
Hello All,

Facing an issue fine-tuning ssh.exe from the below UDM field; kindly share the proper resolution with me.

principal.resource.attribute.labels.value !=

about.labels.key = "AdditionalFields"
about.labels.value = "{\\"HostName\\*********":\\"\\",\\"NetBiosName\\":******\\"\\",\\"OSFamily\\":\\"Windows\\",\\"OSVersion\\":\\"10.0\\",\\"IsDomainJoined\\":false,\\"RemediationProviders\\":[{\\"RemediationState\\":\\"Active\\",\\"RemediationDate\\":\\"2025-01-20T15:12:39.1178618Z\\",\\"Type\\":\\"remediation-provider\\"}],\\"LastRemediationState\\":\\"Active\\",\\"ThreatAnalysisSummary\\":[{\\"AnalyzersResult\\":[],\\"Verdict\\":\\"Suspicious\\",\\"AnalysisDate\\":\\"2025-01-20T15:12:39.1178618Z\\"}],\\"LastVerdict\\":\\"Suspicious\\",\\"Asset\\":true,\\"DetailedRoles\\":[\\"PrimaryDevice\\"],\\"RbacScopes\\":{\\"ScopesPerType\\":{\\"MachineGroupIds\\":{\\"Mode\\":\\"Any\\",\\"Scopes\\":[\\"794\\"]},\\"Workloads\\":{\\"Mode\\":\\"All\\",\\"Scopes\\":[\\"Mdatp\\"]}}},\\"Type\\":\\"host\\",\\"LeadingHost\\":true,\\"Role\\":0,\\"MachineId\\":\\"af93672e99238ac58325d87718a8d7d07bff9bf1\\",\\"MachineIdType\\":3,\\"HostMachineId\\":null,\\"DetectionStatus\\":\\"Detected\\",\\"SuspicionLevel\\":\\"Suspicious\\",\\"IsIoc\\":false,\\"MergeByKey\\":\\"\\"}"
metadata.base_labels.allow_scoped_access = true
metadata.base_labels.ingestion_kv_labels.key = "AZURE_BLOB"
metadata.base_labels.ingestion_kv_labels.value = "ADVANCED_HUNTING"
metadata.base_labels.log_types = "MICROSOFT_DEFENDER_ENDPOINT"
metadata.event_timestamp.seconds = 1737385885
metadata.event_timestamp.nanos = 20843400
metadata.event_type = "STATUS_UPDATE"
metadata.id = "AAAAAG3Ktz0VG9TP3TukPyOLfdYAAAAABgAAABEAAAA="
metadata.ingested_timestamp.seconds = 1737386112
metadata.ingested_timestamp.nanos = 788301000
metadata.ingestion_labels.key = "AZURE_BLOB"
metadata.ingestion_labels.value = "ADVANCED_HUNTING"
metadata.log_type = "MICROSOFT_DEFENDER_ENDPOINT"
metadata.product_event_type = "AlertEvidence"
metadata.product_log_id = "daebb07539-7c0d-4980-9a6b-3eb724c26a55_1"
metadata.product_name = "AdvancedHunting-AlertEvidence"
metadata.vendor_name = "Microsoft"
principal.resource.attribute.labels.value = "true"
principal.resource.attribute.labels.key = "DetectionStatus"
principal.resource.attribute.labels.value = "Detected"
principal.resource.attribute.labels.key = "MergeByKey"
principal.resource.attribute.labels.value = "vV0hjZ5XickIrq5xdfrXqN/yIR8="
principal.resource.attribute.labels.key = "MergeByKeyHex"
principal.resource.attribute.labels.value = "BD5D218D9E5789C908AEAE7175FAD7A8DFF2211F"
principal.resource.attribute.labels.key = "NetBiosName"
principal.resource.attribute.labels.key = "OSFamily"
principal.resource.attribute.labels.value = "Windows"
principal.resource.attribute.labels.key = "OSVersion"
principal.resource.attribute.labels.value = "10.0"
principal.resource.attribute.labels.key = "Role"
principal.resource.attribute.labels.value = "0"
principal.resource.attribute.labels.key = "SuspicionLevel"
principal.resource.attribute.labels.value = "Suspicious"
principal.resource.attribute.labels.key = "Type"
principal.resource.attribute.labels.value = "host"
principal.resource.attribute.labels.key = "AdditionalFields"
principal.resource.attribute.labels.value = "{\\"HostName\\":\\"****\\",\\"NetBiosName\\":\\"*******\\",\\"OSFamily\\":\\"Windows\\",\\"OSVersion\\":\\"10.0\\",\\"IsDomainJoined\\":false,\\"RemediationProviders\\":[{\\"RemediationState\\":\\"Active\\",\\"RemediationDate\\":\\"2025-01-20T15:12:39.1178618Z\\",\\"Type\\":\\"remediation-provider\\"}],\\"LastRemediationState\\":\\"Active\\",\\"ThreatAnalysisSummary\\":[{\\"AnalyzersResult\\":[],\\"Verdict\\":\\"Suspicious\\",\\"AnalysisDate\\":\\"2025-01-20T15:12:39.1178618Z\\"}],\\"LastVerdict\\":\\"Suspicious\\",\\"Asset\\":true,\\"DetailedRoles\\":[\\"PrimaryDevice\\"],\\"RbacScopes\\":{\\"ScopesPerType\\":{\\"MachineGroupIds\\":{\\"Mode\\":\\"Any\\",\\"Scopes\\":[\\"794\\"]},\\"Workloads\\":{\\"Mode\\":\\"All\\",\\"Scopes\\":[\\"Mdatp\\"]}}},\\"Type\\":\\"host\\",\\"LeadingHost\\":true,\\"Role\\":0,\\"MachineId\\":\\"af93672e99238ac58325d87718a8d7d07bff9bf1\\",\\"MachineIdType\\":3,\\"HostMachineId\\":null,\\"DetectionStatus\\":\\"Detected\\",\\"SuspicionLevel\\":\\"Suspicious\\",\\"IsIoc\\":false,\\"MergeByKey\\":"}"
principal.resource.attribute.labels.key = "IsDomainJoined"
principal.resource.attribute.labels.value = "false"
principal.resource.attribute.labels.key = "IsIoc"
principal.resource.attribute.labels.value = "false"
principal.resource.attribute.labels.key = "LastRemediationState"
principal.resource.attribute.labels.value = "Active"
principal.resource.attribute.labels.key = "LastVerdict"
principal.resource.attribute.labels.value = "Suspicious"
principal.resource.attribute.labels.key = "LeadingHost"
principal.resource.attribute.labels.value = "true"
principal.resource.attribute.labels.key = "MachineId"
principal.resource.attribute.labels.key = "MachineIdType"
principal.resource.attribute.labels.value = "3"
security_result.about.labels.key = "Service Source"
security_result.about.labels.value = "Microsoft Defender for Endpoint"
security_result.about.labels.key = "Detection Source"
security_result.about.labels.value = "Custom TI"
security_result.about.resource.attribute.labels.key = "Service Source"
security_result.about.resource.attribute.labels.value = "Microsoft Defender for Endpoint"
security_result.about.resource.attribute.labels.key = "Detection Source"
security_result.about.resource.attribute.labels.value = "Custom TI"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Informational"
security_result.threat_name = "'CustomEnterpriseBlock' malware was detected"

Hi @abisec94,

Can you please elaborate on what value you're trying to capture, and what your current regex is?

Kind Regards,

Ayman


I agree here with @AymanC, you haven't given us much to work with.


Please help us help you. I do use sites such as the following to help with regex at times.


https://gchq.github.io/CyberChef/#recipe=Regular_expression('User%20defined','',true,true,false,true,false,false,'Highlight%20matches')&input=Ig

Hello @AymanC, these are the regexes I have used below, but they won't work:

//$e.principal.resource.attribute.labels.value != /^.*ssh.exe.*$/ nocase or
   //$e.principal.resource.attribute.labels.value != /ssh\\.exe$/ nocase)/
   //$e.principal.resource.attribute.labels[1].value != "\\\\Device\\\\HarddiskVolumeShadowCopy18\\\\Windows\\\\WinSxS\\\\amd64_openssh-client-components-onecore_31bf3856ad364e35_10.0.19041.3636_none_7494d30cd1f2eb96"
   //$e.principal.resource.attribute.labels.value != /"\\bssh\\.exe\\b"/ nocase
   //$e.principal.resource.attribute.labels.value != /"Name":\\s"ssh.exe"/ nocase
   //$e.principal.resource.attribute.labels.value != /"Name"\\\\s*:\\\\s*"ssh\\.exe"/ nocase

Hi @abisec94,

As best practice, when you see a UDM field that is repeated (like below):

principal.resource.attribute.labels.key = "LastVerdict"
principal.resource.attribute.labels.value = "Suspicious"
principal.resource.attribute.labels.key = "LeadingHost"
principal.resource.attribute.labels.value = "true"

you can call these key value pairs like so:
INSTEAD OF:

principal.resource.attribute.labels.key = "LastVerdict"
principal.resource.attribute.labels.value = "Suspicious"

DO THIS:
principal.resource.attribute.labels["LastVerdict"] = "Suspicious"

unless of course, you want to find a value across the entire repeated UDM field.

In the initial sample log you've provided, I can't seem to locate where 'ssh.exe' is. However, let's say you want a simple regex across all of the repeated 'principal.resource.attribute.labels.value' entries to exclude 'ssh.exe'; you can do this:

$e.principal.resource.attribute.labels.value != /ssh\\.exe/ nocase

Kind Regards,

Ayman
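As an added illustration of the distinction drawn above (keyed access to one label versus a regex across the whole repeated labels field), here is a small Python model of the event's labels. This is example code written for this thread, not Google SecOps or YARA-L code; the label list is constructed from the AlertEvidence event in the question, with the masked host names replaced by placeholders, and the function names are the example's own.

```python
import json
import re

# Constructed sample: the repeated principal.resource.attribute.labels
# key/value pairs from the AlertEvidence event above, in the order they
# appear there. HostName is a placeholder because the original was masked.
SAMPLE_LABELS = [
    ("DetectionStatus", "Detected"),
    ("MergeByKeyHex", "BD5D218D9E5789C908AEAE7175FAD7A8DFF2211F"),
    ("OSFamily", "Windows"),
    ("OSVersion", "10.0"),
    ("Role", "0"),
    ("SuspicionLevel", "Suspicious"),
    ("Type", "host"),
    ("AdditionalFields", json.dumps({
        "HostName": "HOSTNAME-PLACEHOLDER",
        "OSFamily": "Windows",
        "OSVersion": "10.0",
        "IsDomainJoined": False,
        "LastVerdict": "Suspicious",
        "Type": "host",
        "LeadingHost": True,
        "DetectionStatus": "Detected",
    })),
    ("IsDomainJoined", "false"),
    ("LastVerdict", "Suspicious"),
    ("LeadingHost", "true"),
    ("MachineIdType", "3"),
]


def label_lookup(labels, key):
    """Keyed access, the equivalent of labels["LastVerdict"] in the answer:
    return the value paired with `key`, or None when the key is absent."""
    for k, v in labels:
        if k == key:
            return v
    return None


def any_value_matches(labels, pattern):
    """Scan the whole repeated field: True if the case-insensitive regex
    matches at least one value, no matter which key it belongs to."""
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.search(v) for _, v in labels)


def exclude_event(labels, pattern):
    """Exclusion as a filter would apply it across all values: keep the
    event (True) only when no label value matches the pattern."""
    return not any_value_matches(labels, pattern)


def parse_additional_fields(labels):
    """AdditionalFields is a JSON document stored as a string; parse it so
    its inner keys can be inspected like the top-level labels."""
    raw = label_lookup(labels, "AdditionalFields")
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # Keyed lookup answers "what is IsDomainJoined?" unambiguously ...
    print("IsDomainJoined =", label_lookup(SAMPLE_LABELS, "IsDomainJoined"))
    # ... whereas a value-only scan for "true" also hits LeadingHost.
    print("some value is 'true':", any_value_matches(SAMPLE_LABELS, r"^true$"))
    print("keep event (no ssh.exe):", exclude_event(SAMPLE_LABELS, r"ssh\.exe"))
    print("inner LastVerdict:", parse_additional_fields(SAMPLE_LABELS)["LastVerdict"])
```

The `IsDomainJoined`/`LeadingHost` pair shows why the keyed form is the safer default: a bare value scan for `true` reports a match even though the label you care about is `false`. The scan form is the right tool only when, as in the final rule above, you genuinely want to exclude a string wherever it appears. How YARA-L itself evaluates `!=` over a repeated field is not modelled here; the example only makes the two intents explicit.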

