Understanding Log Sources & Investigating with Splunk - Introduction to Splunk & SPL

I finally solved it.
According to splunk documentation, range() => Returns the difference between the maximum and minimum values in a field.
So I tried below SPL, then check the line with the most count number.

I solved it. You can check network connection event from sysmon log and narrow down the range to known malicious image name that you knew.

I was able to solve it but I think coincidentially, if you could kindly further elaborate

@Lyann has given a good hint to check the event code…
another hint is that the callback server here gets the connection request from compromised machine…now you can understand to look at source and destination ips

Still you have to check the malicious image.

index=* EventCode=4624
| stats min(_time) as firstLogin, max(_time) as lastLogin by Account_Name
| eval timeDiff=lastLogin - firstLogin
| where timeDiff <= 600
| eval firstLogin=strftime(firstLogin, “%Y-%m-%d %H:%M:%S”), lastLogin=strftime(lastLogin, “%Y-%m-%d %H:%M:%S”)
| table Account_Name, firstLogin, lastLogin, timeDiff
| sort - timeDiff

1 Like

index=“main” EventCode=* Image=“C:\Windows\System32\rundll32.exe” | table _time, ComputerName, SourceIp, DestinationIp, DestinationPort, Image, ProcessId, CommandLine | where _time >= relative_time(now(), “-1d@d”) | stats count by dest_ip | sort count | rare limit=20 DestinationIp

for port number, this works index=“main” EventCode=3 (SourceIp=“” OR SourceIp=“”)
| table _time, SourceIp, DestinationIp, DestinationPort, ComputerName