Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Blacklist DesktopExtension.exe addition inputs.conf

EiffelPalace
Engager
‎01-02-2024 12:21 PM

Hello all,

I am trying to blacklist this app that is generating a ton of Windows Event logs; till I find what app it is and uninstall it. This is for HP's DesktopExtension.exe. The weird thing is that it is only running on about 30 devices. 

Here is the current section in inputs.conf :

 [WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode=4673 ProcessName="*\\DesktopExtension.exe*"
renderXml=false
index=oswinsec

However even after restarting the splunk forwarder the events still appear. I verified one of the hosts has the correct inputs.conf. I have also tried
blacklist3 = EventCode=4673 ProcessName="C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe""

Here is an example of the log/event:

LogName=Security
EventCode=4673
EventType=0
ComputerName=*********
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10115718
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
OpCode=Info
Message=A privileged service was called.
 
Subject:
Security ID: *****************
Account Name: ****************
Account Domain: ***********
Logon ID: ****************
 
Service:
Server: Security
Service Name: -
 
Process:
Process ID: 0x6604
Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe
 
Service Request Information:


Any tips?
Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2024 08:21 AM

Yes, that should work.

blacklist = EventCode=4673 message="DesktopExtension\.exe"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

EiffelPalace
Engager
‎01-03-2024 07:56 AM

I see that the desktopexetension.exe is also in the message so would something like this work?

blacklist = EventCode=4673 message="DesktopExtension.exe"

 

Here is an example message:
A privileged service was called. Subject: Service: Server: Security Service Name: - Process: Process ID: 0x2fcc Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe Service Request Information: Privileges: SeTcbPrivilege

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2024 08:21 AM

Yes, that should work.

blacklist = EventCode=4673 message="DesktopExtension\.exe"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-02-2024 12:50 PM

"ProcessName" is not a valid key for a blacklist setting.  Valid keys are "Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, and User".

Also, the RHS must be a valid regular expression.  A valid regex cannot begin with "*".  If you're trying to specify a wildcard at the beginning and end of the match then there's no need - that's implied with most regexes.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

dtburrows3
Builder
‎01-02-2024 01:01 PM

Did not know about the valid key entries. Thanks for sharing!
Came across this documentation after reading your comment.
https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/MonitorWindowseventlogdata

Oof and this right in inputs.conf docs

dtburrows3_0-1704229620202.png

 

Reply
Solved! Jump to solution

dtburrows3
Builder
‎01-02-2024 12:46 PM

Give this a try

blacklist3 = EventCode="4673" Process_Name=".*\\DesktopExtension\.exe.*"

 From what I'm reading on Splunk docs it seems that it needs to be a valid regex to work.

dtburrows3_0-1704228189002.png

This regex seems to match properly

dtburrows3_1-1704228253623.png


The original regex you posted doesn't seem to valid according to regex101

dtburrows3_2-1704228307816.png


Also noticed that the Key you posted "ProcessName" is different then the field I see extracted on windows data on my local machine which is extracted as "Process_Name" but maybe that is how it is coming over in your environment. If that is the case then maybe this could work.

blacklist3 = EventCode="4673" ProcessName=".*\\DesktopExtension\.exe.*"
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...