Getting Data In

Blacklisting in [WinEventLog://Security]

nick_currie
Explorer

I'm looking to drop EventID 4673 where the action=failure

Here is an example log


3/15/2023 02:51:42 PM LogName=Security EventCode=4673 EventType=0 ComputerName=redacted SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=redacted Keywords=Audit Failure TaskCategory=Sensitive Privilege Use OpCode=Info Message=A privileged service was called. Subject: Security ID: redacted  Account Name: redacted Account Domain: redacted Logon ID: redacted Service: Server: Security Service Name: Process: Process ID: xxxxx Process Name: C:\Windows\System32\backgroundTaskHost.exe Service Request Information: Privileges: SeTcbPrivilege


From reading

https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf?_ga=2.40401506.1999669205.1678852413-817152181.1624861549&_gl=1*s1kmhp*_ga*ODE3MTUyMTgxLjE2MjQ4NjE1NDk.*_ga_5EPM2P39FV*MTY3ODg2MDY5OS44Ni4xLjE2Nzg4NjA3NjAuNjAuMC4w#Event_Log_allow_list_and_deny_list_formats

I can see that action is not a valid field to filter on?

# Valid keys for the key=regex format:

* The following keys are equivalent to the fields that appear in the text of
  the acquired events:
  * Category, CategoryString, ComputerName, EventCode, EventType, Keywords,
    LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName,
    TaskCategory, Type, User

So I chose to use Keywords, which has the value Audit Failure.

Here is my inputs.conf

---------------------

[WinEventLog://Security]
disabled = 0
index=corp_oswinsec
current_only=1
evt_resolve_ad_obj=0
checkpointInterval = 5

blacklist1 = EventCode="4673" Keywords="Audit Failure"

--------------------------------

I am still seeing these events being indexed, however. Any tips on where I am going wrong would be much appreciated!

1 Solution

nick_currie
Explorer

Ok thanks Rick - What worked for this was

EventCode="4673" Keywords=".*Failure"

Thanks for your help!


nick_currie
Explorer

Further testing has shown I can filter with regex on the Message field, such as this to filter out any msedge events:
blacklist = EventCode="4673" Message=".*Edge"

The issue is that the Message field does not contain whether it is successful or not. That information is only within the Keywords field, of the fields that the UF is supposed to be able to blacklist with. Is this a bug or do I need to do this another way? I don't want to have to send all of this traffic back to a HF to filter it, as we have some mobile devices that send logs directly to Splunk Cloud so as not to require the VPN.


PickleRick
SplunkTrust

I'm not sure I follow. If the Success/Failure value is stored in Keywords field, you can't match against it on Message field.

In such a case you should match on

EventCode=4673 Keywords=Failure


nick_currie
Explorer

No, what I mean is that the regex does not seem to work for me on the Keywords field. Have you tried?


PickleRick
SplunkTrust

No. I "misadvised" you. I forgot that indeed the regex must be surrounded by something (and since you used a quote, I mistook it for the typical mistake in props.conf).

Yes, the regex must be surrounded by something so that the UF can properly find where the separate regexes start and end.

So it turns out it should be done like this:

EventCode="4673" Keywords="Failure"

or

EventCode=%4673% Keywords=%Failure%

or

EventCode=*4673* Keywords=/Failure/

...

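To see how the question's combined EventCode/Keywords condition and the delimiter forms PickleRick lists play out against the flattened event text, here is an added Python model; it is not Splunk's code and not from anyone in the thread. It assumes that the keys on one blacklist line are AND-ed and that each regex is applied as an unanchored search, and it does not reproduce the quirk the thread ran into, where `"Audit Failure"` failed to match on the forwarder while `".*Failure"` did.

```python
import re

# Constructed events in the flattened text form the question shows (values redacted as in the post).
SAMPLE_FAILURE = (
    "3/15/2023 02:51:42 PM LogName=Security EventCode=4673 EventType=0 "
    "ComputerName=redacted SourceName=Microsoft Windows security auditing. "
    "Type=Information RecordNumber=redacted Keywords=Audit Failure "
    "TaskCategory=Sensitive Privilege Use OpCode=Info "
    "Message=A privileged service was called. Process Name: C:\\Windows\\System32\\backgroundTaskHost.exe"
)
SAMPLE_SUCCESS = SAMPLE_FAILURE.replace("Keywords=Audit Failure", "Keywords=Audit Success")
SAMPLE_EDGE = SAMPLE_FAILURE.replace(
    "C:\\Windows\\System32\\backgroundTaskHost.exe",
    "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe")  # constructed path

# Valid keys from the inputs.conf docs quoted in the question; a value runs until the next known key.
FIELD_KEYS = ("Category", "CategoryString", "ComputerName", "EventCode", "EventType", "Keywords",
              "LogName", "Message", "OpCode", "RecordNumber", "Sid", "SidType", "SourceName",
              "TaskCategory", "Type", "User")
_KEYS = "|".join(FIELD_KEYS)
_FIELD_RE = re.compile(rf"(?P<key>{_KEYS})=(?P<val>.*?)(?=\s(?:{_KEYS})=|$)", re.S)
# One key=regex pair with the regex wrapped in one of the delimiters PickleRick lists: " % / *
_RULE_RE = re.compile(r'(\w+)=(["%/*])(.*?)\2')

def parse_event(text):
    """Split a flattened event into a {field: value} dict."""
    return {m.group("key"): m.group("val").strip() for m in _FIELD_RE.finditer(text)}

def parse_rule(rule):
    """Turn 'EventCode="4673" Keywords=".*Failure"' into {key: compiled regex}.
    Undelimited regexes and unknown keys (e.g. action=...) are rejected, as the thread found."""
    pairs = _RULE_RE.findall(rule)
    if not pairs or any(key not in FIELD_KEYS for key, _, _ in pairs):
        raise ValueError(f"expected delimited key=regex pairs over valid keys, got: {rule!r}")
    return {key: re.compile(regex) for key, _, regex in pairs}

def is_blacklisted(event, rules):
    """Every key on one blacklist line must match (AND), each as an unanchored search.
    Both are assumptions of this model, not a description of the forwarder's internals."""
    return all(key in event and rx.search(event[key]) for key, rx in rules.items())

def apply_blacklist(events, rule):
    """Return the parsed events a rule would let through to the indexer."""
    rules = parse_rule(rule)
    return [ev for ev in map(parse_event, events) if not is_blacklisted(ev, rules)]

if __name__ == "__main__":
    kept = apply_blacklist([SAMPLE_FAILURE, SAMPLE_SUCCESS, SAMPLE_EDGE], 'EventCode="4673" Keywords=".*Failure"')
    print([ev["Keywords"] for ev in kept])  # ['Audit Success']
```

Feeding a few exported events through `apply_blacklist` before editing inputs.conf is a cheap way to confirm a rule keeps the Audit Success events you want to retain.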


nick_currie
Explorer

Thanks for the suggestions, however none of them work. I have tried both of those as well as various other option combinations, with and without quotes on the EventCode and on the Keywords statement:

blacklist = EventCode=4673 Keywords=Audit\sFailure
blacklist = EventCode=4673.*Keywords=Audit Failure


What I have discovered is that I can blacklist the entire event easily enough by using

blacklist = EventCode="4673"

but when I try to blacklist the event without quotes it doesn't work.

However, I would like to keep the successful events in Splunk. Has anyone else managed this and is willing to share their configuration?


PickleRick
SplunkTrust

Specifying regexes for white/blacklisting can be a PITA sometimes. Instead of

EventCode="4673" Keywords="Audit Failure"

Try

EventCode=4673 Keywords=Audit\sFailure

In your case quotes are interpreted as parts of regexes, so if your values don't contain them, they're not getting filtered out.


gcusello
SplunkTrust

Hi @nick_currie,

To blacklist events you can use several approaches in wineventlog:

blacklist = <comma-separated list> | key=regex [key=regex]

If you have more fields, I'd prefer to use a regex:

blacklist = EventCode=4673.*Keywords=Audit Failure

Ciao.

Giuseppe
