How to troubleshoot the applied regex in the server

AL3Z
Builder

Hi,

I blacklisted "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" on the deployment server and applied it to one of the Windows servers. How can we troubleshoot whether it is applied or not?

gcusello
SplunkTrust

Hi @AL3Z ,

Run a search on the index where the logs you filtered are stored and, if your filter is applied to one or more hosts, optionally add a filter on those hosts.

In the search use the same regex using the regex command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Regex).

Something like this:

index=windows host=<your_host>
| regex "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" 

Check the results and see whether they arrive from the hosts you're expecting.

Ciao.

Giuseppe 

AL3Z
Builder

@gcusello ,

Error in 'SearchOperator:regex': The regex '(?:ParentProcessName).+(?:C:\Program Files\Windows Defender Advanced Threat Protection\)' is invalid. Regex: unknown property after \P or \p.


gcusello
SplunkTrust

Hi @AL3Z,

As I said, search on the index where the data you filtered are stored and on the hosts where the rule is applied:

If you have no events matching the regex you used, the regex is correct; otherwise you have to troubleshoot it using the same search.

ciao.

Giuseppe

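The "unknown property after \P or \p" error above is an escaping problem, not a problem with the path. Inside a double-quoted SPL string a backslash escapes the next character, so the "\\" written for inputs.conf reaches the regex engine as a single "\", and "\P" is then read as a Unicode-property escape with no property name. The Python below is an added illustration, not code from the thread or from Splunk: Python's re stands in for Splunk's PCRE engine (it reports the same failure as "bad escape \P"), and spl_unquote() is an assumption that simulates only the quote-stripping step. The sample event text is constructed for the demo.

```python
import re

# Regex as written for the inputs.conf blacklist: one escaped backslash ("\\")
# per literal backslash, which is what the PCRE engine should receive.
CONF_REGEX = (r"(?:ParentProcessName).+"
              r"(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)")

# Constructed sample event text for the demo (not a real log export).
SAMPLE_EVENT = ("EventCode=4688 ParentProcessName=C:\\Program Files\\Windows Defender "
                "Advanced Threat Protection\\MsSense.exe "
                "NewProcessName=C:\\Windows\\System32\\cmd.exe")


def spl_unquote(quoted_body: str) -> str:
    # Assumption: SPL collapses an escaped backslash to one backslash and an
    # escaped quote to a quote inside a double-quoted string; nothing else changes.
    return re.sub(r'\\([\\"])', r"\1", quoted_body)


def compile_pcre_like(pattern: str):
    """Return (compiled, None) on success or (None, error_text) on a regex syntax error."""
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, str(exc)


def run_spl_regex(quoted_body: str, event: str) -> dict:
    """Emulate `| regex "<quoted_body>"`: unquote, compile, then search the event."""
    pattern = spl_unquote(quoted_body)
    rx, err = compile_pcre_like(pattern)
    return {"engine_pattern": pattern, "error": err,
            "matches": bool(rx.search(event)) if rx else False}


def quote_for_spl(conf_regex: str) -> str:
    """Prepare a conf-file regex for a double-quoted SPL string:
    double every backslash and escape any double quote."""
    return conf_regex.replace("\\", "\\\\").replace('"', '\\"')


# 1. Pasting the conf regex verbatim: SPL strips one level, the engine gets
#    C:\Program ... and rejects \P (a property escape with no property name).
naive = run_spl_regex(CONF_REGEX, SAMPLE_EVENT)

# 2. Doubling the backslashes first hands the engine exactly the conf regex.
fixed = run_spl_regex(quote_for_spl(CONF_REGEX), SAMPLE_EVENT)

if __name__ == "__main__":
    for label, result in (("verbatim", naive), ("doubled", fixed)):
        print(label, "->", result)
```

The practical rule that falls out of this: the regex in inputs.conf keeps one level of escaping ("\\" per backslash), while the same regex pasted into the regex search command inside double quotes needs four backslashes per literal backslash, which is what quote_for_spl() produces.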

AL3Z
Builder

@gcusello 

How do I troubleshoot changes to inputs.conf in ./etc/deployment-apps/windows_test/local/ on the deployment server not being reflected on the host in C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\inputs.conf?


gcusello
SplunkTrust

Hi @AL3Z,

As I said, identify the correct regex using SPL and use that regex to blacklist events in inputs.conf.

Ciao.

Giuseppe


AL3Z
Builder

@gcusello 
Please help in excluding these 3 paths using a single regex:

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe


gcusello
SplunkTrust

Hi @AL3Z,

please try this regex:

C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe

If it doesn't work, please try:

C:\\\Program Files\\\Windows Defender Advanced Threat Protection\\\(MsSense|SenseCM|SenseIR)\.exe

Sometimes there's an issue with backslashes.

Ciao.

Giuseppe


AL3Z
Builder

Do we need to put this inside double quotes?

Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"


gcusello
SplunkTrust

Hi @AL3Z ,

please try:

Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

or

Blacklist1 = C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe

Ciao.

Giuseppe

AL3Z
Builder

Hi @gcusello,

I'm trying to blacklist the paths below:

C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe

C:\Program Files\WindowsPowerShell\Modules\gytpol\Client\fw4_6_2\GytpolClientFW4_6_2.exe

Can we use something like .* in place of the version, so that if a new version arrives it also gets blacklisted?

(Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe)|(WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*\.exe)

Thanks

gcusello
SplunkTrust

Hi @AL3Z,

Modify the regex in the search and see if the new regex matches all the events to filter.

Ciao.

Giuseppe


AL3Z
Builder

Hi @gcusello,

[screenshot attachment: AL3Z_0-1700566626886.png]

I want to blacklist C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe as the creatorprocessname. Would it block the newprocessname of C:\Windows\System32\cmd.exe as well?

Thanks

gcusello
SplunkTrust

Hi @AL3Z ,

As I said, does your regex match the string you search for or not?

If it matches, it's correct; if not, it isn't!

Ciao.

Giuseppe


AL3Z
Builder

Hi @gcusello, what could be the reason that I can still see events for the blacklisted path, although the count is reduced?


gcusello
SplunkTrust

Hi @AL3Z,

This means that the regex is working only on a subset of the data to filter; in other words, there are logs in different formats.

Analyze the non-matching data and modify the regex or apply another one.

Ciao.

Giuseppe

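The questions in this thread (one regex for the three Sense binaries, a version directory that changes, a splunkd.exe parent with a cmd.exe child, and a count that drops but never reaches zero) can all be checked offline before anything is pushed from the deployment server. The Python below is an added example, mine rather than the thread's or Splunk's: Python's re stands in for Splunk's PCRE, every event is constructed (the field labels follow the Windows 4688 Message layout, the values are made up), and it assumes, as the blacklist does, that the regex is searched anywhere inside the Message text rather than anchored to one field unless the regex itself names the field.

```python
import re

# Constructed, abridged 4688 Message bodies (not real exports). Tabs separate
# the field label from its value, as in the Windows event text.
EVENTS = {
    "sense_child":
        "New Process Name:\tC:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe\n"
        "Creator Process Name:\tC:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
    "sense_spawns_powershell":
        "New Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
        "Creator Process Name:\tC:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
    "rapid7_new_version":
        "New Process Name:\tC:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.3.0.1\\ir_agent.exe\n"
        "Creator Process Name:\tC:\\Windows\\System32\\services.exe",
    "gytpol_new_version":
        "New Process Name:\tC:\\Program Files\\WindowsPowerShell\\Modules\\gytpol\\Client\\fw4_7_0\\GytpolClientFW4_7_0.exe\n"
        "Creator Process Name:\tC:\\Windows\\System32\\services.exe",
    "splunkd_spawns_cmd":
        "New Process Name:\tC:\\Windows\\System32\\cmd.exe\n"
        "Creator Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe",
    "lowercase_drive":
        "New Process Name:\tc:\\program files\\windows defender advanced threat protection\\SenseCM.exe\n"
        "Creator Process Name:\tC:\\Windows\\System32\\services.exe",
    "unrelated":
        "New Process Name:\tC:\\Windows\\System32\\notepad.exe\n"
        "Creator Process Name:\tC:\\Windows\\explorer.exe",
}

SENSE_DIR = r"C:\\Program Files\\Windows Defender Advanced Threat Protection\\"

# The thread's single regex for the three Sense binaries, not tied to a field:
# it also hits events where a Sense binary is merely the *creator* of something else.
UNANCHORED = SENSE_DIR + r"(MsSense|SenseCM|SenseIR)\.exe"

# Same alternation, anchored to the New Process Name field only.
ANCHORED_NEW = r"New Process Name:\s*" + SENSE_DIR + r"(MsSense|SenseCM|SenseIR)\.exe"

# Version-agnostic paths: [^\\]+ matches exactly one directory component,
# whereas .* would happily span several components.
VERSIONED = (r"New Process Name:\s*C:\\Program Files\\(?:"
             r"Rapid7\\Insight Agent\\components\\insight_agent\\[^\\]+\\ir_agent"
             r"|WindowsPowerShell\\Modules\\gytpol\\Client\\fw[^\\]*\\GytpolClientFW[^\\]*"
             r")\.exe")

# splunkd.exe as the creator: the whole event is discarded, child process included.
SPLUNKD_CREATOR = (r"Creator Process Name:\s*"
                   r"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe")


def dropped_by(blacklist_regex: str, events=EVENTS, ignore_case: bool = False) -> set:
    """Names of the events a blacklist would discard (regex searched anywhere in Message)."""
    rx = re.compile(blacklist_regex, re.IGNORECASE if ignore_case else 0)
    return {name for name, msg in events.items() if rx.search(msg)}


def coverage_report(blacklist_regex: str, expected: set, events=EVENTS) -> dict:
    """Compare what is dropped with what you meant to drop.
    'missed' is why a count shrinks without reaching zero; 'collateral' is lost telemetry."""
    got = dropped_by(blacklist_regex, events)
    return {"dropped": got, "missed": expected - got, "collateral": got - expected}


if __name__ == "__main__":
    for label, rx in (("unanchored", UNANCHORED), ("anchored", ANCHORED_NEW),
                      ("versioned", VERSIONED), ("splunkd creator", SPLUNKD_CREATOR)):
        print(f"{label:16s} drops {sorted(dropped_by(rx))}")
    print(coverage_report(UNANCHORED, {"sense_child", "lowercase_drive"}))
```

Two things to take from the run. The blacklist discards whole events, so with SPLUNKD_CREATOR the cmd.exe launched by splunkd.exe is gone together with its parent, and the unanchored Sense regex likewise drops the PowerShell that MsSense.exe spawned; both are blind spots for process-creation detections, which is why the field-anchored forms are preferable. The lowercase event that the case-sensitive regex misses is the kind of variant to look for when a count falls but does not reach zero; a (?i) prefix or the ignore_case flag above shows whether that is the gap. Once the regex behaves here, splunk btool inputs list --debug on the forwarder shows which file each blacklist line is really coming from, and after editing an app under deployment-apps the deployment server needs splunk reload deploy-server before clients pick the change up.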

AL3Z
Builder

@gcusello ,

The changes made to the DS app's inputs.conf are not being reflected in the host's Splunk forwarder etc\apps\local inputs.conf file. In this case, can we paste the regex into this app's inputs.conf so that it works?


gcusello
SplunkTrust

Hi @AL3Z,

If the target server is managed by the DS, you cannot manually change a conf file; check why the new configuration isn't pushed.

Ciao.

Giuseppe
