Hi guys, I pulled this search off gosplunk's website, tried to run it in my test environment, and received the error above. I'm not exactly sure what to fix in the 'eval' command. This is supposed to alert on potential Windows suspicious activity.
Can anyone lend some advice, please?
sourcetype="WinEventLog:Security" EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe)
| eval Message=split(Message, ".")
| eval Short_Message=mvindex(Message,0)
| table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
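To see what the posted search actually does to an event, here is an added Python re-implementation of its filtering and eval logic (not from the thread or from gosplunk): it drops computer accounts (`NOT Account_Name=*$`), matches the bare process-name terms, and derives Short_Message the way `split`/`mvindex` do. The 4688 events and the assumed `WATCHED_TERMS` subset are constructed sample data, and whole-token matching is an approximation of Splunk's bare-term search.

```python
import re

# Constructed 4688 events (sample data, not real); MSG stands in for the event
# text Splunk extracts into Message, so Short_Message is its first sentence.
MSG = "A new process has been created. Creator Subject: Security ID S-1-5-18"
SAMPLE_EVENTS = [
    {"host": "ws01", "Account_Name": "jdoe", "New_Process_Name": r"C:\Windows\System32\whoami.exe",
     "Process_Command_Line": "whoami /all", "Message": MSG},
    {"host": "ws01", "Account_Name": "WS01$", "New_Process_Name": r"C:\Windows\System32\cmd.exe",
     "Process_Command_Line": "cmd.exe /c dir", "Message": MSG},
    {"host": "ws02", "Account_Name": "asmith", "New_Process_Name": r"C:\Program Files\App\app.exe",
     "Process_Command_Line": "app.exe --update", "Message": MSG},
    {"host": "ws02", "Account_Name": "asmith", "New_Process_Name": r"C:\Windows\System32\wsmprovhost.exe",
     "Process_Command_Line": "wsmprovhost.exe -Embedding", "Message": MSG},
]

# Subset of the terms from the posted search (assumed list; extend with the rest).
WATCHED_TERMS = ["cmd.exe", "powershell.exe", "whoami.exe", "system32\\net.exe",
                 "winrm.*", "winrs.*", "wsmprovhost.exe", "at.exe"]

def _term_regex(term):
    # Bare Splunk terms match whole tokens, so require a whitespace, backslash,
    # comma or quote boundary (or string edge) on both sides; '*' is a wildcard.
    body = re.escape(term).replace(r"\*", ".*")
    return re.compile(r'(?<![^\s\\,"])' + body + r'(?![^\s\\,"])', re.IGNORECASE)

TERM_REGEXES = [_term_regex(t) for t in WATCHED_TERMS]

def matches_search(event):
    # NOT (Account_Name=*$): computer accounts end in '$' and are excluded.
    if event["Account_Name"].endswith("$"):
        return False
    text = " ".join([event["New_Process_Name"], event["Process_Command_Line"], event["Message"]])
    return any(rx.search(text) for rx in TERM_REGEXES)

def short_message(message):
    # eval Message=split(Message, ".") | eval Short_Message=mvindex(Message, 0)
    return message.split(".")[0]

def run_search(events):
    # Equivalent of the final "| table ..." over the events that pass the filter.
    rows = []
    for ev in events:
        if matches_search(ev):
            rows.append({"host": ev["host"], "Account_Name": ev["Account_Name"],
                         "New_Process_Name": ev["New_Process_Name"],
                         "Process_Command_Line": ev["Process_Command_Line"],
                         "Short_Message": short_message(ev["Message"])})
    return rows
```

Running it against the sample yields the whoami.exe and wsmprovhost.exe events only; the cmd.exe run by the WS01$ computer account is filtered out, which is why real alerts need a rule for machine-account activity too.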
Funny thing happened. I decided to run it again this morning on a different SH prior to making any changes, and it ran just fine. It still will not work on the first SH, so that's something I've got to figure out. I much appreciate the inputs. Thanks, guys.
You need to wrap your code line in backticks so special characters don't get lost.
I ran this search on my Splunk instance and it works fine.