Getting Data In

Unable to drop windows XML formatted events

Suraj1
New Member

Dears,

 

I'm trying to filter out XML formatted events and below is sample event and REGEX which we used:

Sample Events:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>1</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-03-18T07:29:59.988001100Z'/><EventRecordID>11295805761</EventRecordID><Correlation/><Execution ProcessID='796' ThreadID='25576'/><Channel>Security</Channel><Computer>DC01.XXXX.COM</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>UCXXX\XXXDSOD02$</Data><Data Name='TargetUserName'>XXXDSOD02$</Data><Data Name='TargetDomainName'>UCXXX</Data><Data Name='TargetLogonId'>0x13443956d5</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{5517AA4A-D860-6053-03FD-1FE752FC995B}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.X.X.73</Data><Data Name='IpPort'>53681</Data><Data Name='ImpersonationLevel'>%%1833</Data></EventData></Event>

 

Regex Implemented in inputs.conf file:

blacklist10 = EventCode="4624" Message="SubjectUserSid:\s+(NULL SID)"
blacklist11 = $xmlRegex="\<EventID\>4624.*\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<"
blacklist12 = EventCode="4624" WorkstationName="-"

Props.conf:

TRANSFORMS-null=setnull

Transforms.conf:

[setnull]
SOURCE_KEY = _raw
REGEX = (\<EventID\>4624.+\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<)
DEST_KEY = queue
FORMAT = nullQueue

Please suggest if you have solution for this.

Thanks,

Suraj

 

 

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_allow_list_and_deny_l...

  * $XmlRegex: Use this key for filtering when you render Windows Event
    log events in XML by setting the 'renderXml' setting to "true". Search
    the online documentation for "Filter data in XML format with the
    XmlRegex key" for details.

Also remember that transforms are not (typically) run on UFs. So your setnull transform is _not_ run if defined on the UF.

0 Karma

Suraj1
New Member

Dear Karma,

 

We tried to use the suggested option.

Can you please guide us where to update the file as we suspect on location where we writing Regex.

Currently, we have updated windows folder on deployment server and /etc/system/local/ directory on HF level.

Thanks,

Suraj

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...