the correct way.

            • 3. Re: "if matches DO NOT" statement not working
              davidp64

              Hello,

              Try this; if it does not work, split the second signature ID with an AND operator.

              Corr.PNG

              I think your scenario is to catch a Windows event log service stop event and no events for shutdown.

               

              ......David

              • 4. Re: "if matches DO NOT" statement not working
                rgarrett

                I take it the logic you want is: service stopped, but not a service related to a shutdown.

                I see the command "stopped" in my test, but I don't see application "windows event log". You may have more data than I do. Then do as David suggested, but use command = stopped. Also use the group-by function, perhaps on hosts or something similar.

                • 5. Re: "if matches DO NOT" statement not working
                  acommons

                  Did you get this to work?

                   

                  If you did can you post some details?

                   

                  cheers,

                  Andrew

                  • 6. Re: "if matches DO NOT" statement not working
                    edimarco

                    I have the same problem with the 9.6 release. I configured a similar correlation rule with an "AND Gate" and two "Match components", the last one with the advanced option "This component should only trigger if..." enabled. Has anyone successfully tested this functionality?

                    • 7. Re: "if matches DO NOT" statement not working
                      yd9038

                      There is probably more than one way of doing this, and this may not exactly be what you are looking for, but here's how I did it in our lab environment:

                       

                      1. Created a correlation rule to capture:
                         1. 43-216070360 (EVENT_SERVICE_STATUS_SUCCESS) and Command "stopped"
                         2. 43-295000130 (Operating system is shutting down)

                         Grouped events by "Source IP" so that it only correlates these two events if they are from the same source within 1 minute, because these two events usually take place within seconds of each other.

                      2. I then used the Sig ID of the correlation rule to create this alarm:

                      The alarm now alerts when the Event Log service is stopped, but not due to a system shutdown event:

                                    

                       

                      I hope this helps!    

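The two-stage logic from the last reply (a correlation rule that pairs a "service stopped" event with an OS shutdown from the same Source IP within one minute, then an alarm on the stop events that the correlation rule did not explain), replayed over a constructed event stream. This is an added example and is not code from the thread or from McAfee ESM; the two signature IDs are the ones quoted in the reply, while the field names (`src_ip`, `sig_id`, `command`, `application`), the value `"Windows Event Log"` for the application field and all sample events and timestamps are assumptions constructed for the example. It goes slightly beyond the reply by matching the shutdown in either order around the stop, which is what an AND gate with a grouping window does.

```python
"""Service-stopped-but-not-shutdown detection, replayed offline over constructed events.

Added example; not the thread's or McAfee ESM's code. Signature IDs are the
ones quoted in the thread; event fields, the application name and the sample
stream are constructed assumptions.
"""
from datetime import datetime, timedelta

SIG_SERVICE_STATUS = "43-216070360"   # EVENT_SERVICE_STATUS_SUCCESS (quoted in the thread)
SIG_OS_SHUTDOWN = "43-295000130"      # "Operating system is shutting down" (quoted in the thread)
WINDOW = timedelta(minutes=1)         # grouping window from the thread's rule
EVENT_LOG_APP = "Windows Event Log"   # assumed value of the application field


def ev(ts, src_ip, sig_id, command="", application=""):
    """Build one normalised SIEM event record (assumed field names)."""
    return {"time": ts, "src_ip": src_ip, "sig_id": sig_id,
            "command": command, "application": application}


# Constructed sample stream (not real log data), in arrival order.
T0 = datetime(2016, 10, 7, 12, 0, 0)
SAMPLE_EVENTS = [
    # host .5: event log stopped, then a shutdown 4 s later -> explained
    ev(T0, "10.0.0.5", SIG_SERVICE_STATUS, "stopped", EVENT_LOG_APP),
    ev(T0 + timedelta(seconds=4), "10.0.0.5", SIG_OS_SHUTDOWN),
    # host .6: event log stopped with no shutdown at all -> alarm
    ev(T0 + timedelta(minutes=5), "10.0.0.6", SIG_SERVICE_STATUS, "stopped", EVENT_LOG_APP),
    # host .7 shuts down inside host .6's window; different source, must NOT explain .6
    ev(T0 + timedelta(minutes=5, seconds=10), "10.0.0.7", SIG_OS_SHUTDOWN),
    # host .6: some other service stopped -> not the event log, ignored
    ev(T0 + timedelta(minutes=6), "10.0.0.6", SIG_SERVICE_STATUS, "stopped", "Print Spooler"),
    # host .8: shutdown logged first, service stop 20 s later -> explained (reverse order)
    ev(T0 + timedelta(minutes=10), "10.0.0.8", SIG_OS_SHUTDOWN),
    ev(T0 + timedelta(minutes=10, seconds=20), "10.0.0.8", SIG_SERVICE_STATUS, "stopped", EVENT_LOG_APP),
    # host .9: shutdown arrives 2 min after the stop, outside the 1 min window -> alarm
    ev(T0 + timedelta(minutes=20), "10.0.0.9", SIG_SERVICE_STATUS, "stopped", EVENT_LOG_APP),
    ev(T0 + timedelta(minutes=22), "10.0.0.9", SIG_OS_SHUTDOWN),
]


def is_eventlog_stop(e):
    """Match component 1: EVENT_SERVICE_STATUS_SUCCESS with Command 'stopped' for the event log service."""
    return (e["sig_id"] == SIG_SERVICE_STATUS
            and e["command"] == "stopped"
            and e["application"] == EVENT_LOG_APP)


def correlate_shutdown_stops(events, window=WINDOW):
    """Stage 1, the correlation rule: stop events that have an OS shutdown from the
    same Source IP within the window (either order). These are the 'expected' stops."""
    shutdowns_by_ip = {}
    for e in events:
        if e["sig_id"] == SIG_OS_SHUTDOWN:
            shutdowns_by_ip.setdefault(e["src_ip"], []).append(e["time"])
    matched = []
    for e in events:
        if not is_eventlog_stop(e):
            continue
        # Group by Source IP: only shutdowns from the same host can explain the stop.
        if any(abs(e["time"] - t) <= window for t in shutdowns_by_ip.get(e["src_ip"], [])):
            matched.append(e)
    return matched


def alarm_unexpected_stops(events, window=WINDOW):
    """Stage 2, the alarm: every event log stop that stage 1 did NOT explain,
    i.e. the service stopped on a host that was not rebooting."""
    explained = {id(e) for e in correlate_shutdown_stops(events, window)}
    return [e for e in events if is_eventlog_stop(e) and id(e) not in explained]


if __name__ == "__main__":
    for e in alarm_unexpected_stops(SAMPLE_EVENTS):
        print(f"ALARM {e['time']:%H:%M:%S} {e['src_ip']}: Event Log service stopped without a shutdown")
```

Run it as a script to see the two alarms (hosts 10.0.0.6 and 10.0.0.9). The grouping by `src_ip` is what keeps host 10.0.0.7's reboot from suppressing the alert for 10.0.0.6, which is the point rgarrett makes about using the group-by function; and the reverse-order case for 10.0.0.8 shows why an unordered AND gate rather than a Sequence is the right gate here, as xded suggested.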