Searching for a specific order of events in Log Server

[rferebee]

Hello,

I would like to know if there is a way to perform a search in Log Server that dictates if one specific event is found then look for another event to occur immediately after? Sort of an if this/than that search.

We're trying to find a way to search for a potential security vulnerability described in this article: https://thehackernews.com/2020/09/detec ... tical.html

It says to look for Windows event ID 4742 followed by or combined with event ID 4672 (the would involve the same SubjectUserName or Account Name.

Thank you.

[rferebee]

I also found this article: https://www.lares.com/blog/from-lares-l ... 2020-1472/

I'm having trouble searching for multiple event IDs at the same time and I'm not sure what I'm doing wrong. When I search them separately I get results, but when I search both I only get one or the other.

[scottwilkerson]

There is no way to specifically have a single search trigger another

I'm having trouble searching for multiple event IDs at the same time and I'm not sure what I'm doing wrong. When I search them separately I get results, but when I search both I only get one or the other.

This should be able to be accomplished with something like

Code: Select all

EventID:4742 OR EventID:4672

[rferebee]

Ok, I'll try that. Thank you.

[scottwilkerson]

Ok, I'll try that. Thank you.

No problem

[rferebee]

This thread can be locked. Thank you.

[scottwilkerson]

This thread can be locked. Thank you.

Great!

Locking thread