Nullqueue Windows Paths Regex

gclaytontmwa · ‎01-31-2020

Trying to send all events with this contained to nullqueue:

Host Application = C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass & 'C:\WINDOWS\CCM\SystemTemp\02160779-88dd-4e84-96cc-7a1313cd97d9.ps1'

Here are my props & transforms entries:

[WinEventLog:Splunk-PowerShell]
TRANSFORMS-suppress-ps = suppress-powershell

[suppress-powershell]
REGEX=^Host\s?Application\s?=\s?C:\\WINDOWS\\system32\\WindowsPowerShell\\v1\.0\\PowerShell\.exe\s-NoLogo\s-Noninteractive\s-NoProfile\s-ExecutionPolicy\sBypass\s&\s'C:\\WINDOWS\\CCM\\SystemTemp\\[\d\w]{8}-[\d\w]{4}-[\d\w]{4}-[\d\w]{4}-[\d\w]{12}\.ps1'(\sFalse)?
DEST_KEY=queue
FORMAT=nullQueue

Matches when I use regex checkers like regexr. I've seen people suggest both double backslash and four backslashes for escaping, not sure which is appropriate for transforms. Using the four backslashes and the regex command in the search does work, but I need these events filtered out of indexing. I'd also like to use (?i) as a modifier for case insensitivity, but I need to get this part working first.

to4kawa · ‎02-01-2020

(?i)^Host\s?Application\s?=\s?C:.WINDOWS.system32.WindowsPowerShell.v1\.0.PowerShell\.exe\s-NoLogo\s-Noninteractive\s-NoProfile\s-ExecutionPolicy\sBypass\s&\s'C:.WINDOWS.CCM.SystemTemp.\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\.ps1'(\sFalse)?

\ 　⇨　.　 If backslash behavior is a problem.

Nullqueue Windows Paths Regex

Observability Highlights | November 2022 Newsletter

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

Using Machine Learning for Hunting Security Threats