Splunk Lantern

Time elapsed between two related events

 

A command line process executed on your network might have exposed the network to a virus. You want to know how much time has passed between the potential exposure and now.

Required data  

Microsoft: Sysmon

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=* 
| table _time host CommandLine
| eval cl_length=len(CommandLine)
| eval daydiff=round((now()-_time) / 86400, 0)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search fragment, each followed by its explanation:

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 

Search only Sysmon operational data.

CommandLine=* 

Return logs with a value in the command line field.

| table _time host CommandLine 

Display the results in a table with columns in the order shown.

| eval cl_length=len(CommandLine)

Create a new field called cl_length that shows the length of each command line string the search returns.

| eval daydiff=round((now()-_time) / 86400, 0)

Create a new field called daydiff, which is the difference between now and when the command line executed (_time), rounded to the nearest integer value.

now()-_time is expressed in seconds. Dividing by 86,400 converts the value to days, and round(..., 0) rounds the result to the nearest whole day.
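To check what the eval stages of this search produce before relying on the numbers, the same filter and calculations are replicated below in Python over constructed Sysmon XML records. This is added example code, not part of the Lantern article or of Splunk; it assumes _time is taken from the event's TimeCreated SystemTime attribute and that an exact half-day rounds up.

```python
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML namespace

# Constructed sample: Sysmon Event ID 1 records in the shape the XmlWinEventLog input ingests.
# The last one has an empty CommandLine and must be dropped, as CommandLine=* drops it in Splunk.
XML = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>' \
      '<TimeCreated SystemTime="{t}"/><Computer>{h}</Computer></System>' \
      '<EventData><Data Name="CommandLine">{c}</Data></EventData></Event>'
SAMPLE_EVENTS = [
    XML.format(t="2024-03-01T08:15:00.1234567Z", h="ws01.example.local",
               c="powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"),
    XML.format(t="2024-03-03T20:00:00.0000000Z", h="ws02.example.local", c="cmd.exe /c whoami"),
    XML.format(t="2024-03-03T21:00:00.0000000Z", h="ws03.example.local", c=""),
]

def parse_system_time(value):
    """Windows SystemTime carries 7 fractional digits; strptime's %f takes at most 6, so split it."""
    base, frac = value.rstrip("Z").split(".")
    ts = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ts.timestamp() + int(frac[:6].ljust(6, "0")) / 1_000_000

def parse_sysmon_event(xml_text):
    """Return the fields the search keeps (_time, host, CommandLine), or None when CommandLine is empty."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", namespaces=NS)}
    if not data.get("CommandLine"):  # same effect as the CommandLine=* filter
        return None
    when = root.find("e:System/e:TimeCreated", namespaces=NS).get("SystemTime")  # assumed source of _time
    return {"_time": parse_system_time(when),
            "host": root.findtext("e:System/e:Computer", namespaces=NS),
            "CommandLine": data["CommandLine"]}

def day_diff(event_epoch, now_epoch):
    """round((now()-_time)/86400, 0): seconds to days, nearest whole day (assumption: half-days round up)."""
    return math.floor((now_epoch - event_epoch) / 86400 + 0.5)

def run_search(events, now_epoch):
    """Apply the search's filter, table and two eval stages to raw XML events; now_epoch stands in for now()."""
    rows = []
    for xml_text in events:
        ev = parse_sysmon_event(xml_text)
        if ev is None:
            continue
        ev["cl_length"] = len(ev["CommandLine"])
        ev["daydiff"] = day_diff(ev["_time"], now_epoch)
        rows.append(ev)
    return rows
```

With a fixed reference time such as 2024-03-04 12:00 UTC, the first record is about 3.16 days old and reports daydiff 3, while the second is 16 hours old and rounds to 1, which is the rounding behaviour to keep in mind when the difference is used to scope which machines were online during the exposure window.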

Next steps

The difference in time can help you determine which other machines and files on your network may have been exposed to the virus if they were connected to the network during that same period. You might also need this time difference for reporting purposes.

Finally, you might be interested in other processes associated with these use cases: