Reducing Windows Security Events flow by filtering in parsing queue

fab73
Path Finder

In order to filter out non-administrator logon events on the WinEventLog:Security sourcetype, I inserted the following stanzas in transforms.conf, in the proper position I suppose:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=User_Name!=Administrator
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529|530)
DEST_KEY = queue
FORMAT = indexQueue

and in props.conf :

[WinEventLog:Security]
TRANSFORMS-security=setnull,secsetparsing2,secsetparsing

but it doesn't work: events with User_Name different from Administrator are still coming in to my indexers in the last minute... any idea? Is there any error? I use Splunk 6.4.1. Any comment is appreciated.

0 Karma
1 Solution

fab73
Path Finder

It works by splitting the filters by means of two sequences of transforms in transforms.conf and props.conf

Windows:Security

[setnull]
[secsetparsing]

Windows:Security

[setnull2]
[secsetparsing2]

0 Karma

fab73
Path Finder

I tried:

#### Windows:Security

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[secsetparsing2]
REGEX=Administrator
DEST_KEY = queue
FORMAT = indexQueue

[secsetparsing]
REGEX=(?m)^EventCode=(528|529)
DEST_KEY = queue
FORMAT = indexQueue

but I still receive non-Admin events, although REGEX=Administrator in the PCRE regex standard means "every string that contains the word Administrator". I suppose the filter is not working. Is there a way to filter in the parsing queue on a field basis?

0 Karma

fab73
Path Finder

Is the filter applied on source data of the event?

0 Karma

fab73
Path Finder

Thanks. But which is the regular expression that matches the string

"Nome utente: Administrator"

in source data?

I have this event (a classic Windows Security event):

"02/02/2017 10:06:49 AM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=server01
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=2
CategoryString=Accesso/fine sess.
RecordNumber=1549305796
Message=Accesso non riuscito:

Motivo:     Nome utente sconosciuto o password non valida

Nome utente:    Administrator

Dominio:        MyDomain

Tipo di accesso:    3

..."

0 Karma

somesoni2
Revered Legend

The secsetparsing2 REGEX is written as a boolean expression. It should be a regular expression; you can't evaluate it as a field value. Instead of moving non-admins to nullQueue, you can just send admin events to indexQueue, like this:

[secsetparsing2]
REGEX=User_Name=Administrator
DEST_KEY = queue
FORMAT = indexQueue

0 Karma
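As an added illustration (not code from any poster in this thread), the following Python simulates how a TRANSFORMS chain of queue-routing stanzas is evaluated against the raw event text: stanzas run in props.conf order and each match overwrites the queue key, so the last matching stanza wins. It uses a constructed event modelled on the Italian-locale event quoted above, shows why the question's `User_Name!=Administrator` pattern can never match, and shows one regex that re-admits only Administrator logon events. The `route()` helper, the sample events and the corrected chain are assumptions for the demo, not Splunk's own code.

```python
import re

# Constructed sample, modelled on the Italian-locale Security event quoted in the
# thread (a failed logon, EventCode=529). Not real data.
ADMIN_EVENT = """02/02/2017 10:06:49 AM
LogName=Security
EventCode=529
Type=Failure Audit
ComputerName=server01
Message=Accesso non riuscito:

Motivo:     Nome utente sconosciuto o password non valida

Nome utente:    Administrator

Dominio:        MyDomain
"""
USER_EVENT = ADMIN_EVENT.replace("Administrator", "jdoe")      # non-admin logon
OTHER_EVENT = ADMIN_EVENT.replace("EventCode=529", "EventCode=4624")  # other code


def route(raw, chain, default="indexQueue"):
    """Simulate a TRANSFORMS-<class> chain whose stanzas all set DEST_KEY = queue.

    Stanzas are (REGEX, FORMAT) pairs in props.conf order. Each one that matches
    the raw text overwrites the queue key, so the last match decides the queue.
    """
    queue = default
    for regex, fmt in chain:
        if re.search(regex, raw):
            queue = fmt
    return queue


# The chain from the question. 'User_Name!=Administrator' is a test on a
# search-time field, not text that occurs in the raw event, so it never matches
# and the third stanza re-admits every 528/529/530 event regardless of user.
QUESTION_CHAIN = [
    (r".", "nullQueue"),
    (r"User_Name!=Administrator", "nullQueue"),
    (r"(?m)^EventCode=(528|529|530)", "indexQueue"),
]

# Corrected chain (assumed): drop everything, then re-admit only those logon
# events whose raw text names Administrator. (?ms) makes ^/$ match per line and
# lets . span the lines between the EventCode and the user name.
ADMIN_ONLY_CHAIN = [
    (r".", "nullQueue"),
    (r"(?ms)^EventCode=(528|529|530)$.*^Nome utente:\s+Administrator$", "indexQueue"),
]
```

Run `route(USER_EVENT, QUESTION_CHAIN)` to see the non-admin event reach indexQueue, and `route(USER_EVENT, ADMIN_ONLY_CHAIN)` to see it dropped.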