Splunk Search

Regex for matching service path

Path Finder

Hello,

I want to exclude all the WinEventLogs for the service C:\Windows\System32\svchost.exe which doesn't contain the default path. So for example I don't want to see all the svchost.exe services which are in this path C:\Windows\System32\
If the svchost.exe service is in any different path (e.g. C:\Windows\svchost.exe) I want to get alert on it.

Any ideas how to do it in the most efficient way?

Thanks,
K.


Builder

I'm not 100% sure if my answer is what you're looking for, but please see below; if not, leave a comment and I'll get back to you.

If you're trying to send an alert when a field matches what you expect,
then use a simple if statement: | eval SendAlert=if(match(fieldname, "{either regex or string}"), 1, 0)

Then your alert settings should be to send an alert if any event has a field SendAlert set to 1.

Don't forget to comment if this isn't what you're looking for


Builder

Could you post a couple of sample events? You could try extracting the process name into a field and then searching for field_name != "c:\Windows\system32\svchost.exe"

Typically your search would be similar to:

<your sourcetype> | rex _raw "Process Name: (?<process_name>[^ ]+)" | search <your sourcetype> process_name !="c:\Windows\system32\svchost.exe" 

If you can post sample events, I can confirm the regular expression.


Path Finder

Here is a sample log:
AccessMask = 0x2
AccessReasons = -
Accesses = Unknown specific access (bit 1)
AccountDomain =
AccountName =
ComputerName =
EventCode = 4656
EventCodeDescription = A handle to an object was requested
EventType = 0
HandleID = 0x0
Keywords = Audit Success
LogName = Security
LogonID = 0x3e7
Message = A handle to an object was requested.
Process Name: C:\Windows\System32\svchost.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: Unknown specific access (bit 1) Access Reasons: - Access Mask: 0x2 Privileges Used for Access Check: - Restricted SID Count: 0
ObjectName = PlugPlaySecurityObject
ObjectServer = PlugPlayManager
ObjectType = Security
OpCode = Info
PrivilegesUsedforAccessCheck = -
ProcessID = 0x244
ProcessName = C:\Windows\System32\svchost.exe
RecordNumber = 78829788
RestrictedSIDCount = 0
SecurityID = NT AUTHORITY\SYSTEM
SourceName = Microsoft Windows security auditing.
TaskCategory = Other Object Access Events
TransactionID = {00000000-0000-0000-0000-000000000000}
Type = Information
action = failure
actionname = loginfail
actiontitle = Failed Login
dest = AZA2MGTXXSQM001
eventtype = wstauthentication authentication
host =
index = giswst
linecount = 37
punct = //::\r=\r=.\r=\r=\r=\r=..\r=\r=\r=\r=\r=____.\r\r\r\r:
source = WinEventLog:Security
sourcetype = WinEventLog:Security
splunkserver =
tag = authentication


Builder

I've edited my regex. That should work.


Path Finder

Thanks,

I haven't ever used extraction in a search, so this is my search query:
sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

and this is what I get:

Error in 'rex' command: The regex '_raw' does not extract anything. It should specify at least one named group. Format: (?...).


Path Finder

Sorry, the query is this:

sourcetype="WinEventLog:Security" | rex _raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"


Builder

Try this:

sourcetype="WinEventLog:Security" | rex field=_raw "Process Name: (?<process_name>[^ ]+)" | search sourcetype="WinEventLog:Security" process_name !="c:\Windows\system32\svchost.exe"

Path Finder

Here is what worked for me:

| rex field=unparsed_message "(?P<fullpath>[A-Za-z]:\[^|]+)" | rex field=fullpath "(?P.)\\." | rex field=fullpath "(?P\w+.\w+)"


Path Finder

Hello, thanks for this. As for sample events, they are pretty much the same in the raw logs. I have the field ProcessName indexed and extracted, which is usually the path and the process I am looking for: ProcessName="c:\Windows\system32\svchost.exe". I can imagine how I could do it if I had two separate fields, one for the path and another for the process itself, but at the moment I am struggling while having everything in just one field. The field in the raw logs is always the same as in the example above. What I am trying to accomplish is to set up some rules to monitor default processes which start in non-default Windows locations.


Path Finder

Additionally, there is only one field which includes the process name within the raw logs: "Process Name: C:\Windows\System32\svchost.exe"

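The rule the thread is after (a watched binary such as svchost.exe running from somewhere other than its default directory), written out as an added Python example that is not from the thread or from Splunk: it pulls the path out of the raw "Process Name:" text with a regex like the one above, but the lazy match keeps paths that contain spaces, which the `[^ ]+` pattern would cut off at the first space, and it compares the parent directory case-insensitively, the way Splunk's field search does. The SysWOW64 entry and the sample events are assumptions and constructed data.

```python
import re
from typing import List, NamedTuple, Optional

# Permitted directories per watched binary (lower-case, no trailing backslash).
# svchost.exe in System32 is the thread's case; SysWOW64 is an added assumption
# (32-bit svchost on 64-bit Windows), drop it if your policy treats it as suspect.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Like the thread's rex, but ".*?\.exe" keeps paths with spaces intact.
PROCESS_RE = re.compile(
    r"Process Name:\s+(?P<process_name>[A-Za-z]:\\.*?\.exe)(?=\s|$)",
    re.IGNORECASE,
)

class Finding(NamedTuple):
    process_name: str  # path exactly as logged
    directory: str     # lower-cased parent directory
    basename: str      # lower-cased file name

def extract_process_name(event: str) -> Optional[str]:
    """Pull the executable path out of a raw 'Process Name:' message, or None."""
    match = PROCESS_RE.search(event)
    return match.group("process_name") if match else None

def check_event(event: str) -> Optional[Finding]:
    """Return a Finding when a watched binary runs outside its permitted folders."""
    path = extract_process_name(event)
    if path is None:
        return None
    directory, _, basename = path.lower().rpartition("\\")
    expected = EXPECTED_DIRS.get(basename)
    if expected is None or directory in expected:
        return None  # not a watched binary, or in a permitted location
    return Finding(path, directory, basename)

def scan(events: List[str]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]

# Constructed sample events in the shape of the thread's 4656 message text.
SAMPLE_EVENTS = [
    r"Process Name: C:\Windows\System32\svchost.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000}",
    r"Process Name: c:\windows\system32\SVCHOST.EXE Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000}",
    r"Process Name: C:\Windows\svchost.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000}",
    r"Process Name: C:\Program Files\Example\svchost.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000}",
    r"Process Name: C:\Windows\System32\notepad.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000}",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT: {finding.basename} from {finding.directory}: {finding.process_name}")
```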