topic Re: How should the process name be designated for the blacklisting of Windows events? in Getting Data In

How should the process name be designated for the blacklisting of Windows events?

AL3Z — Tue, 21 Nov 2023 15:06:28 GMT

Hi,

I'm uncertain which Process name—CreatorProcessName, ParentProcessName, or NewProcessName—is the appropriate one to apply windows events blacklisting in this context.

Thanks..

Re: How should the process name be designated for the blacklisting of Windows events?

richgalloway — Tue, 21 Nov 2023 16:52:06 GMT

Splunk supports none of those directly. You'd have to use a regex on the Message field to filter on the desired process name. The most likely candidate is NewProcessName, but that depends on what event(s) you're filtering.

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Tue, 21 Nov 2023 19:05:55 GMT

@richgalloway ,

When I try to apply this blacklist it is not getting blacklisted even after applied matching regex pattern
blacklist3 = EventCode="4688" Message="(?:ParentProcessName).+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)"

https://regex101.com/r/Jq2IKb/1

What changes do we need here?

Thanks..

Re: How should the process name be designated for the blacklisting of Windows events?

richgalloway — Tue, 21 Nov 2023 19:57:23 GMT

I don't know why Splunk is not matching that event. The regex looks good to me. Perhaps try without the groups? It shouldn't matter, but perhaps it will and the groups are not necessary.

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Tue, 21 Nov 2023 20:27:29 GMT

Hi

Can you pls give me and eg. for above regex with out group ?

Thanks

Re: How should the process name be designated for the blacklisting of Windows events?

richgalloway — Tue, 21 Nov 2023 20:51:21 GMT

ParentProcessName.+Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Tue, 21 Nov 2023 21:12:23 GMT

@richgalloway ,

is this with quotes ?
blacklist5 = EventCode="4688" Message="(ParentProcessName.+Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe)"

Re: How should the process name be designated for the blacklisting of Windows events?

PickleRick — Tue, 21 Nov 2023 21:19:46 GMT

What format are you pulling the logs in? Traditional or XML?

 * $XmlRegex: Use this key for filtering when you render Windows Event
    log events in XML by setting the 'renderXml' setting to "true". Search
    the online documentation for "Filter data in XML format with the
    XmlRegex key" for details.

Re: How should the process name be designated for the blacklisting of Windows events?

richgalloway — Tue, 21 Nov 2023 21:20:56 GMT

You asked for a regex so that is what I gave you. Add quotes and other text as necessary.

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Wed, 22 Nov 2023 01:58:17 GMT

@PickleRick @richgalloway ,

Can we make changes to the splunk ta windows app inputs.conf of the deployment server ??

There was some configs messed up in the inputs.conf how we can restore to the previous configs ??

Thanks...

Re: How should the process name be designated for the blacklisting of Windows events?

PickleRick — Wed, 22 Nov 2023 10:00:59 GMT

That's another question, completely unrelated to the original issue. See my response in this thread https://community.splunk.com/t5/Deployment-Architecture/What-are-the-best-practices-for-creating-and-distributing-apps/m-p/668990 for managing apps.

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Wed, 22 Nov 2023 18:36:14 GMT

@richgalloway

Can we use the props and transforms to send the unwanted events to null queue aas the applied regex are not working!

Re: How should the process name be designated for the blacklisting of Windows events?

richgalloway — Wed, 22 Nov 2023 18:50:35 GMT

Yes, the indexers or heavy forwarders can use the regex to discard matching events.

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Sat, 25 Nov 2023 09:10:56 GMT

Hello, @richgalloway @PickleRick ,

The regex I used seems effective, but it's unexpectedly blocking all my Windows security events. I've checked the regex, and I haven't specifically blacklisted any Windows executables. Could you assist me in analyzing the below list of blacklisted executables?

# DO NOT EDIT THIS FILE!

# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.

# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default

# into ../local and edit there.

###### OS Logs ######

[WinEventLog://Security]

disabled = 0

start_from = oldest

current_only = 0

evt_resolve_ad_obj = 1

checkpointInterval = 5

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"

blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:Tanium\\Tanium Client)"

blacklist5 = EventCode="4688" Message="(?:Creator Process Name:).+(?:Tanium\\Tanium Client)"

renderXml=true

index = es_winsec

Thanks...

Re: How should the process name be designated for the blacklisting of Windows events?

richgalloway — Sat, 25 Nov 2023 13:09:59 GMT

@AL3Z wrote:
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.

Stop right there! These comments are very important and yet you've chosen to ignore them by editing a file that should not be modified. What other instructions have you disregarded?

The configs shown look good to me, but I am not familiar enough with Windows to know if there's something there that shouldn't be there or vice versa.

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Sat, 25 Nov 2023 19:35:43 GMT

@richgalloway

I have made changes to local inputs.conf on this app and deployed it to over 3k servers so we need to move these configurations from local to default to get it work ?

