topic Re: How to blacklist Windows Security Events in XML format in All Apps and Add-ons

How to blacklist Windows Security Events in XML format

gratstein — Wed, 30 Sep 2020 04:30:08 GMT

Hello,

I'm trying to blacklist Windows Security Events in XML format.

In non XML format we have this blacklist

blacklist3 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"

The format for XML blacklist is described here
hxxps://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_and_whitelists_to_filter_on_XML-based_events

blacklist1 = $XmlRegex =

This is not accepted

blacklist1 = $XmlRegex = <EventID>4688<\/EventID>.*<Data Name=\'NewProcessName\'>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe

Character ' is seen as a delimiter.

Has anyone been able to build something similar?
Is it a good idea to keep the EventID in the regex?

RAW Event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{12345678-1234-1234-A1B2-1A2B3456C78D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated1 SystemTime='2020-03-05T17:11:17.754003000Z'/><EventRecordID>5254707</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='11888'/><Channel>Security</Channel><Computer>COMPUTER.contoso.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>COMPUTER$</Data><Data Name='SubjectDomainName'>CONTOSO</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3668</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3c28</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>S-1-16-16384</Data></EventData></Event>

Thanks.

Re: How to blacklist Windows Security Events in XML format

xavierashe — Thu, 12 Mar 2020 03:10:58 GMT

have you tried not escaping the carat?

blacklist1 = $XmlRegex = <EventID>4688<\/EventID>.*<Data Name='NewProcessName'>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe

Re: How to blacklist Windows Security Events in XML format

gratstein — Fri, 13 Mar 2020 09:58:39 GMT

Thanks for the help. The ' character is seen as a a delimiter so it's seeking for a new key after 'NewProcessName'

03-13-2020 02:53:52.326 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist4', failed to find key in string data '>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe'

Re: How to blacklist Windows Security Events in XML format

xavierashe — Fri, 13 Mar 2020 12:09:17 GMT

Have you tried dots instead of quotes?

blacklist1 = $XmlRegex = <EventID>4688<\/EventID>.*<Data Name=.NewProcessName.>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe

Re: How to blacklist Windows Security Events in XML format

gratstein — Fri, 13 Mar 2020 14:41:07 GMT

Same error message

03-13-2020 06:37:58.315 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist1', failed to find key in string data '>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe'

Re: How to blacklist Windows Security Events in XML format

gratstein — Fri, 13 Mar 2020 15:02:53 GMT

I needed to add the double quotes, this is working now

blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe"

Re: How to blacklist Windows Security Events in XML format

xavierashe — Fri, 13 Mar 2020 15:04:40 GMT

blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi))\.exe"

Re: How to blacklist Windows Security Events in XML format

xavierashe — Fri, 13 Mar 2020 15:05:14 GMT

Great! I'll toss it down in the answers for future readers.

Re: How to blacklist Windows Security Events in XML format

seanjconnell — Tue, 08 Sep 2020 17:52:31 GMT

You answered my same question from earlier with this one.