Splunk Enterprise Security

Splunk ES Change Analysis - Filtering out False Positive

swright_rl
Explorer

Hi Everyone,

I'm having a little trouble tuning a correlation search which ships with ES.

The rule primarily looks for when event logs have been cleared or the logging has been stopped.

| from datamodel:"Change_Analysis"."Auditing_Changes" 
| where ('action'="cleared" OR 'action'="stopped" ) 
| stats max(_time) as "lastTime",latest(_raw) as "orig_raw",count by "dest","result" 
| rename "result" as "signature"

In our environment, all of these alerts (and we get hundreds) are caused by the machine restarting due to a reboot, mainly when a patch is pushed out.

I have found a way of tuning these out so they won't alert but I'm stuck with how to implement it.

What I've found is that there is an eventcode "1074" which occurs before, which is a remote restart command.

Unfortunately, the data model which this is using to alert doesn't contain that particular eventcode and only looks for "1100", which is the code when the service is stopped.

I can get this to work mostly while using this command, but it's not 100%.

index=wineventlog sourcetype=WinEventLog*   EventCode=1074 OR EventCode=1100 | transaction startswith=EventCode="1074" endswith=EventCode="1100"
|  stats count by dest

What I'm really looking for is an "alert" which fires if there has been a log cleared without a preceding reboot event. If anyone has got any ideas which would work, I'd appreciate them. If they work within a data model, that would be better, but just getting it to work is a higher priority (even if this means making a change to the data model itself).

Thanks in advance.

Steve

0 Karma
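As an added illustration (not part of Steve's post or of Splunk's own content), the correlation the requested alert needs, carried out in Python over constructed WinEventLog-style lines: a 1100 (logging stopped) only raises an alert when no 1074 (restart) from the same host fell inside a look-back window. The 10-minute window and the line format are assumptions.

```python
import re
from datetime import datetime, timedelta

REBOOT_CODE = 1074        # user/remote-initiated restart, precedes a patch reboot
LOG_STOPPED_CODE = 1100   # event logging service shut down (action="stopped")

# Constructed sample lines (not real log data). Format is an assumption:
# "<MM/DD/YYYY HH:MM:SS AM|PM> LogName=... EventCode=<n> ComputerName=<dest>"
SAMPLE_LINES = [
    "03/01/2024 02:00:05 AM LogName=System EventCode=1074 ComputerName=host-a",
    "03/01/2024 02:01:10 AM LogName=Security EventCode=1100 ComputerName=host-a",
    "03/01/2024 03:15:00 AM LogName=Security EventCode=1100 ComputerName=host-b",
    "03/01/2024 01:00:00 AM LogName=System EventCode=1074 ComputerName=host-c",
    "03/01/2024 04:00:00 AM LogName=Security EventCode=1100 ComputerName=host-c",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) .*?EventCode=(?P<code>\d+)"
    r" .*?ComputerName=(?P<dest>\S+)"
)


def parse_line(line):
    """Return (timestamp, dest, EventCode) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
    return ts, m.group("dest"), int(m.group("code"))


def find_unexplained_log_stops(lines, window=timedelta(minutes=10)):
    """Return [(time, dest), ...] for every 1100 that has no 1074 on the same
    host within `window` before it. Events are processed in time order so a
    1074 only explains log stops that follow it, like transaction
    startswith=1074 endswith=1100, except that here the orphan 1100 is the
    thing we report."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    last_reboot = {}  # dest -> time of the most recent 1074 seen so far
    alerts = []
    for ts, dest, code in events:
        if code == REBOOT_CODE:
            last_reboot[dest] = ts
        elif code == LOG_STOPPED_CODE:
            prior = last_reboot.get(dest)
            if prior is None or ts - prior > window:
                alerts.append((ts.strftime("%Y-%m-%d %H:%M:%S"), dest))
    return alerts
```

With the sample lines, host-a is suppressed (1074 65 seconds earlier), host-b alerts (no reboot at all) and host-c alerts (its 1074 is three hours old, outside the window).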