topic Re: Help with SEDCMD raw event size reduction in Getting Data In

How to achieve SEDCMD raw event size reduction?

DanAlexander — Thu, 15 Jun 2023 00:21:23 GMT

Hello community,

I am having an issue creating appropriate SEDCMD to reduce the size of specific Win events.

I am trying to extract only one random bit (could be anything) and through all the rest before they get indexed.

Below is the raw Event and wanted to drop (it is large). I just want a single word/line. I did try the following but it did nothing. Under the Splunk_TA_Windows local/props I did put something like [source::XmlWinEventLog:Security] SEDCMD-4688_splunkd_events_clearing=s/.\\Program Files\\.+\\splunkd\.exe//g

----------------------------------------------- Raw Event---------------------------------------------------

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid=' XXXXXXXX -4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10:39:41.797279900Z'/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer> XXXXXXXX </Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0 XXXXXXXX 7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>XXXXXXXX -16384</Data></EventData></Event>

Caller_Domain = XXXXXXXX ller_User_Name = XXXXXXXX Channel = SecurityComputer = XXXXXXXX privEVentId = EventIDError_Code = -EventCode = 4688EventData_Xml = <Data Name='SubjectUserSid'> XXXXXXXX </Data><Data Name='SubjectUserName'> XXXXXXXX</Data><Data Name='SubjectDomainName'> XXXXXXXX </Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x2734</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x17d4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>S-1-16-16384</Data>EventID = 4688EventRecordID = 12 XXXXXXXXid = '{54849625-XXXXXXXX-a5ba-3e3b0328c30d}'Keywords = 0x8020000000000000Level = 0Logon_ID = 0x3e7MandatoryLabel = S-1-16-16384Name = 'Microsoft-Windows-Security-Auditing'NewProcessId = 0x2XXXXXXXX4NewProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeOpcode = 0ParentProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeProcessID = '4'ProcessId = 0x17d4RecordNumber = 12536409SubjectDomainName = XXXXXXXXbjectLogonId = 0x3e7SubjectUserName = XXXXXXXX= S-1-5-18SystemTime = XXXXXXXX:39:41.797279900Z'System_Props_Xml = <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{XXXXXXXX4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-13T10XXXXXXXX/><EventRecordID>12536409</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='15216'/><Channel>Security</Channel><Computer>XXXXXXXX</Computer><Security/>TargetDomainName = -TargetLogonId = 0x0TargetUserName = -TargetUserSid = S-1-0-0Target_Domain = -Target_User_Name = -Task = 13312ThreadID = '15216'TokenElevationType = %%1936Token_Elevation_Type = %%1936Token_Elevation_Type_id = 1936Version = 2action = allowedapp = win:unknowndest = XXXXXXXX= XXXXXXXXcaracal01.greenstream.privdvc_nt_host = XXXXXXXXevent_id = 12536409eventtype = endpoint_services_processes eventtype = windows_endpoint_processes process report eventtype = windows_event_signature track_event_signatures eventtype = windows_process_new execute process start eventtype = wineventlog_security os windows eventtype = wineventlog_windows os windows eventtype = winsec securityhost = XXXXXXXXid = 12536409index = XXXXXXXXserverlinecount = 1name = A new process has been creatednew_process = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exenew_process_id = 0x2734new_process_name = splunk-MonitorNoHandle.exeparent_process = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeparent_process_id = 0x17d4parent_process_name = splunkd.exeparent_process_path = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeprocess = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeprocess_exec = splunk-MonitorNoHandle.exeprocess_id = 0XXXXXXXX4process_name = splunk-MonitorNoHandle.exeprocess_path = C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeproduct = Windowspunct = <_='://../////'><><_='---'_='{----}'/><></><></><>session_id = 0x3e7signature = A new process has been createdsignature_id = 4688source = XmlWinEventLog:Securitysourcetype = XmlWinEventLogsplunk_server = XXXXXXXX_nt_domain = XXXXXXXXsrc_user = XXXXXXXX$status = successsubject = A new process has been createdta_windows_action = failuretag = execute tag = os tag = process tag = report tag = security tag = start tag = track_event_signatures tag = windowsuser = XXXXXXXX$user_group = -vendor = Microsoftvendor_product = Microsoft Windows

Any help is much appreciated. Thank you All!

