Hi @tscroggins  @richgalloway  @PickleRick , In this below sample event  the C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe appears in both ParentParentName and NewProcessName, we might need a specialized handling. Would you like help with a xml regex pattern to cover these conditions? <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T08:18:13.998467800Z'/><EventRecordID>151265209</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='11116'/><Channel>Security</Channel><Computer>xxvy.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3978</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f80</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event> Can we use like this ? blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>% blacklist5= $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%       ... View more

@richgalloway , How we can correlate data across different languages or datasets. For the specific case of merging "Approuvé" (French) and "Approved" (English) fields..  english :    Approved Sachin tendulakr from 11/25/2023 07:03 AM until 11/25/2023 03:03 PM.   french : Approuvé - Approuvé Salmon du 11/23/2023 02:10 PM au 12/23/2023 02:10 PM .  English           French Approved     Approuvé from                du until                au Thanks       ... View more

@richgalloway  I have made changes to local inputs.conf on this app and deployed it to over 3k servers so we need to move these configurations from local to default to get it work ? Thanks.. ... View more

Hello, @richgalloway @PickleRick , The regex I used seems effective, but it's unexpectedly blocking all my Windows security events. I've checked the regex, and I haven't specifically blacklisted any Windows executables. Could you assist me in analyzing the below list of blacklisted executables? # Copyright (C) 2019 Splunk Inc. All Rights Reserved. # DO NOT EDIT THIS FILE! # Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. # To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default # into ../local and edit there. # ###### OS Logs ###### [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))" blacklist2 = EventCode="5447|4634|5156|4663|4656|5152|5157|4658|4673|4661|4690|4932|4933|5158|4957|5136|4674|4660|4670|5058|5061|4985|4965" blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:SplunkUniversalForwarder\\bin\\btool.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-powershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-winprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-regmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-admon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-perfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)|.+(?:Windows Defender Advanced Threat Protection\\SenseCncProxy.exe)|.+(?:Windows Defender Advanced Threat Protection\\SenseCM.exe)|.+(?:Windows Defender Advanced Threat Protection\\MsSense.exe)|.+(?:Microsoft\\Windows Defender\\Platform\\.*\MsMpEng.exe)|.+(?:Microsoft\\Windows Defender\\Platform\\.*\\MpCmdRun.exe)|.+(?:Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\.*\\MsSense.exe)|.+(?:Microsoft\\Windows Defender\\Platform\\.*\\MsMpEng.exe)|.+(?:Microsoft\\Windows Defender Advanced Threat Protection\Platform\.*\\SenseIR.exe)|.+(?:Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\.*\\OpenHandleCollector.exe)|.+(?:ForeScout SecureConnector\\SecureConnector.exe)|.+(?:Windows Defender Advanced Threat Protection\\SenseIR.exe)|.+(?:Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy.exe)|.+(?:Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent.exe|.+(?:Tanium\\Tanium Client\\TaniumCX.exe)|.+(?:AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker.exe)|.+(?:AzureConnectedMachineAgent\\GCArcService\\GC\\gc_service.exe)|.+(?:WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*.exe)|.+(?:AzureConnectedMachineAgent\\azcmagent.exe)|.+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)" blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:Tanium\\Tanium Client)" blacklist5 = EventCode="4688" Message="(?:Creator Process Name:).+(?:Tanium\\Tanium Client)" renderXml=true index = es_winsec Thanks... ... View more

@richgalloway  Can we use the props and transforms to send the unwanted events to null queue aas the applied regex are not working! ... View more

@PickleRick @richgalloway , Can we make changes to the splunk ta windows app inputs.conf of  the deployment server ?? There was some configs messed up in the inputs.conf how we can restore to the previous configs ??   Thanks... ... View more

@richgalloway , is this with quotes ? blacklist5 = EventCode="4688" Message="(ParentProcessName.+Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe)"   ... View more

Hi Can you pls give me and eg. for above regex with out group ? Thanks ... View more

@richgalloway , When I try to apply this blacklist it is not getting blacklisted even after applied matching regex pattern  blacklist3 = EventCode="4688" Message="(?:ParentProcessName).+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)" https://regex101.com/r/Jq2IKb/1 What changes do we need  here? Thanks.. ... View more

@gcusello , Hi   I want to blacklist C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe of creatorprocessname would it block the newprocessname of C:\Windows\System32\cmd.exe  as well ?   Thanks ... View more

@inventsekar , I believe this is the cause of issue, from the below snapshot  Creator_Process_Name                                  New_Process_Name C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe C:\Windows\System32\cmd.exe   When I excluded the creator processname tanium its newprocess name cmd.exe is also excluded. ... View more

@bharathkumarnec , Yes, it is generating the data in the event viewer! ... View more

@bharathkumarnec  Hi, After investigating I came across audit process creation is this causing this issue ?? https://docs.splunk.com/Documentation/ES/7.2.0/Admin/ConfigureLogging   ... View more

Hi @gcusello , When do logs arrive in Splunk after a user has performed an activity ... View more

Hi @richgalloway , Pls help me in extracting  the fields from the details value i.e approved=xyz, from=11/17/2023 06:22 AM , until =11/18/2023 12:00 AM, it should not be the event specific ! Details: Approved xyz from 11/17/2023 06:22 AM until 11/18/2023 12:00 AM.   Thanks   ... View more

@gcusello  Hi, I'd like to investigate which hosts aren't forwarding the specific events with the ParentProcessName="C:\Windows\System32\cmd.exe" to Splunk. How can we troubleshoot if a host isn't sending its logs to Splunk? Thanks ... View more

@bharathkumarnec  Hi, Where exactly we can run this btool to check the configurations. I dnt have back end access can we check in ui. ... View more

... ... View more

Hi@richgalloway , I've heard that the field name removal isn't feasible while we're receiving logs from the syslog server. Is that correct to your knowledge? Thanks ... View more

Hi @richgalloway , Could you pls write the sed command to remove the space between the field names. Thanks.. ... View more