Splunk Search

searching for repeated events from the same user

tkerr1357
Path Finder

Hi All,

I am looking to create an alert based on the following base search. index=wineventlog w19tax.exe app_name=W19TAX . I am specifically looking for the alert to only trigger when the same SID comes up multiple time for the same application.

example event:

09/29/2021 04:21:08 PM LogName=Microsoft-Windows-AppLocker/EXE and DLL SourceName=Microsoft-Windows-AppLocker EventCode=8002 EventType=4 Type=Information ComputerName=BPOLCP01S12.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-21-2605281412-2030159296-1019850961-762275 SidType=0 TaskCategory=None OpCode=Info RecordNumber=39961045 Keywords=None Message=D:\PROGRAM FILES\LACERTE\19TAX\W19TAX.EXE was allowed to run.

Labels (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1

View solution in original post

0 Karma

somesoni2
Revered Legend

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1
0 Karma

tkerr1357
Path Finder

yeesh glad I asked I was way overthinking this thanks for the help.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...