Hi all,
I hope somebody can help.
I'm looking to create a search based on the following in a Windows event log. I'm not even sure it's referred to as a compound search, and if that's wrong in the Splunk world, what is the correct term? It seems my googling skills have failed me this time round.
EventID 5145 and RelativeTargetName = {srvcsvc or lsarpc or samr} and at least 3 occurrences with different RelativeTargetName and the same (Source IP, Port) and SourceUserName not like "*DC*$" within 1 minute
Thanks in advance
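In Splunk terms this is an aggregation over a time bucket (a `stats` with a `where` threshold) rather than a "compound" search; the SPL below is an added example, not from the original post, and assumes the XML-format field names of event 5145 (`IpAddress`, `IpPort`, `SubjectUserName`, `RelativeTargetName`), an index named `wineventlog`, and the pipe name `srvsvc` (the post spells it `srvcsvc`).

```spl
index=wineventlog sourcetype="XmlWinEventLog" EventCode=5145
    RelativeTargetName IN ("srvsvc", "lsarpc", "samr")
    NOT SubjectUserName="*DC*$"
| bin _time span=1m
| stats dc(RelativeTargetName) AS distinct_pipes
        values(RelativeTargetName) AS pipes
        count AS events
        BY _time IpAddress IpPort SubjectUserName
| where distinct_pipes >= 3
| table _time IpAddress IpPort SubjectUserName distinct_pipes pipes events
```

`bin` produces fixed one-minute buckets, so a burst that straddles a minute boundary is split and may fall below the threshold; for a true sliding window, replace `bin` plus `stats` with `streamstats time_window=60s dc(RelativeTargetName) AS distinct_pipes BY IpAddress IpPort SubjectUserName` followed by the same `where`. Field names vary with the Windows add-on and log format in use, so check them against a raw 5145 event before relying on the search.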