topic Re: Regex for matching service path in Splunk Search

Regex for matching service path

kestasm — Tue, 17 Feb 2015 10:24:19 GMT

Hello,

I want to exclude all the WinEventLogs for service C:\Windows\System32\svchost.exe which doesnt contain the default path. So for example I don't want to see all the svchost.exe services which are in this path C:\Windows\System32\
If the svchost.exe service is in any different path (e.g. C:\Windows\svchost.exe) I want to get alert on it.

Any ideas how to do it in most efficient way?

Thanks,
K.

Re: Regex for matching service path

kestasm — Tue, 17 Feb 2015 10:26:18 GMT

Additionally there is only one field which includes process name within raw logs - "Process Name: C:\Windows\System32\svchost.exe"

Re: Regex for matching service path

sk314 — Tue, 17 Feb 2015 20:33:52 GMT

Could you post a couple of sample events? You could try extracting the process name into a field and then searching for field_name != "c:\Windows\system32\svchost.exe"

Typically your search would be similar to ..

<your sourcetype> | rex _raw "Process Name: (?<process_name>[^ ]+)" | search <your sourcetype> process_name !="c:\Windows\system32\svchost.exe"

If you can post sample events, I can confirm the regular expression.

Re: Regex for matching service path

kestasm — Wed, 18 Feb 2015 08:09:26 GMT

Hello, thanks for this. As for sample events so they are pretty much the same in the raw logs I have the fields ProcessName indexed and extracted which is usually the path and the process I am looking for ProcessName= "c:\Windows\system32\svchost.exe". I imagine how I could end up if I had two separate fields for the path and another for the process itself, but at the moment I am struggling while having everything just in one field. The field in the raw logs is always the same as above example. What I am trying to accomplish is to set up some rules to monitor default processes which start in non-default Windows locations.

Re: Regex for matching service path

kestasm — Mon, 28 Sep 2020 19:01:20 GMT

Here is a sample log:
Access_Mask = 0x2
Access_Reasons = -
Accesses = Unknown specific access (bit 1)
Account_Domain =
Account_Name =
ComputerName =
EventCode = 4656
EventCodeDescription = A handle to an object was requested
EventType = 0
Handle_ID = 0x0
Keywords = Audit Success
LogName = Security
Logon_ID = 0x3e7
Message = A handle to an object was requested.
Process Name: C:\Windows\System32\svchost.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Unknown specific access (bit 1) Access Reasons: - Access Mask: 0x2 Privileges Used for Access Check: - Restricted SID Count: 0
Object_Name = PlugPlaySecurityObject
Object_Server = PlugPlayManager
Object_Type = Security
OpCode = Info
Privileges_Used_for_Access_Check = -
Process_ID = 0x244
Process_Name = C:\Windows\System32\svchost.exe
RecordNumber = 78829788
Restricted_SID_Count = 0
Security_ID = NT AUTHORITY\SYSTEM
SourceName = Microsoft Windows security auditing.
TaskCategory = Other Object Access Events
Transaction_ID = {00000000-0000-0000-0000-000000000000}
Type = Information
action = failure
action_name = login_fail
action_title = Failed Login
dest = AZA2MGTXXSQM001
eventtype = wst_authentication authentication
host =
index = gis_wst
linecount = 37
punct = //::\r=\r=.\r=\r=\r=\r=..\r=\r=\r=\r=\r=_____.\r\r\r\r:
source = WinEventLog:Security
sourcetype = WinEventLog:Security
splunk_server = tag = authentication

Re: Regex for matching service path

markthompson — Wed, 18 Feb 2015 10:31:02 GMT

I'm not 100% sure if my answer is what you're looking for, but please see below, if not, leave a comment and i'll get back to you

if you're trying to send an alert if a field matches what you expect
then use a simple if statement, eval SendAlert=if(eval(match(fieldname, "{Either regex or string}")),1,0)

Then your alert settings should be to send an alert if any event has a field SendAlert set to 1.

Don't forget to comment if this isn't what you're looking for

Re: Regex for matching service path

sk314 — Wed, 18 Feb 2015 18:18:14 GMT

I've edited my regex. That should work.

Re: Regex for matching service path

kestasm — Mon, 28 Sep 2020 19:01:46 GMT

Thanks,

havent used extraction in the search ever, so this is what is my search query:
sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

and this is what i get:

Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?...).

Re: Regex for matching service path

kestasm — Mon, 28 Sep 2020 19:01:49 GMT

sorry the query is this:

sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

Re: Regex for matching service path

sk314 — Fri, 20 Feb 2015 23:49:49 GMT

Try this:

sourcetype="WinEventLog:Security" | rex field=_raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

Re: Regex for matching service path

kestasm — Tue, 24 Mar 2015 08:58:29 GMT

Here it is what's worked for me:

| rex field=unparsed_message "(?P[A-Za-z]:\[^|]+)" | rex field=fullpath "(?P.)\\." | rex field=fullpath "(?P\w+.\w+)"