topic Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address in Monitoring Splunk

Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

Alex_Rus — Tue, 01 Oct 2024 09:53:57 GMT

Hi Splunk community!

I need to filter events from the Splunk_ta_Windows application by the EventCode, Account_Name and Source_Network_Address fields. Tell me, in what form should props.conf and transform.conf be written and in what folder should they be located?

Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

gcusello — Tue, 01 Oct 2024 10:07:21 GMT

Hi @Alex_Rus ,

let me understand: you want to filter events on the Universal Forwarder, is it correct?

see blacklists and whiteslists in Splunk_TA_Windows documentation that guides you:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_filtering

Ciao.

Giuseppe

Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

Alex_Rus — Tue, 01 Oct 2024 10:15:06 GMT

App on deployment-server. I think, filtering by props and transform is better, but maybe I'm wrong)

Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

gcusello — Tue, 01 Oct 2024 10:19:11 GMT

Hi @Alex_Rus ,

yes, it's possible modifying inputs.conf on your Splunk_TA_Windows adding whitelists and/or blacklists to filter your events.

Otherwise it's possible to filter events, using props.conf and transfroms.conf on the Indexers following the instrauctions at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues

If possible it's better the first solution (inputs.conf), otherwise you can use the second one.

Ciao.

Giuseppe

Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

Alex_Rus — Wed, 02 Oct 2024 08:26:56 GMT

If I use blacklist, how can I filter by multiple events at once? I need to filter by Account_Name, Source_Network_Address and eventcode. How stanza will look?

Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

gcusello — Wed, 02 Oct 2024 08:47:33 GMT

Hi @Alex_Rus ,

you have to find a regex to filter your events, you can test your regex using the regex command.

then put the regex in inputs.conf:

blacklist = key=regex

if you want more help, please share a sample of the logs to filter.

Ciao.

Giuseppe

Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

Alex_Rus — Wed, 02 Oct 2024 09:12:11 GMT

Log Name: Security
EventCode: 4624
EventType: 0
ComputerName: MY_ComputerName
SourceName: Microsoft Windows security auditing.
Type: Information
RecordNumber: 93370261535
Keywords: Audit Success
TaskCategory: Logon
OpCode: Info
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: No
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-877741627-2216037581-1742749770-81699
Account Name: MY_Account Name
Account Domain: MY_Account Domain
Logon ID: 0x2153A91CB
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {-}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: -
Source Network Address: MY_Source Network Address
Source Port: Port

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred.

The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e., the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request. Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. Transited services indicate which intermediate services have participated in this logon request. Package name indicates which sub-protocol was used among the NTLM protocols. Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Re: Filter wineventlog:security by eventcode, Account_Name and Source_Network_Address

gcusello — Wed, 02 Oct 2024 09:19:58 GMT

Hi @Alex_Rus ,

please try this regex in the blacklist option,

(?ms)EventCode: 4624.*Account Name: MY_Account Name.*Source Network Address: MY_Source Network Address

otherwise, please try it in the transpose.conf (on Indexers) to filter events.

Ciao.

Giuseppe