topic Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder. in Splunk Search

Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Wed, 06 Dec 2023 13:08:37 GMT

Hi,

Looking for some assistance with Regex to blacklist inputs.conf on Windows Systems. We modified inputs.conf located:
/opt/apps/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf

Applied Regex :

blacklist1 = EventCode="4688" $XmlRegex="<Data Name='NewProcessName'> (C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe)|(C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe) </Data>"

I attempted all available methods to blacklist the events above, but they did not take effect. Do we need to make modifications in order to successfully blacklist them?

Thanks

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

gcusello — Mon, 09 Oct 2023 16:51:40 GMT

Hi @AL3Z,

please try this regex:

\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumCX\.exe)

that you can test at https://regex101.com/r/053rNX/1

Ciao.

Giuseppe

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Tue, 10 Oct 2023 13:56:05 GMT

@gcusello
Hi @gcusello/@richgalloway ,
This regex is not getting applied forthe events. I believe we need to blacklist by using parent field ??

blacklist3 = $XmlRegex="<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)"

This is the actual log from EventViewer :

A new process has been created.

Creator Subject:

Security ID: SYSTEM

Account Name: SECUREJUMP$

Account Domain: EC

Logon ID: 0x3E7

Target Subject:

Security ID: NULL SID

Account Name: -

Account Domain: -

Logon ID: 0x0

Process Information:

New Process ID: 0x561c

New Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe

Token Elevation Type: %%1936

Mandatory Label: Mandatory Label\System Mandatory Level

Creator Process ID: 0x3520

Creator Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Process Command Line:

Thanks

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

richgalloway — Mon, 09 Oct 2023 17:50:52 GMT

The RHS of the blacklist setting must be in key=regex format where key is one of Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, or User; and regex is a regular expression enclosed in delimiters (quotes can be a delimiter).

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

richgalloway — Tue, 10 Oct 2023 12:15:30 GMT

I see a few problems here.

1. The blacklist1 setting is not in the proper format. It must be a list of event IDs or a keyword followed by "=" followed by a regular expression.

2. The regex shown is trying to match XML, but the sample event is not in XML.

3. The regex is looking for text ("4688", "MsSense.exe", "TaniumCX.exe") that is not in the sample event.

Any of these would cause the blacklist to fail. To fix them:

1. Put the blacklist1 setting in an expected format.

2. Examine the log entry as Splunk sees it (_raw) rather than as shown by another program (which may have changed it for display purposes).

3. Ensure the regex matches the sample data.

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Tue, 10 Oct 2023 15:05:11 GMT

Hi @richgalloway ,

Need a clarification on blacklisting the field which one we need to put under blacklist is it newprocessname or parentprocessname ??

Thanks

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

richgalloway — Tue, 10 Oct 2023 15:53:35 GMT

The blacklist setting supports neither of those. See my earlier reply for the list of supported keywords/fields.

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Tue, 10 Oct 2023 23:39:56 GMT

Hi @richgalloway @gcusello ,

Is there any option where we can see the errors for the blacklisted regex if it's not getting applied?

Thanks..

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

richgalloway — Wed, 11 Oct 2023 00:14:29 GMT

I'm not aware of any such option. Perhaps one of the DEBUG log settings will help.

Failure to apply a regex is not an error - it just means the data doesn't match the regex, which is perfectly normal.

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Fri, 13 Oct 2023 17:22:40 GMT

Hi,

I have been struggling to fix this blacklist in windows_ta app inputs.conf in the DS and deployed it to clients but it not working as expected, please help me in fixing this issue

Still logs are ingesting..

Thanks Eagerly waiting for your answers....

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

gcusello — Wed, 11 Oct 2023 06:29:15 GMT

Hi @AL3Z ,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Inputsconf , blacklist uses a regex, so if in your logs there isn't the exact string EventCode="4662" with equal and quotes, the filter doesn't work.

Use regex101 (as I did in my first answer) to find the regex to filter your logs.

Ciao.

Giuseppe

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Wed, 11 Oct 2023 06:52:40 GMT

@gcusello Is this a right format of applying?

blacklist5 = EventCode="4688" $XmlRegex="

Thanks..

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

gcusello — Wed, 11 Oct 2023 06:54:55 GMT

Hi @AL3Z,

this regex seems to not work,

Did you tried the one I shared (that works on rgex101)?

Ciao.

Giuseppe

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Wed, 11 Oct 2023 06:57:00 GMT

It's not 4662 it's 4688.

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Wed, 11 Oct 2023 07:05:55 GMT

Nope, I have added $xmlRegex followed by your regex

Is this a right one as you mentioned in the regex101 if not pls correct it

blacklist5 = EventCode="4688" Message="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumCX\.exe)"

Thanks

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

gcusello — Wed, 11 Oct 2023 07:08:22 GMT

Hi @AL3Z,

don't use quotes:

blacklist5 = \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumCX\.exe)

Ciao.

Giuseppe

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Wed, 11 Oct 2023 08:09:42 GMT

Hi @gcusello ,

This regex is not working ! Do we need to use followed by EventCode="4688" Message=" " to get it work ?

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

gcusello — Wed, 11 Oct 2023 08:25:23 GMT

Hi @AL3Z ,

it's a regex, instead these are Splunk fields: try only the regex.

the EventCode=4688 is inside the regex, so you don't need to repeat it.

Ciao.

Giuseppe

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

AL3Z — Wed, 11 Oct 2023 09:49:43 GMT

Hi @gcusello ,

I had gone through your one of the answer in the post
https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-inputs-conf/td-p/598999
, But in my case there is no Transforms.conf in my windows_ta app,H ow we can apply the same in my case and stop the logs from ingesting into splunk ?

Thanks

Re: Having trouble in applying regex to blacklist Windows events on a Universal Forwarder.

gcusello — Wed, 11 Oct 2023 10:04:48 GMT

Hi @AL3Z,

blacklisting is in inputs.conf.

transformas.conf and props.conf is the second solution described in the above link used to filter logs on Indexers or Heavy Forwarders (if present), when you cannot filter logs on the Universal forwarder.

It isn't your situation: you have to find the exact regex, please try with my first regex, to insert in the blacklist option of your inputs.conf

Ciao.

Giuseppe