olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Invalid eval expression for 'EVAL-target_process_name' #83

Closed Suirand1 closed 2 years ago

Suirand1 commented 3 years ago

I am getting some warnings in splunkd.log every half an hour. CalcFieldProcessor - Invalid eval expression for 'EVAL-target_process_name' in stanza [source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]: The operator at ',replace(TargetImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")' is invalid.

Suirand1 commented 3 years ago

I did modify props.conf

- EVAL-target_process_name = case(EventCode=="6","System",EventCode=="8" OR EventCode=="10"),replace(TargetImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")    
+ EVAL-target_process_name = case(EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(TargetImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")
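Review bot: the `-` line closes `case(` immediately after `EventCode=="8" OR EventCode=="10"`, so `replace(...)`, `1==1` and `""` sit outside the function call, which is exactly where splunkd reports the invalid operator (`',replace(TargetImage,...'`); the `+` line removes that stray `)` so `replace(...)` becomes the value for the 8/10 condition and the final `)` closes `case(`. Trailing whitespace on the `-` line can also go.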

The error is gone now.
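The corrected `case()` logic and its basename regex, re-implemented in Python as an added example (not code from the ThreatHunting repo) so the broken and fixed expressions from this issue can be checked offline; it assumes Splunk passes the eval string `"(.*\\\)..."` to the regex engine as `(.*\\)...`, i.e. a literal backslash before the closing group.

```python
import re

# Both eval expressions exactly as posted in this issue (raw strings, no Python escaping).
BROKEN_EVAL = r'case(EventCode=="6","System",EventCode=="8" OR EventCode=="10"),replace(TargetImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")'
FIXED_EVAL = r'case(EventCode=="6","System",EventCode=="8" OR EventCode=="10",replace(TargetImage,"(.*\\\)(?=.*(\.\w*)$|(\w+)$)",""),1==1,"")'

# Assumed form of the pattern after Splunk's string unescaping: greedy match up to
# the last backslash, provided the remainder looks like "name.ext" or a bare word.
BASENAME_RE = re.compile(r"(.*\\)(?=.*(\.\w*)$|(\w+)$)")


def parens_balanced(expr: str) -> bool:
    """Count '(' and ')' outside double-quoted strings, honouring backslash escapes
    inside strings (the regex literal contains parentheses that must be ignored)."""
    depth, in_str, i = 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if in_str:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:  # a ')' with nothing to close: the broken line's failure
                return False
        i += 1
    return depth == 0


def target_process_name(event: dict) -> str:
    """Mirror the fixed EVAL: 6 -> "System"; 8 or 10 -> basename of TargetImage; else ""."""
    code = str(event.get("EventCode", ""))
    if code == "6":
        return "System"
    if code in ("8", "10"):
        # replace(TargetImage, pattern, "") strips everything through the last backslash
        return BASENAME_RE.sub("", event.get("TargetImage", ""))
    return ""


if __name__ == "__main__":
    print(parens_balanced(BROKEN_EVAL), parens_balanced(FIXED_EVAL))  # False True
    print(target_process_name({"EventCode": "10", "TargetImage": r"C:\Windows\System32\lsass.exe"}))
```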

olafhartong commented 2 years ago

Thanks (very late), I fixed it!