Getting Data In

Drop Windows Event Logs with EventID 5156 and not RFC 1918

rtalcik
Path Finder

HI All,

   So i wrote this in attempt to reject all RFC1918  TO RFC1918 logs for windows event logs with WID 5156.  basically log anything external but not internal to internal communication.  The sample log is a sniplet of what i am trying to drop.

 

 

Props.conf

 

 

[WinEventLog:Security]
TRANSFORMS-sec = WinEventCode5156Drop,WinEventCodeSecDrop,WinEventCodeSecPass

 

 

 

 

Transforms.conf  (Is order of operations my issue here?)

 

 

[WinEventCode5156Drop]
REGEX=((EventCode(?:\S+)5156)[\s\S]*(((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.))|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168))[\s\S]*((((?:Source Address|Destination Address)(?:\S+))(?:\s)+10\.)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.1[6-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.2[0-9])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+172\.3[0-1])|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+127\.0\.0\.1)|(((?:Source Address|Destination Address)(?:\S+))(?:\s)+192\.168)))
DEST_KEY = queue
FORMAT = nullQueue


[WinEventCodeSecDrop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue



[WinEventCodeSecPass]
REGEX=(?:^EventCode=|<EventID>)(4618|4649|4719|4765|4766|4794|4897|4964|5124|550|1102|4621|4675|4692|4693|4706|4713|4714|4715|4716|4724|4727|4735|4737|4739|4754|4755|4764|4764|480|4816|4865|4866|4867|4868|4870|4882|4885|4890|4892|4896|4906|4907|4908|4912|4960|4961|4962|4963|4965|4976|4977|4978|4983|4984|5027|5028|5029|5030|5035|5037|5038|5120|5121|5122|5123|5376|5377|5453|5480|5483|5484|5485|6145|6273|6274|6275|6276|6277|6278|6279|6280|640|619|24586|24592|24593|2454|4608|4609|4610|4611|4612|4614|4615|4616|4622|4624|4625|4634|4646|4647|4648|4650|4651|4652|4653|4654|4655|4656|4657|4658|4659|4660|4661|4662|4663|4664|4665|4666|4667|4668|4670|4671|4672|4673|4674|4688|4689|4690|4691|4694|4695|4696|4697|4698|4699|4700|4701|4702|4704|4705|4707|4709|4710|4711|712|4717|4718|4720|4722|4723|4725|4726|4728|4729|4730|4731|4732|4733|4734|4738|4740|4741|4742|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|473|4756|4757|4758|4759|4760|4761|4762|4767|4768|4769|4770|4771|4772|4774|4775|4776|4777|4778|4779|4781|4782|4783|4784|4785|4786|4787|4788|4789|4790|4793|4800|4801|4802|4803|4864|4869|4871|4872|4873|4874|4875|4876|4877|4878|4879|4880|4881|4883|4884|4886|4887|4888|4889|4891|4893|4894|4895|4898|902|4904|4905|4909|4910|4928|4929|4930|4931|4932|4933|4934|4935|4936|4937|4944|4945|4946|4947|4948|4949|4950|4951|4952|4953|4954|4956|4957|4958|499|4980|4981|4982|4985|5024|5025|5031|5032|5033|5034|5039|5040|5041|5042|5043|5044|5045|5046|5047|5048|5050|5051|5056|5057|5058|5059|5060|5061|5062|5063|5064|5065|5066|5067|5068|5069|5070|5125|5126|5127|5136|5137|5138|5139|5140|5141|5152|5153|5154|5155|5156|5157|5158|5159|5378|5440|5441|5442|443|5444|5446|5447|5448|5449|5450|5451|5452|5456|5457|5458|5459|5460|5461|5462|5463|5464|5465|5466|5467|5468|5471|5472|5473|5474|5477|5479|5632|5633|5712|5888|5889|5890|608|6144|6272|561|563|625|613|614|615|616|24577|24578|24579|24580|24581|24582|24583|24584|24588|24595|24621|5049|5478)
DEST_KEY = queue
FORMAT = indexQueue 

 

 

 

I can't figure out why this isn't working.

 

 

 

Sample Log

 

 

10/21/2021 10:06:05 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName= (REDACTED BY ME THE POSTER)
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=7865970185
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
	Process ID:		1548
	Application Name:	\device\harddiskvolume4\windows\system32\dns.exe

Network Information:
	Direction:		Inbound
Source Address:                 10.10.211.7
	Source Port:		53
Destination Address:            10.1.0.0
	Destination Port:       57834
	Protocol:		17

Filter Information:
	Filter Run-Time ID:	90427
	Layer Name:		Receive/Accept
	Layer Run-Time ID:	44

 

 

 

Labels (4)
0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...