How to match a sequence of events in Splunk?

BlueTeam77 · ‎04-30-2022

Hello,

My SPL expertise are limited. I'm trying to write a search which matches a sequence of events.

I'm working with sysmon logs from a windows machine.

first event is a file creation event where Image ends with dllhost.exe and TargetFilename starts with C:\windows\system32\. something like:

index=sysmon EventID=11 Image="*dllhost.exe" TargetFilename="C:\\windows\\system32\\*"

next event is an image load event where Image starts with C:\windows\system32\ and Signature does not start with the keyword "Microsoft ". something like

index=sysmon EventID=7 Image="C:\\windows\\system32\\*" Signature != "Microsoft *"

Value of TargetFilename in Event 1 must be equal to value of ImageLoaded field in Event 2.

And Event 2 must occur within 1 minute of Event 1.

I tried inner join, where I join results based on TargetFilename from Event 1and ImageLoaded (renamed) from Event 2, But this solves only first part of the puzzle. I want both events to occur in a sequence i.e. join if Event 2 time is less than 1 minute of Event 1 time. I don't know how to articulate this with SPL.
Also I'd nice if someone can show me how to do all this with tstats 🙂

Thanks

ITWhisperer · ‎05-01-2022

Try something like this

| sort 0 _time
| eval load=if(match(image,"dllhost\.exe") AND event=11,target,if(event=7,image,null()))
| streamstats range(_time) as timespan list(image) as images global=f window=2 by load
| eval previous=if(mvcount(images)=2,mvindex(images,0),null())
| where event=7 AND match(previous,"dllhost\.exe") AND signature="Not Microsoft" AND timespan < 60

How to match a sequence of events in Splunk?

join

subsearch

tstats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?