Jump to content
DarrenWhite99

Improving the SW Monitors to support Whitelist and Blacklist Wildcards

Recommended Posts

The "SW - BlackListed Install" and "SW - Unclassified Apps" monitors do not support wildcard matching, so whitelisted or blacklisted application entries with wildcards are not used in these monitor results. This causes false positives, extra ticket noise, etc.

These monitors can be adjusted to support wildcards.

For the "SW - Unclassified Apps" monitor, the default "Result" field value is: 

(Select Name from Applicationblacklist union select name from applicationwhitelist)

To enable Wildcard matching, replace the Result value with the following:

(SELECT DISTINCT `Name` FROM (SELECT Software.Name FROM Software JOIN (SELECT REPLACE(`Name`,'*','%') AS `Name` FROM ApplicationBlacklist WHERE INSTR(REPLACE(`Name`,'*','%'),'%')>0 UNION SELECT REPLACE(`Name`,'*','%') FROM ApplicationWhitelist WHERE INSTR(REPLACE(`Name`,'*','%'),'%')>0) AS AppMatches ON Software.`Name` LIKE AppMatches.`Name` UNION SELECT Software.Name FROM Software JOIN (SELECT `Name` FROM ApplicationBlacklist WHERE INSTR(`Name`,'%')=0 UNION SELECT `Name` FROM ApplicationWhitelist WHERE INSTR(`Name`,'%')=0) AS AppList ON Software.Name = AppList.Name) AS Applications)

 

For the "SW - BlackListed Install" monitor, the default "Result" field value is: 

(Select Name from Applicationblacklist)

To enable Wildcard matching, replace the Result value with the following: 

(SELECT DISTINCT `Name` FROM (SELECT Software.Name FROM Software JOIN (SELECT REPLACE(`Name`,'*','%') AS `Name` FROM ApplicationBlacklist WHERE INSTR(REPLACE(`Name`,'*','%'),'%')>0) AS AppMatches ON Software.`Name` LIKE AppMatches.`Name` UNION SELECT Software.Name FROM Software JOIN (SELECT `Name` FROM ApplicationBlacklist WHERE INSTR(`Name`,'%')=0) AS AppList ON Software.Name = AppList.Name) AS Applications)

I hope this helps!

It has been reported that some browsers are not copying the text correctly. Chrome is believed to work, Firefox may be suspect. If you have any errors try copying the text using a different browser.

  • Thanks 6

Share this post


Link to post
Share on other sites

I am trying to figure out how to adapt this to the SVC - Auto Services Stopped monitor.  With the MessagingService_random service on some of my customers computers, it is impossible to get them blacklisted.  I could add the argument directly in the monitor, but it would be nice to be able to use wildcards in this one.

 

thanks!

Cliff 

Share this post


Link to post
Share on other sites

If I have the following item "Opera Stable 52.0.2871.64" in the Whitelist and the newly installed software "Opera Stable 54.0.2952.54" is found on an agent, will this monitor (in its Wildcard-enabled form for the monitor SW - Unclassified Apps) trigger an alert?

Share this post


Link to post
Share on other sites

If the Unclassified Application Monitor is updated to respect wildcard based items in the Whitelist and Blacklist, it will not trigger an alert for "Unclassified" software since it will recognize that it belongs to the Whitelist or Blacklist.

Share this post


Link to post
Share on other sites

Thanks for you help in advance.

Apparently I don't have this setup properly.

The app Gyazo has updated to version 3.3.8 and the custom monitors I created with those additions have created a ticket for the agents with the app on them even tho Gyazo has been added to the Whitelist from previous versions.

Here is the applicable part of my Whitelist:

273ad34c6428bd88c52bd4c97e3e18ff.png

 

Here is the custom monitor:

658a45ffa84c2b194064515dc57fc857.png

The result field is:

(SELECT DISTINCT `Name` FROM (SELECT Software.Name FROM Software JOIN (SELECT REPLACE(`Name`,'*','%') AS `Name` FROM ApplicationBlacklist WHERE INSTR(REPLACE(`Name`,'*','%'),'%')>0 UNION SELECT REPLACE(`Name`,'*','%') FROM ApplicationWhitelist WHERE INSTR(REPLACE(`Name`,'*','%'),'%')>0) AS AppMatches ON Software.`Name` LIKE AppMatches.`Name` UNION SELECT Software.Name FROM Software JOIN (SELECT `Name` FROM ApplicationBlacklist WHERE INSTR(`Name`,'%')=0 UNION SELECT `Name` FROM ApplicationWhitelist WHERE INSTR(`Name`,'%')=0) AS AppList ON Software.Name = AppList.Name) AS Applications)

 

Does anything look amiss?

 

Share this post


Link to post
Share on other sites

As I am not a sql person (and I did not attempt to pull it apart and understand it which is my mistake), I thought what was happening is that the unclassified app was compared to the entries in the whitelist in a regular expression type of way.  That way there the whitelist could be used in its present form.  Thanks for the clarification.  I'll add an entry for each of the app groups to the whitelist.

Share this post


Link to post
Share on other sites

Technically it supports using * or % as a wildcard character, but I prefer % since that follows with usage in other areas of Automate (% being the SQL Wildcard character).

Share this post


Link to post
Share on other sites

Thank you Darren. I just changed those monitors today after getting 1,100 tickets for unclassified apps (post ITNE we did a reset on Ignite to audit what we are and aren't monitoring).

 

-Mike

Share this post


Link to post
Share on other sites
Posted (edited)

Just so I am clear, with this new monitor, do we still goto a machine, and whitelist or blacklist an application as per normal or do we goto the Dashboard and add an Entry with the wildcard (like Firefox%)?

Edit - Not that I've actually READ the whole post, it looks like I should be adding entries manually...

Edited by Mark Hodges

Share this post


Link to post
Share on other sites

So, the more I go through this whole unclassified, whitelisted and blacklisted app list, the more I think that the simpliest and smartest way to handle this is really to have a weekly task of reviewing the unclassified list, finding anything that I want to blacklist, using the wildcard to blacklist and then run a script that copies everything that exists in the unclassified to whitelist.

I mean its probably going to help to setup the wildcard values for most of the common apps, but damn there way too many unique apps to do it for most of the apps.

Share this post


Link to post
Share on other sites

When you are having to repeatedly whitelist new versions of previously whitelisted applications, you might want to use a wildcard. 

Share this post


Link to post
Share on other sites

yeah, I've been going through the list and query results and sorting and looking for those commonalities like Microsoft*, firefox*,etc

Its all those oddball crap that's listed that is annoying... :)

Share this post


Link to post
Share on other sites
On 6/24/2019 at 8:10 AM, Mark Hodges said:

yeah, I've been going through the list and query results and sorting and looking for those commonalities like Microsoft*, firefox*,etc

Its all those oddball crap that's listed that is annoying... :)

I made the monitor handle "*" automatically, but it's good to think in MySQL terms. "%" is the wildcard character, not "*".  Whenever "*" works as a SQL wildcard it is because someone is changing it to "%" for you.

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...