How should the process name be designated for the ...

AL3Z · ‎11-21-2023

Hi,

I'm uncertain which Process name—CreatorProcessName, ParentProcessName, or NewProcessName—is the appropriate one to apply windows events blacklisting in this context.

Thanks..

rasad4468 · ‎11-27-2023

@AL3Z

In the context of blacklisting Windows events using inputs.conf for a Universal Forwarder, the relevant process name field you would typically use depends on your specific requirements. Let me break down the options you mentioned:

CreatorProcessName:

This field represents the name of the process that created the new process. If you are interested in events based on the process that initiated the creation of another process, you might use this field.
ParentProcessName:

This field indicates the name of the parent process that spawned the new process. If you want to blacklist events based on the immediate parent process, you would use this field.
NewProcessName:

This field represents the name of the new process that was created. If you are looking to blacklist events based on the specific process that is created, this would be the field to use.
When configuring blacklisting for Windows events, you may need to consider your specific use case and the level of granularity you require. For instance, if you want to block events based on a certain application being launched, you would use the "NewProcessName." If you want to block events based on a specific process initiating the creation of other processes, you might use "CreatorProcessName" or "ParentProcessName."

Here's a basic example of how you might use inputs.conf to blacklist events based on the NewProcessName:

[monitor://C:\Path\To\Your\Logs]
disabled = false
index = your_index
sourcetype = your_sourcetype
ignoreOlderThan = <your_time_specification>
blacklist = \.exe$ ; Adjust this regex pattern based on your needs

In the example above, the "blacklist" line uses a regular expression to filter out events where the new process name ends with ".exe". Adjust the regex pattern according to your requirements.

Remember to restart the Universal Forwarder after making changes to the inputs.conf file for the changes to take effect.

Always test your configurations in a controlled environment to ensure they behave as expected before deploying them in a production setting.

Thanks
rasad4468

tscroggins · ‎11-27-2023

@rasad4468

Was that written by ChatGPT?

rasad4468 · ‎11-27-2023

@tscroggins

Hi Tscroggins!

Using a ChatGPT for good cause for example helping another human being then it's yes. If the solution is not working then NO.

tscroggins · ‎11-27-2023

The answer confuses processes with files and the WinEventLog input type with the monitor input type. ChatGPT is a fine a tool, but its output is misleading and incorrect in this context. Human oversight is required. 🙂

AL3Z · ‎11-29-2023

@tscroggins @rasad4468 @richgalloway @PickleRick

Can we use this method to blacklist like this

blacklist3 = EventCode=%^4688$% Message=%SplunkUniversalForwarder%
blacklist4 = EventCode=%^4688$% Message=%Tanium%blacklist5 = EventCode=%^4688$% Message=%Rapid7%

my raw events are showing like this after adding why ?

tscroggins · ‎11-29-2023

Hi @AL3Z,

Please read <https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf#Event_Log_allow_list_and_deny_li...> carefully.

If renderXml = false, yes, you can use EventCode and Message in your blacklist settings.

It appears you have set the suppress_* settings to true. You should only set those to true if either (a) renderXml = true or (b) you want to exclude the fields from your events as illustrated by your image.

tscroggins · ‎11-25-2023

Hi @AL3Z,

Windows event log events are stored by Windows in a language-independent format. When using renderXml = true, Splunk does not forward the locale-specific message string. You can further optimize forwarder resource usage by also setting the suppress_* settings to true.

In the case of the security event log Microsoft-Windows-Security-Auditing provider/source, event identifier 4688 will have no Message field beginning with "A new process has been created." You must instead use whitelist and blacklist values that reference $XmlRegex and match against the raw XML event.

For example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2023-11-19T16:06:34.0318973Z" /><EventRecordID>139624</EventRecordID><Correlation /><Execution ProcessID="4" ThreadID="344" /><Channel>Security</Channel><Computer>titan</Computer><Security /></System><EventData><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName"></Data><Data Name="SubjectDomainName"></Data><Data Name="SubjectLogonId">0x3e7</Data><Data Name="NewProcessId">0x320</Data><Data Name="NewProcessName">C:\Windows\System32\lsass.exe</Data><Data Name="TokenElevationType">%%1936</Data><Data Name="ProcessId">0x1c8</Data><Data Name="CommandLine" /><Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName"></Data><Data Name="TargetDomainName"></Data><Data Name="TargetLogonId">0x0</Data><Data Name="ParentProcessName">C:\Windows\System32\wininit.exe</Data><Data Name="MandatoryLabel">S-1-16-16384</Data></EventData></Event>

The raw XML event contains a series of <Data> elements, one of which is <Data Name="NewProcessName">. To exclude a specific NewProcessName value, e.g. C:\Windows\System32\lsass.exe, we can construct a blacklist value using the $XmlRegex key. I'll use percent (%) as the regular expression delimiter. You can use one $XmlRegex key to match multiple parts of the raw XML or multiple $XmlRegex keys to make your matches easier to maintain. I've used three $XmlRegex keys to match the Provider, EventID, and Data elements:

blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">C:\\Windows\\System32\\lsass\.exe<\/Data>%

Note that I've included the provider/source because all Windows events are uniquely identified by a three-tuple of log, provider/source, and event identifier, e.g. Security, Microsoft-Windows-Security-Auditing, and 4688.

You can add additional processes to your blacklist by using a regular expression group construct within the NewProcessName match:

blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Windows\\System32\\lsass\.exe|C:\\Program Files\\MyApp\\MyProgram\.exe)<\/Data>%

This setting would be added to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf.

