How do I build this Sysmon log search without havi...

Ash · ‎11-23-2022

I want to implement this correlation search:

`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`

I do not have the required fields from Sysmon log data. I have fields like Image,ParentImage,Processid but do not have TargetImage, TargetProcessId, SourceImage, SourceProcessId. How do I build the above query using the fields I have.

yuanliu · ‎11-24-2022

This is a very strange request. If you don't have fields needed for your task, how can other people invent them? Maybe you have some definition that you have in mind but have difficulty implement your ideas? Else, you can illustrate sample data and desired outcome to explain what you really wanted from this correlation?

How do I build this Sysmon log search without having required fields?

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation