reswob4 (Honored Contributor)

Trouble matching events in ActiveList when changing to all lowercase


I'm having a weird problem matching events to an active list.

I have a list of windows executables that I want to monitor in lowercase in an active list called "Suspicious processes". (examples: psexec.exe, route.exe, net.exe)

I then have a filter to capture all Windows 4688 events (called windows_process) and I've piped that into a query where I'm grabbing the Destination Process Name and using IndexOf and Substring local variables to create a local variable (called process_name) that stores the executable part only. So it takes the value C:\Tools\SysInternals\PsExec.exe and puts PsExec.exe into the process_name variable.

First I tried to create the query conditions like this:

AND
     MatchesFilter("/All Filters/Personal/bowserc's Filters/windows_process")
     InActiveList("/All Active Lists/Personal/bowserc's Active Lists/Suspicious processes")
Because I wanted to compare the process_name to the active list and list all matches. The first thing I realized is that there was a case problem and I wouldn't get all the matches I wanted:

     net.exe == net.exe

but

     PsExec.exe != psexec.exe

So I used the to_lower function on process_name and created another variable called lower_process_name, so now PsExec.exe became psexec.exe. Then I created a local variable called match_suspicious_process using get_activelist_value against the active list I created.

So now the query conditions are this:

AND
     MatchesFilter("/All Filters/Personal/bowserc's Filters/windows_process")
     match_suspicious_process.process_name = lower_process_name

Theoretically, this will ensure I get to compare lowercase against lowercase and get matches.

But it's not working right.

When the Destination Process Name is C:\Windows\System32\net.exe, that results in a match to the active list entry net.exe.

Same with when the Destination Process Name is C:\Windows\System32\wscript.exe and the active list entry is wscript.exe.

But when the Destination Process Name is C:\Tools\SysInternals\PsExec.exe it will not match psexec.exe.

It works if I explicitly set the conditions like this:

AND
     MatchesFilter("/All Filters/Personal/bowserc's Filters/windows_process")
     match_suspicious_process.process_name = lower_process_name
     lower_process_name = psexec.exe

So why doesn't it work otherwise?

Thanks.
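The matching logic described in the question, written out in plain Python as an added example (this is not ArcSight code and not the poster's own; the active-list entries and 4688-style events below are constructed for the example). It shows the three variants side by side: the original case-sensitive comparison, lowercasing only the event side (the lower_process_name variable), and folding case on both sides, which is what an ignore-case filter or a case-insensitive active list effectively does. One list entry is deliberately entered in mixed case to show why the list side matters too.

```python
import ntpath

# Constructed sample data: the "Suspicious processes" active list from the post,
# with one entry deliberately typed in mixed case to show why the list side must
# be normalized as well. Not real ArcSight data; built here for the example.
SUSPICIOUS_PROCESSES = ["psexec.exe", "route.exe", "net.exe", "WScript.exe"]

# Constructed sample 4688-style events: Destination Process Name holds the full path.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\net.exe",
    r"C:\Windows\System32\wscript.exe",
    r"C:\Tools\SysInternals\PsExec.exe",
    r"C:\Windows\System32\notepad.exe",
]


def process_name(destination_process_name):
    """Equivalent of the IndexOf/Substring local variables in the post:
    keep only the executable name after the last path separator."""
    return ntpath.basename(destination_process_name)


def match_case_sensitive(events, entries):
    """The first approach in the post: exact, case-sensitive comparison.
    PsExec.exe does not equal psexec.exe, so it is missed."""
    lookup = set(entries)
    return [e for e in events if process_name(e) in lookup]


def match_event_side_only(events, entries):
    """Lowercases only the event side, like lower_process_name in the post.
    Catches PsExec.exe, but still misses a list entry that was typed as WScript.exe."""
    lookup = set(entries)
    return [e for e in events if process_name(e).casefold() in lookup]


def match_case_insensitive(events, entries):
    """Case-folds BOTH sides. This is the behaviour an ignore-case filter or a
    case-insensitive active list gives you: neither the analyst entering list
    values nor the logging host's path casing can cause a miss."""
    lookup = {entry.casefold() for entry in entries}
    return [e for e in events if process_name(e).casefold() in lookup]


if __name__ == "__main__":
    print("case-sensitive:   ", match_case_sensitive(SAMPLE_EVENTS, SUSPICIOUS_PROCESSES))
    print("event side only:  ", match_event_side_only(SAMPLE_EVENTS, SUSPICIOUS_PROCESSES))
    print("both sides folded:", match_case_insensitive(SAMPLE_EVENTS, SUSPICIOUS_PROCESSES))
```

Running it prints one match for the case-sensitive variant, two when only the event side is lowercased, and all three suspicious executables when both sides are folded. The practical point for a detection rule is that normalization has to be applied consistently to the list and to the event, or configured once at the filter or list level so it cannot be forgotten on either side.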


Accepted Solution
LakeHealthInfoS (Outstanding Contributor)

Re: Trouble matching events in ActiveList when changing to all lowercase


Set up your Filter in the RULE to IGNORE CASE. After building the filter it will be a choice in the bottom panes on the far right-hand side.

I have two filters that do that. Also, if you ever use Actors, don't forget to set your User names to UPPER CASE on the Connectors.

3 Replies

thomas.neumann (Absent Member)

Re: Trouble matching events in ActiveList when changing to all lowercase


Hello Craig,

Maybe a case-INsensitive Active List can help you out.

(The "Case sensitivity" setting is chosen while creating the AL and cannot be changed later, unfortunately.)

Best regards,

Thomas

reswob4 (Honored Contributor)

Re: Trouble matching events in ActiveList when changing to all lowercase


Sorry for the long delay, but this one worked nicely.
