Getting Data In

Splunk Blacklist DesktopExtension.exe addition inputs.conf

EiffelPalace
Engager

Hello all,

I am trying to blacklist this app that is generating a ton of Windows Event logs; till I find what app it is and uninstall it. This is for HP's DesktopExtension.exe. The weird thing is that it is only running on about 30 devices. 

Here is the current section in inputs.conf :

 [WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode=4673 ProcessName="*\\DesktopExtension.exe*"
renderXml=false
index=oswinsec

However even after restarting the splunk forwarder the events still appear. I verified one of the hosts has the correct inputs.conf. I have also tried
blacklist3 = EventCode=4673 ProcessName="C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe""

Here is an example of the log/event:

LogName=Security
EventCode=4673
EventType=0
ComputerName=*********
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=10115718
Keywords=Audit Failure
TaskCategory=Sensitive Privilege Use
OpCode=Info
Message=A privileged service was called.
 
Subject:
Security ID: *****************
Account Name: ****************
Account Domain: ***********
Logon ID: ****************
 
Service:
Server: Security
Service Name: -
 
Process:
Process ID: 0x6604
Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_28.52349.1300.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe
 
Service Request Information:


Any tips?
Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Yes, that should work.

blacklist = EventCode=4673 message="DesktopExtension\.exe"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

EiffelPalace
Engager

I see that the desktopexetension.exe is also in the message so would something like this work?

blacklist = EventCode=4673 message="DesktopExtension.exe"

 

Here is an example message:
A privileged service was called. Subject: Service: Server: Security Service Name: - Process: Process ID: 0x2fcc Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe Service Request Information: Privileges: SeTcbPrivilege

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, that should work.

blacklist = EventCode=4673 message="DesktopExtension\.exe"
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

"ProcessName" is not a valid key for a blacklist setting.  Valid keys are "Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, and User".

Also, the RHS must be a valid regular expression.  A valid regex cannot begin with "*".  If you're trying to specify a wildcard at the beginning and end of the match then there's no need - that's implied with most regexes.

---
If this reply helps you, Karma would be appreciated.

dtburrows3
Builder

Did not know about the valid key entries. Thanks for sharing!
Came across this documentation after reading your comment.
https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/MonitorWindowseventlogdata

Oof and this right in inputs.conf docs

dtburrows3_0-1704229620202.png

 

dtburrows3
Builder

Give this a try

blacklist3 = EventCode="4673" Process_Name=".*\\DesktopExtension\.exe.*"

 From what I'm reading on Splunk docs it seems that it needs to be a valid regex to work.

dtburrows3_0-1704228189002.png

This regex seems to match properly

dtburrows3_1-1704228253623.png


The original regex you posted doesn't seem to valid according to regex101

dtburrows3_2-1704228307816.png


Also noticed that the Key you posted "ProcessName" is different then the field I see extracted on windows data on my local machine which is extracted as "Process_Name" but maybe that is how it is coming over in your environment. If that is the case then maybe this could work.

blacklist3 = EventCode="4673" ProcessName=".*\\DesktopExtension\.exe.*"
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...