topic Re: Excluding the service account from the Event of splunk ES. in Security

How to exclude the service account from the event of Splunk ES?

AL3Z — Tue, 20 Jun 2023 02:54:18 GMT

Hi,

I'm trying to exclude the service accounts of the users from the below event in splunk ES.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/><EventRecordID>668676978</EventRecordID><Correlation/><Execution ProcessID='656' ThreadID='6132'/><Channel>Security</Channel><Computer>swrfkeou09.am.win.cisco.com</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>BP_william_son</Data><Data Name='TargetDomainName'>AM</Data><Data Name='TargetSid'>AM\BP_william_son</Data><Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data><Data Name='SubjectUserName'>EC_OktaGMSER$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x7e3yd92a4</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data><Data Name='UserAccountControl'>
%%2048
%%2050</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data></EventData></Event>

Thanks

Re: Excluding the service account from the Event of splunk ES.

gcusello — Sat, 17 Jun 2023 10:25:04 GMT

Hi @AL3Z,

when you have one or more events with users that yu want to exclude from the results, you have to open the dropdown list on the rights of the dashboard and choose the option suppress events, eventually (it isn't mandatory) adding an expiratin date to this suppression rule.

You can also manage your suppression rules modifying them.

You culd also modify the scheduled search that populates the Authentication DataModel excluding these accounts.

Ciao.

Giuseppe

Re: Excluding the service account from the Event of splunk ES.

AL3Z — Mon, 19 Jun 2023 14:43:04 GMT

@gcusello

Here I'm trying to xclude the service account using join,

search:

(index=winevent OR index=winsec source="XmlWinEventLog:*") eventcode=4662 OR eventcode=4738

We have the field OU and processname associated with eventcode=4662
under ou we have a serviceid , we have to exclude this , under process name we have to exclude agent.exe,

Likewise there is other fields present in the eventcode 4738 which are not present in the 4662

How we can use the join and colerate these two datasets ?

Thanks.

Re: Excluding the service account from the Event of splunk ES.

gcusello — Mon, 19 Jun 2023 16:05:22 GMT

Hi @AL3Z,

using join command you never accelerate a search but you always slow it!

Anyway, to exclude results from a correlation search the easiest way is the suppression list I hinted.

Otherwise you can add a filter in the Correlation Search To exclude some resulta, but not a join.

Ciao.

Giuseppe