Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to match a sequence of events in Splunk?

BlueTeam77
New Member
‎04-30-2022 10:05 PM

Hello,

My SPL expertise are limited. I'm trying to write a search which matches a sequence of events.

I'm working with sysmon logs from a windows machine.

first event is a file creation event where Image ends with dllhost.exe and TargetFilename starts with C:\windows\system32\. something like:

 

index=sysmon EventID=11 Image="*dllhost.exe" TargetFilename="C:\\windows\\system32\\*"

 

next event is an image load event where Image starts with C:\windows\system32\ and Signature does not start with the keyword "Microsoft ". something like

 

index=sysmon EventID=7 Image="C:\\windows\\system32\\*" Signature != "Microsoft *"

 

Value of TargetFilename in Event 1 must be equal to value of ImageLoaded  field in Event 2.

And Event 2 must occur within 1 minute of Event 1.

I tried inner join, where I join results based on TargetFilename from Event 1and ImageLoaded  (renamed) from Event 2, But this solves only first part of the puzzle. I want both events to occur in a sequence i.e. join if Event 2 time is less than 1 minute of Event 1 time.  I don't know how to articulate this with SPL.
Also I'd nice if someone can show me how to do all this with tstats 🙂

Thanks

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-01-2022 02:19 AM

Try something like this

| sort 0 _time
| eval load=if(match(image,"dllhost\.exe") AND event=11,target,if(event=7,image,null()))
| streamstats range(_time) as timespan list(image) as images global=f window=2 by load
| eval previous=if(mvcount(images)=2,mvindex(images,0),null())
| where event=7 AND match(previous,"dllhost\.exe") AND signature="Not Microsoft" AND timespan < 60
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...