whipped5000
commented
4 years ago Just an update.
I have changed the lookup csv so it only has stars in it (wildcards) for every field that is in the lookup in the processs_create_whitelist macro.
I repalced the process_create_whitelist macro with it's actual contents from the macros.conf file, so I could play around with it.
lookup process_create_whitelist mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line output reason
I've taken the where isnull(reason) out so I can see the reasons in the results if the lookup matches.
Going through each of the lookup fields in turn, if I include either the user_name or the hash_sha256 field then I don't get a reason returned, which tells me it is not matching when there is a wildcard * in that field in the csv
Hope this makes sense
Hi there, I've been using the app since you released it at black hat.
We recent;y upgraded splunk and I ran into the issue where a large whitelist csv would make it ingest large amounts of data unwanted data.
I have cloned the repo today and overwritten the previous directory.
The whitelisting did not appear to be working, so I took the process_create_whitelist lookup back to nothing and used the editor to add a single entry.
In this case it is the word
*iModel*in the process_command_lineThe process_command_line I'm trying to whitelist has a command line that contains the following
Powershell -noprofile -ExecutionPolicy Bypass - File "C:\ProgramData\McAfeee\Agent\Current\IMODELGE1004\Install\0000\iModel-Listing.ps1"So I assume it should not show up once I add
*iModel*to the whitelist lookup.Am I missing something here?