Alerting

What is best practice for tuning processes?

Ring
New Member

chrome.exe and acrobat.exe are very noisy in our environment. I don't want to just exclude the process name because the actual process could be malicious. I was just wondering what best practice would be to make it less noisy. I was thinking of excluding the process name only if it matches the correct sha256, or is there a better way?


PickleRick
SplunkTrust

Your question is very ambiguous. What logs are you talking about? How are you getting them? Do you want to limit the logs ingested or just filter out during search? And so on. And so on.


Ring
New Member

Our original Splunk engineer left so I was sort of put as the rule tuning guy for the time being and don't have that much experience yet. The alert itself is the Unusually Long Command Line rule and I'm trying to work with the correlation search so that it is not as noisy. I was just wondering if there is a best practice when trying to tune out excel.exe, acrobat.exe, chrome.exe, etc type of processes if that makes sense. 

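As an added example (not code from either poster or from the stock Unusually Long Command Line rule), one way to express the hash-scoped exclusion Ring describes in SPL: a long-command-line search over the CIM Endpoint.Processes data model that drops an event only when both the process name and its SHA256 match a row in an allowlist lookup. The lookup name `long_cmdline_hash_allowlist` (CSV columns `process_name`, `sha256`, `allowed`), the 1000-character threshold, and the `SHA256=` prefix inside `process_hash` (as written by the Sysmon add-on) are assumptions for this example.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("chrome.exe", "acrobat.exe", "excel.exe")
    by Processes.dest Processes.user Processes.process_name Processes.process_hash Processes.process
| `drop_dm_object_name(Processes)`
| eval process_length=len(process)
| where process_length > 1000
| rex field=process_hash "(?i)SHA256=(?<sha256>[0-9a-fA-F]{64})"
| eval process_name=lower(process_name), sha256=lower(sha256)
| lookup long_cmdline_hash_allowlist process_name sha256 OUTPUT allowed
| where isnull(allowed)
| table firstTime lastTime dest user process_name sha256 process_length process
```

Because the lookup is keyed on both `process_name` and `sha256`, a chrome.exe launched from an unexpected binary (different hash) still alerts, and a binary with a known-good hash running under a different name still alerts; both fields are lowercased first because CSV lookups match case-sensitively by default.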