Getting Data In

Issue excluding Windows events for a specific new process

SplunkUser5
Explorer

Hi Folks,

I'm running into trouble excluding new process creation events for Teams from being indexed. It's an expected application and starts at logon so we're not super worried about it.

I've looked at a handful of community articles, tried what was posted, and I'm stumped. My regex syntax looks fine, but Splunk still isn't excluding the events. Here's what I've tried so far:

_____inputs.conf_____

blacklist3 = EventCode="4688" new_process_name=".*Teams.exe"

blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"

blacklist3 = $XmlRegex="<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>"

blacklist3 = EventCode="4688" $XmlRegex="Name=\'NewProcessName\'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe<\/Data>"


None of these have worked. I found a couple community articles saying props.conf and transforms.conf was the proper way to filter out events so I tried these as well:

_____props.conf_____

[WinEventLog:Security]
TRANSFORMS-null = 4688cleanup

_____transforms.conf_____

[4688cleanup]
REGEX = "Teams\.exe<\/Data>"
DEST_KEY = queue
FORMAT = nullQueue


And this:

_____transforms.conf_____

[4688cleanup]
REGEX = <EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>
DEST_KEY = queue
FORMAT = nullQueue


None of these have worked so far and I'd appreciate any input y'all have.

Here is a copy of an event I'm trying to exclude from being indexed (Teams.exe as a new process):

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:11:25.7542758Z'/><EventRecordID>4096881</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='1124'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x11111111</Data><Data Name='NewProcessId'>0x5864</Data><Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4604</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>

And a copy of an event we'd like to keep (Teams.exe as a parent process, but not the new process):

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T22:33:19.5932251Z'/><EventRecordID>4212468</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='31196'/><Channel>Security</Channel><Computer>{Device_FQDN}</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-1-11-111111111-111111111-1111111111-111111</Data><Data Name='SubjectUserName'>{user}</Data><Data Name='SubjectDomainName'>{Domain}</Data><Data Name='SubjectLogonId'>0x1111111</Data><Data Name='NewProcessId'>0x7664</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4238</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data><Data Name='MandatoryLabel'>S-1-11-1111</Data></EventData></Event>

Events obfuscated for privacy. Like I said, the regex syntax looks fine as far as I can tell and matches in regex101 so I'm hoping it's a small thing I'm overlooking. We're running Splunk v9.1.1 if that makes any difference. Thanks!

-SplunkUser5

1 Solution

jotne
Builder

You did remove the quotes in the second transform you posted 🙂

The problem with your first regex is that it hits both the event to remove and the one to keep.

This may work:


NewProcessName.*?Teams\.exe<\/Data>.*?ParentProcessName

Looking for Teams.exe after NewProcessName and before ParentProcessName.

Always test your regex, like this:
https://regex101.com/r/v97Z1h/1

Edit:
This may be faster, since it uses less steps to find the data:


NewProcessName[^<]+Teams\.exe<



Edit2
You can also set a sourcetype for the data you are trying to delete. This way nothing is removed before you have seen that all is OK. If sourcetype=ToDelete shows the correct data, you can then send it to nullQueue:

[4688cleanup]
REGEX = NewProcessName[^<]+Teams\.exe<
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ToDelete

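Added check, not part of the accepted answer or of any post in this thread: the script below runs the regexes discussed above (the quoted and unquoted transforms.conf attempts, the full-path $XmlRegex pattern, and jotne's two suggestions) against the two obfuscated 4688 events posted in the question, reduced here to their System and EventData elements. It shows which patterns hit only the event to discard and which also hit the msedge.exe event that must stay indexed. The candidate names, the trimmed event text and the route() helper that mimics a DEST_KEY=queue/FORMAT=nullQueue stanza are this example's own; nothing here is Splunk's code.

```python
import re

# Constructed for this example from the two obfuscated 4688 events posted in
# the question: the System block is trimmed, EventData is kept as posted.
EVENT_DROP = (  # Teams.exe is the NEW process -> should be discarded
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    r"<System><EventID>4688</EventID><Channel>Security</Channel></System>"
    r"<EventData>"
    r"<Data Name='SubjectUserName'>{user}</Data>"
    r"<Data Name='NewProcessId'>0x5864</Data>"
    r"<Data Name='NewProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data>"
    r"<Data Name='TokenElevationType'>%%1936</Data>"
    r"<Data Name='ProcessId'>0x4604</Data>"
    r"<Data Name='CommandLine'></Data>"
    r"<Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data>"
    r"</EventData></Event>"
)
EVENT_KEEP = (  # Teams.exe is only the PARENT -> must stay indexed
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    r"<System><EventID>4688</EventID><Channel>Security</Channel></System>"
    r"<EventData>"
    r"<Data Name='SubjectUserName'>{user}</Data>"
    r"<Data Name='NewProcessId'>0x7664</Data>"
    r"<Data Name='NewProcessName'>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data>"
    r"<Data Name='TokenElevationType'>%%1936</Data>"
    r"<Data Name='ProcessId'>0x4238</Data>"
    r"<Data Name='CommandLine'></Data>"
    r"<Data Name='ParentProcessName'>C:\Users\{user}\AppData\Local\Microsoft\Teams\current\Teams.exe</Data>"
    r"</EventData></Event>"
)

# The patterns from the thread, as they would reach the regex engine from a
# transforms.conf REGEX line (names are this example's own).
CANDIDATES = {
    # first transforms.conf attempt, quotes and all: to PCRE the quotes are
    # literal characters, and no event contains them
    "quoted": r'"Teams\.exe<\/Data>"',
    # same pattern with the quotes removed, as jotne advised
    "loose": r"Teams\.exe<\/Data>",
    # second attempt: '<DataName=' has no space, but the XML has '<Data Name='
    "dataname_typo": r"<EventID>4688<\/EventID>.*<DataName='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>",
    # the $XmlRegex pattern from the question, with the space present
    "full_path": r"<EventID>4688<\/EventID>.*<Data Name='NewProcessName'>C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams\.exe<\/Data>",
    # jotne's first suggestion
    "between_fields": r"NewProcessName.*?Teams\.exe<\/Data>.*?ParentProcessName",
    # jotne's faster suggestion: never leave the NewProcessName element
    "inside_field": r"NewProcessName[^<]+Teams\.exe<",
}


def matches(name):
    """Return (hits EVENT_DROP, hits EVENT_KEEP) for a named candidate."""
    pat = re.compile(CANDIDATES[name])
    return (pat.search(EVENT_DROP) is not None, pat.search(EVENT_KEEP) is not None)


def is_selective(name):
    """A usable filter hits the event to drop and nothing else."""
    return matches(name) == (True, False)


def route(regex, event):
    """Mimic a transforms.conf stanza with DEST_KEY=queue / FORMAT=nullQueue:
    a match sends the event to nullQueue, anything else goes on to be indexed."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


if __name__ == "__main__":
    for name in CANDIDATES:
        drop, keep = matches(name)
        verdict = "OK" if is_selective(name) else "unusable"
        print(f"{name:15} hits Teams event: {drop!s:5} hits Edge event: {keep!s:5} -> {verdict}")
```

Two things fall out of running it. The quoted REGEX and the `<DataName=` pattern hit nothing at all, and `Teams\.exe<\/Data>` hits both events because the parent-process element ends the same way, so only the patterns that stay tied to the NewProcessName element are safe to route to nullQueue. The full-path pattern is selective as plain PCRE, which is what regex101 shows; when a pattern that is correct in isolation still does nothing in inputs.conf, the thing to examine is the layer in between, the blacklist key and quoting rules and how many backslashes survive config parsing, which is what the advice about extra backslashes in this thread is about. Staging the match into a ToDelete sourcetype first, as the accepted answer suggests, is the same regex with a reversible consequence.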

VatsalJagani
SplunkTrust

@SplunkUser5 - Yes @jotne is right about transforms.conf issue.

But if you want to exclude at the input level: this is a common issue I come across all the time, and I keep forgetting again and again that Windows paths sometimes require extra backslashes in the regex.

Try:

C:\\\Users\\\.*\\\AppData\\\Local\\\Microsoft\\\Teams\\\current

(Try the 4-backslash version as well, as I'm not sure which one will work. I always have to do trial and error between 2, 3 and 4 backslashes.)

I hope this helps!!! Kindly upvote if it does!!!

SplunkUser5
Explorer

I did get the exclusion under inputs.conf to work with different indexes using this format, just with double backslashes rather than triple or quadruple, so there's just an issue with how my Windows security events are set up.

We're upgrading to v9.2 soon in case it's an issue with the arbitrary formatting of the Forwarded Events channel from the v9.1 update. The inputs.conf exclusion seems to work with everything else.


SplunkUser5
Explorer

Thanks for the input. Escaping the escape characters seems a bit silly, but alright. I couldn't get it working today so I'll try a few more variations next week as I have time. Appreciate the help!


jotne
Builder

Your regex:

REGEX = "Teams\.exe<\/Data>"

does not hit your input data due to the quotes.

Do not quote your regex in transforms.conf:

REGEX = Teams\.exe<\/Data>


SplunkUser5
Explorer

Did not realize that. Thank you for the correction.

Removing quotes didn't exclude the Teams events though so I must have something else set wrong. As far as what I have posted, does it seem right? I'm not super familiar with troubleshooting props.conf and transforms.conf settings yet.



SplunkUser5
Explorer

I finally tried this using a different index and it worked just fine. I'm thinking it's an issue with the Forwarded Events channel forwarding issue introduced in v9.1. Once we upgrade to v9.2, it should work just fine for EventID 4688.

Again, thanks for the input!
