topic Re: Removing a file path from an alert search in Getting Data In

Removing a file path from an alert search

sigiri — Wed, 17 Nov 2021 19:04:45 GMT

So there is a query on my splunk cloud instance. Which is below:

index=windows EventCode=4688

[| inputlookup "lotl_commands.csv"

| rename suscmd as search ]

NOT Account_Name=*$

NOT (net "use ")

NOT InteractionScripter.NET.exe

NOT (Account_Name=itreports sqlcmd.exe)

NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)

NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)

NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")

NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)

NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)

NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`

NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`

NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`

NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)

| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line

| sort _time

Whenever it runs, it triggers an alert for file path:

C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe
C:\Windows\SysWOW64\schtasks.exe

Now this file path is running legitimately and I am trying to exempt it from being searched again so another alert does not trigger so the 10th line that starts with " NOT (Creator_Process_Name=" I created another line like that under it and inserted both file paths but when I do a 24hr search it still comes up, which means it is still not exempting that file path. So please i need help being able to exempt that file path from the search. Thanks.

Re: Removing a file path from an alert search

richgalloway — Wed, 17 Nov 2021 20:06:48 GMT

Please share the modified query.

Re: Removing a file path from an alert search

sigiri — Wed, 17 Nov 2021 20:14:47 GMT

index=windows EventCode=4688
[| inputlookup "lotl_commands.csv"
| rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe" New_Process_Name="C:\Windows\SysWOW64\schtasks.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time

So i added the line that starts with "NOT (Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1", because i want the file path to be exempted when the alert runs

Re: Removing a file path from an alert search

richgalloway — Wed, 17 Nov 2021 21:27:00 GMT

Backslashes have to be escaped. Try this

index=windows EventCode=4688 [| inputlookup "lotl_commands.csv" | rename suscmd as search ] NOT Account_Name=*$ NOT (net "use ") NOT InteractionScripter.NET.exe NOT (Account_Name=itreports sqlcmd.exe) NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT) NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe) NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe") NOT (Creator_Process_Name="C:\\Program Files (x86)\\MySQL\\MySQL Notifier 1.1\\MySQLNotifier.exe" New_Process_Name="C:\\Windows\\SysWOW64\\schtasks.exe") NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe) NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe) NOT Account_Name="SVCBTSCAN" `comment(INC0036469)` NOT Account_Name="SVCBTFUNC" `comment(INC0036469)` NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)` NOT (Account_Name="SRV_Lansweep_4Server" csc.exe) | table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line | sort _time

Re: Removing a file path from an alert search

sigiri — Wed, 17 Nov 2021 21:48:55 GMT

It does not work, i ran the query you sent me but the same file path still comes up.

i need it to be exempted. Thanks

Re: Removing a file path from an alert search

richgalloway — Thu, 18 Nov 2021 17:52:16 GMT

It will be exempted only if Creator_Process_Name is "C:\Windows\System32\net.exe" AND New_Process_Name is "C:\Windows\System32\conhost.exe" in the same event. Is that the case?

Re: Removing a file path from an alert search

sigiri — Thu, 18 Nov 2021 17:59:40 GMT

so i added:

NOT Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe" New_Process_Name="C:\Windows\SysWOW64\schtasks.exe"

Because I want that file path exempted, but this did not work, when I do the search the file path still comes up.

Re: Removing a file path from an alert search

richgalloway — Thu, 18 Nov 2021 20:53:22 GMT

You added the same expression again? How was that supposed to help?

Have you tried this?

NOT Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe"