Solved: searching for repeated events from the same user

tkerr1357 · ‎09-29-2021

Hi All,

I am looking to create an alert based on the following base search. index=wineventlog w19tax.exe app_name=W19TAX . I am specifically looking for the alert to only trigger when the same SID comes up multiple time for the same application.

example event:

09/29/2021 04:21:08 PM LogName=Microsoft-Windows-AppLocker/EXE and DLL SourceName=Microsoft-Windows-AppLocker EventCode=8002 EventType=4 Type=Information ComputerName=BPOLCP01S12.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-21-2605281412-2030159296-1019850961-762275 SidType=0 TaskCategory=None OpCode=Info RecordNumber=39961045 Keywords=None Message=D:\PROGRAM FILES\LACERTE\19TAX\W19TAX.EXE was allowed to run.

somesoni2 · ‎09-29-2021

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1

View solution in original post

somesoni2 · ‎09-29-2021

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1

tkerr1357 · ‎09-30-2021

yeesh glad I asked I was way overthinking this thanks for the help.

searching for repeated events from the same user

count

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services