Getting Data In

Removing a file path from an alert search

sigiri
Observer

So there is a query on my Splunk Cloud instance, which is below:

index=windows EventCode=4688
    [| inputlookup "lotl_commands.csv"
    | rename suscmd as search ]
    NOT Account_Name=*$
    NOT (net "use ")
    NOT InteractionScripter.NET.exe
    NOT (Account_Name=itreports sqlcmd.exe)
    NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
    NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
    NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
    NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
    NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
    NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
    NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
    NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
    NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time

Whenever it runs, it triggers an alert for file path:

C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe
C:\Windows\SysWOW64\schtasks.exe

Now this file path is running legitimately and I am trying to exempt it from being searched again so another alert does not trigger. So under the 10th line, the one that starts with "NOT (Creator_Process_Name=", I created another line like that and inserted both file paths, but when I do a 24hr search it still comes up, which means it is still not exempting that file path. So please I need help being able to exempt that file path from the search. Thanks.


sigiri
Observer

It does not work. I ran the query you sent me, but the same file path still comes up.

I need it to be exempted. Thanks.


richgalloway
SplunkTrust

It will be exempted only if Creator_Process_Name is "C:\Windows\System32\net.exe" AND New_Process_Name is "C:\Windows\System32\conhost.exe" in the same event. Is that the case?

---
If this reply helps you, Karma would be appreciated.

sigiri
Observer

So I added:

NOT Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe" New_Process_Name="C:\Windows\SysWOW64\schtasks.exe"

Because I want that file path exempted, but this did not work: when I do the search, the file path still comes up.


richgalloway
SplunkTrust

You added the same expression again? How was that supposed to help?

Have you tried this?

NOT Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe"

---
If this reply helps you, Karma would be appreciated.

sigiri
Observer

index=windows EventCode=4688
[| inputlookup "lotl_commands.csv"
| rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe" New_Process_Name="C:\Windows\SysWOW64\schtasks.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time

So I added the line that starts with "NOT (Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1", because I want the file path to be exempted when the alert runs.


richgalloway
SplunkTrust

Backslashes have to be escaped. Try this:

index=windows EventCode=4688
[| inputlookup "lotl_commands.csv"
| rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (Creator_Process_Name="C:\\Program Files (x86)\\MySQL\\MySQL Notifier 1.1\\MySQLNotifier.exe" New_Process_Name="C:\\Windows\\SysWOW64\\schtasks.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time
---
If this reply helps you, Karma would be appreciated.
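The two points in this thread (backslashes inside a quoted SPL value must be doubled, and `NOT (A B)` exempts an event only when both fields match in that same event) as an added example that is not part of the thread or of any Splunk code. It builds the escaped exclusion clause from the raw Windows paths and filters constructed 4688-style events with the same AND semantics; `spl_quote`, `build_exclusion` and `is_exempt` are names chosen here, not Splunk functions.

```python
# Added example (not from the thread): generate a correctly escaped SPL
# exclusion for a creator/new-process pair and mirror its AND semantics.

def spl_quote(value: str) -> str:
    """Quote a literal for SPL: every backslash becomes \\\\ and every " becomes \\"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_exclusion(creator: str, new_proc: str) -> str:
    """Return a NOT (...) clause that exempts events where BOTH fields match."""
    return (f"NOT (Creator_Process_Name={spl_quote(creator)} "
            f"New_Process_Name={spl_quote(new_proc)})")


def is_exempt(event: dict, creator: str, new_proc: str) -> bool:
    """Same rule as the clause: exempt only if both values appear in one event."""
    return (event.get("Creator_Process_Name") == creator
            and event.get("New_Process_Name") == new_proc)


def remaining_after_exclusion(events: list, creator: str, new_proc: str) -> list:
    """Events that would still reach the alert after the NOT clause is applied."""
    return [e for e in events if not is_exempt(e, creator, new_proc)]


# Raw paths as they appear in the event fields (single backslashes).
CREATOR = r"C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe"
NEW_PROC = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed sample events, not real log data. Only the first one matches
# on both fields; the second runs schtasks.exe from a different parent and
# must keep alerting.
EVENTS = [
    {"Account_Name": "alice", "Creator_Process_Name": CREATOR,
     "New_Process_Name": NEW_PROC},
    {"Account_Name": "bob", "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "New_Process_Name": NEW_PROC},
]

if __name__ == "__main__":
    print(build_exclusion(CREATOR, NEW_PROC))
    for e in remaining_after_exclusion(EVENTS, CREATOR, NEW_PROC):
        print("still alerts:", e["Account_Name"], e["Creator_Process_Name"])
```

Paste the printed clause into the search; the second sample event shows why a parent/child pair is a narrower exemption than excluding schtasks.exe on its own.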

richgalloway
SplunkTrust

Please share the modified query.

---
If this reply helps you, Karma would be appreciated.