I’m trying to enrich a bunch of Windows Sysmon logs. The ultimate goal is to set a field on processes launched from an Office application, i.e. if Word launches PowerShell or an unknown process, I want to know about it.
I know Java regex seems a bit pickier than others, but here is where I’m at. Here are some samples of Sysmon logs.
However, the moment I try to use it in my pipeline, the editor cries about it. Not to mention, I can’t get an optional capture group around the (x86) working either. To me, it should be ( \(x86\))?
rule "Threat Intel - Sysmon Parent Process"
when
    (has_field("parent_command") OR has_field("parent_process")) AND
    (regex("(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)", to_string($message.parent_command)).matches == true OR
     regex("(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)", to_string($message.parent_process)).matches == true) AND
    (to_string($message.command) != "C:\\WINDOWS\\splwow64.exe 8192" AND
     regex("(?i)(c:\\program files \(x86\)\\adobe).*$", to_string($message.command)).matches != true)
then
    set_field("suspicious_parent", to_bool("true"));
end
Any pointers? Where have I bunged this up, aside from being a total rookie with regex?
Actually, the error was on the Program Files regex line, sorry. Try this; I’m not sure if it will actually match for you, though it does allow me to save it now (added double escapes as per Jan’s comment).
That did it! Thanks @lindonm
Now that I know I need 4 slashes to replace one…
So, by that logic, do I need 8 slashes for a Windows UNC path? \\Serverlocation\Folder\File.exe? That seems pretty intense.
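The two escaping layers this thread keeps tripping over, worked through as an added example (mine, not code from the thread or from Graylog): layer 1 is the regex engine, which needs `\\` for a literal backslash and `\(` for a literal parenthesis; layer 2 is the rule file's double-quoted string, which (assuming Graylog rule strings use Java-style escapes, `\\` for a backslash and `\"` for a quote) doubles every backslash again. Python stands in for the pipeline: `re.search` emulates `regex(...).matches` (assumed to behave like Java's `find()`), `unescape_rule_string` is an emulation of the parser's unquoting rather than its real code, the events are constructed, and the Adobe pattern goes beyond the first post by using the optional `( \(x86\))?` group so both 32-bit and 64-bit install paths are allow-listed.

```python
import re

# Sysmon-style process events, constructed for this example (not real logs).
EVENTS = [
    {"parent_process": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command": "powershell.exe -nop -w hidden -enc AAAA"},
    {"parent_process": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command": r"C:\WINDOWS\splwow64.exe 8192"},
    {"parent_command": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "command": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe /n"},
    {"parent_process": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "command": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
    {"parent_process": r"C:\Windows\explorer.exe",
     "command": "powershell.exe"},
]

# Layer-1 patterns: exactly what the regex engine must receive.
OFFICE_PARENTS = r"(?i)(acrobat|winword|excel|lync|powerpnt|acrord32|notepad|calc)"
# Optional "(x86)" group so 32-bit and 64-bit Adobe install paths are both allow-listed.
ADOBE_DIR = r"(?i)(c:\\program files( \(x86\))?\\adobe).*$"


def regex_literal(text):
    """Layer 1: escape regex metacharacters so TEXT is matched literally."""
    return re.sub(r"([\\.()\[\]{}*+?^$|])", r"\\\1", text)


def rule_string(regex):
    # Layer 2: quote REGEX as a rule-file string literal. Assumes Java-style
    # escapes, so every backslash doubles again and quotes get a backslash.
    return '"' + regex.replace("\\", "\\\\").replace('"', '\\"') + '"'


def unescape_rule_string(literal):
    # Emulation of the parser undoing layer 2 (two backslashes -> one,
    # backslash-quote -> quote). Illustration only, not the parser's code.
    assert literal[0] == '"' and literal[-1] == '"'
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def rule_regex_matches(literal, text):
    """Unescape a rule-string literal and run it against TEXT (re.search ~ find())."""
    return re.search(unescape_rule_string(literal), text) is not None


def office_parent(event):
    """Mirror of the rule's when-clause: either parent field names an Office/Adobe app."""
    return any(
        f in event and re.search(OFFICE_PARENTS, str(event[f])) is not None
        for f in ("parent_command", "parent_process")
    )


def enrich(event):
    """Return a copy of EVENT with suspicious_parent set, like the rule's then-block."""
    out = dict(event)
    command = str(event.get("command", ""))
    if (office_parent(event)
            and command != r"C:\WINDOWS\splwow64.exe 8192"
            and re.search(ADOBE_DIR, command) is None):
        out["suspicious_parent"] = True
    return out


if __name__ == "__main__":
    print("Adobe pattern as it must appear in the rule file:", rule_string(ADOBE_DIR))
    # A UNC prefix is two backslashes, so it ends up as eight in the rule file.
    print("UNC path as a rule-file literal:",
          rule_string(regex_literal(r"\\Server\Folder\File.exe")))
    for e in EVENTS:
        print(enrich(e).get("suspicious_parent", False), e["command"])
```

The round trip is the useful check: `rule_string(ADOBE_DIR)` is what goes into the rule file, `unescape_rule_string` gives back `ADOBE_DIR` unchanged, and `rule_regex_matches` confirms that the literal still matches the `AcroRd32.exe` command line. Each backslash in the path you want to match costs two at the regex layer and four in the rule file, which is where the "4 slashes to replace one" rule of thumb comes from.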