Detecting Common User/Domain Recon- Splunk

Modify and employ the Splunk search provided at the end of this section on all ingested data (All time) to find all process names that made LDAP queries where the filter includes the string (samAccountType=805306368). Enter the missing process name from the following list as your answer. N/A, Rubeus, SharpHound, mmc, powershell, _

index=main earliest=1690195896 latest=1690285475 source="WinEventLog:SilkService-Log"
| spath input=Message 
| rename XmlEventData.* as * 
| table _time, ComputerName, ProcessName, ProcessId, DistinguishedName, SearchFilter
| sort 0 _time
| search SearchFilter="*(samAccountType=805306368)*"
| stats min(_time) as _time, max(_time) as maxTime, count, values(SearchFilter) as SearchFilter by ComputerName, ProcessName, ProcessId
| where count > 10
| convert ctime(maxTime)

I’ve tried to modify the search a few different ways but can only find about 7 process names, non of which work as the answer. I’ve switched the time frame to be All time so I know that’s not the issue.

Try to remove the time range from the query and modify the Event Count. I hope it helps.