Hi Folks,
I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon so we're not super worried about it.
I've looked at a handful of community articles, tried what was posted, and I'm stumped. My regex syntax looks fine, but Splunk still isn't excluding the events. Here's what I've tried so far:
_____inputs.conf_____
blacklist3 = EventCode="4688" new_process_name=".*Teams.exe"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"
blacklist3 = EventCode="4688" $XmlRegex="Name=\'NewProcessName\'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe<\/Data>"
None of these have worked. I found a couple community articles saying props.conf and transforms.conf was the proper way to filter out events so I tried these as well:
_____props.conf_____
[WinEventLog:Security]
TRANSFORMS-null = 4688cleanup
_____transforms.conf_____
[4688cleanup]
REGEX = "Teams\.exe<\/Data>"
DEST_KEY = queue
FORMAT = nullQueue
And this:
_____transforms.conf_____
[4688cleanup]
REGEX = <EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>
DEST_KEY = queue
FORMAT = nullQueue
None of these have worked so far and I'd appreciate any input y'all have.
Here is a copy of an event I'm trying to exclude from being indexed (Teams.exe as a new process):
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:11:25.7542758Z'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1124'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x11111111</Data><Data Name='NewProcessId'>0x5864</Data><Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4604</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>
And a copy of an event we'd like to keep (Teams.exe as a parent process, but not the new process):
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:33:19.5932251Z'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='31196'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x1111111</Data><Data Name='NewProcessId'>0x7664</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4238</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>
Events obfuscated for privacy. Like I said, the regex syntax looks fine as far as I can tell and matches in regex101 so I'm hoping it's a small thing I'm overlooking. We're running Splunk v9.1.1 if that makes any difference. Thanks!
-SplunkUser5
You did remove the quotes in the second transform you posted 🙂
The problem with your first regex is that it hits both the one to remove and the one to keep.
This may work:
NewProcessName.*?Teams\.exe<\/Data>.*?ParentProcessName
Looking for Teams.exe after NewProcessName and before ParentProcessName
Always test your regex, like this:
https://regex101.com/r/v97Z1h/1
Edit:
This may be faster, since it uses fewer steps to find the data:
NewProcessName[^<]+Teams\.exe<
Edit2
You can also set a sourcetype for the data you are trying to delete. This way nothing is removed before you see that all is ok. If sourcetype = ToDelete shows the correct data, then you can send it to nullQueue:
[4688cleanup]
REGEX = NewProcessName[^<]+Teams\.exe<
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ToDelete
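To see why the broad regex drops both posted events while the narrowed one drops only the Teams.exe child, here is an added Python check (not part of jotne's answer or of Splunk itself) that runs the thread's patterns against abbreviated versions of the two posted events. It uses Python's re module as a stand-in for Splunk's PCRE engine, which behaves the same for these patterns, and a constructed username in place of the obfuscated {user}.

```python
import re

# Constructed sample events, abbreviated from the two XML events posted in the
# thread: only the <Data> elements the regexes care about are kept.
EXCLUDE_EVENT = (
    "<EventID>4688</EventID>"
    "<Data Name='NewProcessName'>C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe</Data>"
    "<Data Name='ParentProcessName'>C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe</Data>"
)
KEEP_EVENT = (
    "<EventID>4688</EventID>"
    "<Data Name='NewProcessName'>C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe</Data>"
    "<Data Name='ParentProcessName'>C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe</Data>"
)

# The three transforms.conf REGEX values discussed in the thread.
REGEX_ORIGINAL = r"Teams\.exe<\/Data>"              # matches any Teams.exe value, parent included
REGEX_NARROW = r"NewProcessName[^<]+Teams\.exe<"    # only a Teams.exe NewProcessName value
REGEX_QUOTED = r'"Teams\.exe<\/Data>"'              # the quoted form: the quotes are literal chars


def would_drop(regex: str, event: str) -> bool:
    """True if a transforms.conf REGEX with DEST_KEY=queue / FORMAT=nullQueue
    would match this event and therefore discard it before indexing."""
    return re.search(regex, event) is not None


def route_events(regex: str, events) -> dict:
    """Map each (label, event) pair to 'nullQueue' or 'index' for the given regex."""
    return {label: ("nullQueue" if would_drop(regex, ev) else "index") for label, ev in events}


EVENTS = [("teams_child", EXCLUDE_EVENT), ("edge_child_of_teams", KEEP_EVENT)]

if __name__ == "__main__":
    for name, rx in (("original", REGEX_ORIGINAL), ("narrow", REGEX_NARROW), ("quoted", REGEX_QUOTED)):
        print(f"{name:9s} {rx!r:40s} -> {route_events(rx, EVENTS)}")
```

The quoted form matches nothing because neither event contains a double-quote character, which is the symptom reported earlier in the thread.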
@SplunkUser5 - Yes, @jotne is right about the transforms.conf issue.
But if you want to exclude at the input level: this is a common issue I come across all the time, and I keep forgetting again and again that Windows paths sometimes require extra backslashes in the regex.
Try:
C:\\\Users\\\.*\\\AppData\\\Local\\\Microsoft\\\Teams\\\current
(Try the 4-backslash version as well, as I'm not sure which one will work. I always have to do trial and error between 2, 3, and 4 backslashes.)
I hope this helps!!! Kindly upvote if it does!!!
I did get the exclusion under inputs.conf to work with different indexes using this format, just with double slashes rather than triple or quadruple, so there's just an issue with how my Windows security events are set up.
We're upgrading to v9.2 soon in case it's an issue with the arbitrary formatting of the Forwarded Events channel from the v9.1 update. The inputs.conf exclusion seems to work with everything else.
Thanks for the input. Escaping the escape characters seems a bit silly, but alright. I couldn't get it working today so I'll try a few more variations next week as I have time. Appreciate the help!
Your regex:
REGEX = "Teams\.exe<\/Data>"
does not hit your input data due to the quotes.
Do not quote your regex in transforms.conf:
REGEX = Teams\.exe<\/Data>
Did not realize that. Thank you for the correction.
Removing quotes didn't exclude the Teams events though so I must have something else set wrong. As far as what I have posted, does it seem right? I'm not super familiar with troubleshooting props.conf and transforms.conf settings yet.
I finally tried this using a different index and it worked just fine. I'm thinking it's the Forwarded Events channel forwarding issue introduced in v9.1. Once we upgrade to v9.2, it should work just fine for EventID 4688.
Again, thanks for the input!