Re: Drop Windows Event Logs with EventID 5156 and ...

rtalcik · ‎10-22-2021

HI All,

So i wrote this in attempt to reject all RFC1918 TO RFC1918 logs for windows event logs with WID 5156. basically log anything external but not internal to internal communication. The sample log is a sniplet of what i am trying to drop.

Props.conf

[WinEventLog:Security]
TRANSFORMS-sec = WinEventCode5156Drop,WinEventCodeSecDrop,WinEventCodeSecPass

Transforms.conf (Is order of operations my issue here?)

[WinEventCode5156Drop]
REGEX=((EventCode(?:\S+)5156)[\s\S]*(((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.))|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168))[\s\S]*((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168)))
DEST_KEY = queue
FORMAT = nullQueue


[WinEventCodeSecDrop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue



[WinEventCodeSecPass]
REGEX=(?:^EventCode=|<EventID>)(4618|4649|4719|4765|4766|4794|4897|4964|5124|550|1102|4621|4675|4692|4693|4706|4713|4714|4715|4716|4724|4727|4735|4737|4739|4754|4755|4764|4764|480|4816|4865|4866|4867|4868|4870|4882|4885|4890|4892|4896|4906|4907|4908|4912|4960|4961|4962|4963|4965|4976|4977|4978|4983|4984|5027|5028|5029|5030|5035|5037|5038|5120|5121|5122|5123|5376|5377|5453|5480|5483|5484|5485|6145|6273|6274|6275|6276|6277|6278|6279|6280|640|619|24586|24592|24593|2454|4608|4609|4610|4611|4612|4614|4615|4616|4622|4624|4625|4634|4646|4647|4648|4650|4651|4652|4653|4654|4655|4656|4657|4658|4659|4660|4661|4662|4663|4664|4665|4666|4667|4668|4670|4671|4672|4673|4674|4688|4689|4690|4691|4694|4695|4696|4697|4698|4699|4700|4701|4702|4704|4705|4707|4709|4710|4711|712|4717|4718|4720|4722|4723|4725|4726|4728|4729|4730|4731|4732|4733|4734|4738|4740|4741|4742|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|473|4756|4757|4758|4759|4760|4761|4762|4767|4768|4769|4770|4771|4772|4774|4775|4776|4777|4778|4779|4781|4782|4783|4784|4785|4786|4787|4788|4789|4790|4793|4800|4801|4802|4803|4864|4869|4871|4872|4873|4874|4875|4876|4877|4878|4879|4880|4881|4883|4884|4886|4887|4888|4889|4891|4893|4894|4895|4898|902|4904|4905|4909|4910|4928|4929|4930|4931|4932|4933|4934|4935|4936|4937|4944|4945|4946|4947|4948|4949|4950|4951|4952|4953|4954|4956|4957|4958|499|4980|4981|4982|4985|5024|5025|5031|5032|5033|5034|5039|5040|5041|5042|5043|5044|5045|5046|5047|5048|5050|5051|5056|5057|5058|5059|5060|5061|5062|5063|5064|5065|5066|5067|5068|5069|5070|5125|5126|5127|5136|5137|5138|5139|5140|5141|5152|5153|5154|5155|5156|5157|5158|5159|5378|5440|5441|5442|443|5444|5446|5447|5448|5449|5450|5451|5452|5456|5457|5458|5459|5460|5461|5462|5463|5464|5465|5466|5467|5468|5471|5472|5473|5474|5477|5479|5632|5633|5712|5888|5889|5890|608|6144|6272|561|563|625|613|614|615|616|24577|24578|24579|24580|24581|24582|24583|24584|24588|24595|24621|5049|5478)
DEST_KEY = queue
FORMAT = indexQueue

I can't figure out why this isn't working.

Sample Log

10/21/2021 10:06:05 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName= (REDACTED BY ME THE POSTER)
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=7865970185
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		1548
	Application Name:	\device\harddiskvolume4\windows\system32\dns.exe

Network Information:
	Direction:		Inbound
Source Address:                 10.10.211.7
	Source Port:		53
Destination Address:            10.1.0.0
	Destination Port:       57834
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	90427
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44

PickleRick · ‎11-02-2024

Ouch.

1. I'd go for blacklisting events at the source forwarder as @isoutamo already hinted. It's way closer to source and it saves you a lot of bandwidth and CPU downstream.

2. If possible, use XML formatted windows events.

3. As far as I remember, modern windows inputs by default set sourcetype as just WinEventLog or XMLWinEventLog. The channels are specified in the source field, not in the sourcetype. So your whole props stanza will not match.

4. Yes, order of operations does matter but yours is pretty OK. (but the WinEventCode5156Drop transform is pointless since next you're setting all events' queue to nullQueue).

isoutamo · ‎11-13-2024

I think that currently it is used XMLWinEventLog at least that is used on those nodes which I can check now.

isoutamo · ‎11-02-2024

Based on your example and REGEX this should work. See https://regex101.com/r/puu59N/1 .
Probably what you get from windows to Splunk is somehow different and for that reason it didn't match to your regex.
r. Ismo

woody188 · ‎10-30-2024

Use "blacklist" in the inputs.conf instead.

Drop Windows Event Logs with EventID 5156 and not RFC 1918

props.conf

sourcetype

transforms.conf

Windows

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?