So I have some data like below in my _raw:
Name: BES Client, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc
I am trying to parse out just the "running" process name like "BES Client" or "BESClientHelper", however it has to have the text "Running" behind it so I know it's a running process. Not the two "exe" files crossed out above.
Make sense? 🙂 Thanks!!
This will give you a process field with the name of the process if it has the "Running" text after.
| rex "Name: (?<process>[^,]*), Running"
This doesn't quite work as it grabs the first "Name: " it sees in the raw and in my case spits out "Adobe Acrobat" and then stops... Is there a way to keep it going, naming all the "Name: xxxxxxxx, Running"? Does that make sense?
Yes, I assumed these were separate rows, but if this is one big _raw event, then use the max_match=0 param with rex; that will make a multi-value field with all the found matches of the regex.
Here is an example with your data as a single event:
| makeresults
| eval _raw="Name: BES Client, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe\"\", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047
Name: BESClientHelper, Running as: LocalSystem, Path: \"\"C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientHelper.exe\"\", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8
Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\LOCAL SERVICE, Path: C:\Windows\System32\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8
Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\SYSTEM, Path: C:\Program Files\McAfee\Solidcore\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc"
| rex max_match=0 "Name: (?<process>[^,]*), Running"
You could append a search command to look for only those events.
| search process=*
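As an added example (not part of the thread), here is the same idea in Python: the first function mirrors plain rex (first match only), the second mirrors rex max_match=0 (all matches), and a fuller per-line parser keeps the account, path and SHA1 together with the name so a hash or run-as account can be checked later. RAW_EVENT is constructed from the lines posted above; the regex and function names are my own.

```python
import re

# Constructed sample: the four posted lines as one multi-line _raw event.
RAW_EVENT = (
    'Name: BES Client, Running as: LocalSystem, Path: ""C:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClient.exe"", SHA1: 5bf0d29324081f2f830f7e66bba7aa5cb1c46047\n'
    'Name: BESClientHelper, Running as: LocalSystem, Path: ""C:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\BESClientHelper.exe"", SHA1: c989ae2278a9f8d6d5c5ca90fca6a57d19b168b8\n'
    'Name: svchost.exe, PID: 424, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:41:57 -0700 ), Running as: NT AUTHORITY\\LOCAL SERVICE, Path: C:\\Windows\\System32\\svchost.exe, SHA1: 3196f45b269a614a3926efc032fc9d75017f27e8\n'
    'Name: scsrvc.exe, PID: 1384, PPID: 432, ( Started up: Mon, 19 Sep 2022 03:42:34 -0700 ), Running as: NT AUTHORITY\\SYSTEM, Path: C:\\Program Files\\McAfee\\Solidcore\\scsrvc.exe, SHA1: ef1cc70f3e052a6c480ac2fe8cdfe21a502669cc'
)

# Same pattern as the thread's rex: the name must be followed directly by ", Running".
# Lines with "PID:" after the name therefore never match, which is the intended filter.
SERVICE_RE = re.compile(r"Name: (?P<process>[^,]*), Running")

def first_match(raw):
    """Default rex behaviour: only the first match in the event."""
    m = SERVICE_RE.search(raw)
    return m.group("process") if m else None

def all_matches(raw):
    """rex max_match=0 behaviour: every match, as a multi-value list."""
    return [m.group("process") for m in SERVICE_RE.finditer(raw)]

# Fuller parser: one record per line, with the optional PID/PPID/start-time block
# that distinguishes process lines from service lines. Path may be wrapped in "".
RECORD_RE = re.compile(
    r"Name: (?P<name>[^,]*), "
    r"(?:PID: (?P<pid>\d+), PPID: (?P<ppid>\d+), \([^)]*\), )?"
    r"Running as: (?P<account>[^,]*), "
    r'Path: "*(?P<path>[^",]*)"*, '
    r"SHA1: (?P<sha1>[0-9a-f]{40})"
)

def parse_records(raw):
    """Return a list of dicts (name, pid, ppid, account, path, sha1, kind)."""
    records = []
    for m in RECORD_RE.finditer(raw):
        rec = m.groupdict()
        rec["kind"] = "process" if rec["pid"] else "service"
        records.append(rec)
    return records
```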