Note that the default blacklist1 and blacklist2 values provided by Splunk Add-on for Windows do not work when renderXML = true, so we'll modify those as well. I did not include the provider in the modifications; it's a direct translation of the default.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = true
suppress_keywords = true
suppress_opcode = true
suppress_sourcename = true
suppress_task = true
suppress_text = true
suppress_type = true
blacklist1 = $XmlRegex=%<EventID>4662<\/EventID>% $XmlRegex=%<Data Name="ObjectType">(?!\s*groupPolicyContainer)%
blacklist2 = $XmlRegex=%<EventID>566<\/EventID>% $XmlRegex=%<Data Name="ObjectType">(?!\s*groupPolicyContainer)%
blacklist3 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Windows\\System32\\lsass\.exe|C:\\Program Files\\MyApp\\MyProgram\.exe)<\/Data>%

Deploy inputs.conf and restart Splunk Universal Forwarder using your configuration management tool of choice, e.g. a Splunk deployment server.

AL3Z · ‎11-26-2023

Hi @tscroggins @richgalloway @PickleRick ,

In this below sample event the C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe appears in both ParentParentName and NewProcessName, we might need a specialized handling. Would you like help with a xml regex pattern to cover these conditions?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T08:18:13.998467800Z'/><EventRecordID>151265209</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='11116'/><Channel>Security</Channel><Computer>xxvy.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3978</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f80</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Can we use like this ?

blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%

blacklist5= $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%

richgalloway · ‎11-27-2023

I notice the regexes are using double quotes ("), but event uses single quotes ('). That will prevent a match.

---
If this reply helps you, Karma would be appreciated.

AL3Z · ‎11-27-2023

What if the Program.exe is present in NewProcessName and ParentProcessName which one do we need to apply it to Regex ??

tscroggins · ‎11-27-2023

Hi @AL3Z,

Props to @richgalloway for pointing out the difference between my test data with quotes (") and live data with apostrophes ('). We can accommodate both in the regular expression.

We can also accommodate multiple Data elements with different Name attributes; however, if the same value is in both elements, we only need to match one to filter the event. If you want match a value in either element, try:

blacklist3 = $XmlRegex=%<Provider[^>]+Name=["']Microsoft-Windows-Security-Auditing["']% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name=["'](New|Parent)ProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>%

(New|Parent)ProcessName matches both NewProcessName and ParentProcessName. If it's easier to read and maintain, you can also use (NewProcessName|ParentProcessName).

If you only want to match events that do have the same value in both elements, add an additional $XmlRegex match:

blacklist3 = $XmlRegex=%<Provider[^>]+Name=["']Microsoft-Windows-Security-Auditing["']% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name=["']NewProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>% $XmlRegex=%<Data Name=["']ParentProcessName["']>C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>%

Technically, the example also matches e.g. <Data Name="NewProcessName'> with different start and end characters, but it's not valid XML, and you shouldn't encounter this case in a live event stream. We can make the regular expression tighter with capture groups and back references, but I don't know if back references are supported in this context.

Separate blacklist values will work as well. Combining them or separating them is up to your preference and administrative style.

AL3Z · ‎11-27-2023

@tscroggins ,

None of your shared Regex patterns are working
https://regex101.com/r/i5cas6/1
Can you pls share your applied regex in regex101.

tscroggins · ‎11-29-2023

There are several patterns illustrated for use with renderXml = true and $XmlRegex:

<Provider[^>]+Name=["']Microsoft-Windows-Security-Auditing["']

<Data Name=["']NewProcessName["']>C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>

<Data Name=["']ParentProcessName["']>C:\\Program Files $x86$\\Tanium\\Tanium Client\\TaniumClient\.exe<\/Data>

Recall that % was used as a start and end delimiter and is not part of the pattern.

richgalloway · ‎11-27-2023

Those two fields have different meanings so use the one that applies to your use case(s). NewProcessName is more common, IME, but both may useful.

---
If this reply helps you, Karma would be appreciated.

tscroggins · ‎11-25-2023

For reference:

1. Microsoft Corporation. "About Event Logging." Windows App Development, 7 January 2021, https://learn.microsoft.com/en-us/windows/win32/eventlog/about-event-logging.

2. Splunk Inc. "inputs.conf Event Log allow list and deny list formats." Splunk Enterprise Admin Manual, 16 November 2023, https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Event_Log_allow_list_and_deny_l....

richgalloway · ‎11-21-2023

Splunk supports none of those directly. You'd have to use a regex on the Message field to filter on the desired process name. The most likely candidate is NewProcessName, but that depends on what event(s) you're filtering.

---
If this reply helps you, Karma would be appreciated.

AL3Z · ‎11-21-2023

@richgalloway ,

When I try to apply this blacklist it is not getting blacklisted even after applied matching regex pattern
blacklist3 = EventCode="4688" Message="(?:ParentProcessName).+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)"

https://regex101.com/r/Jq2IKb/1

What changes do we need here?

Thanks..

PickleRick · ‎11-21-2023

What format are you pulling the logs in? Traditional or XML?

 * $XmlRegex: Use this key for filtering when you render Windows Event
    log events in XML by setting the 'renderXml' setting to "true". Search
    the online documentation for "Filter data in XML format with the
    XmlRegex key" for details.

AL3Z · ‎11-21-2023

@PickleRick @richgalloway ,

Can we make changes to the splunk ta windows app inputs.conf of the deployment server ??

There was some configs messed up in the inputs.conf how we can restore to the previous configs ??

Thanks...

PickleRick · ‎11-22-2023

That's another question, completely unrelated to the original issue. See my response in this thread https://community.splunk.com/t5/Deployment-Architecture/What-are-the-best-practices-for-creating-and... for managing apps.

How should the process name be designated for the blacklisting of Windows events?

inputs.conf

universal forwarder

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?