All Apps and Add-ons

How to filter EventID’s using “Splunk Add-on for Microsoft Windows” (Splunk_TA_windows) challenge.

BDein
Explorer

Does anyone have core knowledge on how the remove all events the fulfill these two searches, then I’d be very pleased to hear how, as I’ve already spend quite a bit of time investigating, editing and deploying unfortunately still without lock:

  1. index=wineventlog EventCode=4672 host IN (SKEXCH0*) src_user IN (SKEXCH0*$)
  2. index=wineventlog EventID=4624 TargetUserName=cscad WorkstationName IN (VHPDOC540*) IpAddress=“122.85.52.*”

Where the source for each of the two is as follows:
1.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:49:51.515030900Z'/><EventRecordID>7104199399</EventRecordID><Correlation ActivityID='{08b0282e-d41c-0001-cb3d-b0081cd4d801}'/><Execution ProcessID='924' ThreadID='54024'/><Channel>Security</Channel><Computer>SKEXCH03.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SKEXCH03$</Data><Data Name='SubjectDomainName'>SON</Data><Data Name='SubjectLogonId'>0x183d0ad065</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event>

2.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:55:10.9831608Z'/><EventRecordID>790343401</EventRecordID><Correlation/><Execution ProcessID='860' ThreadID='11144'/><Channel>Security</Channel><Computer>SKDC02.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-606747145-57989841-682003330-85457</Data><Data Name='TargetUserName'>cscad</Data><Data Name='TargetDomainName'>SON</Data><Data Name='TargetLogonId'>0x11a5ba720</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>VHPDOC540COP001</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>122.85.52.113</Data><Data Name='IpPort'>53191</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>


In the inputs.conf I’ve tried the following without any success – yet:

[WinEventLog://Security]
disabled = 0

whitelist = 512,513,517,528,529,530,531,532,533,534,535,536,537,539,540,552,592,601,602,612,624,632,636,660,852,1102,4608,4616,4624,4625,4648,4649,4656,4662,4670,4672,4688,4697,4698,4702
,4719,4720,4723,4728,4732,4742,4746,4751,4756,4761,4768,4769,4771,4776,4794,5025,5152,5805,5827,5828,5829,5830,5831,7045,7468

## Blacklisted EventCodes for Exchange and cscad
blacklist3 = EventCode="4672" host="SKEXCH0.*" src_user="SKEXCH\d{2}\$"
blacklist4 = EventCode="4624" TargetUserName="cscad" WorkstationName="VHPDOC540.*" IpAddress="122\.85\.52\.\d{1,3}"
blacklist5 = $XmlRegex="<EventID>4672</\EventID>.*?<Computer>SKEXCH\d{2}\.[a-zA-Z0-9\.]+<\/Computer>.*?SubjectUserName'>SKEXCH\d{2}\$<\/Data>"
blacklist6 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
blacklist7 = $XmlRegex="\<EventID\>4672\</\EventID\>.*?<Computer\>SKEXCH\d{2}\.[a-zA-Z0-9\.]+\<\/Computer\>.*?SubjectUserName\'\>SKEXCH\d{2}\$\<\/Data\>"
blacklist8 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"

renderXml=true
index = wineventlog
Labels (1)
0 Karma
Get Updates on the Splunk Community!

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...