Splunk Search

searching for repeated events from the same user

tkerr1357
Path Finder

Hi All,

I am looking to create an alert based on the following base search. index=wineventlog w19tax.exe app_name=W19TAX . I am specifically looking for the alert to only trigger when the same SID comes up multiple time for the same application.

example event:

09/29/2021 04:21:08 PM LogName=Microsoft-Windows-AppLocker/EXE and DLL SourceName=Microsoft-Windows-AppLocker EventCode=8002 EventType=4 Type=Information ComputerName=BPOLCP01S12.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-21-2605281412-2030159296-1019850961-762275 SidType=0 TaskCategory=None OpCode=Info RecordNumber=39961045 Keywords=None Message=D:\PROGRAM FILES\LACERTE\19TAX\W19TAX.EXE was allowed to run.

Labels (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1

View solution in original post

0 Karma

somesoni2
Revered Legend

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1
0 Karma

tkerr1357
Path Finder

yeesh glad I asked I was way overthinking this thanks for the help.

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...