IBM QRadar

  • 1.  Exception for windows reboots

    Posted Mon July 22, 2024 05:45 AM

    Hi,

    I built a UseCase to monitor for the Windows Audit Log being cleared or terminated. If Windows Servers get shut down, the logging service gets terminated, so I tried to build an exception for it if the shutdown actually happens. These are the Rule and Building Blocks I used for it:

    Apply Windows Audit Log Cleared or Terminated on events which are detected by the Local system

    and when the event(s) were detected by one or more of Microsoft Windows Security Event Log

    and when an event matches any of the following BB: Audit Log Terminated

    and NOT when BB: System restart match at least 1 times with the same Log Source in 5 minutes after BB: Audit Log Terminated match


    BB: System restart on events which are detected by the Local system

    and when the event(s) were detected by one or more of Microsoft Windows Security Event Log

    and when the event matches Event ID (custom) is any of [4608 or 4826 or 43 or 19]


    BB: Audit Log Terminated on events which are detected by the Local system

    and when the event(s) were detected by one or more of Microsoft Windows Security Event Log

    and when the event matches Event ID (custom) is any of [1100 or 1102 or 104]

    The problem is that the storage time of the service shutdown and the Windows starting up event is always the same. Since the rule uses the condition "after", the exception won't work. I did not find anything I could use instead. I tried with a reference set (writing the machine identifier into a reference set when a reboot happened and having the rule look if the machine identifier is in the refset), but it has the same problem.
    Anyone have any ideas? It's producing a lot of FPs.
    Thanks in advance



  • 2.  RE: Exception for windows reboots

    Posted 15 hours ago

    In your UseCase, you are using the "after" condition to define an exception for the "Audit Log Terminated" building block. However, this condition is based on the time of the event itself rather than the time of the previous event. This means that the exception will never be triggered because there is no previous event against which to compare. 

    To resolve this issue, you could consider using another condition such as "before", "between", or "within" to define the timeframe for which the exception should apply. Alternatively, you could modify your rule to include a reference set that stores the machine identifier of each system that has been shut down. Then, you could use this reference set to identify when a system has been shut down and trigger the exception.



    ------------------------------
    Neel Jotani
    ------------------------------
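The correlation the question describes and the "within"-style alternative the reply suggests, as an added example that is not part of either post or of QRadar itself: audit-log-terminated events (1100, 1102, 104) are suppressed only when a restart event (4608, 4826, 43, 19) from the same log source falls inside the window, and `strictly_after` switches between an exclusive "after" test and one that also accepts an identical storage time. The sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Event IDs from BB: Audit Log Terminated and BB: System restart in the thread.
AUDIT_LOG_TERMINATED = {1100, 1102, 104}
SYSTEM_RESTART = {4608, 4826, 43, 19}


@dataclass(frozen=True)
class Event:
    log_source: str      # the Windows host the event came from
    event_id: int
    storage_time: datetime


def unexplained_terminations(events: Iterable[Event],
                             window: timedelta = timedelta(minutes=5),
                             strictly_after: bool = True) -> list[tuple[str, int]]:
    """Return (log_source, event_id) for audit-log events not covered by a restart.

    strictly_after=True models the 'after' test: the restart must carry a later
    storage time than the termination event, so two events stored in the same
    second never match (the false positive described in the thread).
    strictly_after=False also accepts an equal timestamp, i.e. a 'within the
    next 5 minutes' test that includes the moment of termination.
    """
    events = list(events)
    restarts = [e for e in events if e.event_id in SYSTEM_RESTART]
    result = []
    for term in events:
        if term.event_id not in AUDIT_LOG_TERMINATED:
            continue
        covered = False
        for rst in restarts:
            if rst.log_source != term.log_source:
                continue  # the rule requires the same log source
            delta = rst.storage_time - term.storage_time
            lower_ok = delta > timedelta(0) if strictly_after else delta >= timedelta(0)
            if lower_ok and delta <= window:
                covered = True
                break
        if not covered:
            result.append((term.log_source, term.event_id))
    return result


T0 = datetime(2024, 7, 22, 5, 0, 0)
# Constructed sample: srv01 is a planned reboot whose 1100 and 4608 share one
# storage time; srv02 has its log cleared with no reboot; srv03 reboots 2.5 min later.
SAMPLE_EVENTS = [
    Event("srv01", 1100, T0),
    Event("srv01", 4608, T0),
    Event("srv02", 1102, T0 + timedelta(minutes=5)),
    Event("srv03", 1100, T0 + timedelta(minutes=10)),
    Event("srv03", 4608, T0 + timedelta(minutes=12, seconds=30)),
]
```

With `strictly_after=True` the planned reboot on srv01 still surfaces as an alert alongside the genuine log clear on srv02; with `strictly_after=False` only srv02 remains.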