Let's say I run this search:

earliest=-4w latest=-2w index=int sourcetype=threat | stats count by name | sort -count | head 10

Results are -
Endpoint 6434272
URL 2499463
RPC 2428255
HTTP 299502
Login 180736
enumeration 170613
SMB 167128
NetBIOS 165573
user 92934
Buffer 54541
I run the same search, just with the earlier time frame:

earliest=-2w latest=-d index=int sourcetype=threat | stats count by name | sort -count | head 10

Results are -
Endpoint 7449314
SMB 2699952
URL 2489496
enumeration 503045
Options 332335
MP4 295500
Adobe 243639
NetBIOS 178598
Microsoft 139980
SIP 39992
You can see there is some overlap between the two searches and that is what I am wanting to omit. I am only wanting to see what is new when comparing the past two weeks vs an older time frame.
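One way to get "names seen in the recent two weeks but never in the two weeks before" is to run a single search over both windows, tag each event with the window it falls in, and keep only names whose baseline count is zero. This is an added example, not part of the original post; the index, sourcetype and field name are taken from the question, and the window boundary is computed from now() with relative_time, so it assumes the search is run with the same notion of "now" as the two original searches.

```spl
index=int sourcetype=threat earliest=-4w latest=-d
| eval period=if(_time < relative_time(now(), "-2w"), "baseline", "recent")
| stats count(eval(period=="baseline")) AS baseline_count,
        count(eval(period=="recent"))   AS recent_count
        BY name
| where baseline_count=0 AND recent_count>0
| sort -recent_count
| head 10
```

Comparing the two separate searches by eye only tells you which names were new among each window's top 10; a name can be absent from the older top 10 and still have appeared thousands of times in the baseline window. The combined search compares every name across the full baseline, so "new" means genuinely unseen in the older window. On the detection side, a name with a zero baseline count is worth a second look at the source before treating it as a new threat: it can equally be a signature or content update that started firing during the recent window.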