Hi all,
I hope somebody can help.
I'm looking to create a search based on the following in a Windows event log. I'm not even sure it's referred to as a compounded search, and if that's wrong in the Splunk world, what is the correct term? It seems my googling skills have failed me this time round.
EventID=5145 and RelativeTargetName={srvcsvc or lsarpc or samr} and at least 3 occurrences with different RelativeTargetName and same (Source IP, Port) and SourceUserName not like "*DC*$" within 1 minute
Thanks in advance
Something like
index=your_event_index EventID=5145 RelativeTargetName IN ("srvcsvc","lsarpc","samr") NOT SourceUserName="*DC*$"
| bin _time span=1m
| stats dc(RelativeTargetName) as UniqueTargets by _time src_ip src_port
| where UniqueTargets=3
Note that the RelativeTargetName search is exact, add wildcards if needed in the IN clause.
Also, you have 3 target names, so you will only have a max of 3 unique targets, maybe I misunderstood your 'at least 3 with different' point.
Adjust the fields to match your data as needed.
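To make the correlation in the answer concrete outside Splunk, here is an added Python example (not part of the original thread and not Splunk's own code) that runs the same logic over a handful of constructed 5145-style records: filter to the three target names from the question (taken exactly as written there), drop source accounts matching the "*DC*$" wildcard, bucket into one-minute bins, and report every (bin, src_ip, src_port) with at least three distinct RelativeTargetName values. The field names src_ip and src_port are assumed to mirror the answer's SPL; the threshold and window are parameters.

```python
from collections import defaultdict
from datetime import datetime
import fnmatch

# Constructed sample events (not real log data); field names follow the SPL in the answer.
SAMPLE_EVENTS = [
    {"EventID": 5145, "_time": "2024-01-01T10:00:05", "RelativeTargetName": "srvcsvc",
     "src_ip": "10.0.0.5", "src_port": 49152, "SourceUserName": "jdoe"},
    {"EventID": 5145, "_time": "2024-01-01T10:00:20", "RelativeTargetName": "lsarpc",
     "src_ip": "10.0.0.5", "src_port": 49152, "SourceUserName": "jdoe"},
    {"EventID": 5145, "_time": "2024-01-01T10:00:41", "RelativeTargetName": "samr",
     "src_ip": "10.0.0.5", "src_port": 49152, "SourceUserName": "jdoe"},
    # duplicate target in the same bin: does not raise the distinct count
    {"EventID": 5145, "_time": "2024-01-01T10:00:50", "RelativeTargetName": "samr",
     "src_ip": "10.0.0.5", "src_port": 49152, "SourceUserName": "jdoe"},
    # next minute: a new bin, so it does not combine with the three above
    {"EventID": 5145, "_time": "2024-01-01T10:01:10", "RelativeTargetName": "srvcsvc",
     "src_ip": "10.0.0.5", "src_port": 49152, "SourceUserName": "jdoe"},
    # same three targets from a domain-controller machine account: excluded by the pattern
    {"EventID": 5145, "_time": "2024-01-01T10:00:07", "RelativeTargetName": "srvcsvc",
     "src_ip": "10.0.0.2", "src_port": 50000, "SourceUserName": "DC01$"},
    {"EventID": 5145, "_time": "2024-01-01T10:00:08", "RelativeTargetName": "lsarpc",
     "src_ip": "10.0.0.2", "src_port": 50000, "SourceUserName": "DC01$"},
    {"EventID": 5145, "_time": "2024-01-01T10:00:09", "RelativeTargetName": "samr",
     "src_ip": "10.0.0.2", "src_port": 50000, "SourceUserName": "DC01$"},
    # only two distinct targets from this source: below threshold
    {"EventID": 5145, "_time": "2024-01-01T10:00:30", "RelativeTargetName": "srvcsvc",
     "src_ip": "10.0.0.9", "src_port": 51000, "SourceUserName": "asmith"},
    {"EventID": 5145, "_time": "2024-01-01T10:00:31", "RelativeTargetName": "lsarpc",
     "src_ip": "10.0.0.9", "src_port": 51000, "SourceUserName": "asmith"},
    # different event ID: ignored entirely
    {"EventID": 4624, "_time": "2024-01-01T10:00:33", "RelativeTargetName": "samr",
     "src_ip": "10.0.0.9", "src_port": 51000, "SourceUserName": "asmith"},
]

# Values taken as written in the question; adjust to your environment.
TARGETS = {"srvcsvc", "lsarpc", "samr"}
EXCLUDE_USER_PATTERN = "*DC*$"   # Splunk-style wildcard; '$' is literal here
SPAN_SECONDS = 60                # equivalent of "bin _time span=1m"
THRESHOLD = 3                    # "at least 3 distinct RelativeTargetName"

_EPOCH = datetime(1970, 1, 1)


def bin_time(ts: str, span: int = SPAN_SECONDS) -> int:
    """Floor a naive ISO-8601 timestamp to the start of its span-second bin (as epoch seconds)."""
    seconds = int((datetime.fromisoformat(ts) - _EPOCH).total_seconds())
    return seconds - (seconds % span)


def user_excluded(user: str, pattern: str = EXCLUDE_USER_PATTERN) -> bool:
    """Case-insensitive wildcard match, like a Splunk field comparison with '*'."""
    return fnmatch.fnmatchcase(user.upper(), pattern.upper())


def correlate(events, threshold: int = THRESHOLD, span: int = SPAN_SECONDS):
    """Return [(bin_epoch, src_ip, src_port, distinct_targets)] for every bucket at/over threshold."""
    buckets = defaultdict(set)  # (bin, src_ip, src_port) -> set of RelativeTargetName
    for e in events:
        if e.get("EventID") != 5145:
            continue
        if e.get("RelativeTargetName") not in TARGETS:
            continue
        if user_excluded(e.get("SourceUserName", "")):
            continue
        key = (bin_time(e["_time"], span), e["src_ip"], e["src_port"])
        buckets[key].add(e["RelativeTargetName"])
    hits = [(b, ip, port, len(names)) for (b, ip, port), names in buckets.items()
            if len(names) >= threshold]
    return sorted(hits)


if __name__ == "__main__":
    for b, ip, port, n in correlate(SAMPLE_EVENTS):
        print(f"bin={b} src={ip}:{port} distinct_targets={n}")
```

Because the distinct count is taken per (bin, source IP, source port) rather than per source alone, a burst that straddles a minute boundary can be split across two bins and miss the threshold, which is the same behaviour as the SPL's bin-then-stats approach; if that matters, a sliding window keyed on the first event's timestamp is the alternative.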