All Apps and Add-ons

How to filter EventID’s using “Splunk Add-on for Microsoft Windows” (Splunk_TA_windows) challenge.

BDein
Explorer

Does anyone have core knowledge on how the remove all events the fulfill these two searches, then I’d be very pleased to hear how, as I’ve already spend quite a bit of time investigating, editing and deploying unfortunately still without lock:

  1. index=wineventlog EventCode=4672 host IN (SKEXCH0*) src_user IN (SKEXCH0*$)
  2. index=wineventlog EventID=4624 TargetUserName=cscad WorkstationName IN (VHPDOC540*) IpAddress=“122.85.52.*”

Where the source for each of the two is as follows:
1.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:49:51.515030900Z'/><EventRecordID>7104199399</EventRecordID><Correlation ActivityID='{08b0282e-d41c-0001-cb3d-b0081cd4d801}'/><Execution ProcessID='924' ThreadID='54024'/><Channel>Security</Channel><Computer>SKEXCH03.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SKEXCH03$</Data><Data Name='SubjectDomainName'>SON</Data><Data Name='SubjectLogonId'>0x183d0ad065</Data><Data Name='PrivilegeList'>SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege</Data></EventData></Event>

2.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-10-22T20:55:10.9831608Z'/><EventRecordID>790343401</EventRecordID><Correlation/><Execution ProcessID='860' ThreadID='11144'/><Channel>Security</Channel><Computer>SKDC02.son.sok.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-0-0</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>S-1-5-21-606747145-57989841-682003330-85457</Data><Data Name='TargetUserName'>cscad</Data><Data Name='TargetDomainName'>SON</Data><Data Name='TargetLogonId'>0x11a5ba720</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>VHPDOC540COP001</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>122.85.52.113</Data><Data Name='IpPort'>53191</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>


In the inputs.conf I’ve tried the following without any success – yet:

[WinEventLog://Security]
disabled = 0

whitelist = 512,513,517,528,529,530,531,532,533,534,535,536,537,539,540,552,592,601,602,612,624,632,636,660,852,1102,4608,4616,4624,4625,4648,4649,4656,4662,4670,4672,4688,4697,4698,4702
,4719,4720,4723,4728,4732,4742,4746,4751,4756,4761,4768,4769,4771,4776,4794,5025,5152,5805,5827,5828,5829,5830,5831,7045,7468

## Blacklisted EventCodes for Exchange and cscad
blacklist3 = EventCode="4672" host="SKEXCH0.*" src_user="SKEXCH\d{2}\$"
blacklist4 = EventCode="4624" TargetUserName="cscad" WorkstationName="VHPDOC540.*" IpAddress="122\.85\.52\.\d{1,3}"
blacklist5 = $XmlRegex="<EventID>4672</\EventID>.*?<Computer>SKEXCH\d{2}\.[a-zA-Z0-9\.]+<\/Computer>.*?SubjectUserName'>SKEXCH\d{2}\$<\/Data>"
blacklist6 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"
blacklist7 = $XmlRegex="\<EventID\>4672\</\EventID\>.*?<Computer\>SKEXCH\d{2}\.[a-zA-Z0-9\.]+\<\/Computer\>.*?SubjectUserName\'\>SKEXCH\d{2}\$\<\/Data\>"
blacklist8 = $XmlRegex="EventID>4624<\/EventID>.*?Computer>SKDC\d+\.[a-zA-Z0-9\.]+<.*+TargetUserName'>cscad<\/Data>.*?'WorkstationName'>VHPDOC540[^<]+</Data.*?'IpAddress'>122\.85\.52\.\d{1,3}<\/Data>"

renderXml=true
index = wineventlog
Labels (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti &#x1f389; —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...