Blacklist - 2 fields on same event

icewolf69 · ‎01-18-2022

Hi all, I'm trying to create a blacklist for an event after checking 2 different fields on different lines.

I can get them filtered individually, but without an "AND" operator, like OR has "|", I'm struggling.

Sample Event

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		SYSTEM
	Account Name:		COMPUTER$
	Account Domain:		XXXX.NET
	Logon ID:		0x6C6C65F09
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{970e0bf8-ccc7-18fd-7be9-d5efe2ab8b22}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

So what I'm trying to do is filter on Logon Type=3 AND Account Name: xxx$

I have tried stuff that works on regex101, etc. And it will work there, but Splunk doesn't seem to recognize it.

(?=.*?(Logon\sType:[\s]*3))(?=.*?(Account\sName:[\s]*.*\$))

Any help is appreciated

icewolf69 · ‎01-18-2022

Took me a while but figured it out, incase someone shows up here in the future!

source="WinEventLog:Security" EventCode=4624 | regex Message="(?ms)Logon\sType:[\s]*(3).*Account\sName:[\s]*(.*\$)"

Blacklist - 2 fields on same event

inputs.conf

universal forwarder

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...