topic Re: Issue excluding Windows events for a specific new process in Getting Data In

Issue excluding Windows events for a specific new process

SplunkUser5 — Wed, 21 Feb 2024 22:54:54 GMT

Hi Folks,

I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon so we're not super worried about it.

I've looked at a handful of community articles, tried what was posted, and I'm stumped. My regex syntax looks fine, but Splunk still isn't excluding the events. Here's what I've tried so far:

_____inputs.conf_____ blacklist3 = EventCode="4688" new_process_name=".*Teams.exe" blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>" blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>" blacklist3 = EventCode="4688" $XmlRegex="Name=\'NewProcessName\'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe<\/Data>" None of these have worked. I found a couple community articles saying props.conf and transforms.conf was the proper way to filter out events so I tried these as well: _____props.conf_____ [WinEventLog:Security] TRANSFORMS-null = 4688cleanup _____transforms.conf_____ [4688cleanup] REGEX = "Teams\.exe<\/Data>" DEST_KEY = queue FORMAT = nullQueue And this: _____transforms.conf_____ [4688cleanup] REGEX = <EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data> DEST_KEY = queue FORMAT = nullQueue

None of these have worked so far and I'd appreciate any input y'all have.

Here is a copy of an event I'm trying to exclude from being indexed (Teams.exe as a new process):

<Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:11:25.7542758Z'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1124'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x11111111</Data><Data Name='NewProcessId'>0x5864</Data><Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4604</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>

And a copy of an event we'd like to keep (Teams.exe as a parent process, but not the new process):

<Event xmlns='http:// schemas .microsoft .com/win/2004/08/events/event '><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:33:19.5932251Z'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='31196'/><Channel>Security</Channel><Computer>{Device_FQNDN</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x1111111</Data><Data Name='NewProcessId'>0x7664</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4238</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>

Events obfuscated for privacy. Like I said, the regex syntax looks fine as far as I can tell and matches in regex101 so I'm hoping it's a small thing I'm overlooking. We're running Splunk v9.1.1 if that makes any difference. Thanks!

-SplunkUser5

Re: Issue excluding Windows events for a specific new process

jotne — Thu, 22 Feb 2024 06:46:55 GMT

You regex:

REGEX = "Teams\.exe<\/Data>"

does not hit your input data due to the quote.

Do not quote your regex in transforms.conf

REGEX = Teams\.exe<\/Data>

Re: Issue excluding Windows events for a specific new process

VatsalJagani — Thu, 22 Feb 2024 07:08:27 GMT

@SplunkUser5 - Yes @jotne is right about transforms.conf issue.

But if you want to exclude at the input level. This is a common issue I come across all the time and I keep forgetting again and again that is Windows path requires extra backslashes in the regex sometimes.

Try:

C:\\\Users\\\.*\\\AppData\\\Local\\\Microsoft\\\Teams\\\current

(try the 4 backslash version as well, as I'm not sure which one will work. I always have to do try and error between 2, 3, and 4 backslashes.)

I hope this helps!!! Kindly upvote if it does!!!

Re: Issue excluding Windows events for a specific new process

SplunkUser5 — Fri, 23 Feb 2024 00:30:16 GMT

Did not realize that. Thank you for the correction.

Removing quotes didn't exclude the Teams events though so I must have something else set wrong. As far as what I have posted, does it seem right? I'm not super familiar with troubleshooting props.conf and transforms.conf settings yet.

Re: Issue excluding Windows events for a specific new process

SplunkUser5 — Fri, 23 Feb 2024 00:36:39 GMT

Thanks for the input. Escaping the escape characters seems a bit silly, but alright. I couldn't get it working today so I'll try a few more variations next week as I have time. Appreciate the help!

Re: Issue excluding Windows events for a specific new process

jotne — Fri, 23 Feb 2024 06:34:48 GMT

You did remove the quotes in the second transform you posted 🙂

Problem with your first regex, is that it hits both the one to remove and the one to keep.

This may work:

NewProcessName.*?Teams\.exe<\/Data>.*?ParentProcessName

Looking for Teams.exe after NewProcessName and before ParentProcessNaneme

Always test your regex, like this:
https://regex101.com/r/v97Z1h/1

Edit:
This may be faster, since it uses less steps to find the data:

NewProcessName[^<]+Teams\.exe<

Edit2
You can also set a sourcetype for the data you are trying to delete. This way nothing are removed before you see that all is ok. If sourcetype = ToDelete show correct data, then you can send it to nullQueue:

[4688cleanup] REGEX = NewProcessName[^<]+Teams\.exe< DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::ToDelete

Re: Issue excluding Windows events for a specific new process

SplunkUser5 — Fri, 15 Mar 2024 23:29:10 GMT

I did get the exclusion under inputs.conf to work with different indexes using this format, just with double slashes rather than triple or quadruple, so there's just an issue with how my Windows security events are setup.

We're upgrading to v9.2 soon in case it's an issue with the arbitrary formatting of the Forwarded Events channel from the v9.1 update. The inputs.conf exclusion seems to work with everything else.

Re: Issue excluding Windows events for a specific new process

SplunkUser5 — Fri, 15 Mar 2024 23:31:29 GMT

I finally tried this using a different index and it worked just fine. I'm thinking it's an issue with the Forwarded Events channel forwarding issue introduced in v9.1. Once we upgrade to v9.2, it should work just fine for EventID 4688.

Again, thanks for the input!