Probably the most asked question in all of Mandiant Security Validation. In over 4 years, this question has been asked by customers I work with hundreds of times. While there are a hundred possible reasons the log wasn't matched to the action, only a few questions are needed to figure it out.
First and foremost, was there actually a log generated? MSV cannot find something that does not exist. Windows group policies and many other types of security protections may not generate a log. Never fear, the next question can help answer this one.
What kind of action is it? Seems kind of simple, but knowing what kind of action it is will narrow the search drastically.
Is that log type directly integrated with MSV or is it being aggregated to the SIEM?
Are there any event filters on the integration(s)? Overly broad filters can hide the events you want. Remember, filters should almost always be "Suppress", not "Drop". Dropped logs are not saved by MSV even with suspicious events turned on.
Are the actor times synchronized with the Director? If not, sync it up and run it again.
Do the security technology timestamps match the actor times? If not, sync it up and run it again.
Now it becomes challenging. Turn on suspicious event capture for the integration(s) in question and run the action again. Wait until the integrations have had time to finish and then open up the suspicious events.
If the event is there, click on the eye and see why the event did not match.
This table can be a little misleading: the first two columns are always accurate and must match, but the remaining columns do not apply to every action type. For example, ports are not needed for Host CLI Actions.
In this screenshot, the actor information is not in the event and the time does not match. This event, although returned by the Splunk query, will definitely not be matched automatically to this action. If this event should match this action, all of the event details are there to show why it is not.
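To make the field-by-field comparison concrete, here is an added Python example that is not MSV's matching code and does not use the screenshot's data. It models the checks discussed above: the actor must appear in the event, the event timestamp must fall inside the action's window (with a hint when the offset looks like a clock-sync problem, as in the two time-synchronization questions), and ports are compared only for non-Host-CLI actions. The event field names (`host`, `src_ip`, `dest_port`), the `"Network"` action label, the tolerances and the sample log lines are all constructed assumptions for the example.

```python
"""Illustrative action-to-event matcher (constructed example, not MSV logic).

Given a validation action and a candidate SIEM event, returns the list of
reasons the event does NOT match.  An empty list means the event matches.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Action:
    action_type: str            # "Host CLI" (from the page) or "Network" (assumed label)
    actor: str                  # hostname or IP of the actor that ran the action
    started: datetime
    finished: datetime
    dest_port: Optional[int] = None   # only meaningful for network-style actions


@dataclass
class Event:
    raw: str
    timestamp: datetime
    host: Optional[str] = None
    src_ip: Optional[str] = None
    dest_port: Optional[int] = None


# Assumed tolerances for the example (not product settings).
TIME_TOLERANCE = timedelta(minutes=2)          # allowed slack around the action window
SKEW_HINT = timedelta(minutes=5)               # offsets in [5 min, 24 h) smell like clock drift


def parse_event(line: str) -> Event:
    """Parse a constructed 'TIMESTAMP key=value key=value' log line into an Event."""
    ts_text, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs if "=" in p)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    port = int(kv["dest_port"]) if "dest_port" in kv else None
    return Event(raw=line, timestamp=ts, host=kv.get("host"),
                 src_ip=kv.get("src_ip"), dest_port=port)


def explain_mismatch(action: Action, event: Event) -> list[str]:
    """Return every reason the event fails to match the action (empty == match)."""
    reasons: list[str] = []

    # 1. Actor identity: the event must carry the actor as its host or source IP.
    identifiers = {v for v in (event.host, event.src_ip) if v}
    if not identifiers:
        reasons.append("actor information is missing from the event")
    elif action.actor not in identifiers:
        reasons.append(f"actor {action.actor!r} not among event identifiers {sorted(identifiers)}")

    # 2. Time window: event time must fall inside the action window plus tolerance.
    lo = action.started - TIME_TOLERANCE
    hi = action.finished + TIME_TOLERANCE
    if not lo <= event.timestamp <= hi:
        edge = action.started if event.timestamp < lo else action.finished
        delta = event.timestamp - edge
        msg = f"event time {event.timestamp.isoformat()} is outside the action window"
        if SKEW_HINT <= abs(delta) < timedelta(hours=24):
            msg += f" (off by {delta}; check actor/SIEM clock sync with the Director)"
        reasons.append(msg)

    # 3. Ports: not needed for Host CLI Actions, so only compared for other types.
    if action.action_type != "Host CLI" and action.dest_port is not None:
        if event.dest_port != action.dest_port:
            reasons.append(f"dest_port {event.dest_port} != expected {action.dest_port}")

    return reasons


# Constructed sample data for the demo and the checks below.
_T0 = datetime.fromisoformat("2024-05-01T12:00:00+00:00")
HOST_ACTION = Action("Host CLI", "ws01", _T0, _T0 + timedelta(seconds=30))
NET_ACTION = Action("Network", "10.0.0.5", _T0, _T0 + timedelta(seconds=30), dest_port=445)

EVENT_OK = "2024-05-01T12:00:10Z host=ws01 src_ip=10.0.0.5 dest_port=445"
EVENT_NO_ACTOR = "2024-05-01T13:00:10Z dest_port=445"          # no actor, one hour late
EVENT_WRONG_PORT = "2024-05-01T12:00:05Z src_ip=10.0.0.5 dest_port=80"

if __name__ == "__main__":
    for action, line in ((HOST_ACTION, EVENT_OK), (HOST_ACTION, EVENT_NO_ACTOR),
                         (NET_ACTION, EVENT_WRONG_PORT)):
        print(line)
        print("  ->", explain_mismatch(action, parse_event(line)) or "MATCH")
```

The first sample matches even though its port column would look "wrong" for a Host CLI action, which is the point of the table caveat above; the second reproduces the screenshot's situation (no actor, time off) and also surfaces the clock-skew hint; the third shows a port mismatch that only matters because the action is not Host CLI.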
If you've made it this far and have not resolved the issue, it is time to reach out. Grab a set of logs and open a ticket. However, the Mandiant Technical Security Consultant alone may not be enough to solve this one. Bring the security technology or SIEM expert into the discussion. Topics could include:
Best of luck to anyone who reads this one.