Alerting

Can I make a compound search for this Windows event log?

Cboats
New Member

Hi all,

I hope somebody can help.

I'm looking to create a search based on the following in a Windows event log. I'm not even sure it's referred to as a compounded search, and if that's wrong in the Splunk world, what is the correct term? It seems my googling skills have failed me this time round.

EventID-5145 and RelativeTargetName={srvcsvc or lsarpc or samr} and at least 3 occurrences with different RelativeTargetName and same (Source IP, Port) and SourceUserName not like "*DC*$" within 1 minute

Thanks in advance


bowesmana
SplunkTrust

Something like

index=your_event_index EventID=5145 RelativeTargetName IN ("srvcsvc","lsarpc","samr") NOT SourceUserName="*DC*$"
| bin _time span=1m
| stats dc(RelativeTargetName) as UniqueTargets by _time src_ip src_port
| where UniqueTargets>=3

Note that the RelativeTargetName search is exact; add wildcards in the IN clause if needed.

Also, you have 3 target names, so you will only have a max of 3 unique targets, maybe I misunderstood your 'at least 3 with different' point.

Adjust the fields to match your data as needed.
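The same detection logic run over a few constructed 5145 records, as an added Python example that is not part of the original thread: the one-minute window start is part of the grouping key (the effect of bin _time followed by stats ... by _time src_ip src_port in SPL), the "*DC*$" exclusion is applied, and distinct pipe names per (window, src_ip, src_port) are counted. Field names (_time, EventID, RelativeTargetName, src_ip, src_port, SourceUserName) and the sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, target, ip, port, user):
    # Helper to build a constructed 5145 record; field names are assumed.
    return {"_time": t, "EventID": 5145, "RelativeTargetName": target,
            "src_ip": ip, "src_port": port, "SourceUserName": user}

SAMPLE_EVENTS = [  # constructed sample data, not from the post
    ev("2024-05-01T10:00:05", "srvsvc", "10.1.1.5", 49152, "jsmith"),
    ev("2024-05-01T10:00:20", "lsarpc", "10.1.1.5", 49152, "jsmith"),
    ev("2024-05-01T10:00:40", "samr",   "10.1.1.5", 49152, "jsmith"),
    ev("2024-05-01T10:02:10", "samr",   "10.1.1.5", 49152, "jsmith"),  # later minute
    ev("2024-05-01T10:01:00", "srvsvc", "10.1.1.9", 50000, "WS01$"),   # only 2 pipes
    ev("2024-05-01T10:01:30", "lsarpc", "10.1.1.9", 50000, "WS01$"),
    ev("2024-05-01T10:03:01", "samr",   "10.1.1.7", 51000, "DC01$"),   # DC account
    ev("2024-05-01T10:03:02", "lsarpc", "10.1.1.7", 51000, "DC01$"),
    ev("2024-05-01T10:03:03", "srvsvc", "10.1.1.7", 51000, "DC01$"),
]

# Pipe names as listed in the post; "srvcsvc" there is presumably the Server
# Service pipe, which 5145 events record as "srvsvc", so both are accepted.
TARGETS = {"srvcsvc", "srvsvc", "lsarpc", "samr"}
WINDOW_SECONDS = 60       # equivalent of "bin _time span=1m"
MIN_UNIQUE_TARGETS = 3    # "at least 3 occurrences with different names"
EPOCH = datetime(1970, 1, 1)

def is_dc_machine_account(user):
    # Mirrors the SPL glob "*DC*$": contains "DC" and ends with "$".
    return user.endswith("$") and "DC" in user

def find_pipe_enumeration(events):
    # Distinct target pipes per fixed window and source (ip, port), like
    # "stats dc(RelativeTargetName) by _time src_ip src_port" after bin.
    buckets = defaultdict(set)
    for e in events:
        name = e["RelativeTargetName"].lower()
        if e["EventID"] != 5145 or name not in TARGETS:
            continue
        if is_dc_machine_account(e["SourceUserName"]):
            continue
        secs = (datetime.fromisoformat(e["_time"]) - EPOCH).total_seconds()
        window = int(secs // WINDOW_SECONDS) * WINDOW_SECONDS
        buckets[(window, e["src_ip"], e["src_port"])].add(name)
    hits = []
    for (window, ip, port), names in sorted(buckets.items()):
        if len(names) >= MIN_UNIQUE_TARGETS:  # the "where UniqueTargets>=3" step
            hits.append({"window_start": (EPOCH + timedelta(seconds=window)).isoformat(),
                         "src_ip": ip, "src_port": port, "targets": sorted(names)})
    return hits

if __name__ == "__main__":
    for hit in find_pipe_enumeration(SAMPLE_EVENTS):
        print(hit)
```

As with bin in SPL, the windows are fixed minute boundaries, so a burst that straddles two minutes is split between buckets; a sliding window (streamstats in SPL) would catch that case.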
