Getting Data In

How should the process name be designated for the blacklisting of Windows events?

Raj
Builder

Hi,

I'm uncertain which Process name—CreatorProcessName, ParentProcessName, or NewProcessName—is the appropriate one to apply windows events blacklisting in this context.

Thanks..

Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't know why Splunk is not matching that event.  The regex looks good to me.  Perhaps try without the  groups?  It shouldn't matter, but perhaps it will and the groups are not necessary.

---
If this reply helps you, Karma would be appreciated.

Raj
Builder

Hi

Can you pls give me and eg. for above regex with out group ?

Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust
ParentProcessName.+Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe
---
If this reply helps you, Karma would be appreciated.
0 Karma

Raj
Builder

@richgalloway 

Can we use the props and transforms to send the unwanted events to null queue aas the applied regex are not working!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, the indexers or heavy forwarders can use the regex to discard matching events.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Raj
Builder

@richgalloway ,

is this with quotes ?
blacklist5 = EventCode="4688" Message="(ParentProcessName.+Microsoft Monitoring Agent\\Agent\\MonitoringHost\.exe)"

 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

You asked for a regex so that is what I gave you.  Add quotes and other text as necessary.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Raj
Builder

Hello, @richgalloway @PickleRick ,

The regex I used seems effective, but it's unexpectedly blocking all my Windows security events. I've checked the regex, and I haven't specifically blacklisted any Windows executables. Could you assist me in analyzing the below list of blacklisted executables?

# Copyright (C) 2019 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#



###### OS Logs ######

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
blacklist2 = EventCode="5447|4634|5156|4663|4656|5152|5157|4658|4673|4661|4690|4932|4933|5158|4957|5136|4674|4660|4670|5058|5061|4985|4965"
blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:SplunkUniversalForwarder\\bin\\btool.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-powershell.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-winprintmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-regmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-netmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-admon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-winevtlog.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-perfmon.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunkd.exe)|.+(?:SplunkUniversalForwarder\\bin\\splunk-wmi.exe)|.+(?:Windows Defender Advanced Threat Protection\\SenseCncProxy.exe)|.+(?:Windows Defender Advanced Threat Protection\\SenseCM.exe)|.+(?:Windows Defender Advanced Threat Protection\\MsSense.exe)|.+(?:Microsoft\\Windows Defender\\Platform\\.*\MsMpEng.exe)|.+(?:Microsoft\\Windows Defender\\Platform\\.*\\MpCmdRun.exe)|.+(?:Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\.*\\MsSense.exe)|.+(?:Microsoft\\Windows Defender\\Platform\\.*\\MsMpEng.exe)|.+(?:Microsoft\\Windows Defender Advanced Threat Protection\Platform\.*\\SenseIR.exe)|.+(?:Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\.*\\OpenHandleCollector.exe)|.+(?:ForeScout SecureConnector\\SecureConnector.exe)|.+(?:Windows Defender Advanced Threat Protection\\SenseIR.exe)|.+(?:Rapid7\\Insight Agent\\components\\insight_agent\\.*\\get_proxy.exe)|.+(?:Rapid7\\Insight Agent\\components\\insight_agent\\.*\\ir_agent.exe|.+(?:Tanium\\Tanium Client\\TaniumCX.exe)|.+(?:AzureConnectedMachineAgent\\GCArcService\\GC\\gc_worker.exe)|.+(?:AzureConnectedMachineAgent\\GCArcService\\GC\\gc_service.exe)|.+(?:WindowsPowerShell\\Modules\\gytpol\\Client\\fw.*\\GytpolClientFW.*.exe)|.+(?:AzureConnectedMachineAgent\\azcmagent.exe)|.+(?:Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe)"
blacklist4 = EventCode="4688" Message="(?:New Process Name:).+(?:Tanium\\Tanium Client)"
blacklist5 = EventCode="4688" Message="(?:Creator Process Name:).+(?:Tanium\\Tanium Client)"
renderXml=true
index = es_winsec

Thanks...
0 Karma

richgalloway
SplunkTrust
SplunkTrust

@Raj wrote:
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.

Stop right there!  These comments are very important and yet you've chosen to ignore them by editing a file that should not be modified.  What other instructions have you disregarded?

The configs shown look good to me, but I am not familiar enough with Windows to know if there's something there that shouldn't be there or vice versa.

---
If this reply helps you, Karma would be appreciated.

Raj
Builder

@richgalloway 

I have made changes to local inputs.conf on this app and deployed it to over 3k servers so we need to move these configurations from local to default to get it work ?

Thanks..

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It will work as it is, but it is poor practice.  Your changes will be lost the next time Splunk_TA_windows is upgraded.

---
If this reply helps you, Karma would be appreciated.
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...