Solved: searching for repeated events from the same user

tkerr1357 · ‎09-29-2021

Hi All,

I am looking to create an alert based on the following base search. index=wineventlog w19tax.exe app_name=W19TAX . I am specifically looking for the alert to only trigger when the same SID comes up multiple time for the same application.

example event:

09/29/2021 04:21:08 PM LogName=Microsoft-Windows-AppLocker/EXE and DLL SourceName=Microsoft-Windows-AppLocker EventCode=8002 EventType=4 Type=Information ComputerName=BPOLCP01S12.rightnetworks.com User=NOT_TRANSLATED Sid=S-1-5-21-2605281412-2030159296-1019850961-762275 SidType=0 TaskCategory=None OpCode=Info RecordNumber=39961045 Keywords=None Message=D:\PROGRAM FILES\LACERTE\19TAX\W19TAX.EXE was allowed to run.

somesoni2 · ‎09-29-2021

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1

View solution in original post

somesoni2 · ‎09-29-2021

Try something like this

index=wineventlog w19tax.exe 
| stats count by app_name Sid
| where count>1

tkerr1357 · ‎09-30-2021

yeesh glad I asked I was way overthinking this thanks for the help.

searching for repeated events from the same user

count

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?