All,
I'm not sure what type of search I need to use...
What I would like to do is the following;
Search for EventId 4688, 4624, 4672, 4688, 4689 all within a few seconds.
I can't seem to get it to work using transaction.
Here is what I have just as a test:
source="WinEventLog:Security" * |transaction "EventCode=4688" "EventCode=4689" maxspan=30s maxpause=5s
I would think I should get something back from this as it's a simple, Process Created, Process Exited.
Make sense?
This is where I got the idea - http://www.sysforensics.org/2012/04/splunk-and-malware-fun.html
What did you try that did not work?
transaction
sounds like exactly what you should use. Something like:
EventId=4688 OR EventId=4624 OR EventId=4672 OR EventId=4688 OR EventId=4689| transaction maxspan=10s | search EventId=4688 AND EventId=4624 AND EventId=4672 AND EventId=4688 AND EventId=4689
This retrieves all the events of interest, then puts them together in transactions spanning max 10 seconds (you might want to perform this transaction on a field as well, like host
, to avoid events from different sources overlapping each other), and finally searches for transactions that contain all the EventId's.
What did you try that did not work?
transaction
sounds like exactly what you should use. Something like:
EventId=4688 OR EventId=4624 OR EventId=4672 OR EventId=4688 OR EventId=4689| transaction maxspan=10s | search EventId=4688 AND EventId=4624 AND EventId=4672 AND EventId=4688 AND EventId=4689
This retrieves all the events of interest, then puts them together in transactions spanning max 10 seconds (you might want to perform this transaction on a field as well, like host
, to avoid events from different sources overlapping each other), and finally searches for transactions that contain all the EventId's.