Re: Help with SEDCMD raw event size reduction

gcusello — Tue, 13 Jun 2023 11:44:39 GMT

Hi @DanAlexander,

you can use the TRUNCATE option in props.conf to define the max lenght of each event.

to use SEDCMD, you have to identify a regex with the contents to maintain.

Can you highlight in bold the events' partes to maintain?

did you defined a rule about the contents to maintain?

Ciao.

Giuseppe

Re: Help with SEDCMD raw event size reduction

DanAlexander — Tue, 13 Jun 2023 11:50:45 GMT

Thanks for the reply @gcusello

I would like to replace all of the content with the following: ParentProcessName = C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe

Regards,

Dan

Re: Help with SEDCMD raw event size reduction

gcusello — Tue, 13 Jun 2023 11:53:37 GMT

Hi @DanAlexander,

please try this:

SEDCMD = s/.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g

Ciao.

Giuseppe

Re: Help with SEDCMD raw event size reduction

DanAlexander — Tue, 13 Jun 2023 12:39:28 GMT

I tried the following but still, events are intact:

[XmlWinEventLog]

SEDCMD = s/.*/ParentProcessName \= C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g

Re: Help with SEDCMD raw event size reduction

gcusello — Tue, 13 Jun 2023 12:48:51 GMT

Hi @DanAlexander,

please try:

SEDCMD = s/.*/ParentProcessName\s*\=\s*C:\\Program\sFiles\\SplunkUniversalForwarder\\bin\\splunkd\.exe/g

it runs on regex101.com as you can see at https://regex101.com/r/TM5deo/1

if it doesn't run in Splunk, use three backslashes where there are two.

SEDCMD = s/.*/ParentProcessName\s*\=\s*C:\\\Program\sFiles\\\SplunkUniversalForwarder\\\bin\\\splunkd\.exe/g

Ciao.

Giuseppe

Re: Help with SEDCMD raw event size reduction

DanAlexander — Tue, 13 Jun 2023 13:17:12 GMT

Unfortunately is not working

Re: Help with SEDCMD raw event size reduction

gcusello — Tue, 13 Jun 2023 13:30:12 GMT

Hi @DanAlexander,

are you sure that your logs have sourcetype=XmlWinEventLog ?

Ciao.

Giuseppe

Re: Help with SEDCMD raw event size reduction

DanAlexander — Tue, 13 Jun 2023 14:24:43 GMT

Hi @gcusello,

I am sure the below:

source=XmlWinEventLog:Security with sourcetype=XmlWinEventLog

Thank you

Re: Help with SEDCMD raw event size reduction

gcusello — Tue, 13 Jun 2023 14:55:44 GMT

Hi @DanAlexander,

only for testing, please try:

SEDCMD = s/.*/ParentProcessName/g

If this runs, the problem is the regex for the substitution.

ciao.

giuseppe

Re: Help with SEDCMD raw event size reduction

DanAlexander — Tue, 13 Jun 2023 15:29:58 GMT

Hi @gcusello

I cannot test it in production as one of the indexers throughs a replication error and I had to rollback.

All regexes work but when adding to the Splunk TA Windows under local props would not work and logs are of the same size.

Any other thoughts, please?

Regards,

Dan

Re: Help with SEDCMD raw event size reduction

gcusello — Wed, 14 Jun 2023 07:18:40 GMT

Hi @DanAlexander,

could you use a test system with the same configurations?

I hinted this test because all the times I had to work with regexes containing backslasher I found problems in Splunk, but the SEDCMD I share should be correct.

For this reason I'd like to understand if the problem is inside or outside the regex, to be focused on the issue.

Ciao.

Giuseppe

Re: Help with SEDCMD raw event size reduction

DanAlexander — Wed, 14 Jun 2023 08:58:27 GMT

Hi @gcusello

I did add the below to one of our indexers in /opt/splunk/etc/system/local/props.conf for testing as the highest precedence and searched specifically for events coming from that particular indexer and still no changes seen

WinEventLog]