Hi,
I had blacklisted "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" on the deployment server and applied it to one of the Windows servers. How can we troubleshoot whether it is applied or not?
Hi @AL3Z ,
run a search on the index where the logs you filtered are stored and, if your filter is applied on one or more hosts, eventually add a filter on those hosts.
In the search use the same regex using the regex command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Regex).
Something like this:
index=windows host=<your_host>
| regex "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)"
Check the results and see if they arrive from the hosts you're waiting for or not.
Ciao.
Giuseppe
@gcusello ,
Error in 'SearchOperator:regex': The regex '(?:ParentProcessName).+(?:C:\Program Files\Windows Defender Advanced Threat Protection\)' is invalid. Regex: unknown property after \P or \p.
Hi @AL3Z,
as I said, search on the index where the data you filtered are stored and on the hosts where the rule is applied:
if you don't have events matching the used regex, the regex is correct; otherwise you have to troubleshoot it using the same search.
ciao.
Giuseppe
How to troubleshoot changes to inputs.conf in ./etc/deployment-apps/windows_test/local/ on the deployment server not reflecting on the host in C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\inputs.conf?
Hi @AL3Z,
as I said, identify the correct regex using SPL and use that regex to blacklist events in inputs.conf.
Ciao.
Giuseppe
@gcusello
Please help in excluding these 3 paths using a single regex:
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
Hi @AL3Z,
please try this regex:
C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe
if it doesn't run, please try:
C:\\\Program Files\\\Windows Defender Advanced Threat Protection\\\(MsSense|SenseCM|SenseIR)\.exe
Sometimes there's an issue with backslashes.
Ciao.
Giuseppe
Do we need to put this inside double quotes?
Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"
Hi @AL3Z ,
please try:
Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"
or
Blacklist1 = C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe
Ciao.
Giuseppe
Hi
@gcusello
I'm trying to blacklist the below paths.
C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe
C:\Program Files\WindowsPowerShell\Modules\gytpol\Client\fw4_6_2\GytpolClientFW4_6_2.exe
Can we use .* in place of the version, so that if it gets a new version it can also be blacklisted?
---- Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent.exe)|WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*.exe)
Thanks
Hi @AL3Z,
modify the regex in Search and see if the new regex matches all the events to filter.
Ciao.
Giuseppe
Hi
I want to blacklist C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe as creatorprocessname; would it block the newprocessname of C:\Windows\System32\cmd.exe as well?
Thanks
Hi @AL3Z ,
as I said, does your regex match the string to search or not?
If it matches, it's correct; if not, it isn't!
Ciao.
Giuseppe
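The three regex questions in this thread (the escaped Defender ATP path with its (MsSense|SenseCM|SenseIR) alternation and \s for spaces, the version wildcard for the Rapid7 and gytpol agents, and whether a splunkd.exe creator-process blacklist also drops the cmd.exe child event) can be checked offline before touching inputs.conf. The following is an added example, not code from the thread or from Splunk; it assumes Python's re engine behaves like Splunk's PCRE for these simple constructs, that a Message-keyed blacklist is applied to the event text so a match anywhere drops the whole event, and it uses constructed sample messages rather than real Security log events. It also uses [^\\]+ instead of .* for the version directory, so the wildcard stays inside one path component.

```python
import re

# Constructed sample messages in the style of Windows process-creation events.
# They are not real log data; paths are the ones discussed in the thread.
SAMPLE_MESSAGES = [
    "New Process Name: C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
    "New Process Name: C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe",
    "New Process Name: C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.2.5.31\\ir_agent.exe",
    "New Process Name: C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.3.0.1\\ir_agent.exe",
    "New Process Name: C:\\Program Files\\WindowsPowerShell\\Modules\\gytpol\\Client\\fw4_6_2\\GytpolClientFW4_6_2.exe",
    "Creator Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe "
    "New Process Name: C:\\Windows\\System32\\cmd.exe",
    "New Process Name: C:\\Windows\\System32\\svchost.exe",
]

# Regex as suggested in the thread, written as a raw string: every path
# backslash is doubled so the regex engine sees a literal backslash.
DEFENDER_ATP = r"C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

# Same pattern with \s instead of literal spaces (the second variant in the thread).
DEFENDER_ATP_S = r"C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe"

# Single-backslash variant: \P is not a valid escape, which is the error the
# thread ran into ("unknown property after \P or \p").
BROKEN_SINGLE_BACKSLASH = r"C:\Program Files\Windows Defender Advanced Threat Protection\(MsSense|SenseCM|SenseIR)\.exe"

# Version-agnostic pattern for the two agents. [^\\]+ matches exactly one
# directory component, so a new version directory still matches but the
# wildcard cannot run across several directories the way .* would.
AGENTS = (
    r"(?:Rapid7\\Insight Agent\\components\\insight_agent\\[^\\]+\\ir_agent\.exe"
    r"|WindowsPowerShell\\Modules\\gytpol\\Client\\fw[^\\]+\\GytpolClientFW[^\\]*\.exe)"
)

# Creator-process path from the last question in the thread.
SPLUNKD = r"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe"


def validate(pattern):
    """Return (True, '') if the regex compiles, else (False, error text)."""
    try:
        re.compile(pattern)
        return True, ""
    except re.error as exc:
        return False, str(exc)


def would_be_blacklisted(message, patterns):
    """True if any blacklist regex matches anywhere in the event text."""
    return any(re.search(p, message) for p in patterns)


def split_events(messages, patterns):
    """Partition messages into (dropped, kept) under the given blacklist regexes."""
    dropped = [m for m in messages if would_be_blacklisted(m, patterns)]
    kept = [m for m in messages if not would_be_blacklisted(m, patterns)]
    return dropped, kept


if __name__ == "__main__":
    for name, pat in [("double backslash", DEFENDER_ATP), ("single backslash", BROKEN_SINGLE_BACKSLASH)]:
        ok, err = validate(pat)
        print(f"{name}: {'compiles' if ok else 'invalid: ' + err}")
    dropped, kept = split_events(SAMPLE_MESSAGES, [DEFENDER_ATP, AGENTS, SPLUNKD])
    print(f"dropped {len(dropped)} event(s), kept {len(kept)}")
    for m in kept:
        print("kept:", m)
```

Running it shows the single-backslash pattern failing to compile while the doubled form compiles, both agent versions matching the one AGENTS pattern, and the splunkd.exe event being dropped even though its new process is cmd.exe: a Message-keyed blacklist looks at the whole event text, so any child process launched by the blacklisted creator disappears from the index together with it. That is the visibility trade-off to weigh before deploying such a filter; the kept list (here only svchost.exe) is what you should then see when you run the same regex with the regex command in Search.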
Hi @gcusello, what could be the reason that I can still see the blacklisted path events, but the count is reduced?
Hi @AL3Z,
this means that the regex is working only on a subset of the data to filter; in other words, there are logs in different formats.
Analyze the non-matching data and modify the regex or apply another one.
Ciao.
Giuseppe
The changes made on the DS app inputs.conf are not reflecting on the host's Splunk forwarder etc/apps/.../local/inputs.conf file. In this case, can we paste the regex into this app's inputs.conf so that it can work?
Hi @AL3Z,
if the target server is managed by the DS, you cannot manually change a conf file; check why the new configuration isn't pushed.
Ciao.
Giuseppe