Hi,
I have a working rule to detect when an AV is stopped and not started within the next 60 sec:
@Name('Antivirus') @RSAAlert(oneInSeconds=0, identifiers={"host_src"}) SELECT * FROM pattern [ every a = Event( medium = 32 AND device_type = 'av' AND host_src IS NOT NULL AND event_desc.toLowerCase() = 'av is stopped.' ) -> ( timer:interval(60 sec) AND NOT Event( medium = 32 AND device_type = 'av' AND host_src = a.host_src AND event_desc.toLowerCase() = 'av is started or activated.' ) ) ];
However, sometimes, the log 'av is stopped.' comes before the log 'av is started or activated.'.
How do I handle both cases?
I tried a mix with the following rule (which detects when av is restarted) without success:
SELECT * FROM Event( medium = 32 AND device_type = 'av' AND host_src IS NOT NULL AND event_desc.toLowerCase() = 'av is stopped.' ).std:unique(host_src).win:time(60 sec) AS s0, Event( medium = 32 AND device_type = 'av' AND host_src IS NOT NULL AND event_desc.toLowerCase() = 'av has been started or activated.' ).std:unique(host_src).win:time(60 sec) AS s1 WHERE s0.host_src = s1.host_src
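As an added illustration (not ESA/EPL, and not code from the original post), the following stand-alone Python model implements the same "stopped and not started within 60 s" logic keyed on the timestamp carried inside each log rather than on the order in which the logs are ingested. A STOP is only decided once a watermark (the newest event time seen, minus an allowed lateness) has passed the end of its 60 s window, so a START whose log arrives first, or arrives a little after the STOP, still cancels the alert. The log format, the host names, the 30 s lateness default and the exact event_desc strings are assumptions for the example.

```python
"""Added example: AV-stopped-without-restart detection ordered by event
time, tolerant of out-of-order log delivery.  Stand-alone model, not
NetWitness ESA code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

STOP_DESC = "av is stopped."                 # assumed event_desc values
START_DESC = "av is started or activated."


@dataclass
class Event:
    event_time: datetime        # timestamp from the log line itself
    host_src: str
    event_desc: str
    medium: int = 32
    device_type: str = "av"

    def is_av(self, desc: str) -> bool:
        return (self.medium == 32 and self.device_type == "av"
                and bool(self.host_src) and self.event_desc.lower() == desc)


class AvStopDetector:
    """Alert when a host's STOP has no START within window_sec of it, judged
    on event time.  Events may arrive in any order; a STOP is decided only
    when the watermark (newest event time seen minus max_lateness_sec) has
    passed the end of its window."""

    def __init__(self, window_sec: int = 60, max_lateness_sec: int = 30):
        self.window = timedelta(seconds=window_sec)
        self.lateness = timedelta(seconds=max_lateness_sec)
        self.pending: Dict[str, List[datetime]] = {}   # host -> undecided STOPs
        self.starts: Dict[str, List[datetime]] = {}    # host -> STARTs seen
        self.watermark: Optional[datetime] = None
        self.alerts: List[Tuple[str, datetime]] = []

    def _restarted(self, host: str, stop: datetime) -> bool:
        return any(stop <= t <= stop + self.window
                   for t in self.starts.get(host, []))

    def ingest(self, e: Event) -> List[Tuple[str, datetime]]:
        """Feed one event in arrival order; return alerts that became final."""
        if e.is_av(START_DESC):
            self.starts.setdefault(e.host_src, []).append(e.event_time)
            # a START arriving after its STOP cancels that STOP if it falls in the window
            self.pending[e.host_src] = [
                s for s in self.pending.get(e.host_src, [])
                if not (s <= e.event_time <= s + self.window)]
        elif e.is_av(STOP_DESC):
            # the START may already have arrived (the out-of-order case)
            if not self._restarted(e.host_src, e.event_time):
                self.pending.setdefault(e.host_src, []).append(e.event_time)
        if self.watermark is None or e.event_time > self.watermark:
            self.watermark = e.event_time
        return self._decide(self.watermark - self.lateness)

    def _decide(self, up_to: datetime) -> List[Tuple[str, datetime]]:
        fired: List[Tuple[str, datetime]] = []
        for host, stops in self.pending.items():
            keep = []
            for s in stops:
                if s + self.window <= up_to:   # window closed, no START seen
                    fired.append((host, s))
                else:
                    keep.append(s)
            self.pending[host] = keep
        # forget STARTs too old to cancel any STOP that can still be decided
        for host in list(self.starts):
            self.starts[host] = [t for t in self.starts[host]
                                 if t >= up_to - self.window]
        self.alerts.extend(fired)
        return fired

    def close(self) -> List[Tuple[str, datetime]]:
        """End of stream: every still-pending STOP becomes an alert."""
        return self._decide(datetime.max)


def parse_line(line: str) -> Event:
    # assumed, constructed line format: "<ISO time> <host_src> <event_desc>"
    ts, host, desc = line.split(" ", 2)
    return Event(datetime.fromisoformat(ts), host, desc)


def run(lines: List[str], window_sec: int = 60,
        max_lateness_sec: int = 30) -> List[Tuple[str, str]]:
    det = AvStopDetector(window_sec, max_lateness_sec)
    for line in lines:
        det.ingest(parse_line(line))
    det.close()
    return [(h, t.isoformat()) for h, t in det.alerts]


# Constructed sample logs in ARRIVAL order; hostA's START is delivered before its STOP.
SAMPLE_LOGS = [
    "2024-05-01T10:00:30 hostA AV is started or activated.",
    "2024-05-01T10:00:10 hostA AV is stopped.",
    "2024-05-01T10:01:00 hostB AV is stopped.",
    "2024-05-01T10:01:05 hostC AV is stopped.",
    "2024-05-01T10:01:50 hostC AV is started or activated.",
    "2024-05-01T10:03:00 hostB AV is started or activated.",
    "2024-05-01T10:05:00 hostD AV is stopped.",
]

if __name__ == "__main__":
    for host, when in run(SAMPLE_LOGS):
        print(f"ALERT host_src={host}: AV stopped at {when}, no start within 60s")
```

On the sample above only hostB (restarted 120 s later) and hostD (never restarted) alert; hostA is cleared even though its START was delivered first. The lateness bound is the trade-off: a log that arrives more than max_lateness_sec after newer logs from other hosts is decided against stale state, so if your collection path reorders logs by minutes rather than seconds, raise max_lateness_sec and accept the correspondingly later alert.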
Hello,
Good question. I worked on the same case and I didn't find any solution.
Since log integration doesn't respect the original order, alerts like this one can't work.