Hi,
Is it possible for someone to aid me in reformatting the given events to align with the structure present in blacklist3, organizing them into their respective blacklists or potentially amalgamating them into a unified blacklist?
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name=('NewProcessName'|'ParentProcessName')>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe"
Tanium Events:
C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\Tools\\StdUtils\\TaniumExecWrapper\.exe|
C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper\.exe|
C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe|
C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo\.exe|
C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe|
C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\python38\\TPython\.exe|
C:\Program Files (x86)\Tanium\Tanium Client\Tools\Patch\7za.exe
Windows defender:
C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\.*\MpCmdRun.exe
C:\ProgramData\Microsoft\Windows Defender\Platform\.*\MsMpEng.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\.*\OpenHandleCollector.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\SenseCM.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\SenseIR.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\.*\MsSense.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\10.8560.25364.1036\SenseTVM.exe
Rapid7
C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.4.63\ir_agent.exe
C:\Program Files\Rapid7\Insight Agent\components\insight_agent\4.0.0.1\ir_agent.exe
C:\Program Files\Rapid7\Insight Agent\ir_agent.exe
C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy\.exe|
Azure:
C:\Program Files\AzureConnectedMachineAgent\ExtensionService\GC\gc_service.exe
C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_arc_service.exe
C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_service.exe
C:\Program Files\AzureConnectedMachineAgent\GCArcService\GC\gc_worker.exe
C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe
Gytpol:
C:\\Program Files\\WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*\.exe|
forescout:
C:\Program Files\ForeScout SecureConnector\SecureConnector.exe
Thanks//..
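As an added example (not the poster's code, nor anything shipped by Splunk or the vendors named), the Python below turns plain paths like the ones listed above into the blacklist3 structure, one grouped blacklistN = $XmlRegex="..." line per vendor, and checks the result against constructed 4688 XML. It generalises a bit beyond the post: both the `.*` components and pinned version directories such as 3.2.4.63 become `[^\\]+`, so the filter survives an agent update; the sample events and the Defender platform version in the test are constructed.

```python
import re
# Common prefix copied from the poster's blacklist3: Event 4688, either process-name field.
EVENT_PREFIX = (r"<EventID>4688<\/EventID>.*"
                r"<Data Name=('NewProcessName'|'ParentProcessName')>")

def path_to_regex(path: str) -> str:
    """Turn one plain Windows path into a regex fragment in the blacklist3 style.
    The drive becomes [C-F]:, and a version directory (a literal '.*' component or a
    pinned number such as 3.2.4.63) becomes [^\\]+ so it cannot span directories."""
    components = path[2:].lstrip("\\").split("\\")            # drop 'C:' and split on '\'
    out = []
    for c in components:
        if c == ".*" or re.fullmatch(r"\d+(?:\.\d+)+", c):
            out.append(r"[^\\]+")
        else:
            out.append(re.escape(c).replace("\\ ", " "))      # keep spaces readable
    return r"[C-F]:\\" + r"\\".join(out)

def build_stanza(index: int, paths) -> str:
    """Emit one inputs.conf line, blacklistN = $XmlRegex="...", grouping all paths."""
    alternatives = "|".join(path_to_regex(p) for p in paths)
    return f'blacklist{index} = $XmlRegex="{EVENT_PREFIX}(?:{alternatives})"'

def compile_stanza(stanza: str) -> re.Pattern:
    """Pull the quoted regex back out of the stanza and compile it for offline testing."""
    return re.compile(stanza.split('="', 1)[1].rstrip('"'), re.DOTALL)

def event_4688(new_proc: str, parent_proc: str) -> str:
    """Minimal constructed XML rendering of a 4688 event (only the fields the regex reads)."""
    return ("<Event><System><EventID>4688</EventID></System><EventData>"
            f"<Data Name='NewProcessName'>{new_proc}</Data>"
            f"<Data Name='ParentProcessName'>{parent_proc}</Data></EventData></Event>")

def is_dropped(stanza: str, event_xml: str) -> bool:
    """True when the stanza's regex matches, i.e. the forwarder would blacklist the event."""
    return compile_stanza(stanza).search(event_xml) is not None

# Plain paths as listed in the post; TaniumExecWrapper appears under two directories.
TANIUM = [r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe",
          r"C:\Program Files (x86)\Tanium\Tanium Client\Tools\StdUtils\TaniumExecWrapper.exe",
          r"C:\Program Files (x86)\Tanium\Tanium Client\Patch\tools\TaniumExecWrapper.exe",
          r"C:\Program Files (x86)\Tanium\Tanium Client\Tools\Patch\7za.exe"]
DEFENDER = [r"C:\ProgramData\Microsoft\Windows Defender\Platform\.*\MsMpEng.exe",
            r"C:\Program Files\Windows Defender\MpCmdRun.exe"]
RAPID7 = [r"C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.2.4.63\ir_agent.exe",
          r"C:\Program Files\Rapid7\Insight Agent\ir_agent.exe"]

if __name__ == "__main__":
    print("\n".join(build_stanza(n, g) for n, g in enumerate((TANIUM, DEFENDER, RAPID7), 4)))
```

Because the prefix matches either field, an event whose ParentProcessName is the agent is dropped even when NewProcessName is something else, so the filter also hides every child process the agent spawns. Keep that visibility gap in mind before combining all vendors into one stanza.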