topic Re: regex in Getting Data In

regex

TheBravoSierra — Thu, 02 Nov 2023 16:24:53 GMT

Can someone help me with these regex on inputs.conf on universal forwarder?

For some reason, isn't working. Much appreciated!

blacklist7 = EventCode=4673 Process_Name="C:\Program Files\WindowsApps\AD2F1837.myHP_25.52341.876.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe"

blacklist8 = EventCode=4673 Process_Name="C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe"

Re: regex

gcusello — Thu, 02 Nov 2023 16:28:17 GMT

Hi @TheBravoSierra,

could you share a sample of your logs?

Ciao.

Giuseppe

Re: regex

TheBravoSierra — Thu, 02 Nov 2023 16:30:12 GMT

11/02/2023 10:28:49 AM LogName=Security EventCode=4673 EventType=0 ComputerName=XXXX SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=XXXX Keywords=Audit Failure TaskCategory=Sensitive Privilege Use OpCode=Info Message=A privileged service was called. Subject: Security ID:XXXX Account Name:XXXX Account Domain:XXXX Logon ID:XXXX Service: Server: Security Service Name: - Process: Process ID:XXXX Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_25.52341.876.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe Service Request Information: Privileges: SeTcbPrivilege

Re: regex

TheBravoSierra — Thu, 02 Nov 2023 16:35:31 GMT

I was able to successfully blacklist the below, so I am not sure why the difference.

blacklist6 = EventCode=5156 Application_Name="\device\harddiskvolume3\gcti\tsrvciscocm\cisco_cucm_tserver_bu_2\ciscocm_server.exe"

Application Name: \device\harddiskvolume3\gcti\tsrvciscocm\cisco_cucm_tserver_bu_2\ciscocm_server.exe

Re: regex

gcusello — Thu, 02 Nov 2023 16:47:17 GMT

Hi @TheBravoSierra,

please try this:

blacklist7 = EventCode\=4673.*Process Name:\s*C:\\Program Files\\WindowsApps.*\\win32\\DesktopExtension\.exe

Ciao.

Giuseppe