So there is a query on my Splunk Cloud instance, which is below:
index=windows EventCode=4688
[| inputlookup "lotl_commands.csv"
| rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time
Whenever it runs, it triggers an alert for these file paths:
C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe
C:\Windows\SysWOW64\schtasks.exe
Now this file path is running legitimately, and I am trying to exempt it from being searched again so another alert does not trigger. So under the 10th line, the one that starts with "NOT (Creator_Process_Name=", I created another line like it and inserted both file paths, but when I do a 24hr search it still comes up, which means it is still not exempting that file path. So please, I need help being able to exempt that file path from the search. Thanks.
It does not work. I ran the query you sent me, but the same file path still comes up.
I need it to be exempted. Thanks.
It will be exempted only if Creator_Process_Name is "C:\Windows\System32\net.exe" AND New_Process_Name is "C:\Windows\System32\conhost.exe" in the same event. Is that the case?
So I added:
NOT Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe" New_Process_Name="C:\Windows\SysWOW64\schtasks.exe"
Because I want that file path exempted, but this did not work; when I do the search, the file path still comes up.
You added the same expression again? How was that supposed to help?
Have you tried this?
NOT Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe"
index=windows EventCode=4688
[| inputlookup "lotl_commands.csv"
| rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe" New_Process_Name="C:\Windows\SysWOW64\schtasks.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time
So I added the line that starts with "NOT (Creator_Process_Name="C:\Program Files (x86)\MySQL\MySQL Notifier 1.1"", because I want the file path to be exempted when the alert runs.
Backslashes have to be escaped. Try this:
index=windows EventCode=4688
[| inputlookup "lotl_commands.csv"
| rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (Creator_Process_Name="C:\\Program Files (x86)\\MySQL\\MySQL Notifier 1.1\\MySQLNotifier.exe" New_Process_Name="C:\\Windows\\SysWOW64\\schtasks.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time
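As an added example (not code from the thread), the following Python builds exclusion lines like the one above with the backslashes doubled for SPL, and checks against constructed events that a NOT clause only exempts an event when every term inside it matches in that same event; `Rule`, `to_spl`, `is_exempt` and the sample events are names and data assumed for this example.

```python
# Added example (not from the thread): builds the NOT-exclusion lines for the
# EventCode=4688 alert above with SPL escaping and checks each clause's AND
# semantics against constructed events. Field names come from the query;
# Rule, to_spl, is_exempt and the sample events are this example's own names.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

def spl_quote(value: str) -> str:
    """Quote for SPL: double every backslash, escape embedded double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

@dataclass(frozen=True)
class Rule:
    """One exemption; every field that is set must match in the same event."""
    creator: Optional[str] = None   # Creator_Process_Name, may contain '*'
    new_proc: Optional[str] = None  # New_Process_Name
    account: Optional[str] = None   # Account_Name
    ticket: Optional[str] = None    # change ticket, rendered via the comment macro

    def terms(self):
        return (("Account_Name", self.account),
                ("Creator_Process_Name", self.creator),
                ("New_Process_Name", self.new_proc))

def to_spl(rule: Rule) -> str:
    """Render as a NOT (...) line; terms inside the parentheses are implicitly ANDed."""
    terms = [f"{field}={spl_quote(pat)}" for field, pat in rule.terms() if pat]
    line = "NOT (" + " ".join(terms) + ")"
    return line + (f" `comment({rule.ticket})`" if rule.ticket else "")

def matches(rule: Rule, event: dict) -> bool:
    """True only when every set term matches; SPL compares field values case-insensitively."""
    return all(fnmatchcase(event.get(field, "").lower(), pat.lower())
               for field, pat in rule.terms() if pat)

def is_exempt(event: dict, rules) -> bool:
    """The event drops out of the alert if any one rule matches it fully."""
    return any(matches(rule, event) for rule in rules)

# The exemption the thread was after: parent and child must both match.
RULES = [
    Rule(creator=r"C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe",
         new_proc=r"C:\Windows\SysWOW64\schtasks.exe"),
]

if __name__ == "__main__":
    print("\n".join(to_spl(rule) for rule in RULES))
```

Running it prints the escaped line exactly as it appears in the corrected query above; `is_exempt` shows that MySQLNotifier.exe spawning anything other than schtasks.exe still alerts.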
Please share the modified query.