2016-07-13 09:47 AM
Hi,
I have a working rule to detect when an AV is stopped and not started within the next 60 sec:

    @Name('Antivirus')
    @RSAAlert(oneInSeconds=0, identifiers={"host_src"})
    SELECT * FROM pattern
    [
        every a = Event(
            medium = 32
            AND device_type = 'av'
            AND host_src IS NOT NULL
            AND event_desc.toLowerCase() = 'av is stopped.'
        ) -> (
            timer:interval(60 sec)
            AND NOT Event(
                medium = 32
                AND device_type = 'av'
                AND host_src = a.host_src
                AND event_desc.toLowerCase() = 'av is started or activated.'
            )
        )
    ];
However, sometimes, the log 'av is stopped.' comes before the log 'av is started or activated.'.
How to handle both cases?
I tried a mix with the following rule (which detects when av is restarted) without success:

    SELECT * FROM Event(
        medium = 32
        AND device_type = 'av'
        AND host_src IS NOT NULL
        AND event_desc.toLowerCase() = 'av is stopped.'
    ).std:unique(host_src).win:time(60 sec) AS s0,
    Event(
        medium = 32
        AND device_type = 'av'
        AND host_src IS NOT NULL
        AND event_desc.toLowerCase() = 'av has been started or activated.'
    ).std:unique(host_src).win:time(60 sec) AS s1
    WHERE s0.host_src = s1.host_src
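The ordering problem described above can be sidestepped by correlating on the event's own timestamp instead of its arrival order. The following is an added Python example, not part of the original post or of the ESA product: it assumes each event carries a device_time field, replays a constructed feed received out of order, and reports every host whose AV stop has no start within 60 s of the stop's own timestamp.

```python
import bisect
from collections import defaultdict

WINDOW_SEC = 60
STOPPED = "av is stopped."
STARTED = "av is started or activated."

# Constructed sample feed in the order the SIEM received it (assumed format).
# Fields: device_time|medium|device_type|host_src|event_desc
SAMPLE_LINES = [
    "100|32|av|srv-a|AV is stopped.",
    "130|32|av|srv-a|AV is started or activated.",
    "250|32|av|srv-b|AV is started or activated.",  # arrives before its stop
    "220|32|av|srv-b|AV is stopped.",
    "300|32|av|srv-c|AV is stopped.",               # never restarted
    "400|32|av|srv-d|AV is stopped.",
    "500|32|av|srv-d|AV is started or activated.",  # too late: 100 s > 60 s
    "600|32|av|srv-e|AV is started or activated.",  # a start before the stop does not count
    "610|32|av|srv-e|AV is stopped.",
    "650|33|fw|srv-c|AV is started or activated.",  # wrong medium/device_type: ignored
]

def parse_event(line):
    ts, medium, device_type, host_src, event_desc = line.split("|", 4)
    return {"ts": int(ts), "medium": int(medium), "device_type": device_type,
            "host_src": host_src or None, "event_desc": event_desc.lower()}

def unprotected_hosts(lines, window_sec=WINDOW_SEC):
    """Return (host_src, stop_ts) for every AV stop with no start within
    window_sec, judged by device_time rather than by arrival order."""
    stops, starts = defaultdict(list), defaultdict(list)
    for ev in map(parse_event, lines):
        # Same filter as the EPL rule: medium 32, device_type 'av', host_src set
        if ev["medium"] != 32 or ev["device_type"] != "av" or ev["host_src"] is None:
            continue
        if ev["event_desc"] == STOPPED:
            stops[ev["host_src"]].append(ev["ts"])
        elif ev["event_desc"] == STARTED:
            starts[ev["host_src"]].append(ev["ts"])
    alerts = []
    for host, stop_times in stops.items():
        start_times = sorted(starts[host])  # sorting restores the device-side order
        for stop_ts in stop_times:
            i = bisect.bisect_right(start_times, stop_ts)  # first start strictly after the stop
            if i == len(start_times) or start_times[i] - stop_ts > window_sec:
                alerts.append((host, stop_ts))
    return sorted(alerts)

if __name__ == "__main__":
    for host, ts in unprotected_hosts(SAMPLE_LINES):
        print(f"ALERT {host}: AV stopped at t={ts} and not restarted within {WINDOW_SEC} s")
```

Because it decides on device timestamps, the check must run over a batch collected at least window_sec after the newest event, which trades the real-time timer:interval behaviour of the EPL rule for tolerance to reordered delivery.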
2016-07-29 08:32 AM
Hello,
Good question. I worked on the same case and I didn't find any solution.
Since log integration doesn't respect the original order, alerts like this one can't work.