MyITGuy · February 6, 2025 19:33
diff --git a/dcom_name_resolution_failure.txt b/dcom_name_resolution_failure.txt
 index=uscc_is_workstation_windows SourceName="Microsoft-Windows-DistributedCOM" EventCode=10028
 | rex field=Message "computer (?<HostName>.*) using"
 | rex field=Message "PID.*\((?<ProcessPath>.*)\)"
 | rex field=Message "CLSID.*\{(?<CLSID>.*)\}"
 | eval Component=case(
  CLSID = "8BC3F05E-D86B-11D0-A075-00C04FB68820", "Windows Management and Instrumentation",
  CLSID = "3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D", "RAServer",
  1 = 1, CLSID
 )
 ```| regex Message="ab950015400007U|a01d753600000DQ|a0307881900001M"```
 | stats count by ComputerName,ProcessPath,Component,HostName
 | sort count desc
	index=uscc_is_workstation_windows SourceName="Microsoft-Windows-DistributedCOM" EventCode=10028
	\| rex field=Message "computer (?<HostName>.*) using"
	\| rex field=Message "PID.\((?<ProcessPath>.)\)"
	\| rex field=Message "CLSID.\{(?<CLSID>.)\}"
	\| eval Component=case(
	CLSID = "8BC3F05E-D86B-11D0-A075-00C04FB68820", "Windows Management and Instrumentation",
	CLSID = "3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D", "RAServer",
	1 = 1, CLSID
	)
	```\| regex Message="ab950015400007U\|a01d753600000DQ\|a0307881900001M"```
	\| stats count by ComputerName,ProcessPath,Component,HostName
	\| sort count desc