Splunk Search

Quick SPL help with Windows Logs!

dfurtaw
Path Finder

Good day all,

I come to seek guidance from the experts 🙂

My team and I have been tasked with creating an alert that will capture hosts that start a Windows AV scan (EventCode=1000) on a Friday and don't complete by Monday. These long running scans are causing issues in the environment and we are hoping to tackle them before the start of business on Monday.

The hosts log EventCode=1001 OR EventCode=1002 when they have stopped their scan.

We have attempted to put together a couple queries, one using a subsearch that grabs all hosts who have logged EventCode=1000 that is piped into an outer search that does a NOT EventCode=1001 OR EventCode=1002 and the second using the transaction command with the following syntax:

 

<base search> | transaction maxspan=3d startswith=EventCode="1000" endswith=(EventCode="1001" OR EventCode="1002") keeporphans=true | where _txn_orphan=1
| stats count by ComputerName

 

but get no results. I do know that the transaction command is a hog and is generally recommended against. I wanted to ask the collective any thoughts or ideas on this to see the best practice for this type of search. I have read a couple posts using streamstats but I'm not sure if this is the best route for this specific example here As always, it is greatly appreciated. 

Labels (3)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Depending on the data using maxspan of 3 days for transaction is going to be difficult to diagnose. It will silently handle buffer/memory size issues, so you will rarely know if your results are reliable.

I would always starts with stats, e.g.

 

<search> EventCode=1000 OR EventCode=1001 OR EventCode=1002
| stats list(_time) as times list(EventCode) as Codes by ComputerName
| where mvcount(Codes)=1 AND mvindex(Codes,0)="1000"

 

Assuming the search is run from the Friday to some point later, then this would return you all ComputerName results where there is ONLY a single result for ComputerName and it is a 1000 EventCode

Effectively this gives you all the open scans currently in progress.

 

 

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...