So there is a query on my splunk cloud instance. Which is below:
index=windows EventCode=4688
[| inputlookup "lotl_commands.csv"
| rename suscmd as search ]
NOT Account_Name=*$
NOT (net "use ")
NOT InteractionScripter.NET.exe
NOT (Account_Name=itreports sqlcmd.exe)
NOT (Account_Name=SRV_EtlProd winscp.exe OR MSSQLSERVER OR SQLSERVERAGENT)
NOT (Account_Name=SRV_EDW_SQLEngine sqlcmd.exe conhost.exe OR sqldiag.exe)
NOT (Creator_Process_Name="C:\\Windows\\System32\\net.exe" New_Process_Name="C:\\Windows\\System32\\conhost.exe")
NOT (New_Process_Name=C:\\Windows\\System32\\conhost.exe)
NOT (Creator_Process_Name="*\\MicroStrategy Services.exe" New_Process_Name=C:\\Windows\\System32\\cscript.exe)
NOT Account_Name="SVCBTSCAN" `comment(INC0036469)`
NOT Account_Name="SVCBTFUNC" `comment(INC0036469)`
NOT Account_Name="SRV_Vulscanning" `comment(INC0036582)`
NOT (Account_Name="SRV_Lansweep_4Server" csc.exe)
| table _time EventCode ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
| sort _time
Whenever it runs, it triggers an alert for file path:
C:\Program Files (x86)\MySQL\MySQL Notifier 1.1\MySQLNotifier.exe
C:\Windows\SysWOW64\schtasks.exe
Now this file path is running legitimately and I am trying to exempt it from being searched again so another alert does not trigger so the 10th line that starts with " NOT (Creator_Process_Name=" I created another line like that under it and inserted both file paths but when I do a 24hr search it still comes up, which means it is still not exempting that file path. So please i need help being able to exempt that file path from the search. Thanks.
