topic Re: Time Comparison of Unique Service Start/Stop Pairs in Security

Time Comparison of Unique Service Start/Stop Pairs

Krafter — Sat, 21 Jan 2023 23:32:14 GMT

Hey all, requiring some assistance in tuning an out-of-box Splunk detection rule.

Volume Shadow Copy services frequently enters the running/stopped state by itself.
I wish to compare the lastTimeStamp of the running/stopped state of a unique service.
Ideally, if the comparison is more than one hour, a field stoppedForMoreThanAnHour equals to True.

How can I achieve this?

Re: Time Comparison of Unique Service Start/Stop Pairs

richgalloway — Sun, 22 Jan 2023 01:21:03 GMT

Replace the last two lines of the existing query with these. They keep the most recent event for each computer only if it's a "stopped" event. Then the timestamp is checked to see if it's more than an hour old.

| dedup computerName | where match(_raw, "stopped") AND _time < relative_time(now(), "-1h")

Re: Time Comparison of Unique Service Start/Stop Pairs

Krafter — Sun, 22 Jan 2023 01:51:51 GMT

Hey richgalloway! Thanks for the assistance.

I don't think what you're proposing quite achieves what I wish to do, I likely explained it badly.

I'm not looking for events where the stopped message was more than an hour ago.

I'm looking for events where the difference in time between the "last stopped message" and "last started message" is more than an hour.

Re: Time Comparison of Unique Service Start/Stop Pairs

ITWhisperer — Sun, 22 Jan 2023 11:27:36 GMT

Replace the last line with:

| rex field=Message "The (?<service>.*?) service.^ (?<state>\w+) state" | eval starttime=if(state="running", latestTimeStamp, null()) | eval stoptime=if(state="stopped", latestTimeStamp, null()) | stats values(starttime) as starttime values(stoptime) as stoptime by ComputerName service | eval downtime=starttime - stoptime | where downtime > 3600