topic Assistance Needed: Reformatting Provided Events to Match Structure of 'blacklist3' in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Assistance-Needed-Reformatting-Provided-Events-to-Match/m-p/670518#M112433 <P>Hi,</P><P><SPAN>Is it possible for someone to aid me in reformatting the given events to align with the structure present in blacklist3, organizing them into their respective blacklists or potentially amalgamating them into a unified blacklist?</SPAN><BR /><BR />blacklist3 = $XmlRegex="&lt;EventID&gt;4688&lt;\/EventID&gt;.*&lt;Data Name=('NewProcessName'|'ParentProcessName')&gt;[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe"</P><P><BR /><BR />Tanium&nbsp; Events:</P><P>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\Tools\\StdUtils\\TaniumExecWrapper\.exe|<BR />C:\\Program Files (\x86\)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\python38\\TPython\.exe|<BR />C:\Program Files (x86)\Tanium\Tanium Client\Tools\Patch\7za.exe</P><P>Windows defender:</P><P><BR />C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe<BR />C:\ProgramData\Microsoft\Windows Defender\Platform\.*\MpCmdRun.exe<BR />C:\ProgramData\Microsoft\Windows Defender\Platform\.*\MsMpEng.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\.*\OpenHandleCollector.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\SenseCM.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\SenseIR.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\MsSense.exe<BR />C:\Program Files\Windows Defender\MpCmdRun.exe<BR />C:\Program Files\Windows Defender\MsMpEng.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseTVM.exe</P><P><BR />Rapid7</P><P>ParentProcessName count<BR />C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.4.63\ir_agent.exe<BR />C:\Program Files\Rapid7\Insight Agent\components\insight_agent\4.0.0.1\ir_agent.exe<BR />C:\Program Files\Rapid7\Insight Agent\ir_agent.exe<BR />C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy\.exe|</P><P>Azure:</P><P>C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\gc_service.exe<BR />C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_arc_service.exe<BR />C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_service.exe<BR />C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_worker.exe<BR />C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe</P><P><BR />Gytpol:</P><P>C:\\Program Files\\WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*\.exe|</P><P>forescout:</P><P>ParentProcessName count<BR />C:\Program Files\ForeScout SecureConnector\SecureConnector.exe</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks//..</P> Sat, 02 Dec 2023 07:14:42 GMT AL3Z 2023-12-02T07:14:42Z Assistance Needed: Reformatting Provided Events to Match Structure of 'blacklist3' https://community.splunk.com/t5/Getting-Data-In/Assistance-Needed-Reformatting-Provided-Events-to-Match/m-p/670518#M112433 <P>Hi,</P><P><SPAN>Is it possible for someone to aid me in reformatting the given events to align with the structure present in blacklist3, organizing them into their respective blacklists or potentially amalgamating them into a unified blacklist?</SPAN><BR /><BR />blacklist3 = $XmlRegex="&lt;EventID&gt;4688&lt;\/EventID&gt;.*&lt;Data Name=('NewProcessName'|'ParentProcessName')&gt;[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe"</P><P><BR /><BR />Tanium&nbsp; Events:</P><P>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\Tools\\StdUtils\\TaniumExecWrapper\.exe|<BR />C:\\Program Files (\x86\)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe|<BR />C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\python38\\TPython\.exe|<BR />C:\Program Files (x86)\Tanium\Tanium Client\Tools\Patch\7za.exe</P><P>Windows defender:</P><P><BR />C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe<BR />C:\ProgramData\Microsoft\Windows Defender\Platform\.*\MpCmdRun.exe<BR />C:\ProgramData\Microsoft\Windows Defender\Platform\.*\MsMpEng.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\.*\OpenHandleCollector.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\SenseCM.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\SenseIR.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\MsSense.exe<BR />C:\Program Files\Windows Defender\MpCmdRun.exe<BR />C:\Program Files\Windows Defender\MsMpEng.exe<BR />C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe<BR />C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseTVM.exe</P><P><BR />Rapid7</P><P>ParentProcessName count<BR />C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.4.63\ir_agent.exe<BR />C:\Program Files\Rapid7\Insight Agent\components\insight_agent\4.0.0.1\ir_agent.exe<BR />C:\Program Files\Rapid7\Insight Agent\ir_agent.exe<BR />C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy\.exe|</P><P>Azure:</P><P>C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\gc_service.exe<BR />C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_arc_service.exe<BR />C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_service.exe<BR />C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_worker.exe<BR />C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe</P><P><BR />Gytpol:</P><P>C:\\Program Files\\WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*\.exe|</P><P>forescout:</P><P>ParentProcessName count<BR />C:\Program Files\ForeScout SecureConnector\SecureConnector.exe</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks//..</P> Sat, 02 Dec 2023 07:14:42 GMT https://community.splunk.com/t5/Getting-Data-In/Assistance-Needed-Reformatting-Provided-Events-to-Match/m-p/670518#M112433 AL3Z 2023-12-02T07:14:42Z