From b314066e06bb4959441e4abc94a6f3f6eee6c218 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 2 May 2020 22:20:48 -0700
Subject: [PATCH 1/3] Fixing Splunk regex

---
 Vagrant/resources/splunk_server/transforms.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf
index 5e76d4c..abdd80a 100644
--- a/Vagrant/resources/splunk_server/transforms.conf
+++ b/Vagrant/resources/splunk_server/transforms.conf
@@ -20,11 +20,11 @@ DEST_KEY = queue
 FORMAT = nullQueue
 
 [osqueryd_wineventlog_null]
-REGEX = "Process_Name=C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe"
+REGEX = "Process\sName:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe""
 DEST_KEY = queue
 FORMAT = nullQueue
 
 [autoruns_wineventlog_null]
 REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
 DEST_KEY = queue
-FORMAT = nullQueue
\ No newline at end of file
+FORMAT = nullQueue

From f0a7b1481f0c3d4f770ddf7677ca5ada93a9a9a9 Mon Sep 17 00:00:00 2001
From: Chris Long
Date: Sat, 2 May 2020 22:21:24 -0700
Subject: [PATCH 2/3] Typo

---
 Vagrant/resources/splunk_server/transforms.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf
index abdd80a..e88932a 100644
--- a/Vagrant/resources/splunk_server/transforms.conf
+++ b/Vagrant/resources/splunk_server/transforms.conf
@@ -20,7 +20,7 @@ DEST_KEY = queue
 FORMAT = nullQueue
 
 [osqueryd_wineventlog_null]
-REGEX = "Process\sName:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe""
+REGEX = "Process\sName:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe"
 DEST_KEY = queue
 FORMAT = nullQueue

From 9e9120f02b2e3c7aee2e618c498b09f8bae1126d Mon Sep 17 00:00:00 2001
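Review bot: The final `[osqueryd_wineventlog_null]` pattern `Process\sName:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe` is applied to the raw event text, so it matches any event in which that path follows a "Process Name:" label — including a 4688 whose `Creator Process Name:` line is osqueryd, which means a child process spawned by (or through) a compromised osqueryd is routed to nullQueue along with the noise it was meant to suppress. Anchor on the label that actually carries the noise and escape the dot, e.g. `REGEX = "New\sProcess\sName:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd\.exe"`, or pair the regex with an EventCode condition in the props.conf stanza that applies it (that stanza is outside this patch). It is also worth confirming with a test event whether the surrounding double quotes are stripped by Splunk or become literal characters in the regex, since in the latter case the stanza would never match. Please add a one-line comment above the stanza recording why these events are discarded and that they cannot be recovered once sent to nullQueue.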
From: Chris Long
Date: Sun, 3 May 2020 17:08:22 -0700
Subject: [PATCH 3/3] Implementing blacklist on wef_inputs.conf

Resolving Issue #436
---
 Vagrant/resources/splunk_forwarder/wef_inputs.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Vagrant/resources/splunk_forwarder/wef_inputs.conf b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
index 35651dd..7690af9 100755
--- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
@@ -140,6 +140,7 @@ disabled = 0
 start_from = oldest
 current_only = 0
 checkpointInterval = 5
+blacklist1 = EventCode="4798" Message=".+Process Name:.+\\osqueryd\\osqueryd.exe"
 
 [WinEventLog://WEC3-Windows-Diagnostics]
 sourcetype = WinEventLog:System
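Review bot: The `.+` between `Process Name:` and `\\osqueryd\\osqueryd.exe` in the new `blacklist1` accepts any directory, so a 4798 (local group membership enumeration) produced by a lookalike binary at, say, `C:\Users\Public\osqueryd\osqueryd.exe` is discarded on the forwarder before it can reach the indexer — and because this is a forwarder-side blacklist the event is unrecoverable. Pin the full path and escape the dot: `blacklist1 = EventCode="4798" Message="Process Name:\s+C:\\Program Files\\osquery\\osqueryd\\osqueryd\.exe"`. Add a comment above the line so analysts know the gap is intentional, e.g. `# Drop 4798 generated by osqueryd's own queries (issue #436); the path is anchored so a renamed binary elsewhere is still logged`. Whether this regex spans the multi-line Message field without a `(?s)` flag should be confirmed against a captured event. The `[WinEventLog://…]` stanza this line belongs to begins above the hunk.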