One of the most common questions I hear about MSV is why an event isn’t being attributed to an action being executed. I normally go through the following steps to see if we can determine why the event wasn’t attributed:
- Does the event exist at all? (Seriously.) Is there an event in the security technology we are integrated with that matches the action we ran?
- Is the event's timestamp within the action window? Every action executed in MSV has a start time and an end time, and the event in question needs to occur between those two times. For example, Splunk uses _time to denote the time of an event. If _time isn't between the start time and end time, we will generally not match it to an action.
- Does the event have correct information? Is the source IP, destination IP, and/or hostname correct? Sometimes security technologies put a default (not null) value for a field when it hasn’t been explicitly assigned, and that can cause MSV to not match.
- Does the event show up in “suspicious events” (and are suspicious events turned on for the integration in question)? Suspicious events are events that are returned by the query (or API call) for an integration that are “close” to matching but have some sort of defect. If we don’t see the event at all, we will have to look at whether the event is pullable with the current configuration of the integration. If the event does show up in suspicious events, it helps us distinguish what MSV sees the event data as versus what we know.
- Does the event become available in time for the integration check period? By default, we query an integration for events for 15 minutes. If the event shows up in the security technology dashboard after this period of time, we do not query or match for it. Some technologies record an "index time", that is, the time at which the event became searchable. As an example, Splunk uses the normally hidden field _indextime.
Checking these five things helps troubleshoot the vast majority of event matching issues in MSV. For most of these questions, the investigation may also produce a finding that a security technology isn't configured correctly. Testing in MSV allows you to validate many things with a single action.
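The five checks above as an added, illustrative Python triage script (not MSV's own matching code): it takes a constructed action window and a few constructed Splunk-style events and reports, per event, whether it would match or why it would only be "suspicious". The 15-minute query period is assumed to start at the action end time, and the set of placeholder IP values is an assumption.

```python
from datetime import datetime, timedelta

# Constructed MSV-style action: window plus the endpoints the action used.
ACTION = {
    "start": datetime(2024, 1, 10, 14, 0, 0),
    "end": datetime(2024, 1, 10, 14, 2, 0),
    "src_ip": "10.0.0.5",
    "dst_ip": "10.0.0.9",
}
QUERY_PERIOD = timedelta(minutes=15)  # assumed to run from the action end time
# Assumed "default, not null" values a technology may write for unset fields.
PLACEHOLDER_IPS = {"0.0.0.0", "255.255.255.255", "-", ""}

# Constructed Splunk-style events (_time = event time, _indextime = searchable time).
EVENTS = [
    {"id": 1, "_time": datetime(2024, 1, 10, 14, 1, 0), "_indextime": datetime(2024, 1, 10, 14, 3, 0),
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"},                       # clean match
    {"id": 2, "_time": datetime(2024, 1, 10, 13, 55, 0), "_indextime": datetime(2024, 1, 10, 13, 56, 0),
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"},                       # _time before the action started
    {"id": 3, "_time": datetime(2024, 1, 10, 14, 1, 30), "_indextime": datetime(2024, 1, 10, 14, 2, 0),
     "src_ip": "0.0.0.0", "dst_ip": "10.0.0.9"},                        # default value in src_ip
    {"id": 4, "_time": datetime(2024, 1, 10, 14, 1, 45), "_indextime": datetime(2024, 1, 10, 14, 30, 0),
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"},                       # indexed after the query period
]


def classify(event, action=ACTION):
    """Return ('matched', []) or ('suspicious', [reasons]) for one event."""
    reasons = []
    if not action["start"] <= event["_time"] <= action["end"]:
        reasons.append("_time outside action window")
    if event["_indextime"] > action["end"] + QUERY_PERIOD:
        reasons.append("_indextime after 15-minute query period")
    for field in ("src_ip", "dst_ip"):
        if event[field] in PLACEHOLDER_IPS:
            reasons.append(f"{field} is a default value, not the real endpoint")
        elif event[field] != action[field]:
            reasons.append(f"{field} does not match the action")
    return ("matched", reasons) if not reasons else ("suspicious", reasons)


def triage(events=EVENTS, action=ACTION):
    """Map event id -> (status, reasons); an empty map means check 1 (does it exist?)."""
    return {e["id"]: classify(e, action) for e in events}


if __name__ == "__main__":
    for event_id, (status, reasons) in triage().items():
        print(event_id, status, "; ".join(reasons))
```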