Hey all. So....been looking at EventGroups thinking this might fit the bill, but I'm not sure so I'm coming to you folks. I have the below:
1625677087.655857 CAY8g9D3jAKFwhD02 SameIP 59143 DifferentIP 445 0.017172 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677087.744290 C6mmd42niEVcW1djY5 SameIP 59144 DifferentIP 445 0.003689 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677087.776183 CamRzj1Y20KA9cv9Mi SameIP 59145 DifferentIP 445 0.003968 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677203.779593 CF4JvS21lo6Beh3jUb SameIP 59149 DifferentIP 445 0.001475 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts
1625677203.892484 C6LZI2ooakJbNI6vj SameIP 59150 DifferentIP 445 0.023818 \\pipe\\lsass netlogon DsrEnumerateDomainTrusts

My goal is to flag on this type of behaviour (a single IP enumerating domain trust against several domain controllers in a small space of time). Anyone have any tips on how to implement something like this? Is EventGroup not what I need? Thank you.

James
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
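One way to express this detection in SEC, as an added example that is not from the original post or the SEC project: a context-gated Single rule turns each newly seen (source, domain controller) pair into a synthetic event, and a SingleWithThreshold rule counts those synthetic events per source host over a time window. The field positions (Zeek dce_rpc.log order: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, rtt, named_pipe, endpoint, operation), the 300-second window, the threshold of three distinct DCs and the context/event names are all assumptions chosen for the example.

```sec
# Added example (not from the post). Matches Zeek dce_rpc.log lines laid out as:
#   ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation
# $1 = source host, $2 = domain controller. The negated context makes each
# (source, DC) pair produce one synthetic event per 300-second window, so
# repeated calls from the same source to the same DC are not counted twice.
type=Single
ptype=RegExp
pattern=^\S+\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s+445\s+\S+\s+\S+\s+netlogon\s+DsrEnumerateDomainTrusts
context=!DSRENUM_$1_$2
desc=domain trust enumeration from $1 against $2
action=create DSRENUM_$1_$2 300; event DSRENUM_NEW_DC $1 $2

# Counts distinct DCs per source host: desc is keyed on $1, so SEC keeps one
# counter per source. Three or more distinct DCs within 300 seconds raises
# one alert (assumed threshold and window; tune to your environment).
type=SingleWithThreshold
ptype=RegExp
pattern=^DSRENUM_NEW_DC (\S+) (\S+)$
desc=$1 enumerating domain trusts against multiple DCs
action=write - ALERT: $1 called DsrEnumerateDomainTrusts on 3+ domain controllers within 5 minutes
window=300
thresh=3
```

Run it against the live log with something like `sec --conf=dsrenum.sec --input=/path/to/dce_rpc.log` (file names assumed). EventGroup is built for correlating events of different kinds; here every event is the same kind and only the destination field varies, so the usual SEC idiom is to de-duplicate with a per-pair context and count per source through the desc of a threshold rule. The Zeek log is tab-separated; `\s+` in the pattern handles both tabs and the spaces in the pasted sample.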