Splunk Dev

Trying to blacklist event code with accesses

Jordan54
New Member

Hello. I am trying to blacklist an event code with a message and it is not working. I have my code posted below. Am I missing something? Thanks!

blacklist5 = Eventcode="4663" Message="Accesses:ReadData (or ListDirectory)"

0 Karma
1 Solution

sbbadri
Motivator

Try the below:

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
blacklist1=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"

Jordan54
New Member

Thanks for the suggestion, but that didn't seem to help. Any other suggestions?

0 Karma

sbbadri
Motivator

Can you paste a sample event? The regex for Message might be wrong, or another possibility is that it won't affect old events.

Below is the example given in Splunk_TA_windows:

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

0 Karma

Jordan54
New Member

This is what I have. Thanks again!

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4700|4767|4946|4948|4779|4954|4740|4658|4634|5145|4656|4672|5158|4776|5152|5157|4769|4768|4648|4985|4690|4771|4770|4702|4670|4660|4689|4611|5154|4793|5447|5058|5061|5031|4673|5143|4742|1|4647|4723|4738"
blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist4 = EventCode="4688" Message="New Process Name: (?i)^(C:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
blacklist5=EventCode="4663" Message="Accesses:ReadData\s+(or\s+ListDirectory)"

index = oswinsec
renderXml=false

0 Karma

sbbadri
Motivator

Can you paste one sample event? I guess the Message regex is wrong.

0 Karma

Jordan54
New Member

Sorry, new to Splunk. What do you mean by "paste a sample event"?

Thanks

0 Karma

sbbadri
Motivator

Please execute the query below on your search head:

index=oswinsec EventCode=4663 | head 1

It will produce one result. Copy the output and paste it in a comment.

0 Karma

Jordan54
New Member


07/27/2017 02:27:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4663
EventType=0
Type=Information
ComputerName=
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=473041460
Keywords=Audit Success
Message=An attempt was made to access an object.

Subject:
Security ID: S-1-5-18
Account Name:

Account Domain:

Logon ID:

Object:
Object Server: Security
Object Type: File
Object Name: D:\Program Files\
Handle ID: 0x204
Resource Attributes:
Process Information:
Process ID: 0x51c
Process Name: D:\Program Files

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask:        0x1

EventCode = 4663 host = index = oswinsec source = WinEventLog:Security sourcetype = WinEventLog:Security

Thanks

0 Karma

sbbadri
Motivator

blacklist5=EventCode="4663" Message="An attempt was made to access an object."

or, assuming that the Accesses field has been extracted (parentheses escaped so they match the literal text):

blacklist5=EventCode="4663" Accesses="ReadData\s\(or\sListDirectory\)"

0 Karma
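Worth checking before copying either line above into production: the inputs.conf blacklist value is a regex searched against the event's Message text, and the message in the pasted event reads "Accesses: ReadData (or ListDirectory)" with whitespace after the colon (real events carry tabs there) and literal parentheses. The patterns tried earlier in the thread fail on both counts, and "An attempt was made to access an object." is the fixed first line of every 4663 event, so that blacklist silently drops all object-access auditing, not just the ReadData/ListDirectory noise. The script below is an added example, not from the thread or from Splunk; it replays the thread's patterns and a corrected one against a constructed copy of the pasted event and a second, invented WriteData event using Python's re, whose handling of \s, groups and escaped parentheses matches what Splunk applies here. Also note that, per the documented inputs.conf whitelist/blacklist keys, Accesses is not one of the keys you can match on; match on Message instead, and remember a new blacklist only affects events indexed after the forwarder restart.

```python
import re

# Constructed sample 4663 message, modelled on the event pasted in the thread.
READ_EVENT = """An attempt was made to access an object.

Subject:
Security ID: S-1-5-18

Object:
Object Server: Security
Object Type: File
Object Name: D:\\Program Files\\
Handle ID: 0x204

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask:        0x1
"""

# Invented second event: same layout, but a write access that must NOT be dropped.
WRITE_EVENT = READ_EVENT.replace(
    "Accesses: ReadData (or ListDirectory)", "Accesses: WriteData (or AddFile)"
)

# Message patterns as they appear in the thread, plus a corrected one (assumption:
# the corrected pattern is mine, not something posted in the thread).
PATTERNS = {
    # original question: no whitespace allowed after the colon, parentheses form a group
    "original": r"Accesses:ReadData (or ListDirectory)",
    # first suggestion: whitespace handled after ReadData but still not after the colon
    "suggested": r"Accesses:ReadData\s+(or\s+ListDirectory)",
    # accepted answer: this sentence opens every 4663 message
    "accepted": r"An attempt was made to access an object.",
    # corrected: optional whitespace (spaces or tabs) after the colon, literal parentheses
    "corrected": r"Accesses:\s*ReadData\s+\(or\s+ListDirectory\)",
}


def blacklisted(pattern: str, message: str) -> bool:
    """Mimic inputs.conf: the Message regex is an unanchored search over the text."""
    return re.search(pattern, message) is not None


def evaluate(patterns=None, events=None):
    """Return {pattern_name: {event_name: dropped}} for every pattern/event pair."""
    patterns = patterns or PATTERNS
    events = events or {"read": READ_EVENT, "write": WRITE_EVENT}
    return {
        name: {ev: blacklisted(pat, msg) for ev, msg in events.items()}
        for name, pat in patterns.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:10s} read dropped={result['read']!s:6s} write dropped={result['write']}")
```

Expected outcome: "original" and "suggested" drop nothing (which is why the question's blacklist5 appeared to do nothing), "accepted" drops both the read and the write event, and only "corrected" drops the ReadData event while keeping WriteData. The equivalent inputs.conf line is blacklist5 = EventCode="4663" Message="Accesses:\s*ReadData\s+\(or\s+ListDirectory\)".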

Jordan54
New Member

That worked! Thanks

0 Karma

sbbadri
Motivator

Cool. Glad it worked. Please vote or accept the answer.

0 Karma