Need to find hosts where an event of one type was not followed by an event of another type within an hour
I need to find hosts where a virus infection was detected and the antivirus failed to perform any action, i.e. where "None" is not followed by one of the other events "Blocked OR removed OR quarantined" within 1 hour.
Fields available are:
ComputerName=
VirusName=
Action Taken=
Sample log:
10/11/2014 20:01 : ComputerName=test1 VirusName=conficker ActionTaken=None
10/11/2014 20:02 : ComputerName=test1 VirusName=conficker ActionTaken=blocked
10/11/2014 22:01 : ComputerName=test20 VirusName=conficker ActionTaken=None
10/11/2014 20:01 : ComputerName=test30 VirusName=conficker ActionTaken=None
10/11/2014 20:02 : ComputerName=test30 VirusName=conficker ActionTaken=removed
As you can see above, no action was taken by the antivirus on computer test20. I need to write a search query to create a report or dashboard to find any such machine.
Any pointers in the right direction would be appreciated.
Give this a try:
your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t | where mvcount(ActionTaken) =1 AND mvindex(ActionTaken,0)="None"
Hello there,
can you please check if there is something wrong in the syntax?
Hi @shellnight
@somesoni2 updated the query. Can you confirm whether or not this worked for you?
I updated the query. Please check back.
Error in 'where' command: The arguments to the 'isnull' function are invalid.
I hope you're saying you want to INCLUDE events where the final "Action Taken" is "Partly Removed" OR "Unknown", so try this one:
your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t | where isnull(mvfind(ActionTaken,"removed")) OR isnull(mvfind(ActionTaken,"blocked"))
Basically, add all the ActionTaken values you want to exclude in the where clause.
Hello, please can you provide an update?
Hi @shellnight
@somesoni2 responded to the thread above with an update. Can you respond to that as a comment to confirm whether or not that updated search solves your requirement?
Hello somesoni2, can you update the query to exclude the events where ActionTaken is either "Partly Removed" or "Unknown", so that they show up in the search?
your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t | where mvcount(ActionTaken) =1 AND mvindex(ActionTaken,0)="None"
Thank you very much 🙂
It works fine.
Please, can someone help?
The search ran over logs from a 1-month period with no errors but failed to retrieve any results.
One machine had 3 occurrences of ActionTaken=None and wasn't followed by any removal action:
10/11/2014 20:01 : ComputerName=test1 VirusName=conficker ActionTaken=None
10/11/2014 20:02 : ComputerName=test1 VirusName=conficker ActionTaken=None
10/11/2014 20:03 : ComputerName=test1 VirusName=conficker ActionTaken=None
Would it work?
<your search here> | transaction maxspan=70m ComputerName startswith="ActionTaken=None" keepevicted=f | search NOT Blocked NOT removed NOT quarantined | table ComputerName, VirusName
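The per-host check this thread is after, written out as an added Python example (not Splunk code and not from any of the posters): it parses the log layout shown in the question, groups events by ComputerName, and reports every ActionTaken=None that no blocked/removed/quarantined event follows within 60 minutes, so a host with several unremediated None events (the later post's case) is reported once per event. The host test40 and its timestamps are constructed for the example; the other lines are the question's sample log.

```python
import re
from datetime import datetime, timedelta

# Layout from the question: "MM/DD/YYYY HH:MM : ComputerName=.. VirusName=.. ActionTaken=.."
# (some sample lines use '"' instead of ':' as the separator, so both are accepted).
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s*[:"]\s*'
    r'ComputerName=(?P<host>\S+)\s+VirusName=(?P<virus>\S+)\s+ActionTaken=(?P<action>\S+)$'
)
# Actions that count as remediation; "Partly Removed", "Unknown" etc. deliberately do not.
REMEDIATED = {"blocked", "removed", "quarantined"}

def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M"),
                           "host": m["host"], "virus": m["virus"],
                           "action": m["action"].lower()})
    return events

def unremediated(lines, window=timedelta(hours=1)):
    """Return {host: [timestamps of ActionTaken=None events with no remediation within window]}."""
    by_host = {}
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "none":
                continue
            # Only a remediation on the SAME host, after this event and inside the window, clears it.
            cleared = any(later["action"] in REMEDIATED and later["ts"] - ev["ts"] <= window
                          for later in evs[i + 1:])
            if not cleared:
                hits.setdefault(host, []).append(ev["ts"])
    return hits

# Constructed sample: the question's log plus host test40, whose quarantine comes 90 minutes late.
SAMPLE = """10/11/2014 20:01 : ComputerName=test1 VirusName=conficker ActionTaken=None
10/11/2014 20:02 " ComputerName=test1 VirusName=conficker ActionTaken=blocked
10/11/2014 22:01 : ComputerName=test20 VirusName=conficker ActionTaken=None
10/11/2014 20:01 : ComputerName=test30 VirusName=conficker ActionTaken=None
10/11/2014 20:02 : ComputerName=test30 VirusName=conficker ActionTaken=removed
10/11/2014 19:00 : ComputerName=test40 VirusName=conficker ActionTaken=None
10/11/2014 20:30 : ComputerName=test40 VirusName=conficker ActionTaken=quarantined"""

if __name__ == "__main__":
    for host, times in sorted(unremediated(SAMPLE.splitlines()).items()):
        print(host, [t.strftime("%m/%d/%Y %H:%M") for t in times])
```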
What Antivirus software are you using?