How to Blacklist EventCode

ebuehne
Explorer

I see this type of question has been asked several times, however I haven't been able to find the answer to my situation.

I need to have the below EventCode, ComputerName and user added to the overall blacklist so that it stops sending those results up to Splunk.

I have added the below line to my inputs.conf file:

blacklist5 = EventCode="4625" ComputerName="specific-comp-name"

and that works, as it blocks all 4625 events from that specific computer name. However, it works too well; I need to further narrow the filter to also include where user="User". When I add that:

blacklist5 = EventCode="4625" ComputerName="specific-comp-name" user="User"

The filter stops filtering out anything and once again all 4625 events are being sent up to Splunk.

Any help on how to get this accomplished is greatly appreciated.

0 Karma
1 Solution

wenthold
Communicator

Are you trying to blacklist it based on the Security ID or Account Name in the "Message" field content?

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       {USER_NAME}

This isn't parsed by the forwarder, it's only sent as the "Message" field. You'll have to use regex against the Message field to filter on those values.

blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="Account Name:\s+{ACCOUNT_TO_BLACKLIST}"

The one issue to be aware of is that in 4624/4625 the "Account Name:" can be defined a bit differently based on logon type. You may want to be specific with your regex to avoid accidentally blacklisting an event you want to see:

blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="Logon Type:\s+2\s.*Account Name:\s+{ACCOUNT_TO_BLACKLIST}\s+"


anand_singh17
Path Finder

blacklist5 = EventCode="4625" ComputerName="server-name" Message="\sAccount Name:\s_USER_NAME_\s"

In Windows events there are a lot of spaces, which we need to tackle.

0 Karma

ebuehne
Explorer

Thank you for all of that. After following your suggestion, I discovered that there were actually two tabs between "Account Name:" and my keyword "User", so by simply adding \t\t it was able to find what I wanted and add them to the blacklist.

Thanks again for your help!

anand_singh17
Path Finder

Thank you for the idea. It does not read, because of additional spaces.

0 Karma

aaraneta_splunk
Splunk Employee

@ebuehne - Glad you were able to find the solution with wenthold's help. Please don't forget to "Accept" the answer to close out your question and upvote anything that was helpful. Thanks.

0 Karma

ebuehne
Explorer

wenthold - I inserted the below line however it did not block any of those events:

blacklist5 = EventCode="4625" ComputerName="server-name" Message="Logon Type:\s+2\s.*Account Name:\s+{User}\s+"

When I remove the requirement looking for "User", the blocking works awesome, but it blocks more than what we want:

blacklist5 = EventCode="4625" ComputerName="server-name"

Again, what we want to do is block all of that event code from that server that has a user name of "User". Yes, the user name is actually called "User".

0 Karma

wenthold
Communicator

When you look at the events themselves, you'll see the standard entries:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=THIS_COMPUTER.net.internal
TaskCategory=Logoff
OpCode=Info
RecordNumber=114782234
Keywords=Audit Success
Message=An account was logged off.

Subject:
    Security ID:        NB\THAT_COMPUTER$
    Account Name:       THAT_COMPUTER$
    Account Domain:     NB
    Logon ID:       0x111222EDF

Logon Type:         3

The only fields you can blacklist at the forwarder are the key/value ones: LogName, SourceName, EventCode, etc. You can't blacklist the "User" field because it's part of the Message field and it doesn't get extracted at this point. You have to do the blacklist using regex against the entire "Message" field, since "user" isn't one of the key/value pairs in the source log; that doesn't get extracted until later.

You may want to start with a simple regex, then make it more specific as you get it working. If the events you're trying to blacklist have this in the first part of the Message field:
Message=An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       user.account
    Account Domain:     NB


Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xC000006D
    Sub Status:     0xC000006A

the issue is that you probably want to get to that second "Account Name" field, which should match the "User" field you're trying to blacklist - correct?

0 Karma
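The following is an added example, not code from this thread or from Splunk. It models offline what a multi-key blacklist line does to 4625 events laid out like wenthold's sample above, so a candidate Message regex can be checked before it goes into inputs.conf and silently drops failed-logon telemetry. It assumes the documented rule that every key="regex" pair on one blacklist line must match for the event to be dropped, and it uses Python's re with default flags in place of Splunk's matcher (which is not reproduced here). The events are constructed: the host name server-name and the account name User come from the thread; svc-backup, UserAdmin and other-host are made up. It also shows two regex facts worth knowing when a blacklist "stops filtering": \s+ already matches tabs and newlines, and braces left around a placeholder ({User}) are matched as literal text because they do not form a quantifier.

```python
import re

# Added example (not from the thread or from Splunk): evaluates a Windows
# event log blacklist line, key="regex" pairs that must ALL match, against
# one event's fields, using plain Python re with default flags.

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_blacklist(line: str) -> dict:
    """Turn 'EventCode="4625" ComputerName="x" Message="..."' into {key: regex}."""
    rules = dict(PAIR_RE.findall(line))
    if not rules:
        raise ValueError(f'no key="regex" pairs in: {line!r}')
    return rules


def is_blacklisted(line: str, event: dict) -> bool:
    """True when every key's regex is found (search, not full match) in that field."""
    rules = parse_blacklist(line)
    return all(re.search(rx, event.get(key, "")) for key, rx in rules.items())


def make_4625(computer: str, subject: str, target: str, logon_type: int = 3) -> dict:
    """Constructed 4625 event in the layout shown in the thread.
    Tabs separate label and value, as the original poster observed."""
    message = (
        "An account failed to log on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\t-\n"
        "\tLogon ID:\t\t0x0\n"
        "\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "\n"
        "Account For Which Logon Failed:\n"
        "\tSecurity ID:\t\tNULL SID\n"
        f"\tAccount Name:\t\t{target}\n"
        "\tAccount Domain:\t\tNB\n"
        "\n"
        "Failure Information:\n"
        "\tFailure Reason:\t\tUnknown user name or bad password.\n"
        "\tStatus:\t\t\t0xC000006D\n"
        "\tSub Status:\t\t0xC000006A\n"
    )
    return {"LogName": "Security", "EventCode": "4625",
            "ComputerName": computer, "Message": message}


HOST = "server-name"  # host name from the thread; the events below are constructed

# Placeholder braces left in: "{User}" is not a quantifier, so the engine
# looks for the literal text "{User}" and never matches a real event.
RULE_PLACEHOLDER = r'EventCode="4625" ComputerName="server-name" Message="Account Name:\s+{User}"'

# Simple pattern: matches the wanted event, but also the Subject's
# "Account Name:" line and any name that merely starts with "User".
RULE_NAIVE = r'EventCode="4625" ComputerName="server-name" Message="Account Name:\s+User"'

# Anchored to the "Account For Which Logon Failed" section, with a trailing
# whitespace boundary. \s+ crosses the newline and the tabs; .* stays on its
# own line, so the pattern does not depend on a dot-matches-newline flag.
RULE_ANCHORED = (r'EventCode="4625" ComputerName="server-name" '
                 r'Message="Account For Which Logon Failed:\s+Security ID:.*\s+Account Name:\s+User\s"')

EVENTS = {
    "target_user":  make_4625(HOST, "-", "User"),          # should be dropped
    "subject_user": make_4625(HOST, "User", "svc-backup"),  # must be kept
    "prefix_name":  make_4625(HOST, "-", "UserAdmin"),      # must be kept
    "other_host":   make_4625("other-host", "-", "User"),   # wrong host, keep
}


def evaluate(rule: str) -> dict:
    """Map each constructed event name to whether the rule would drop it."""
    return {name: is_blacklisted(rule, ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, rule in [("placeholder", RULE_PLACEHOLDER),
                        ("naive", RULE_NAIVE),
                        ("anchored", RULE_ANCHORED)]:
        print(f"{label:12s} {evaluate(rule)}")
```

Run as-is and it prints, for each rule, which of the four constructed events would be dropped: the placeholder rule drops nothing, the naive rule also drops the event where "User" is only the Subject and the one for "UserAdmin", and the anchored rule drops only the intended event. Because a regex that matches too broadly removes failed-logon events before they ever reach the indexer, checking candidates this way, then watching the 4625 volume from that host after the change, is cheaper than discovering the gap during an investigation.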

ebuehne
Explorer

wenthold - Thank you for your response, I put the below in however it is still not preventing those events:

blacklist5 = EventCode="4625" ComputerName="server-name" Message="Account Name:\s+{User}"

Again, when I use this it works, but it works too well:

blacklist5 = EventCode="4625" ComputerName="server-name"

I only want to block that event code from that server when the user name = "User". Yes, the user name I want blocked is actually called "User".

Any other ideas?

0 Karma

alemarzu
Motivator

Hello there @ebuehne

What happens if you add another blacklist that only filters users, like this:

blacklist5 = EventCode="4625" ComputerName="specific-comp-name"
blacklist6 = User="specific-user"

0 Karma

ebuehne
Explorer

Having those on separate lines would create two independent blacklists, each blocking all instances, which is not the end result we are looking for. We need all EventCode 4625 events from the specific server and specific user to get blocked.

0 Karma

alemarzu
Motivator

Try these blacklists:

blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="Account\sName: \s+specific-user-name"
blacklist5 = EventCode="4625" ComputerName="specific-comp-name" Message="specific-user-name"

0 Karma