SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Add Splunk exclusions per sysmon-modular #156

Open DustyMMiller opened 3 years ago

DustyMMiller commented 3 years ago

If using Splunk Universal Forwarders for sending events to Splunk, the Splunk processes are very noisy. This will tune those out so that a default config will not log that noise.

eden881 commented 11 months ago

While it's true that Splunk processes are very noisy, I don't think their creation should be entirely invisible to sysmon. I believe a rule set that filters out the constant noise-makers would be a better solution. Something like this:

<!--SECTION: Splunk-->
<ParentCommandLine condition="is">"C:\Program Files\Splunk\bin\splunkd.exe" service</ParentCommandLine> <!--Splunk: Splunk Daemon: Launches many maintenance processes-->
<CommandLine condition="is">btool server list</CommandLine> <!--Splunk: btool-->
<ParentCommandLine condition="is">btool server list</ParentCommandLine> <!--Splunk: btool-->
<ParentCommandLine condition="begin with">"C:\Program Files\Splunk\bin\Python3.exe"</ParentCommandLine> <!--Splunk: python3: Handles scheduled collection tasks-->

Likewise for Universal Forwarders:

<!--SECTION: SplunkUF-->
<ParentCommandLine condition="is">"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service</ParentCommandLine> <!--SplunkUF: Splunk Daemon: Launches many maintenance processes-->
<CommandLine condition="is">btool server list</CommandLine> <!--SplunkUF: btool-->
<ParentCommandLine condition="is">btool server list</ParentCommandLine> <!--SplunkUF: btool-->
<ParentCommandLine condition="begin with">"C:\Program Files\SplunkUniversalForwarder\bin\Python3.exe"</ParentCommandLine> <!--SplunkUF: python3: Handles scheduled collection tasks-->
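To check that the rule set above suppresses only the routine child processes while the creation of splunkd.exe itself stays visible, here is an added Python script (not part of this thread or of sysmon-config) that applies eden881's Splunk rules to a few constructed ProcessCreate events. It assumes Sysmon evaluates `is` and `begin with` as case-insensitive string comparisons; the RuleGroup wrapper and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

# eden881's proposed Splunk rules (verbatim), wrapped in the ProcessCreate
# exclude group that sysmon-config uses. The wrapper is constructed here.
SPLUNK_RULES = r"""
<RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="exclude">
    <ParentCommandLine condition="is">"C:\Program Files\Splunk\bin\splunkd.exe" service</ParentCommandLine>
    <CommandLine condition="is">btool server list</CommandLine>
    <ParentCommandLine condition="is">btool server list</ParentCommandLine>
    <ParentCommandLine condition="begin with">"C:\Program Files\Splunk\bin\Python3.exe"</ParentCommandLine>
  </ProcessCreate>
</RuleGroup>
"""

def matches(rule_text, condition, value):
    """Sysmon string conditions; Sysmon compares case-insensitively (assumption)."""
    v, r = value.lower(), rule_text.lower()
    if condition == "is":
        return v == r
    if condition == "begin with":
        return v.startswith(r)
    raise ValueError("condition not modelled here: " + condition)

def load_exclusions(xml_text):
    """Return (field, condition, text) for each rule in the exclude group."""
    group = ET.fromstring(xml_text).find("ProcessCreate")
    if group is None or group.get("onmatch") != "exclude":
        raise ValueError("expected a ProcessCreate exclude group")
    return [(rule.tag, rule.get("condition"), rule.text) for rule in group]

def is_excluded(event, rules):
    """groupRelation='or': any single matching rule suppresses the event."""
    return any(matches(text, cond, event.get(field, "")) for field, cond, text in rules)

# Constructed sample ProcessCreate events (only the fields the rules inspect).
SPLUNKD = r'"C:\Program Files\Splunk\bin\splunkd.exe" service'
EVENTS = {
    "splunkd_itself": {"ParentCommandLine": r"C:\Windows\system32\services.exe", "CommandLine": SPLUNKD},
    "btool_child":    {"ParentCommandLine": SPLUNKD, "CommandLine": "btool server list"},
    "python_task":    {"ParentCommandLine": r'"C:\Program Files\Splunk\bin\Python3.exe" task.py', "CommandLine": "conhost.exe"},
    "lookalike_path": {"ParentCommandLine": r'"C:\Users\Public\Splunk\bin\splunkd.exe" service', "CommandLine": "btool server"},
}

def logged_events(events=EVENTS, xml_text=SPLUNK_RULES):
    """Names of events that survive the exclusions and reach the Sysmon log."""
    rules = load_exclusions(xml_text)
    return sorted(name for name, ev in events.items() if not is_excluded(ev, rules))

if __name__ == "__main__":
    print(logged_events())  # ['lookalike_path', 'splunkd_itself']
```

The exact-path `is` conditions mean that only children of the installed splunkd.exe are excluded; the same binary name under a different path, and the splunkd.exe service start itself, are still logged.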