Skip to main content

Probably the most asked question in all of Mandiant Security Validation.  In over 4 years, this question has been asked by customers I work with hundreds of times.  While there's a hundred possible reasons the log wasn't matched to the action, there's only a few questions needed to figure it out.

First and foremost, was there actually a log generated? MSV cannot find something that does not exist. Windows group policies and many other types of security protections may not generate a log. Never fear, the next question can help answer this one. 

What kind of action is it? Seems kind of simple, but knowing what kind of action it is will narrow the search drastically. 

  • Malicious file transfer actions are not written to disk, so don't expect any EDR logs.
  • Host CLI actions seldom hit the network, so don't expect any firewall, proxy, network appliance logs.
  • DNS actions are simply name resolution requests. If DNS resolutions are not being logged, there are no logs to be found. 
  • Protected Theater only supports host based security technologies. 
  • Port scans will not produce any EDR logs.
  • Cloud actions....that one speaks for itself.
  • Email actions...ditto.

Is that log type directly integrated with MSV or is it being aggregated to the SIEM? 

  • Direct integrations are generally simple to debug.  If the log exists in the security technology, take a look to make sure the log contains the same information MSV is using. A common issue is when actors have multiple network interfaces and MSV is searching with interface one, while it is registered with the security technology with a different one.
  • If we are depending on the SIEM, make sure the log has been ingested properly.  If the necessary fields are not parsed correctly, there will be no matching. Check the timestamps. Yes, plural.  The timestamp of the event, and the time the event was ingested in the SIEM. MSV only polls the SIEM for a specific amount of time, and if the log had not been ingested by the end of that time, no match.

Are there any event filters on the integration(s)? Overly broad filters can hide the events you want. Remember, filters should almost always be "Suppress", not "Drop". Dropped logs are not saved by MSV even with suspicious events turned on.

Are the actor times synchronized with the Director? If not, sync it up and run it again.

Do the security technology timestamps match the actor times? If not, sync it up and run it again.

Now it becomes challenging. Turn on suspicious event capture for the integration(s) in question and run the action again. Wait until the integrations have had time to finish and then open up the suspicious events.

If the event is there, click on the eye and see why the event did not match.

This table can be a little misleading, but the first two columns are always accurate and must match. For example, ports are not needed for Host CLI Actions. 

In this screenshot, the actor information is not in the event and the time does not match. This event, although returned by the Splunk query, definitely will not automatically apply to this action. If this event should match this action, all of the event details are here there to show why it is not.

If you've made it this far and have not resolved the issue, it is time to reach out.  Grab a set of logs and open a ticket. However, just the Mandiant Technical Security Consultant may not be enough to solve this one.  Bring the security technology or SIEM expert to the discussion. Topics could include:

  • The query MSV is using might need adjusting.
  • How the log is parsed could be inaccurate.
  • Timezone
  • Amount of time it takes the log to be generated and available
  • A bug in the software (yes it happens)

Best of luck to anyone who reads this one.

Be the first to reply!