All Apps and Add-ons

How to filter EventID’s using “Splunk Add-on for Microsoft Windows” (Splunk_TA_windows) challenge.

BDein
Explorer

Does anyone have core knowledge on how the remove all events the fulfill these two searches, then I’d be very pleased to hear how, as I’ve already spend quite a bit of time investigating, editing and deploying unfortunately still without lock:

  1. index=wineventlog EventCode=4672 host IN (SKEXCH0*) src_user IN (SKEXCH0*$)
  2. index=wineventlog EventID=4624 TargetUserName=cscad WorkstationName IN (VHPDOC540*) IpAddress=“122.85.52.*”

Where the source for each of the two is as follows:
1.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:49:51.515030900Z'/><EventRecordID>7104199399</EventRecordID><Correlation ActivityID='{08b0282e-d41c-0001-cb3d-b0081cd4d801}'/><Execution ProcessID='924' ThreadID='54024'/><Channel>Security</Channel><Computer>SKEXCH03.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SKEXCH03$</Data><Data Name='SubjectDomainName'>SON</Data><Data Name='SubjectLogonId'>0x183d0ad065</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event>

2.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:55:10.9831608Z'/><EventRecordID>790343401</EventRecordID><Correlation/><Execution ProcessID='860' ThreadID='11144'/><Channel>Security</Channel><Computer>SKDC02.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-606747145-57989841-682003330-85457</Data><Data Name='TargetUserName'>cscad</Data><Data Name='TargetDomainName'>SON</Data><Data Name='TargetLogonId'>0x11a5ba720</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>VHPDOC540COP001</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>122.85.52.113</Data><Data Name='IpPort'>53191</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>


In the inputs.conf I’ve tried the following without any success – yet:

[WinEventLog://Security]
disabled = 0

whitelist = 512,513,517,528,529,530,531,532,533,534,535,536,537,539,540,552,592,601,602,612,624,632,636,660,852,1102,4608,4616,4624,4625,4648,4649,4656,4662,4670,4672,4688,4697,4698,4702
,4719,4720,4723,4728,4732,4742,4746,4751,4756,4761,4768,4769,4771,4776,4794,5025,5152,5805,5827,5828,5829,5830,5831,7045,7468

## Blacklisted EventCodes for Exchange and cscad
blacklist3 = EventCode="4672" host="SKEXCH0.*" src_user="SKEXCH\d{2}\$"
blacklist4 = EventCode="4624" TargetUserName="cscad" WorkstationName="VHPDOC540.*" IpAddress="122\.85\.52\.\d{1,3}"
blacklist5 = $XmlRegex="<EventID>4672</\EventID>.*?<Computer>SKEXCH\d{2}\.[a-zA-Z0-9\.]+<\/Computer>.*?SubjectUserName'>SKEXCH\d{2}\$<\/Data>"
blacklist6 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
blacklist7 = $XmlRegex="\<EventID\>4672\</\EventID\>.*?<Computer\>SKEXCH\d{2}\.[a-zA-Z0-9\.]+\<\/Computer\>.*?SubjectUserName\'\>SKEXCH\d{2}\$\<\/Data\>"
blacklist8 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"

renderXml=true
index = wineventlog
Labels (1)
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...