Deployment Architecture

How to troubleshoot the applied regex in the server

AL3Z
Builder

Hi,

I had blacklisted the "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" in deployment server and applied it to  one of the windows server how we can trouble shoot whether it is applied or not ?

 

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z ,

run a search on the index where are stored the logs you filtered and, if your filter is applied on one or more hosts, eventually adding a filter on hosts.

In the search use the same regex using the regex command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Regex).

Something like this:

index=windows host=<your_host>
| regex "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" 

Check the results and see if they arrive from the hosts you're waiting or not.

Ciao.

Giuseppe 

AL3Z
Builder

@gcusello ,

Error in 'SearchOperator:regex': The regex '(?:ParentProcessName).+(?:C:\Program Files\Windows Defender Advanced Threat Protection\)' is invalid. Regex: unknown property after \P or \p.

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z,

as I said, seanch on the index where are stored the data that you filtered and on the hosts where the rule is applied:

if you haven't events with the used regex, the regex is correct, otherwise you have to troubleshoot it using the same search.

ciao.

Giuseppe

0 Karma

AL3Z
Builder

@gcusello 

How to troubleshoot changes to the inputs.conf ./etc/deployment-apps/windows_test/local/ on the deployment server not reflecting on the host C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\inputs.conf.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z,

as I said, identify the correct regex using SPL and use that regex to blacklist events in inputs.conf.

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

@gcusello 
Pls help in  excluding these 3 paths using single regex ?
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe 
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z,

please try this regex:

C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe

if it doesn't run , please try:

C:\\\Program Files\\\Windows Defender Advanced Threat Protection\\\(MsSense|SenseCM|SenseIR)\.exe

Something there's an issue with backslashes.

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

Do we need to put this inside double quotes?

Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z ,

please try:

Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

or

Blacklist1 = C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe

Ciao.

Giuseppe

AL3Z
Builder

Hi 
@gcusello 

I'm trying to blacklist the below paths ..

C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe

C:\Program Files\WindowsPowerShell\Modules\gytpol\Client\fw4_6_2\GytpolClientFW4_6_2.exe

Can we use like.* in place of version if it gets new version it can also be blacklisted ??

 ----  Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent.exe)|WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*.exe)

 

 

Thanks

 

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z,

modify the regex in Search and see if the new regex matches all the events to filter.

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

@gcusello ,

Hi 

AL3Z_0-1700566626886.png

 I want to blacklist C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe of creatorprocessname would it block the newprocessname of C:\Windows\System32\cmd.exe  as well ?

 

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z ,

as I said, does your regex match the string to search or not?

if matches it's correct, if not, it isn't!

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

hi @gcusello What could be the reason still I can see the blacklisted path events  but the count is reduced !!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z,

this means that the regex is working only on a subset of the data to filter, in other words there are different format logs.

Analize the not matching data and modify the regex or apply another one.

Ciao.

Giuseppe

0 Karma

AL3Z
Builder

@gcusello ,

The changes made on the DS app inputs.conf are not reflecting on the host splunk forwarder etc apps local inputs.conf file , in this case can we paste regex in  this app inputs.conf so that it can work ??

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @AL3Z,

if the target server is managed by the DS, you cannot manually change a conf file, check why the new configuration isn't pushed.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...