Hello, my SPL expertise is limited. I'm trying to write a search which matches a sequence of events. I'm working with sysmon logs from a Windows machine.

The first event is a file creation event where Image ends with dllhost.exe and TargetFilename starts with C:\windows\system32\. Something like: index=sysmon EventID=11 Image="*dllhost.exe" TargetFilename="C:\\windows\\system32\\*"

The next event is an image load event where Image starts with C:\windows\system32\ and Signature does not start with the keyword "Microsoft ". Something like: index=sysmon EventID=7 Image="C:\\windows\\system32\\*" Signature != "Microsoft *"

The value of TargetFilename in Event 1 must be equal to the value of the ImageLoaded field in Event 2, and Event 2 must occur within 1 minute of Event 1.

I tried an inner join, where I join results based on TargetFilename from Event 1 and ImageLoaded (renamed) from Event 2, but this solves only the first part of the puzzle. I want both events to occur in a sequence, i.e. join if Event 2 time is less than 1 minute after Event 1 time. I don't know how to articulate this with SPL. Also, it'd be nice if someone can show me how to do all this with tstats 🙂 Thanks
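One way to express this sequence without a join, added here as an example and not part of the original post: pull both event types in a single search, normalise the DLL path into one field, and let streamstats carry the most recent creation time forward to the load event for the same path. It assumes the field names from the question (EventID, Image, TargetFilename, ImageLoaded, Signature) and the index name index=sysmon; Computer is assumed to be the host field in your Sysmon add-on.

```spl
index=sysmon
    (EventID=11 Image="*dllhost.exe" TargetFilename="C:\\windows\\system32\\*")
    OR (EventID=7 Image="C:\\windows\\system32\\*" NOT Signature="Microsoft *")
| eval dll=lower(if(EventID=11, TargetFilename, ImageLoaded))
| eval create_time=if(EventID=11, _time, null())
| sort 0 _time
| streamstats current=f last(create_time) AS create_time by dll
| where EventID=7 AND isnotnull(create_time) AND (_time - create_time) <= 60
| eval seconds_after_create=_time - create_time
| table _time Computer dll Image Signature seconds_after_create
```

The eval on line four puts the path from either event into dll (lower-cased so differing case does not break the match), and create_time is set only on the creation event. After sorting oldest first, streamstats with current=f attaches to every event the create_time of the most recent earlier event with the same dll; stats functions skip null values, so a load event sees the last creation time rather than an empty field. The where clause then keeps only load events that have a preceding creation for the same path within 60 seconds, which is the ordering the join could not express. NOT Signature="Microsoft *" is used instead of Signature != "Microsoft *" so that load events with no Signature field at all are also kept. The same correlation can be written as transaction dll startswith=(EventID=11) endswith=(EventID=7) maxspan=1m, but streamstats is cheaper on large result sets. For tstats you would need these fields in an accelerated data model or as indexed fields; the streamstats and where steps afterwards are unchanged.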