topic Re: Wineventlog blacklist not working in Getting Data In

How to blacklist EventCode 5145 with Wineventlog?

sun1000 — Mon, 14 Mar 2022 13:26:14 GMT

I am trying to blacklist EventCode 5145 with specific message and it is not working.

Example Event:

LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=5145
EventType=4
Type=Success Audit
ComputerName=xxxx
Category=11111
CategoryString=none
RecordNumber=xxxx
Message=A network share object was checked to see whether client can be granted desired access.

Subject:
Security ID:
Account Name:
Account Domain:
Logon ID:

Network Information:
Object Type: File
Source Address:
Source Port:

Share Information:
Share Name:
Share Path: \
Relative Target Name: x.dxmdg.com\Policies\{123456789456456456454654464546464558655}\Machine\Preferences\Registry\Registry.xml

Access Request Information:
Access Mask:
Accesses:

Access Check Results:

With below blacklist and it is not working
blacklist4 = EventCode="5145" Message="Relative Target Name:\s.+Registry.xml"

Please provide some suggestions

Re: Wineventlog blacklist not working

gcusello — Fri, 16 Apr 2021 06:27:33 GMT

Hi @sun1000,

in blacklist and whitelist options, you have to use a regex not only insert your conditions.

So please find the correct regex and try something like this:

| rex "(?ms)EventCode\=5145.*Message\=Relative Target Name:\s.+Registry\.xml"

You can see a similar regex at https://regex101.com/r/7HVoS2/1

Ciao.

Giuseppe

Re: Wineventlog blacklist not working

despoilerr — Mon, 14 Mar 2022 13:04:25 GMT

hi @gcusello i have a similar issue and i am trying to Blacklist the eventCode 4662 on universal forwarder except when AccountName!=*$ Accessmask= 0x100

Sample Log
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
EventType=0
Type=Information
ComputerName=xxxxxxxxxxxxxxxxxxxxxxxx
TaskCategory=Directory Service Access
OpCode=Info
RecordNumber=1079080612
Keywords=Audit Success
Message=An operation was performed on an object.

Subject :
Security ID: xx\Axxxxx
Account Name: Axxxxx
Account Domain: xxxx
Logon ID: xxxxxxxx

Object:
Object Server: DS
Object Type: computer
Object Name: CN=YDxxxx,OU=xxxxx,OU=xxxx,OU=xxxxx,DC=xxxx,DC=xxxx,DC=xxx
Handle ID: 0x0

Operation:
Operation Type: Object Access
Accesses: Control Access

Access Mask: 0x100
Properties: Control Access
Default Property Set
ms-Mcs-AdmPwd
computer

Additional Information:
Parameter 1: -
Parameter 2:

I tried multiple regex and didnt work in my inputs.conf

1) blacklist1 = EventCode="4662" Message="(Object Type:(?=\s*groupPolicyContainer))
[\s\S]*((Properties:(?=[\s\S]*Default Property Set(.*)\s*ms-Mcs-AdmPwd))(Access Mask:(?=[\s\S]*0x100)))"

2) blacklist1 = EventCode="4662" Message="(?ms)Account\sName:[\s\S]*\$*Access\sMask:[\s\S]+0x(0$|1$|2$|20$)"

Re: Wineventlog blacklist not working

bursteinb — Wed, 14 Sep 2022 18:47:42 GMT

Were you ever able to figure this out? I'm having the exact same issue trying to filter 4662 while allowing the group policy AND LAPS logs.

Re: How to blacklist EventCode 5145 with Wineventlog?

scelikok — Thu, 15 Sep 2022 03:59:50 GMT

Hi,

Could you please try below? I used the filter as blacklist3 because Windows TA already has blacklist1 ve blacklist2.

blacklist3= EventCode="4662" Message="(?ms)Account\sName:[\s\S]+\$.*Access\sMask:[\s\S]+0x100"

Re: How to blacklist EventCode 5145 with Wineventlog?

bursteinb — Thu, 15 Sep 2022 13:30:46 GMT

I appreciate the assistance but unfortunately that's not working. When applied, it looks like it's blocking only Access Mask 0x100 which is what the LAPS events fall under.

I had been considering compromising and allowing all 0x100 though, and I tried that a few different ways, but it seems like no matter what I try if I do ANY blacklisting of EventCode 4662 of any kind, the LAPS logs won't show up. When allowing 0x100, other 0x100 logs show up but the LAPS ones do not for some reason. When I remove any 4662 blacklists, they start showing up again.