Hey guys,

Thanks for the advice, still not working im afraid, I can see that it works on Regex101 also managed to get it working on Regex101 with ^[a-zA-Z]+:[\s[a-z]+\s[a-z]+$

When its thrown into Splunk it still doesn't work, I swappped the [ ] for ( ) too as [ ] dont work in Splunk.... Ill keep trying

🙂

Cheers

I updated my answer.

still the same i'm afraid no results... very much appreciate your assistance though 🙂

You must not swap [] for () because it completely changes the RegEx. Did you try mine exactly as I showed it or did you modify it?

exactly as yours pal

Hey Cusello,

you would think so right but that brings back no results for me at all, however if I do a ("CommandLine:" AND "net" AND "share" that will bring back some results as shown below however it brings back events that just contain either 1 or 2 of the other words where all I really want to see is events containing the exact match of "CommandLine: net share"

Dont worry the below systems are throw away lab systems so no corp data is available

Time Event
1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431111
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.340
ProcessGuid: {834924C0-CD99-5C45-0000-0010B3DAC700}
ProcessId: 4680
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: C:\Windows\system32\net1 share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=382169595D5BBEB535C4575B3EC8CC7E5E933115
ParentProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ParentProcessId: 1540
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net share
Collapse
CommandLine = C:\Windows\system32\net1 share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

1/21/19
1:48:09.000 PM

01/21/2019 01:48:09 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=DC01.PurpleHaze.local
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=431110
Keywords=None
Message=Process Create:
RuleName:
UtcTime: 2019-01-21 13:48:09.330
ProcessGuid: {834924C0-CD99-5C45-0000-00100FDAC700}
ProcessId: 1540
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
CommandLine: net share
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {834924C0-3E0A-5C40-0000-0020E7030000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=B160F4462A4728BEC8FA053B99709622A4B4DD20
ParentProcessGuid: {834924C0-C9D7-5C45-0000-0010FCA2C500}
ParentProcessId: 3064
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\system32\cmd.exe
Collapse
CommandLine = net share host = DC01 source = WinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = WinEventLog:Microsoft-Windows-Sysmon/Operational

Hi AaronMoorcroft,
in the first sample you shared I see:
ParentCommandLine: net share that matches your string but before the string there's an additional word, instead in the second one I see CommandLine: net share that exactly matches your search.
To distinguish the two events, you could use the regex command:

| regex "\s+CommandLine: net share"

you can test it at https://regex101.com/r/N9cnAe/1

Bye.
Giuseppe