How to troubleshoot the applied regex in the server

AL3Z
Builder

Hi,

I have blacklisted "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" on the deployment server and applied it to one of the Windows servers. How can we troubleshoot whether it has been applied or not?


gcusello
SplunkTrust

Hi @AL3Z ,

run a search on the index where the logs you filtered are stored and, if your filter is applied on one or more hosts, add a filter on those hosts as well.

In the search use the same regex using the regex command (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Regex).

Something like this:

index=windows host=<your_host>
| regex "(?:ParentProcessName).+(?:C:\\Program Files\\Windows Defender Advanced Threat Protection\\)" 

Check the results and see whether they arrive from the hosts you're expecting or not.

Ciao.

Giuseppe 

AL3Z
Builder

@gcusello ,

Error in 'SearchOperator:regex': The regex '(?:ParentProcessName).+(?:C:\Program Files\Windows Defender Advanced Threat Protection\)' is invalid. Regex: unknown property after \P or \p.


gcusello
SplunkTrust

Hi @AL3Z,

as I said, search on the index where the data you filtered is stored and on the hosts where the rule is applied:

if you don't have events matching the regex you used, the regex is correct; otherwise you have to troubleshoot it using the same search.

ciao.

Giuseppe


AL3Z
Builder

@gcusello 

How do I troubleshoot changes to inputs.conf in ./etc/deployment-apps/windows_test/local/ on the deployment server not being reflected on the host in C:\Program Files\SplunkUniversalForwarder\etc\apps\windows_test\local\inputs.conf?


gcusello
SplunkTrust

Hi @AL3Z,

as I said, identify the correct regex using SPL and use that regex to blacklist events in inputs.conf.

Ciao.

Giuseppe


AL3Z
Builder

@gcusello 
Please help me exclude these 3 paths using a single regex:
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe 
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe


gcusello
SplunkTrust

Hi @AL3Z,

please try this regex:

C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe

if it doesn't work, please try:

C:\\\Program Files\\\Windows Defender Advanced Threat Protection\\\(MsSense|SenseCM|SenseIR)\.exe

Sometimes there's an issue with backslashes.

Ciao.

Giuseppe


AL3Z
Builder

Do we need to put this inside double quotes?

Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

gcusello
SplunkTrust

Hi @AL3Z ,

please try:

Blacklist1= message="C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe"

or

Blacklist1 = C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\(MsSense|SenseCM|SenseIR)\.exe

Ciao.

Giuseppe
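As an added illustration (not code from the thread or from Splunk), the three patterns discussed above run through Python's re engine, which rejects the single-backslash form for the same reason the search did: a lone backslash before "Program" is read as the \P property escape. The 4688 message text is constructed sample data.

```python
import re

# Constructed 4688 "Message" text in the shape a Windows Security event carries it
# (sample data for this example, not taken from the thread).
SAMPLE_MESSAGE = (
    "A new process has been created.\r\n"
    "Creator Process Name:\tC:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\r\n"
    "New Process Name:\tC:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseCM.exe"
)

# The pattern as the search error displayed it: a single backslash before "Program"
# is parsed as the \P (Unicode property) escape and the engine rejects the pattern.
BROKEN_REGEX = r"(?:ParentProcessName).+(?:C:\Program Files\Windows Defender Advanced Threat Protection\)"

# Doubling every path backslash turns it into a literal backslash in the pattern.
SENSE_REGEX = (
    r"C:\\Program Files\\Windows Defender Advanced Threat Protection\\"
    r"(MsSense|SenseCM|SenseIR)\.exe"
)

# Same match with \s instead of literal spaces, so the pattern does not depend on
# spaces surviving the config parser.
SENSE_REGEX_WS = (
    r"C:\\Program\sFiles\\Windows\sDefender\sAdvanced\sThreat\sProtection\\"
    r"(MsSense|SenseCM|SenseIR)\.exe"
)


def compile_error(pattern):
    """Return the engine's error text if the pattern does not compile, else None."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def matched_executables(pattern, text):
    """List the captured executable names for every match of pattern in text."""
    return [m.group(1) for m in re.finditer(pattern, text)]


if __name__ == "__main__":
    print("broken pattern:", compile_error(BROKEN_REGEX))
    for name, rx in (("double backslash", SENSE_REGEX), ("\\s spaces", SENSE_REGEX_WS)):
        print(name, "->", matched_executables(rx, SAMPLE_MESSAGE))
```

Running it reports the broken pattern's error and lists MsSense and SenseCM as the executables the two working patterns pick out of the sample message.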

AL3Z
Builder

Hi 
@gcusello 

I'm trying to blacklist the below paths ..

C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.5.31\ir_agent.exe

C:\Program Files\WindowsPowerShell\Modules\gytpol\Client\fw4_6_2\GytpolClientFW4_6_2.exe

Can we use something like .* in place of the version, so that if a new version arrives it is also blacklisted?

 ----  (Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent\.exe)|(WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*\.exe)

Thanks

gcusello
SplunkTrust

Hi @AL3Z,

modify the regex in Search and see if the new regex matches all the events to filter.

Ciao.

Giuseppe


AL3Z
Builder

@gcusello ,

Hi 

[attached screenshot: AL3Z_0-1700566626886.png]

I want to blacklist C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe as the creatorprocessname. Would it block the newprocessname of C:\Windows\System32\cmd.exe as well?

Thanks

gcusello
SplunkTrust

Hi @AL3Z ,

as I said, does your regex match the string to search or not?

if it matches, it's correct; if not, it isn't!

Ciao.

Giuseppe


AL3Z
Builder

Hi @gcusello, what could be the reason that I can still see the blacklisted path events, but the count is reduced?


gcusello
SplunkTrust

Hi @AL3Z,

this means that the regex is working only on a subset of the data to filter; in other words, there are logs in different formats.

Analyze the non-matching data and modify the regex or apply another one.

Ciao.

Giuseppe

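The following is an added example, not code from the thread or from Splunk: a small model of how a key=regex blacklist entry is applied to whole events, written for the two questions above (whether a rule keyed on the creator process also removes the cmd.exe it spawned, and why a count can drop without reaching zero). It assumes, as the model's reading of the key=regex form, that every key=regex pair of one entry must match for the event to be discarded; the entries, the EventCode key and the 4688 events are constructed, and the version directory is matched with [^\\]+ as a tighter alternative to .*.

```python
import re

# Constructed inputs.conf blacklist entries in the key=regex form used in the thread.
# [^\\]+ stands in for the version directory, and the second entry keys on the
# Creator Process Name line of the 4688 message rather than on New Process Name.
BLACKLIST_LINES = [
    r'blacklist1 = EventCode="4688" Message="C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\[^\\]+\\ir_agent\.exe"',
    r'blacklist2 = EventCode="4688" Message="Creator Process Name:\s+C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe"',
]

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed 4688 events as field dictionaries (sample data, not the thread's own).
EVENTS = {
    "rapid7_current": {"EventCode": "4688", "Message":
        "New Process Name:\tC:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.2.5.31\\ir_agent.exe"},
    "rapid7_future": {"EventCode": "4688", "Message":
        "New Process Name:\tC:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.3.0.7\\ir_agent.exe"},
    # splunkd spawning cmd.exe: the rule keys on the creator, but the whole event goes.
    "splunkd_spawns_cmd": {"EventCode": "4688", "Message":
        "New Process Name:\tC:\\Windows\\System32\\cmd.exe\r\n"
        "Creator Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"},
    # Same binary logged with an 8.3 short path: a format the regex does not cover,
    # which is the kind of residue that leaves a reduced but non-zero count.
    "rapid7_short_path": {"EventCode": "4688", "Message":
        "New Process Name:\tC:\\PROGRA~1\\Rapid7\\Insight Agent\\components\\insight_agent\\3.2.5.31\\ir_agent.exe"},
}


def parse_blacklist(line):
    """Split 'blacklistN = key="regex" ...' into a list of (key, regex) pairs."""
    _, _, rhs = line.partition("=")
    return PAIR_RE.findall(rhs)


def is_dropped(event, rules):
    """Model assumption: an event is discarded when every pair of at least one entry matches it."""
    return any(
        all(re.search(rx, event.get(key, "")) for key, rx in pairs)
        for pairs in rules
    )


def dropped_events(events=EVENTS, lines=BLACKLIST_LINES):
    """Names of the sample events the blacklist would keep out of the index."""
    rules = [parse_blacklist(line) for line in lines]
    return sorted(name for name, ev in events.items() if is_dropped(ev, rules))


if __name__ == "__main__":
    print("dropped:", dropped_events())
```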

AL3Z
Builder

@gcusello ,

The changes made to the DS app's inputs.conf are not reflected in the forwarder's etc apps local inputs.conf file on the host. In this case, can we paste the regex into this app's inputs.conf so that it works?


gcusello
SplunkTrust

Hi @AL3Z,

if the target server is managed by the DS, you cannot manually change a conf file; check why the new configuration isn't being pushed.

Ciao.

Giuseppe