Thanks..

Re: How should the process name be designated for the blacklisting of Windows events?

richgalloway — Sat, 25 Nov 2023 20:47:30 GMT

It will work as it is, but it is poor practice. Your changes will be lost the next time Splunk_TA_windows is upgraded.

Re: How should the process name be designated for the blacklisting of Windows events?

tscroggins — Sat, 25 Nov 2023 21:09:39 GMT

Hi @AL3Z,

Windows event log events are stored by Windows in a language-independent format. When using renderXml = true, Splunk does not forward the locale-specific message string. You can further optimize forwarder resource usage by also setting the suppress_* settings to true.

In the case of the security event log Microsoft-Windows-Security-Auditing provider/source, event identifier 4688 will have no Message field beginning with "A new process has been created." You must instead use whitelist and blacklist values that reference $XmlRegex and match against the raw XML event.

For example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2023-11-19T16:06:34.0318973Z" /><EventRecordID>139624</EventRecordID><Correlation /><Execution ProcessID="4" ThreadID="344" /><Channel>Security</Channel><Computer>titan</Computer><Security /></System><EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName"></Data><Data Name="SubjectDomainName"></Data><Data Name="SubjectLogonId">0x3e7</Data><Data Name="NewProcessId">0x320</Data><Data Name="NewProcessName">C:\Windows\System32\lsass.exe</Data><Data Name="TokenElevationType">%%1936</Data><Data Name="ProcessId">0x1c8</Data><Data Name="CommandLine" /><Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName"></Data><Data Name="TargetDomainName"></Data><Data Name="TargetLogonId">0x0</Data><Data Name="ParentProcessName">C:\Windows\System32\wininit.exe</Data><Data Name="MandatoryLabel">S-1-16-16384</Data></EventData></Event>

The raw XML event contains a series of <Data> elements, one of which is <Data Name="NewProcessName">. To exclude a specific NewProcessName value, e.g. C:\Windows\System32\lsass.exe, we can construct a blacklist value using the $XmlRegex key. I'll use percent (%) as the regular expression delimiter. You can use one $XmlRegex key to match multiple parts of the raw XML or multiple $XmlRegex keys to make your matches easier to maintain. I've used three $XmlRegex keys to match the Provider, EventID, and Data elements:

blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">C:\\Windows\\System32\\lsass\.exe<\/Data>%

Note that I've included the provider/source because all Windows events are uniquely identified by a three-tuple of log, provider/source, and event identifier, e.g. Security, Microsoft-Windows-Security-Auditing, and 4688.

You can add additional processes to your blacklist by using a regular expression group construct within the NewProcessName match:

blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Windows\\System32\\lsass\.exe|C:\\Program Files\\MyApp\\MyProgram\.exe)<\/Data>%

This setting would be added to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf.

Note that the default blacklist1 and blacklist2 values provided by Splunk Add-on for Windows do not work when renderXML = true, so we'll modify those as well. I did not include the provider in the modifications; it's a direct translation of the default.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
suppress_keywords = true
suppress_opcode = true
suppress_sourcename = true
suppress_task = true
suppress_text = true
suppress_type = true
blacklist1 = $XmlRegex=%<EventID>4662<\/EventID>% $XmlRegex=%<Data Name="ObjectType">(?!\s*groupPolicyContainer)%
blacklist2 = $XmlRegex=%<EventID>566<\/EventID>% $XmlRegex=%<Data Name="ObjectType">(?!\s*groupPolicyContainer)%
blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Windows\\System32\\lsass\.exe|C:\\Program Files\\MyApp\\MyProgram\.exe)<\/Data>%

Deploy inputs.conf and restart Splunk Universal Forwarder using your configuration management tool of choice, e.g. a Splunk deployment server.

Re: How should the process name be designated for the blacklisting of Windows events?

tscroggins — Sun, 26 Nov 2023 01:33:08 GMT

For reference:

1. Microsoft Corporation. "About Event Logging." Windows App Development, 7 January 2021, https://learn.microsoft.com/en-us/windows/win32/eventlog/about-event-logging.

2. Splunk Inc. "inputs.conf Event Log allow list and deny list formats." Splunk Enterprise Admin Manual, 16 November 2023, https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_allow_list_and_deny_list_formats.

Re: How should the process name be designated for the blacklisting of Windows events?

AL3Z — Mon, 27 Nov 2023 08:47:52 GMT

Hi @tscroggins @richgalloway @PickleRick ,

In this below sample event the C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe appears in both ParentParentName and NewProcessName, we might need a specialized handling. Would you like help with a xml regex pattern to cover these conditions?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T08:18:13.998467800Z'/><EventRecordID>151265209</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='11116'/><Channel>Security</Channel><Computer>xxvy.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3978</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f80</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Can we use like this ?

blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%

blacklist5= $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%